ACK: [SRU][N/Q][PATCH 0/1] CVE-2026-23231

[Yufeng Gao]

On 17/3/26 09:12, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
>
> nf_tables_addchain() publishes the chain to table->chains via
> list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
> If nf_tables_register_hook() then fails, the error path calls
> nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
> with no RCU grace period in between.
>
> This creates two use-after-free conditions:
>
>   1) Control-plane: nf_tables_dump_chains() traverses table->chains
>      under rcu_read_lock(). A concurrent dump can still be walking
>      the chain when the error path frees it.
>
>   2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
>      installs the IPv4 hook before IPv6 registration fails.  Packets
>      entering nft_do_chain() via the transient IPv4 hook can still be
>      dereferencing chain->blob_gen_X when the error path frees the
>      chain.
>
> Add synchronize_rcu() between nft_chain_del() and the chain destroy
> so that all RCU readers -- both dump threads and in-flight packet
> evaluation -- have finished before the chain is freed.
>
> [Fix]
>
> Questing: applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the nftables subsystem within Netfilter
> to address two potential use-after-free scenarios rooted
> in nf_tables_addchain(). Issues would only affect Netfilter
> chains.
>
> Inseo An (1):
>    netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
>
>   net/netfilter/nf_tables_api.c | 1 +
>   1 file changed, 1 insertion(+)
>
Acked-by: Yufeng Gao <yufeng.gao at canonical.com>