ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23392

Gabriela Bittencourt gabriela.bittencourt at canonical.com
Fri May 1 17:27:38 UTC 2026


On 4/8/26 22:11, Tim Whisonant wrote:

> SRU Justification:
>
> [Impact]
>
> netfilter: nf_tables: release flowtable after rcu grace period on error
>
> Call synchronize_rcu() after unregistering the hooks from error path,
> since a hook that already refers to this flowtable can be already
> registered, exposing this flowtable to packet path and nfnetlink_hook
> control plane.
>
> This error path is rare, it should only happen by reaching the maximum
> number of hooks or by failing to set up hardware offload, just call
> synchronize_rcu().
>
> There is a check for already used device hooks by different flowtable
> that could result in EEXIST at this late stage. The hook parser can be
> updated to perform this check earlier so this error path really becomes
> rarely exercised.
>
> Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
> when dumping hooks.
>
> [Fix]
>
> Questing: applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    backported from upstream
> Focal:    sent to Forgejo
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the nftables fast path code, particularly the
> allocation routine for the flowtable object, to correct a use
> after free in the error handling path. Issues would affect this
> nftables fast path table object handling.
>
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: release flowtable after rcu grace period on
>      error
>
>   net/netfilter/nf_tables_api.c | 1 +
>   1 file changed, 1 insertion(+)
>
Acked-by: Gabriela Bittencourt <gabriela.bittencourt at canonical.com>


