On Wed, Aug 13, 2025 at 08:36:07AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > A chain/flowtable update with duplicated devices in the same batch is
> > possible. Unfortunately, netdev event path only removes the first
> > device that is found, leaving unregistered the hook of the duplicated
> > device.
> >
> > Check if a duplicated device exists in the transaction batch, bail out
> > with EEXIST in such case.
> >
> > WARNING is hit when unregistering the hook:
> >
> > [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
> > [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
> > [...]
> > [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
>
> Thanks Pablo.
>
> Just to confirm: this doesn't result in anything other than
> the unreg splat, correct?
>
> Or does this leak memory too?

It seems I tested on a kernel without CONFIG_KASAN, with it, it reports UaF.

[ 97.140749] ==================================================================
[ 97.140762] BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0xd9/0x140
[ 97.140774] Read of size 8 at addr ffff88814feba108 by task nft/1097

> FTR, i placed this in nf.git:testing.

Thanks.