Commit 24f90fa3 authored Mar 17, 2026 by Florian Westphal

netfilter: bpf: defer hook memory release until rcu readers are done



Yiming Qian reports UaF when concurrent process is dumping hooks via
nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
 <TASK>
 nfnl_hook_dump_one.isra.0+0xe71/0x10f0
 netlink_dump+0x554/0x12b0
 nfnl_hook_get+0x176/0x230
 [..]

Defer release until after concurrent readers have completed.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 84601d6e ("bpf: add bpf_link support for BPF_NETFILTER programs")
Signed-off-by: Florian Westphal <fw@strlen.de>

parent 7c46bd84

net/netfilter/nf_bpf_link.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link link, struct bpf_prog new_prog,

		static const struct bpf_link_ops bpf_nf_link_lops = {
		.release = bpf_nf_link_release,
		.dealloc = bpf_nf_link_dealloc,
		.dealloc_deferred = bpf_nf_link_dealloc,
		.detach = bpf_nf_link_detach,
		.show_fdinfo = bpf_nf_link_show_info,
		.fill_link_info = bpf_nf_link_fill_link_info,