On Tue, Aug 09, 2022 at 06:34:02PM +0200, Florian Westphal wrote:
> In nf_tables_updtable, if nf_tables_table_enable returns an error,
> nft_trans_destroy is called to free the transaction object.
>
> nft_trans_destroy() calls list_del(), but the transaction was never
> placed on a list -- the list head is all zeroes, this results in
> a null dereference:
>
> BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59
> Call Trace:
> nft_trans_destroy+0x26/0x59
> nf_tables_newtable+0x4bc/0x9bc
> [..]
>
> It's sane to assume that nft_trans_destroy() can be called
> on the transaction object returned by nft_trans_alloc(), so
> make sure the list head is initialised.

Applied to nf.git, thanks
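
Added example, not part of the original e-mail and not the kernel patch: a userspace model of why list_del() on a zeroed list head dereferences NULL and why initialising the head at allocation makes the destroy path safe. The names `struct trans`, `trans_alloc_before`, `trans_alloc_after` and `trans_destroy` are hypothetical stand-ins, and the model reports the faulting case instead of crashing.

```c
/* Userspace model of the bug in the quoted commit message (not kernel code). */
#include <stdio.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };
struct trans { struct list_head list; int msg_type; }; /* hypothetical stand-in */

/* Same effect as the kernel's INIT_LIST_HEAD(): an empty node points at itself. */
static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* The two pointer writes list_del() performs (poisoning omitted). */
static void list_del_entry(struct list_head *e)
{
    e->next->prev = e->prev;   /* faults here if e->next is NULL */
    e->prev->next = e->next;
}

/* Before the fix: zeroed allocation, list head left as {NULL, NULL}. */
static struct trans *trans_alloc_before(int msg_type)
{
    struct trans *t = calloc(1, sizeof(*t));
    if (t) t->msg_type = msg_type;
    return t;
}

/* After the fix: the list head is initialised when the object is allocated. */
static struct trans *trans_alloc_after(int msg_type)
{
    struct trans *t = trans_alloc_before(msg_type);
    if (t) init_list_head(&t->list);
    return t;
}

/* Destroy path: 0 on success, -1 where list_del() would write through NULL. */
static int trans_destroy(struct trans *t)
{
    int ok = t && t->list.next && t->list.prev;
    if (ok) list_del_entry(&t->list);
    free(t);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("before fix: %d\n", trans_destroy(trans_alloc_before(1)));
    printf("after fix:  %d\n", trans_destroy(trans_alloc_after(1)));
    return 0;
}
```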