Abhishek Shah <abhishek.shah@xxxxxxxxxxxx> wrote:
> Hi all,
>
> We found a race involving the table->handle variable here
> <https://elixir.bootlin.com/linux/v5.18-rc5/source/net/netfilter/nf_tables_api.c#L1221>.
> This race advances the pointer, which can cause out-of-bounds memory
> accesses in the future. Please let us know what you think.
>
> Thanks!
>
>
> *---------------------Report-----------------*
> *read-write* to 0xffffffff883a01e8 of 8 bytes by task 6542 on cpu 0:
> nf_tables_newtable+0x6dc/0xc00 net/netfilter/nf_tables_api.c:1221
> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
> [..]
> *read-write* to 0xffffffff883a01e8 of 8 bytes by task 6541 on cpu 1:
> nf_tables_newtable+0x6dc/0xc00 net/netfilter/nf_tables_api.c:1221
> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
> [..]

I don't understand. Like all batch operations, nf_tables_newtable is supposed
to run with the transaction mutex held, i.e. parallel execution is not expected.

There is a lockdep assertion at start of nf_tables_newtable(); I don't see how
it's possible that two threads can run this concurrently.