On Thu, May 04, 2023 at 02:20:21PM +0200, Florian Westphal wrote: > This reverts "netfilter: nf_tables: skip netdev events generated on netns removal". > > The problem is that when a veth device is released, the veth release > callback will also queue the peer netns device for removal. > > Its possible that the peer netns is also slated for removal. In this > case, the device memory is already released before the pre_exit hook of > the peer netns runs: > > BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0 > Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 > Workqueue: netns cleanup_net > Call Trace: > nf_hook_entry_head+0x1b8/0x1d0 > __nf_unregister_net_hook+0x76/0x510 > nft_netdev_unregister_hooks+0xa0/0x220 > __nft_release_hook+0x184/0x490 > nf_tables_pre_exit_net+0x12f/0x1b0 > .. > > Order is: > 1. First netns is released, veth_dellink() queues peer netns device > for removal > 2. peer netns is queued for removal > 3. peer netns device is released, unreg event is triggered > 4. unreg event is ignored because netns is going down > 5. pre_exit hook calls nft_netdev_unregister_hooks but device memory > might be free'd already. Applied to nf, thanks
