On Thu, Oct 10, 2024 at 6:34 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
> Read of size 8 at addr ffff8880106fe400 by task repro/72=
> bpf_nf_link_release+0xda/0x1e0
> bpf_link_free+0x139/0x2d0
> bpf_link_release+0x68/0x80
> __fput+0x414/0xb60
>
> Eric says:
> It seems that bpf was able to defer the __nf_unregister_net_hook()
> after exit()/close() time.
> Perhaps a netns reference is missing, because the netns has been
> dismantled/freed already.
> bpf_nf_link_attach() does :
> link->net = net;
> But I do not see a reference being taken on net.
>
> Add such a reference and release it after hook unreg.
> Note that I was unable to get syzbot reproducer to work, so I
> do not know if this resolves this splat.
>
> Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
> Diagnosed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
> Reported-by: Lai, Yi <yi1.lai@xxxxxxxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

SGTM, thanks !

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>