Patch "netfilter: nf_tables: release flow rule object from commit path" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 5 Nov 2022 09:29:00 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: release flow rule object from commit path

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-release-flow-rule-object-from-co.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 10f5188b3f8660690be88fb9ec220f199d18044c
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Wed Oct 26 09:54:45 2022 +0200

    netfilter: nf_tables: release flow rule object from commit path
    
    [ Upstream commit 26b5934ff4194e13196bedcba373cd4915071d0e ]
    
    No need to postpone this to the commit release path, since no packets
    are walking over this object, this is accessed from control plane only.
    This helped uncovered UAF triggered by races with the netlink notifier.
    
    Fixes: 9dd732e0bdf5 ("netfilter: nf_tables: memleak flow rule from commit path")
    Reported-by: syzbot+8f747f62763bc6c32916@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index cc598504bc10..879f4a1a27d5 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8465,9 +8465,6 @@ static void nft_commit_release(struct nft_trans *trans)
 		nf_tables_chain_destroy(&trans->ctx);
 		break;
 	case NFT_MSG_DELRULE:
-		if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
-			nft_flow_rule_destroy(nft_trans_flow_rule(trans));
-
 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
 		break;
 	case NFT_MSG_DELSET:
@@ -8973,6 +8970,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 			nft_rule_expr_deactivate(&trans->ctx,
 						 nft_trans_rule(trans),
 						 NFT_TRANS_COMMIT);
+
+			if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
+				nft_flow_rule_destroy(nft_trans_flow_rule(trans));
 			break;
 		case NFT_MSG_NEWSET:
 			nft_clear(net, nft_trans_set(trans));






