In the Linux kernel, the following vulnerability has been resolved:
ila: call nfunregisternet_hooks() sooner
syzbot found an use-after-free Read in ilanfinput [1]
Issue here is that ilaxlatexitnet() frees the rhashtable, then call nfunregisternethooks().
It should be done in the reverse way, with a synchronize_rcu().
This is a good match for a pre_exit() method.
[1] BUG: KASAN: use-after-free in rhtkeyhashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in _rhashtablelookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtablelookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtablelookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:93 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:119 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x169/0x550 mm/kasan/report.c:488 kasanreport+0x143/0x180 mm/kasan/report.c:601 rhtkeyhashfn include/linux/rhashtable.h:159 [inline] _rhashtablelookup include/linux/rhashtable.h:604 [inline] rhashtablelookup include/linux/rhashtable.h:646 [inline] rhashtablelookupfast+0x77a/0x9b0 include/linux/rhashtable.h:672 ilalookupwildcards net/ipv6/ila/ilaxlat.c:132 [inline] ilaxlataddr net/ipv6/ila/ilaxlat.c:652 [inline] ilanfinput+0x1fe/0x3c0 net/ipv6/ila/ilaxlat.c:190 nfhookentryhookfn include/linux/netfilter.h:154 [inline] nfhookslow+0xc3/0x220 net/netfilter/core.c:626 nfhook include/linux/netfilter.h:269 [inline] NFHOOK+0x29e/0x450 include/linux/netfilter.h:312 _netifreceiveskbonecore net/core/dev.c:5661 [inline] _netifreceiveskb+0x1ea/0x650 net/core/dev.c:5775 processbacklog+0x662/0x15b0 net/core/dev.c:6108 _napipoll+0xcb/0x490 net/core/dev.c:6772 napipoll net/core/dev.c:6841 [inline] netrxaction+0x89b/0x1240 net/core/dev.c:6963 handlesoftirqs+0x2c4/0x970 kernel/softirq.c:554 runksoftirqd+0xca/0x130 kernel/softirq.c:928 smpbootthreadfn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>
The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) pagetype: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected pageowner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfpmask 0x52dc0(GFPKERNEL|GFPNOWARN|GFPNORETRY|GFPCOMP|GFPZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, freets 618981657187 setpageowner include/linux/pageowner.h:32 [inline] postallochook+0x1f3/0x230 mm/pagealloc.c:1493 prepnewpage mm/pagealloc.c:1501 [inline] getpagefromfreelist+0x2e4c/0x2f10 mm/pagealloc.c:3439 allocpagesnoprof+0x256/0x6c0 mm/pagealloc.c:4695 _allocpagesnodenoprof include/linux/gfp.h:269 [inline] allocpagesnodenoprof include/linux/gfp.h:296 [inline] kmalloclargenode+0x8b/0x1d0 mm/slub.c:4103 _kmalloclargenodenoprof+0x1a/0x80 mm/slub.c:4130 _dokmallocnode mm/slub.c:4146 [inline] _kmallocnodenoprof+0x2d2/0x440 mm/slub.c:4164 _kvmallocnodenoprof+0x72/0x190 mm/util.c:650 buckettablealloc lib/rhashtable.c:186 [inline] rhashtableinitnoprof+0x534/0xa60 lib/rhashtable.c:1071 ilaxlatinitnet+0xa0/0x110 net/ipv6/ila/ilaxlat.c:613 ops_ini ---truncated---