CVE-2021-47106

In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() We
need to use list_for_each_entry_safe() iterator because we can not access
@catchall after kfree_rcu() call. syzbot reported: BUG: KASAN:
use-after-free in nft_set_catchall_destroy
net/netfilter/nf_tables_api.c:4486 [inline] BUG: KASAN: use-after-free in
nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] BUG: KASAN:
use-after-free in nft_set_destroy+0x3fd/0x4f0
net/netfilter/nf_tables_api.c:4493 Read of size 8 at addr ffff8880716e5b80
by task syz-executor.3/8871 CPU: 1 PID: 8871 Comm: syz-executor.3 Not
tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute
Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK>
__dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134
lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x2ed
mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 nft_set_catchall_destroy
net/netfilter/nf_tables_api.c:4486 [inline] nft_set_destroy
net/netfilter/nf_tables_api.c:4504 [inline] nft_set_destroy+0x3fd/0x4f0
net/netfilter/nf_tables_api.c:4493 __nft_release_table+0x79f/0xcd0
net/netfilter/nf_tables_api.c:9626 nft_rcv_nl_event+0x4f8/0x670
net/netfilter/nf_tables_api.c:9688 notifier_call_chain+0xb5/0x200
kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:318
[inline] blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306
netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788
__sock_release+0xcd/0x280 net/socket.c:649 sock_close+0x18/0x20
net/socket.c:1314 __fput+0x286/0x9f0 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume
include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop
kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290
kernel/entry/common.c:207 __syscall_exit_to_user_mode_work
kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60
kernel/entry/common.c:300 do_syscall_64+0x42/0xb0
arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP:
0033:0x7f75fbf28adb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48
83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f
05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP:
002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX:
0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb RDX:
00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003 RBP:
00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830 R10:
00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3 R13:
00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032 </TASK>
Allocated by task 8886: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info
mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513
[inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522 kasan_kmalloc
include/linux/kasan.h:269 [inline] kmem_cache_alloc_trace+0x1ea/0x4a0
mm/slab.c:3575 kmalloc include/linux/slab.h:590 [inline]
nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline]
nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline]
nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936
nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032
nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/ —truncated—

Notes