In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: skip netdev events generated on netns removal
syzbot reported following (harmless) WARN:
WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468 nftnetdevunregisterhooks net/netfilter/nftablesapi.c:230 [inline] nftablesunregisterhook include/net/netfilter/nftables.h:1090 [inline] _nftreleasebasechain+0x138/0x640 net/netfilter/nftablesapi.c:9524 nftnetdevevent net/netfilter/nftchainfilter.c:351 [inline] nftablesnetdevevent+0x521/0x8a0 net/netfilter/nftchain_filter.c:382
reproducer: unshare -n bash -c 'ip link add br0 type bridge; nft add table netdev t ; \ nft add chain netdev t ingress { type filter hook ingress device "br0" \ priority 0\; policy drop\; }'
Problem is that when netns device exit hooks create the UNREGISTER event, the .preexit hook for nftables core has already removed the base hook. Notifier attempts to do this again.
The need to do base hook unregister unconditionally was needed in the past, because notifier was last stage where reg->dev dereference was safe.
Now that nftables does the hook removal in .preexit, this isn't needed anymore.