In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
syzbot reported that nf_reinject() could be called without rcu_read_lock():
WARNING: suspicious RCU usage 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted
net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.4/13427:
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172
stack backtrace:
CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]
nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397
nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]
instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172
rcu_do_batch kernel/rcu/tree.c:2196 [inline]
rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471
handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
{ "vanir_signatures": [ { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-0ce9a3db", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@215df6490e208bfdd5b3012f5075e7f8736f3e7a" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": "CVE-2024-36286-140e9e1b", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68f40354a3851df46c27be96b84f11ae193e36c5" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-14e85d08", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25ea5377e3d2921a0f96ae2551f5ab1b36825dd4" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": "CVE-2024-36286-337c36dc", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e01065b339e323b3dfa1be217fd89e9b3208b0ab" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": 
"CVE-2024-36286-36ad3337", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8658bd777cbfcb0c13df23d0ea120e70517761b9" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-399db750", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3989b817857f4890fab9379221a9d3f52bf5c256" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-3fb8e3ab", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68f40354a3851df46c27be96b84f11ae193e36c5" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-699644e0", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8658bd777cbfcb0c13df23d0ea120e70517761b9" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": "CVE-2024-36286-7ce931c8", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], 
"threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dc21c6cc3d6986d938efbf95de62473982c98dec" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": "CVE-2024-36286-94d6180a", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25ea5377e3d2921a0f96ae2551f5ab1b36825dd4" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-9b8d6396", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dc21c6cc3d6986d938efbf95de62473982c98dec" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": "CVE-2024-36286-aca99373", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3989b817857f4890fab9379221a9d3f52bf5c256" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": "CVE-2024-36286-c0984da5", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], "threshold": 0.9 }, "deprecated": false, "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f365564af898819a523f1a8cf5c6ce053e9f718" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-e5cabbc8", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e01065b339e323b3dfa1be217fd89e9b3208b0ab" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "net/netfilter/nfnetlink_queue.c", "function": "instance_destroy_rcu" }, "id": "CVE-2024-36286-e910acd0", "digest": { "length": 207.0, "function_hash": "96014690597644284162762107896486786444" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f365564af898819a523f1a8cf5c6ce053e9f718" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "net/netfilter/nfnetlink_queue.c" }, "id": "CVE-2024-36286-ecf53d09", "digest": { "line_hashes": [ "218305052673350981761579959462504620661", "190496730936634318772955106558894077273", "102526320493044357462962451638988307895", "220303481875693436246933312030032139877" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@215df6490e208bfdd5b3012f5075e7f8736f3e7a" } ] }