DF-0513
Rule-chain mutation raced with concurrent ip6_fw_chk: lock-free linked list + kfree after crit_exit -> UAF on SMP
Summary
ip6_fw_chain is a global singly-linked list consumed LOCK-FREE by ip6_fw_chk (called from ip6_input/ip6_output on any CPU). It is mutated by add/del/zero/flush/GET under only crit_enter/crit_exit, which masks interrupts on the CURRENT CPU only and gives no SMP serialization. del_entry6 (:912-916) and FLUSH (:1130-1134) call kfree AFTER crit_exit. The IPV6_FW_GET (:1106) and ZERO (:945) walkers hold NO crit at all. A thread running ip6_fw_chk on CPU A holding chain/f pointers while CPU B frees that rule -> UAF. The SKIPTO inner loop (:741-744) derefs chain->next->rule on a node whose neighbors were just unlinked/freed. No refcount, no token, no RCU. Practical: flood IPv6 pkts during a rule edit. Fix: a dedicated mutex/token held across the entire chk iteration AND the del+flush kfree; or refcount + deferred free.
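Added example, not DragonFly code: a single-threaded C model of the second fix named above, refcount + deferred free. ip6_fw_chk brackets its walk (SKIPTO loop included) with a reader count, the del_entry6 replacement unlinks the node but parks it on a zombie list, and the free runs only once no walk is in flight. Struct shapes, function names and the gc_next link are assumptions; in real code the reader count would be atomic and mutators would still take a lock among themselves.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Single-threaded model of the ip6_fw rule chain; struct shapes and the gc_next link are assumed. */
enum { ACT_DENY, ACT_ACCEPT, ACT_SKIPTO };
struct rule  { int number, action, skip_to; long pkts; };
struct chain { struct chain *next, *gc_next; struct rule *rule; };
static struct chain *ip6_fw_chain;    /* live chain, walked by ip6_fw_chk without a lock */
static struct chain *ip6_fw_zombies;  /* unlinked nodes whose kfree is deferred, linked via gc_next */
static int ip6_fw_readers;            /* walks in flight; an atomic counter in real code */
/* Free zombies only when no walk can still hold a pointer to one. */
static void ip6_fw_reclaim(void) {
    if (ip6_fw_readers) return;
    for (struct chain *z = ip6_fw_zombies, *nx; z; z = nx) { nx = z->gc_next; free(z->rule); free(z); }
    ip6_fw_zombies = NULL;
}
void ip6_fw_reader_enter(void) { ip6_fw_readers++; }
void ip6_fw_reader_exit(void)  { if (--ip6_fw_readers == 0) ip6_fw_reclaim(); }
/* ip6_fw_chk as in the report, but bracketed by reader_enter/exit instead of crit_enter/crit_exit. */
int ip6_fw_chk(void) {
    int verdict = ACT_DENY; ip6_fw_reader_enter();
    for (struct chain *c = ip6_fw_chain; c; c = c->next) {
        struct rule *f = c->rule; f->pkts++;
        if (f->action == ACT_SKIPTO) {    /* SKIPTO inner loop: c->next->rule is never a freed node */
            while (c->next && c->next->rule->number < f->skip_to) c = c->next;
            continue;
        }
        verdict = f->action; break;
    }
    ip6_fw_reader_exit(); return verdict;
}
/* Sorted insert. Mutators still serialize among themselves (a mutex in real code, omitted here). */
void ip6_fw_add(int number, int action, int skip_to) {
    struct chain *n = calloc(1, sizeof *n); n->rule = calloc(1, sizeof *n->rule);
    n->rule->number = number; n->rule->action = action; n->rule->skip_to = skip_to;
    struct chain **pp = &ip6_fw_chain;
    while (*pp && (*pp)->rule->number < number) pp = &(*pp)->next;
    n->next = *pp; *pp = n;               /* next is filled before the node is published to readers */
}
/* del_entry6 replacement: unlink now, free later. The zombie keeps its next pointer, so a walk
 * parked on it still reaches the rest of the chain, and its memory lives until readers drain. */
bool ip6_fw_del(int number) {
    for (struct chain **pp = &ip6_fw_chain; *pp; pp = &(*pp)->next)
        if ((*pp)->rule->number == number) {
            struct chain *v = *pp; *pp = v->next;
            v->gc_next = ip6_fw_zombies; ip6_fw_zombies = v;
            ip6_fw_reclaim();             /* frees immediately if nothing is walking */
            return true;
        }
    return false;
}
```

Under a sustained packet flood the plain counter may never drop to zero and zombies pile up, so a production version needs a real grace-period mechanism rather than this all-readers-idle check.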