[PATCH] netfilter: nft_tunnel: fix use-after-free on object destroy

Tristan Madani posted 1 patch 1 week, 5 days ago
net/netfilter/nft_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Posted by Tristan Madani 1 week, 5 days ago
From: Tristan Madani <tristan@talencesecurity.com>

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 net/netfilter/nft_tunnel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 0b987bc2132ae..68f7cfbbee063 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -676,7 +676,7 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx,
 {
 	struct nft_tunnel_obj *priv = nft_obj_data(obj);
 
-	metadata_dst_free(priv->md);
+	dst_release(&priv->md->dst);
 }
 
 static struct nft_object_type nft_tunnel_obj_type;
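Review bot: the new `dst_release(&priv->md->dst);` line carries no comment explaining why an unconditional metadata_dst_free() is wrong here, and the old call is the obvious thing for a future reader to "restore", so a one-line comment above the release (for example, "skbs queued from nft_tunnel_obj_eval() may still hold a ref; dst_destroy() frees the md once the last one drops") would protect the fix. The hunk shows only the release side of the pairing: confirm in review (the init path is not in the diff) that the allocation-time reference on priv->md is still held when nft_tunnel_obj_destroy() runs, otherwise dst_release() here underflows the refcount instead of freeing.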
-- 
2.47.3
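To make the refcount reasoning in the commit message concrete, here is a small userspace model of the bug and the fix. This is added illustration code, not kernel code and not part of the patch: `mock_dst_*`, `mock_queue`, `obj_eval`, `obj_destroy_buggy`, `obj_destroy_fixed` and `run_scenario` are stand-ins for struct dst_entry / metadata_dst, a qdisc holding skbs, and nft_tunnel_obj_eval()/nft_tunnel_obj_destroy(). The "free" keeps the memory and only marks it dead (as a KASAN quarantine would) so the later release can be observed instead of being undefined behaviour.

```c
/* Constructed model of the nft_tunnel refcount bug; not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct mock_dst {
	int refcnt;	/* models the dst refcount; the owning object starts at 1 */
	int alive;	/* 1 while allocated; 0 once torn down */
};

struct mock_metadata_dst {
	struct mock_dst dst;
	unsigned int tun_id;
};

#define QLEN 8
struct mock_skb { struct mock_metadata_dst *md; };
struct mock_queue { struct mock_skb pkts[QLEN]; int n; };

struct scenario_result {
	int frees;	/* times the md was actually torn down (expect exactly 1) */
	int uaf_hits;	/* releases that touched an already-freed md (expect 0) */
};

static struct scenario_result g_res;

/* Models metadata_dst_alloc(): the owner holds one reference from the start. */
static struct mock_metadata_dst *mock_md_alloc(unsigned int tun_id)
{
	struct mock_metadata_dst *md = calloc(1, sizeof(*md));
	if (!md)
		abort();
	md->dst.refcnt = 1;
	md->dst.alive = 1;
	md->tun_id = tun_id;
	return md;
}

/* Models dst_destroy() for a DST_METADATA dst: the only legitimate teardown.
 * Memory is kept (alive = 0) so misuse afterwards is observable. */
static void mock_dst_destroy(struct mock_dst *dst)
{
	dst->alive = 0;
	g_res.frees++;
}

static void mock_dst_hold(struct mock_dst *dst)
{
	dst->refcnt++;
}

/* Models dst_release(): teardown happens only when the last holder lets go. */
static void mock_dst_release(struct mock_dst *dst)
{
	if (!dst->alive) {	/* the use-after-free the patch fixes */
		g_res.uaf_hits++;
		return;
	}
	if (--dst->refcnt == 0)
		mock_dst_destroy(dst);
}

/* Models nft_tunnel_obj_eval(): each packet takes its own reference. */
static void obj_eval(struct mock_metadata_dst *md, struct mock_queue *q)
{
	if (q->n >= QLEN)
		abort();
	mock_dst_hold(&md->dst);
	q->pkts[q->n++].md = md;
}

/* Models the queued packets leaving the qdisc later, each dropping its ref. */
static void dequeue_all(struct mock_queue *q)
{
	for (int i = 0; i < q->n; i++)
		mock_dst_release(&q->pkts[i].md->dst);
	q->n = 0;
}

/* Buggy teardown, modelling metadata_dst_free(): frees regardless of refs. */
static void obj_destroy_buggy(struct mock_metadata_dst *md)
{
	mock_dst_destroy(&md->dst);
}

/* Fixed teardown, modelling the patch: drop only the owner's reference. */
static void obj_destroy_fixed(struct mock_metadata_dst *md)
{
	mock_dst_release(&md->dst);
}

/* Alloc, queue npkts packets, destroy the object, then drain the queue. */
struct scenario_result run_scenario(int fixed, int npkts)
{
	struct mock_queue q = { .n = 0 };
	struct mock_metadata_dst *md = mock_md_alloc(42);

	g_res.frees = 0;
	g_res.uaf_hits = 0;
	for (int i = 0; i < npkts; i++)
		obj_eval(md, &q);
	if (fixed)
		obj_destroy_fixed(md);
	else
		obj_destroy_buggy(md);
	dequeue_all(&q);	/* packets dequeue after the object is gone */
	free(md);
	return g_res;
}

int main(void)
{
	struct scenario_result bug = run_scenario(0, 3);
	struct scenario_result fix = run_scenario(1, 3);

	printf("buggy: frees=%d uaf_hits=%d\n", bug.frees, bug.uaf_hits);
	printf("fixed: frees=%d uaf_hits=%d\n", fix.frees, fix.uaf_hits);
	return 0;
}
```

With three packets queued, the buggy path tears the md down once at object destroy and every later dequeue touches dead memory, while the fixed path leaves the md alive until the third dequeue drops the last reference, which is exactly the ordering the commit message relies on.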
Re: [PATCH] netfilter: nft_tunnel: fix use-after-free on object destroy
Posted by Fernando Fernandez Mancera 1 week, 4 days ago
On 5/27/26 3:57 PM, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
> 
> nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
> kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
> that took a reference via dst_hold() in nft_tunnel_obj_eval() and
> are still queued (e.g. in a netem qdisc) are left with a dangling
> pointer. When these packets are eventually dequeued, dst_release()
> operates on freed memory.
> 
> Replace metadata_dst_free() with dst_release() so the metadata_dst
> is freed only after all references are dropped. The dst subsystem
> already handles metadata_dst cleanup in dst_destroy() when
> DST_METADATA is set.
> 
> Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>

Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>

Thanks!