Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

Next message: atwellwea: "[PATCH net-next v2 01/14] tcp: factor receive-memory accounting helpers"
Previous message: kernel test robot: "include/linux/list.h:74:19: warning: storing the address of local variable 'realm_queue' in '*&amp;realm_24(D)-&gt;rebuild_item.prev'"
In reply to: Jakub Kicinski: "Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false"
Next in thread: Jakub Kicinski: "Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Sat Mar 14 2026 - 16:12:20 EST

On Sat, Mar 14, 2026 at 8:40 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Thu, 12 Mar 2026 10:54:06 +0800 xietangxin wrote:
> > Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: xietangxin <xietangxin@xxxxxxxx>
>
> The Fixes tag should be:
>
> Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support")

I disagree

What was the situation before this patch ?

I think virtio_net has been able to hold skbs way before
IFF_XMIT_DST_RELEASE has been invented.

Some archeology :

commit 93f154b594fe47e4a7e5358b309add449a046cd3
Author: Eric Dumazet <dada1@xxxxxxxxxxxxx>
Date: Mon May 18 22:19:19 2009 -0700

net: release dst entry in dev_hard_start_xmit()

But really at that time struct dst_ops was not per netns

The bug came when each netns got a copy of "stuct dst_ops"

Not sure if 'fixing' virtio_net is enough. We really need to check all
other drivers that might hold skb with dst for more than an RCU grace
period.

Or... not count dst anymore. What is the point anyway ?