Re: [PATCH] netfilter: nft_tunnel: fix use-after-free on object destroy

Next message: Chen-Yu Tsai: "Re: [PATCH RFC 00/12] arm64: mediatek: Add M.2 E-key slot on Chromebooks"
Previous message: Lucas Faria Mendes: "[PATCH] vme_user: tighten slave window bounds and validate offsets"
In reply to: Tristan Madani: "[PATCH] netfilter: nft_tunnel: fix use-after-free on object destroy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Fernando Fernandez Mancera

Date: Wed May 27 2026 - 17:19:24 EST

On 5/27/26 3:57 PM, Tristan Madani wrote:

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

Reviewed-by: Fernando Fernandez Mancera <fmancera@xxxxxxx>

Thanks!