Commit c32b26aa authored May 27, 2026 by Tristan Madani Committed by Pablo Neira Ayuso Jun 01, 2026

netfilter: nft_tunnel: fix use-after-free on object destroy



nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Fixes: af308b94 ("netfilter: nf_tables: add tunnel support")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 66eba0ff

net/netfilter/nft_tunnel.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -676,7 +676,7 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx,
		{
		struct nft_tunnel_obj *priv = nft_obj_data(obj);

		metadata_dst_free(priv->md);
		dst_release(&priv->md->dst);
		}

		static struct nft_object_type nft_tunnel_obj_type;