[PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[xietangxin]

A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
and the device's IFF_XMIT_DST_RELEASE flag is cleared
(e.g., during the configuration of tc route filter rules).

When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
expects the driver to hold the reference to skb->dst until the packet
is fully transmitted and freed. In virtio_net with napi_tx=N,
skbs may remain in the virtio transmit ring for an extended period.

If the network namespace is destroyed while these skbs are still pending,
the corresponding dst_ops structure has freed. When a subsequent packet
is transmitted, free_old_xmit() is triggered to clean up old skbs.
It then calls dst_release() on the skb associated with the stale dst_entry.
Since the dst_ops (referenced by the dst_entry) has already been freed,
a UAF kernel paging request occurs.

fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
the dst reference before the skb is queued in virtio_net.

Call Trace:
 Unable to handle kernel paging request at virtual address ffff80007e150000
 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
  ...
  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
  dst_release+0xe0/0x110  net/core/dst.c:177
  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]
  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
  ...

Reproduction Steps:
NETDEV="enp3s0"

config_qdisc_route_filter() {
    tc qdisc del dev $NETDEV root
    tc qdisc add dev $NETDEV root handle 1: prio
    tc filter add dev $NETDEV parent 1:0 \
	protocol ip prio 100 route to 100 flowid 1:1
    ip route add 192.168.1.100/32 dev $NETDEV realm 100
}

test_ns() {
    ip netns add testns
    ip link set $NETDEV netns testns
    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24
    ip netns exec testns ping -c 1 10.0.32.1
    ip netns del testns
}

config_qdisc_route_filter

test_ns
sleep 2
test_ns

Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
Cc: stable@vger.kernel.org
Signed-off-by: xietangxin <xietangxin@yeah.net>
---
change in v2: add cc stable and fix tag

v1: https://lore.kernel.org/all/20260307035110.7121-1-xietangxin@yeah.net/
---
 drivers/net/virtio_net.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 72d6a9c6a..5b13a61b3 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3351,6 +3351,7 @@ static netdev_tx_t start_xmit(struct sk_buff *skb, struct net_device *dev)
 	/* Don't wait up for transmitted skbs to be freed. */
 	if (!use_napi) {
 		skb_orphan(skb);
+		skb_dst_drop(skb);
 		nf_reset_ct(skb);
 	}
 
-- 
2.43.0

[PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[xietangxin]

A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
and the device's IFF_XMIT_DST_RELEASE flag is cleared
(e.g., during the configuration of tc route filter rules).

When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
expects the driver to hold the reference to skb->dst until the packet
is fully transmitted and freed. In virtio_net with napi_tx=N,
skbs may remain in the virtio transmit ring for an extended period.

If the network namespace is destroyed while these skbs are still pending,
the corresponding dst_ops structure has freed. When a subsequent packet
is transmitted, free_old_xmit() is triggered to clean up old skbs.
It then calls dst_release() on the skb associated with the stale dst_entry.
Since the dst_ops (referenced by the dst_entry) has already been freed,
a UAF kernel paging request occurs.

fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
the dst reference before the skb is queued in virtio_net.

Call Trace:
 Unable to handle kernel paging request at virtual address ffff80007e150000
 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
  ...
  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
  dst_release+0xe0/0x110  net/core/dst.c:177
  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]
  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
  ...

Reproduction Steps:
NETDEV="enp3s0"

config_qdisc_route_filter() {
    tc qdisc del dev $NETDEV root
    tc qdisc add dev $NETDEV root handle 1: prio
    tc filter add dev $NETDEV parent 1:0 \
	protocol ip prio 100 route to 100 flowid 1:1
    ip route add 192.168.1.100/32 dev $NETDEV realm 100
}

test_ns() {
    ip netns add testns
    ip link set $NETDEV netns testns
    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24
    ip netns exec testns ping -c 1 10.0.32.1
    ip netns del testns
}

config_qdisc_route_filter

test_ns
sleep 2
test_ns

Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
Cc: stable@vger.kernel.org
Signed-off-by: xietangxin <xietangxin@yeah.net>
---
change in v2: add cc stable and fix tag

v1: https://lore.kernel.org/all/20260307035110.7121-1-xietangxin@yeah.net/
---
 drivers/net/virtio_net.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 72d6a9c6a..5b13a61b3 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3351,6 +3351,7 @@ static netdev_tx_t start_xmit(struct sk_buff *skb, struct net_device *dev)
 	/* Don't wait up for transmitted skbs to be freed. */
 	if (!use_napi) {
 		skb_orphan(skb);
+		skb_dst_drop(skb);
 		nf_reset_ct(skb);
 	}
 
-- 
2.43.0

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[Jakub Kicinski]

On Thu, 12 Mar 2026 10:54:06 +0800 xietangxin wrote:
> Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
> Cc: stable@vger.kernel.org
> Signed-off-by: xietangxin <xietangxin@yeah.net>

The Fixes tag should be:

Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support") 

please fix and repost
-- 
pw-bot: cr

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[Eric Dumazet]

On Sat, Mar 14, 2026 at 8:40 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 12 Mar 2026 10:54:06 +0800 xietangxin wrote:
> > Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: xietangxin <xietangxin@yeah.net>
>
> The Fixes tag should be:
>
> Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support")

I disagree

What was the situation before this patch ?

I think virtio_net has been able to hold skbs way before
IFF_XMIT_DST_RELEASE has been invented.

Some archeology :

commit 93f154b594fe47e4a7e5358b309add449a046cd3
Author: Eric Dumazet <dada1@cosmosbay.com>
Date:   Mon May 18 22:19:19 2009 -0700

    net: release dst entry in dev_hard_start_xmit()

But really at that time struct dst_ops was not per netns

The bug came when each netns got a copy of "stuct dst_ops"

Not sure if 'fixing' virtio_net is enough. We really need to check all
other drivers that might hold skb with dst for more than an RCU grace
period.

Or... not count dst anymore. What is the point anyway ?

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[Jakub Kicinski]

On Sat, 14 Mar 2026 21:11:33 +0100 Eric Dumazet wrote:
> > On Thu, 12 Mar 2026 10:54:06 +0800 xietangxin wrote:  
> > > Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: xietangxin <xietangxin@yeah.net>  
> >
> > The Fixes tag should be:
> >
> > Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support")  
> 
> I disagree
> 
> What was the situation before this patch ?

My thinking process was that it's fairly unusual that the dst is kept
because the stack decided so. Normally its the device driver that asks
for dst to be kept when its xmit is called. I thought 0287587884b1 was
the first time when stack could make the dst decision behind device
driver's back. But my analysis was very shallow, could well be wrong.

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[xietangxin]

On 3/15/2026 9:12 AM, Jakub Kicinski wrote:
> On Sat, 14 Mar 2026 21:11:33 +0100 Eric Dumazet wrote:
>>> On Thu, 12 Mar 2026 10:54:06 +0800 xietangxin wrote:  
>>>> Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
>>>> Cc: stable@vger.kernel.org
>>>> Signed-off-by: xietangxin <xietangxin@yeah.net>  
>>>
>>> The Fixes tag should be:
>>>
>>> Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support")  
>>
>> I disagree
>>
>> What was the situation before this patch ?
> 
> My thinking process was that it's fairly unusual that the dst is kept
> because the stack decided so. Normally its the device driver that asks
> for dst to be kept when its xmit is called. I thought 0287587884b1 was
> the first time when stack could make the dst decision behind device
> driver's back. But my analysis was very shallow, could well be wrong.
Hi Jakub and Eric,

Thank you both for this deep dive.

As Eric noted, the root cause is architectural (the per-netns dst_ops),
but virtio_net with napi_tx=N seems to be a particularly vulnerable trigger.

I have verified that the TUN driver is not affected (discussed in v1 [1])
because its lifecycle management of skbs is different.
However, I haven't check other drivers that might also defer skb freeing.

Should I wait for a consensus on a more generic fix in the network core,
or would it be acceptable to land this targeted fix for virtio_net first
to address the immediate UAF?

[1] https://lore.kernel.org/all/4b8a6182-da50-4edb-a34a-b75ed784f1e2@yeah.net/

Best regards,
Tangxin Xie

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[Xuan Zhuo]

On Thu, 12 Mar 2026 10:54:06 +0800, xietangxin <xietangxin@yeah.net> wrote:
> A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
> and the device's IFF_XMIT_DST_RELEASE flag is cleared
> (e.g., during the configuration of tc route filter rules).
>
> When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
> expects the driver to hold the reference to skb->dst until the packet
> is fully transmitted and freed. In virtio_net with napi_tx=N,
> skbs may remain in the virtio transmit ring for an extended period.
>
> If the network namespace is destroyed while these skbs are still pending,
> the corresponding dst_ops structure has freed. When a subsequent packet
> is transmitted, free_old_xmit() is triggered to clean up old skbs.
> It then calls dst_release() on the skb associated with the stale dst_entry.
> Since the dst_ops (referenced by the dst_entry) has already been freed,
> a UAF kernel paging request occurs.

Sorry, this sounds a bit off to me. We know that napi_tx=N merely prolongs the
presence of the skb on the device side. However, even without napi_tx=N, there
is no guarantee that the skb will be freed within any specific timeframe.
Therefore, napi_tx=N just makes the issue more reproducible; it is not the root
cause. Also, I'm surprised that the dst could be freed while it is still
referenced/held. I have a feeling that something is being overlooked here.

Thanks.

>
> fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
> the dst reference before the skb is queued in virtio_net.
>
> Call Trace:
>  Unable to handle kernel paging request at virtual address ffff80007e150000
>  CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
>   ...
>   percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
>   dst_release+0xe0/0x110  net/core/dst.c:177
>   skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
>   sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
>   dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
>   napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
>   __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]
>   free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
>   start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
>   ...
>
> Reproduction Steps:
> NETDEV="enp3s0"
>
> config_qdisc_route_filter() {
>     tc qdisc del dev $NETDEV root
>     tc qdisc add dev $NETDEV root handle 1: prio
>     tc filter add dev $NETDEV parent 1:0 \
> 	protocol ip prio 100 route to 100 flowid 1:1
>     ip route add 192.168.1.100/32 dev $NETDEV realm 100
> }
>
> test_ns() {
>     ip netns add testns
>     ip link set $NETDEV netns testns
>     ip netns exec testns ifconfig $NETDEV  10.0.32.46/24
>     ip netns exec testns ping -c 1 10.0.32.1
>     ip netns del testns
> }
>
> config_qdisc_route_filter
>
> test_ns
> sleep 2
> test_ns
>
> Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
> Cc: stable@vger.kernel.org
> Signed-off-by: xietangxin <xietangxin@yeah.net>
> ---
> change in v2: add cc stable and fix tag
>
> v1: https://lore.kernel.org/all/20260307035110.7121-1-xietangxin@yeah.net/
> ---
>  drivers/net/virtio_net.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
> index 72d6a9c6a..5b13a61b3 100644
> --- a/drivers/net/virtio_net.c
> +++ b/drivers/net/virtio_net.c
> @@ -3351,6 +3351,7 @@ static netdev_tx_t start_xmit(struct sk_buff *skb, struct net_device *dev)
>  	/* Don't wait up for transmitted skbs to be freed. */
>  	if (!use_napi) {
>  		skb_orphan(skb);
> +		skb_dst_drop(skb);
>  		nf_reset_ct(skb);
>  	}
>
> --
> 2.43.0
>

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[Eric Dumazet]

On Tue, Mar 24, 2026 at 12:11 AM Xuan Zhuo <xuanzhuo@linux.alibaba.com> wrote:
>
> On Thu, 12 Mar 2026 10:54:06 +0800, xietangxin <xietangxin@yeah.net> wrote:
> > A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
> > and the device's IFF_XMIT_DST_RELEASE flag is cleared
> > (e.g., during the configuration of tc route filter rules).
> >
> > When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
> > expects the driver to hold the reference to skb->dst until the packet
> > is fully transmitted and freed. In virtio_net with napi_tx=N,
> > skbs may remain in the virtio transmit ring for an extended period.
> >
> > If the network namespace is destroyed while these skbs are still pending,
> > the corresponding dst_ops structure has freed. When a subsequent packet
> > is transmitted, free_old_xmit() is triggered to clean up old skbs.
> > It then calls dst_release() on the skb associated with the stale dst_entry.
> > Since the dst_ops (referenced by the dst_entry) has already been freed,
> > a UAF kernel paging request occurs.
>
> Sorry, this sounds a bit off to me. We know that napi_tx=N merely prolongs the
> presence of the skb on the device side. However, even without napi_tx=N, there
> is no guarantee that the skb will be freed within any specific timeframe.
> Therefore, napi_tx=N just makes the issue more reproducible; it is not the root
> cause. Also, I'm surprised that the dst could be freed while it is still
> referenced/held. I have a feeling that something is being overlooked here.
>
> Thanks.
>
> >
> > fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
> > the dst reference before the skb is queued in virtio_net.
> >
> > Call Trace:
> >  Unable to handle kernel paging request at virtual address ffff80007e150000
> >  CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
> >   ...
> >   percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
> >   dst_release+0xe0/0x110  net/core/dst.c:177
> >   skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
> >   sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
> >   dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
> >   napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
> >   __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]
> >   free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
> >   start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
> >   ...
> >
> > Reproduction Steps:
> > NETDEV="enp3s0"
> >
> > config_qdisc_route_filter() {
> >     tc qdisc del dev $NETDEV root
> >     tc qdisc add dev $NETDEV root handle 1: prio
> >     tc filter add dev $NETDEV parent 1:0 \
> >       protocol ip prio 100 route to 100 flowid 1:1
> >     ip route add 192.168.1.100/32 dev $NETDEV realm 100
> > }
> >
> > test_ns() {
> >     ip netns add testns
> >     ip link set $NETDEV netns testns
> >     ip netns exec testns ifconfig $NETDEV  10.0.32.46/24
> >     ip netns exec testns ping -c 1 10.0.32.1
> >     ip netns del testns
> > }
> >
> > config_qdisc_route_filter
> >
> > test_ns
> > sleep 2
> > test_ns

I took a stab at this, please look at

https://lore.kernel.org/netdev/20260324073750.1500328-1-edumazet@google.com/T/#u

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[Xuan Zhuo]

On Tue, 24 Mar 2026 00:46:27 -0700, Eric Dumazet <edumazet@google.com> wrote:
> On Tue, Mar 24, 2026 at 12:11 AM Xuan Zhuo <xuanzhuo@linux.alibaba.com> wrote:
> >
> > On Thu, 12 Mar 2026 10:54:06 +0800, xietangxin <xietangxin@yeah.net> wrote:
> > > A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
> > > and the device's IFF_XMIT_DST_RELEASE flag is cleared
> > > (e.g., during the configuration of tc route filter rules).
> > >
> > > When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
> > > expects the driver to hold the reference to skb->dst until the packet
> > > is fully transmitted and freed. In virtio_net with napi_tx=N,
> > > skbs may remain in the virtio transmit ring for an extended period.
> > >
> > > If the network namespace is destroyed while these skbs are still pending,
> > > the corresponding dst_ops structure has freed. When a subsequent packet
> > > is transmitted, free_old_xmit() is triggered to clean up old skbs.
> > > It then calls dst_release() on the skb associated with the stale dst_entry.
> > > Since the dst_ops (referenced by the dst_entry) has already been freed,
> > > a UAF kernel paging request occurs.
> >
> > Sorry, this sounds a bit off to me. We know that napi_tx=N merely prolongs the
> > presence of the skb on the device side. However, even without napi_tx=N, there
> > is no guarantee that the skb will be freed within any specific timeframe.
> > Therefore, napi_tx=N just makes the issue more reproducible; it is not the root
> > cause. Also, I'm surprised that the dst could be freed while it is still
> > referenced/held. I have a feeling that something is being overlooked here.
> >
> > Thanks.
> >
> > >
> > > fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
> > > the dst reference before the skb is queued in virtio_net.
> > >
> > > Call Trace:
> > >  Unable to handle kernel paging request at virtual address ffff80007e150000
> > >  CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
> > >   ...
> > >   percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
> > >   dst_release+0xe0/0x110  net/core/dst.c:177
> > >   skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
> > >   sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
> > >   dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
> > >   napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
> > >   __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]
> > >   free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
> > >   start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
> > >   ...
> > >
> > > Reproduction Steps:
> > > NETDEV="enp3s0"
> > >
> > > config_qdisc_route_filter() {
> > >     tc qdisc del dev $NETDEV root
> > >     tc qdisc add dev $NETDEV root handle 1: prio
> > >     tc filter add dev $NETDEV parent 1:0 \
> > >       protocol ip prio 100 route to 100 flowid 1:1
> > >     ip route add 192.168.1.100/32 dev $NETDEV realm 100
> > > }
> > >
> > > test_ns() {
> > >     ip netns add testns
> > >     ip link set $NETDEV netns testns
> > >     ip netns exec testns ifconfig $NETDEV  10.0.32.46/24
> > >     ip netns exec testns ping -c 1 10.0.32.1
> > >     ip netns del testns
> > > }
> > >
> > > config_qdisc_route_filter
> > >
> > > test_ns
> > > sleep 2
> > > test_ns
>
> I took a stab at this, please look at
>
> https://lore.kernel.org/netdev/20260324073750.1500328-1-edumazet@google.com/T/#u

I see.

Thanks.

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[Xuan Zhuo]

On Thu, 12 Mar 2026 10:54:06 +0800, xietangxin <xietangxin@yeah.net> wrote:
> A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
> and the device's IFF_XMIT_DST_RELEASE flag is cleared
> (e.g., during the configuration of tc route filter rules).
>
> When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
> expects the driver to hold the reference to skb->dst until the packet
> is fully transmitted and freed. In virtio_net with napi_tx=N,
> skbs may remain in the virtio transmit ring for an extended period.
>
> If the network namespace is destroyed while these skbs are still pending,
> the corresponding dst_ops structure has freed. When a subsequent packet
> is transmitted, free_old_xmit() is triggered to clean up old skbs.
> It then calls dst_release() on the skb associated with the stale dst_entry.
> Since the dst_ops (referenced by the dst_entry) has already been freed,
> a UAF kernel paging request occurs.
>
> fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
> the dst reference before the skb is queued in virtio_net.
>
> Call Trace:
>  Unable to handle kernel paging request at virtual address ffff80007e150000
>  CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
>   ...
>   percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
>   dst_release+0xe0/0x110  net/core/dst.c:177
>   skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
>   sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
>   dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
>   napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
>   __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]
>   free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
>   start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
>   ...
>
> Reproduction Steps:
> NETDEV="enp3s0"
>
> config_qdisc_route_filter() {
>     tc qdisc del dev $NETDEV root
>     tc qdisc add dev $NETDEV root handle 1: prio
>     tc filter add dev $NETDEV parent 1:0 \
> 	protocol ip prio 100 route to 100 flowid 1:1
>     ip route add 192.168.1.100/32 dev $NETDEV realm 100
> }
>
> test_ns() {
>     ip netns add testns
>     ip link set $NETDEV netns testns
>     ip netns exec testns ifconfig $NETDEV  10.0.32.46/24
>     ip netns exec testns ping -c 1 10.0.32.1
>     ip netns del testns
> }
>
> config_qdisc_route_filter
>
> test_ns
> sleep 2
> test_ns
>
> Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
> Cc: stable@vger.kernel.org
> Signed-off-by: xietangxin <xietangxin@yeah.net>

Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>

> ---
> change in v2: add cc stable and fix tag
>
> v1: https://lore.kernel.org/all/20260307035110.7121-1-xietangxin@yeah.net/
> ---
>  drivers/net/virtio_net.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
> index 72d6a9c6a..5b13a61b3 100644
> --- a/drivers/net/virtio_net.c
> +++ b/drivers/net/virtio_net.c
> @@ -3351,6 +3351,7 @@ static netdev_tx_t start_xmit(struct sk_buff *skb, struct net_device *dev)
>  	/* Don't wait up for transmitted skbs to be freed. */
>  	if (!use_napi) {
>  		skb_orphan(skb);
> +		skb_dst_drop(skb);
>  		nf_reset_ct(skb);
>  	}
>
> --
> 2.43.0
>

Re: [PATCH net v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 12 Mar 2026 10:54:06 +0800 you wrote:
> A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
> and the device's IFF_XMIT_DST_RELEASE flag is cleared
> (e.g., during the configuration of tc route filter rules).
> 
> When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
> expects the driver to hold the reference to skb->dst until the packet
> is fully transmitted and freed. In virtio_net with napi_tx=N,
> skbs may remain in the virtio transmit ring for an extended period.
> 
> [...]

Here is the summary with links:
  - [net,v2] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
    https://git.kernel.org/netdev/net/c/ba8bda9a0896

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html