* Possible UaF bug in netdevice teardown path
@ 2026-06-01 9:13 Florian Westphal
0 siblings, 0 replies; only message in thread
From: Florian Westphal @ 2026-06-01 9:13 UTC (permalink / raw)
To: Lorenzo Bianconi, Tony Nguyen, Przemek Kitszel, Felix Fietkau,
Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch
Cc: netdev, linux-mediatek, intel-wired-lan
Another sashiko drive-by report. TL;DR, do you need to apply this
pattern in your driver?
- metadata_dst_free(priv->md);
+ dst_release(&priv->md->dst);
Affects:
drivers/net/ethernet/airoha/airoha_eth.c
drivers/net/ethernet/intel/ice/ice_eswitch.c
drivers/net/ethernet/mediatek/mtk_eth_soc.c
drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
Long version:
https://sashiko.dev/#/patchset/20260527135751.1031891-1-tristmd%40gmail.com
This isn't a bug introduced by this patch, but looking at this fix, do
other callers of metadata_dst_free() suffer from the same use-after-free
vulnerability?
In drivers like ice_eswitch and mlx5 MACsec, a metadata_dst is allocated
and references are taken on it via dst_hold() when packets are processed
(for example, via skb_dst_set()).
However, on their teardown paths, these drivers call metadata_dst_free(),
which unconditionally frees the memory without checking the reference count.
If packets holding these references are queued (like in a netem qdisc)
during teardown, does the memory get freed prematurely, causing a
use-after-free when the networking stack eventually calls dst_release()
on the dequeued packets?
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-01 9:13 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-01 9:13 Possible UaF bug in netdevice teardown path Florian Westphal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox