[{"id":3679004,"web_url":"http://patchwork.ozlabs.org/comment/3679004/","msgid":"<aePiSwmP6YEQ4mNE@strlen.de>","list_archive_url":null,"date":"2026-04-18T19:58:03","subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Weiming Shi <bestswngs@gmail.com> wrote:\n> When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base\n> chain, par->hook_mask is set to 0, bypassing the checkentry hook\n> validation. The target can then run at PRE_ROUTING where skb_dst is\n> NULL, causing a null-ptr-deref in tcpmss_mangle_packet():\n> \n>  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n>  RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)\n>   tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)\n>   nft_target_eval_xt (net/netfilter/nft_compat.c:87)\n>   nft_do_chain (net/netfilter/nf_tables_core.c:287)\n>   nf_hook_slow (net/netfilter/core.c:623)\n> \n> Check skb_dst() for NULL before calling dst_mtu().\n\nFWIW I will apply this patch even though it's wrong.\n\nnft_compat.c is just too broken, I don't see how it can be\nfixed in any reasonable amount of time.\n\nvalidation is done too early, at expression instantiation\ntime.\n\nThis doesn't work because we have an incomplete graph, it has\nto be done at final table validation time.\n\nBut then all required compat info (xtables hints) is gone\nand no longer available.\n\nAFAICS the only way to resolve this is to cache the info in\nthe nft_expr priv area (WHERE IT ABSOLUTELY DOESN'T BELONG!)\nbecause that's the only storage there is.\n\n*puke*","headers":{"Return-Path":"\n 
<netfilter-devel+bounces-12021-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12021-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Date":"Sat, 18 Apr 2026 21:58:03 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Weiming Shi <bestswngs@gmail.com>","Cc":"Pablo Neira Ayuso <pablo@netfilter.org>,\n\t\"David S . 
Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,\n\tPhil Sutter <phil@nwl.cc>, Simon Horman <horms@kernel.org>,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, Xiang Mei <xmei5@asu.edu>","Subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","Message-ID":"<aePiSwmP6YEQ4mNE@strlen.de>","References":"<20260418163057.2611503-2-bestswngs@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","Content-Transfer-Encoding":"quoted-printable","In-Reply-To":"<20260418163057.2611503-2-bestswngs@gmail.com>"}},{"id":3679062,"web_url":"http://patchwork.ozlabs.org/comment/3679062/","msgid":"<aeSLoQis9-cUGsvE@strlen.de>","list_archive_url":null,"date":"2026-04-19T08:00:33","subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Florian Westphal <fw@strlen.de> wrote:\n> Weiming Shi <bestswngs@gmail.com> wrote:\n> > When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base\n> > chain, par->hook_mask is set to 0, bypassing the checkentry hook\n> > validation. 
The target can then run at PRE_ROUTING where skb_dst is\n> > NULL, causing a null-ptr-deref in tcpmss_mangle_packet():\n> > \n> >  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n> >  RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)\n> >   tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)\n> >   nft_target_eval_xt (net/netfilter/nft_compat.c:87)\n> >   nft_do_chain (net/netfilter/nf_tables_core.c:287)\n> >   nf_hook_slow (net/netfilter/core.c:623)\n> > \n> > Check skb_dst() for NULL before calling dst_mtu().\n> \n> FWIW I will apply this patch even though it's wrong.\n> \n> nft_compat.c is just too broken, I don't see how it can be\n> fixed in any reasonable amount of time.\n\nnet/netfilter/xt_TCPMSS.c:          (par->hook_mask & ~((1 << NF_INET_FORWARD) |\nnet/netfilter/xt_addrtype.c:    if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |\nnet/netfilter/xt_devgroup.c:        par->hook_mask & ~((1 << NF_INET_PRE_ROUTING) |\nnet/netfilter/xt_physdev.c:         par->hook_mask & (1 << NF_INET_LOCAL_OUT)) {\nnet/netfilter/xt_policy.c:      if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |\nnet/netfilter/xt_set.c:              (par->hook_mask & ~(1 << NF_INET_FORWARD |\n\nLooking at this, I don't see an alternative to mixing nft specific bits into\nx_tables, i.e.:\n\ndiff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h\n--- a/include/linux/netfilter/x_tables.h\n+++ b/include/linux/netfilter/x_tables.h\n@@ -187,6 +187,8 @@ struct xt_target {\n        /* Should return 0 on success or an error code otherwise (-Exxxx). */\n        int (*checkentry)(const struct xt_tgchk_param *);\n \n+       int (*nft_validate_chain)(const void *targinfo, unsigned int hook_mask);\n+\n        /* Called when entry of this type deleted. */\n        void (*destroy)(const struct xt_tgdtor_param *);\n #ifdef CONFIG_NETFILTER_XTABLES_COMPAT\n\n.. 
and then call that from nft_compat.c for TCPMSS.\nSame for matches.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12023-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12023-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Date":"Sun, 19 Apr 2026 10:00:33 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Weiming Shi <bestswngs@gmail.com>","Cc":"Pablo Neira Ayuso <pablo@netfilter.org>,\n\t\"David S . 
Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,\n\tPhil Sutter <phil@nwl.cc>, Simon Horman <horms@kernel.org>,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, Xiang Mei <xmei5@asu.edu>","Subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","Message-ID":"<aeSLoQis9-cUGsvE@strlen.de>","References":"<20260418163057.2611503-2-bestswngs@gmail.com>\n <aePiSwmP6YEQ4mNE@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<aePiSwmP6YEQ4mNE@strlen.de>"}},{"id":3679072,"web_url":"http://patchwork.ozlabs.org/comment/3679072/","msgid":"<aeStdnf-xEbtFVkb@chamomile>","list_archive_url":null,"date":"2026-04-19T10:24:54","subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Sat, Apr 18, 2026 at 09:58:03PM +0200, Florian Westphal wrote:\n> Weiming Shi <bestswngs@gmail.com> wrote:\n> > When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base\n> > chain, par->hook_mask is set to 0, bypassing the checkentry hook\n> > validation. 
The target can then run at PRE_ROUTING where skb_dst is\n> > NULL, causing a null-ptr-deref in tcpmss_mangle_packet():\n> > \n> >  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n> >  RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)\n> >   tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)\n> >   nft_target_eval_xt (net/netfilter/nft_compat.c:87)\n> >   nft_do_chain (net/netfilter/nf_tables_core.c:287)\n> >   nf_hook_slow (net/netfilter/core.c:623)\n> > \n> > Check skb_dst() for NULL before calling dst_mtu().\n> \n> FWIW I will apply this patch even though it's wrong.\n> \n> nft_compat.c is just too broken, I don't see how it can be\n> fixed in any reasonable amount of time.\n> \n> validation is done too early, at expression instantiation\n> time.\n> \n> This doesn't work because we have an incomplete graph, it has\n> to be done at final table validation time.\n\nI remember this used to work, maybe it broke with recent updates on\nthe chain graph detection?\n\nOnce the non-basechain is added it should consider the basechain where\nthis can be reached.\n\n> But then all required compat info (xtables hints) is gone\n> and no longer available.\n\nWhat?\n\n> AFAICS the only way to resolve this is to cache the info in\n> the nft_expr priv area (WHERE IT ABSOLUTELY DOESN'T BELONG!)\n> because that's the only storage there is.\n\nNo.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12024-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=OLyHmMPN;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; 
helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12024-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"OLyHmMPN\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Date":"Sun, 19 Apr 2026 12:24:54 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"Weiming Shi <bestswngs@gmail.com>,\n\t\"David S . 
Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,\n\tPhil Sutter <phil@nwl.cc>, Simon Horman <horms@kernel.org>,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, Xiang Mei <xmei5@asu.edu>","Subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","Message-ID":"<aeStdnf-xEbtFVkb@chamomile>","References":"<20260418163057.2611503-2-bestswngs@gmail.com>\n <aePiSwmP6YEQ4mNE@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<aePiSwmP6YEQ4mNE@strlen.de>"}},{"id":3679073,"web_url":"http://patchwork.ozlabs.org/comment/3679073/","msgid":"<aeStrD8wZmxViWOE@chamomile>","list_archive_url":null,"date":"2026-04-19T10:25:48","subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Sat, Apr 18, 2026 at 09:58:03PM +0200, Florian Westphal wrote:\n> Weiming Shi <bestswngs@gmail.com> wrote:\n> > When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base\n> > chain, par->hook_mask is set to 0, bypassing the checkentry hook\n> > validation. 
The target can then run at PRE_ROUTING where skb_dst is\n> > NULL, causing a null-ptr-deref in tcpmss_mangle_packet():\n> > \n> >  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n> >  RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)\n> >   tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)\n> >   nft_target_eval_xt (net/netfilter/nft_compat.c:87)\n> >   nft_do_chain (net/netfilter/nf_tables_core.c:287)\n> >   nf_hook_slow (net/netfilter/core.c:623)\n> > \n> > Check skb_dst() for NULL before calling dst_mtu().\n> \n> FWIW I will apply this patch even though it's wrong.\n\nAnd no please, do not apply this.\n\nThis needs to be fixed from the chain graph detection.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12025-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=iSJ8aMgU;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12025-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"iSJ8aMgU\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Date":"Sun, 19 Apr 2026 12:25:48 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"Weiming Shi <bestswngs@gmail.com>,\n\t\"David S . Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,\n\tPhil Sutter <phil@nwl.cc>, Simon Horman <horms@kernel.org>,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, Xiang Mei <xmei5@asu.edu>","Subject":"Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","Message-ID":"<aeStrD8wZmxViWOE@chamomile>","References":"<20260418163057.2611503-2-bestswngs@gmail.com>\n <aePiSwmP6YEQ4mNE@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<aePiSwmP6YEQ4mNE@strlen.de>"}}]