{"id":2224789,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2224789/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260418163057.2611503-2-bestswngs@gmail.com/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260418163057.2611503-2-bestswngs@gmail.com>","date":"2026-04-18T16:30:58","name":"[nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU clamping","commit_ref":null,"pull_url":null,"state":"under-review","archived":false,"hash":"85c56e6c3119c25827bb0afd7607f14c4fbb421c","submitter":{"id":92941,"url":"http://patchwork.ozlabs.org/api/1.1/people/92941/?format=json","name":"Weiming Shi","email":"bestswngs@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260418163057.2611503-2-bestswngs@gmail.com/mbox/","series":[{"id":500454,"url":"http://patchwork.ozlabs.org/api/1.1/series/500454/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500454","date":"2026-04-18T16:30:58","name":"[nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU clamping","version":1,"mbox":"http://patchwork.ozlabs.org/series/500454/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224789/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224789/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12018-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 
header.b=To7DAt54;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=104.64.211.4; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12018-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"To7DAt54\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=74.125.82.170","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org [104.64.211.4])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fycjS0pJnz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 19 Apr 2026 02:32:28 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id DFDC7300981D\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 16:32:23 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D23AF3101C8;\n\tSat, 18 Apr 2026 16:32:22 +0000 (UTC)","from mail-dy1-f170.google.com (mail-dy1-f170.google.com\n [74.125.82.170])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id C4F042E6CC7\n\tfor <netfilter-devel@vger.kernel.org>; Sat, 18 Apr 2026 16:32:20 +0000 (UTC)","by mail-dy1-f170.google.com with SMTP id\n 5a478bee46e88-2e622a9da9cso2429860eec.0\n        for <netfilter-devel@vger.kernel.org>;\n Sat, 18 Apr 2026 09:32:20 -0700 (PDT)","from efaec68ba852.tailc0aff1.ts.net 
([206.206.192.132])\n        by smtp.gmail.com with ESMTPSA id\n 5a478bee46e88-2e536e54562sm6894368eec.0.2026.04.18.09.32.18\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Sat, 18 Apr 2026 09:32:18 -0700 (PDT)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776529942; cv=none;\n b=M6zAqN7uYWAxDq/Dvs12pFrc+6kSR1yzwXlJK1Y+2c721Yp+uPOA5y0n3ZsGsw99OZthiQc7KNDRgG7cwI2w0qVtXjFNhJGZ94SFSaHHbMfH74Kwgy0EC9hL5Q+O4M1zIh9X7ISWazwlvtr0n+/SK1VzdYCukVjO6UwxqIRdQMg=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776529942; c=relaxed/simple;\n\tbh=M7B2FiAQ68bmq17gT51ms1yjCM5hrhJ8ivTJGQv6vmI=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=EarGMnSRBZmscgWP/qKHwyUd6GE2Ulb+3vzyCkJ1CqoBkf/hGMFqbQvSpjizRVacucOVs/l/G/L4SElOiDbtPtFGBUgeSBY4M8RAMdtF8vy/YLtZNGOIWih49OI0y1IJvT7lDnDWKXp/2fPrRY0USi8OoqGZo9sUANUiW3lGkm4=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=To7DAt54; arc=none smtp.client-ip=74.125.82.170","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1776529940; x=1777134740;\n darn=vger.kernel.org;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:from:to:cc:subject:date:message-id:reply-to;\n        bh=3kxoQx5x6kYpwthdIyOArHGCLCerv98lrw2KVJASpKc=;\n        b=To7DAt54CBNFikgfoMwt+Ya3cmFxCxyD2DJ+v0gEiFWAKqQr/40RXAYp4UXnokoipq\n         IvRQPVJJ6uDmPe1b+7gQ8p25CwcVYdG1iUcHWOLDfN9DtSjsBCfz8+0AfxhCzsqA4L1s\n         9p0FmEj1ddfNcl8m0/cbT5EEdqe8nvTMVdEoNDix/b8Hp1SZVD7d5EVuSsM6tzMBYSHH\n         3Yqyt/b+IDS8b6vcmmj2edgVDr5DtFbhhyGBaStBfNh7/xocyY6Fnslep1MdxcZ7g5Gy\n         2boB6h1Pw/Nlj7A9250L+4IpiitDzpmdzmK/cO8W9LB8x9xDmaNQ3r5xDNGWR448CJax\n         k28Q==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; 
c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1776529940; x=1777134740;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=3kxoQx5x6kYpwthdIyOArHGCLCerv98lrw2KVJASpKc=;\n        b=ax83qj7LHysbLvxOZGelyyFFuiVSdUFH1QzElF7X6LAdxhs9PZZgi9hZBKEtLqgUCZ\n         3Vi+59WRYst7R7w6TlEvnI8oCWpyfkd91SLbQAdLKRTgvkCf1OUeIiMdqZpS/fnx44Th\n         tV2qdSSJL16EElLVaEf2ZQFwkYv1X99FX3Y2t7t1qpanCHTs6zMOPHySD52XBRxVImsZ\n         M7Q6RMjwxRy+Kq+TGHBpWaOUrLxIoCv9O+481w2PIxBAl8XZyJ8N3GqfPkhsiRxEB2ei\n         TqObIhK7/2shrPlTB2EzE4re1OK0akGeImfQf7jEhABpw5WDwen0wl5mbx3sEDhu5izc\n         llAQ==","X-Forwarded-Encrypted":"i=1;\n AFNElJ8WEgNoPzZ42icZ14WHPH4b0+iFqr9dL5d9pAoDACARnF539w0ZoQ4oFNLHZMvWjLDI0E30dW53mt/f7hAnkIY=@vger.kernel.org","X-Gm-Message-State":"AOJu0YxH8yPyKSYw21ZNODApQYydmLJUh2T49y5JsKOD9Vn3ELWDbDAP\n\tjeB6HtR44ABagcdWRZeK8dlGmQV8qeOFjGhd2ImsSPbXyaRKdwoynRTC","X-Gm-Gg":"AeBDieselSf5Rk2/ENtQGAPg2dYhDIklKuMr2dCVtsLrG5igBRnOxnMf7Bxduy5KnQT\n\tIXswi2l3xkPkSBEx6//t1UKsahLlQkIbeizGmFEB2QJdPGEpaKohIpx9d2acEAf1jVSO/QINg78\n\tZUrmk2Zs9d9MW4/AsinHpWnjEdfGbTcOag8TanZqFUpollAZtwXUii8X4fgH2UZpZQewnDS/Slu\n\tDP+y3/4FcSkl9TQIbibSyn6oFrN7mUMEjQWQhOukv8pbRBMMMxoImdCaLgE6hxqMpHgcPzYkaMw\n\ttP7cn6HcI+g2isEWoUOTo60Jnn/zcNSZ5kO+d3b6JAnVcSr34Q3ZwDfKMv6GetjYrRqndzt0kgE\n\tbkRSY/f18cHrBMzEK9ZZfOUockSjtguOvs2wCL2RbSFPt5RWhXayVrZ7/1k6t6wpnD4iruXN0U1\n\twVkTeY/toFwK5yrIjwXBNRySc5XyYZuYZOhjCt0VGAHt2nNnoAQLJN4hYS+7cwMuEL084rE/ZhH\n\tKmcS1sh9EC+HfsNUa+z","X-Received":"by 2002:a05:7301:5784:b0:2de:c5ca:c1f3 with SMTP id\n 5a478bee46e88-2e465293dfdmr3688244eec.4.1776529939859;\n        Sat, 18 Apr 2026 09:32:19 -0700 (PDT)","From":"Weiming Shi <bestswngs@gmail.com>","To":"Pablo Neira Ayuso <pablo@netfilter.org>,\n\tFlorian Westphal <fw@strlen.de>,\n\t\"David S . 
Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>,\n\tPaolo Abeni <pabeni@redhat.com>","Cc":"Phil Sutter <phil@nwl.cc>,\n\tSimon Horman <horms@kernel.org>,\n\tnetfilter-devel@vger.kernel.org,\n\tcoreteam@netfilter.org,\n\tnetdev@vger.kernel.org,\n\tXiang Mei <xmei5@asu.edu>,\n\tWeiming Shi <bestswngs@gmail.com>","Subject":"[PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU\n clamping","Date":"Sat, 18 Apr 2026 09:30:58 -0700","Message-ID":"<20260418163057.2611503-2-bestswngs@gmail.com>","X-Mailer":"git-send-email 2.43.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base\nchain, par->hook_mask is set to 0, bypassing the checkentry hook\nvalidation. 
The target can then run at PRE_ROUTING where skb_dst is\nNULL, causing a null-ptr-deref in tcpmss_mangle_packet():\n\n KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)\n  tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)\n  nft_target_eval_xt (net/netfilter/nft_compat.c:87)\n  nft_do_chain (net/netfilter/nf_tables_core.c:287)\n  nf_hook_slow (net/netfilter/core.c:623)\n\nCheck skb_dst() for NULL before calling dst_mtu().\n\nFixes: 493618a92c6a (\"netfilter: nft_compat: fix hook validation for non-base chains\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Weiming Shi <bestswngs@gmail.com>\n---\n net/netfilter/xt_TCPMSS.c | 7 ++++++-\n 1 file changed, 6 insertions(+), 1 deletion(-)","diff":"diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c\nindex 116a885adb3c..79b5e475e23e 100644\n--- a/net/netfilter/xt_TCPMSS.c\n+++ b/net/netfilter/xt_TCPMSS.c\n@@ -102,7 +102,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,\n \tif (info->mss == XT_TCPMSS_CLAMP_PMTU) {\n \t\tstruct net *net = xt_net(par);\n \t\tunsigned int in_mtu = tcpmss_reverse_mtu(net, skb, family);\n-\t\tunsigned int min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu);\n+\t\tunsigned int min_mtu;\n+\n+\t\tif (!skb_dst(skb))\n+\t\t\treturn -1;\n+\n+\t\tmin_mtu = min(dst_mtu(skb_dst(skb)), in_mtu);\n \n \t\tif (min_mtu <= minlen) {\n \t\t\tnet_err_ratelimited(\"unknown or invalid path-MTU (%u)\\n\",\n","prefixes":["nf"]}
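Review bot: the new `if (!skb_dst(skb)) return -1;` in the CLAMP_PMTU branch of tcpmss_mangle_packet() guards only the dereference, while the commit message puts the root cause in nft_compat setting par->hook_mask to 0 for non-base chains so that checkentry hook validation is skipped. Please say in the commit message why the fix belongs in the target rather than in that validation path, and whether other xt targets that depend on the same hook validation can be reached the same way. The early return is also silent, unlike the net_err_ratelimited() in the `min_mtu <= minlen` branch just below it, and the message does not say what the caller does with -1 at PRE_ROUTING (drop the packet or let it pass unmodified); stating that would make the behaviour change reviewable. Minor: tcpmss_reverse_mtu(net, skb, family) still runs in the `in_mtu` initializer before the NULL check, so the check could come first, and skb_dst(skb) is evaluated twice where a local `struct dst_entry *` would do.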