ice_eswitch_release_repr() frees the port representor metadata_dst via metadata_dst_free(), which directly kfree()s the object and ignores the dst_entry refcount. The eswitch slow-path TX routine ice_eswitch_port_start_xmit() takes a reference on this dst with dst_hold() and attaches it to the skb via skb_dst_set(). If such an skb is still in flight (e.g. queued in a qdisc) when the representor is torn down, the metadata_dst is freed while the skb still points at it. When the skb is later freed, dst_release() operates on already-freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after the last reference is dropped. The dst subsystem frees metadata_dst objects from dst_destroy() once the refcount reaches zero (DST_METADATA is set by metadata_dst_alloc()). Same class of bug and fix as commit c32b26aaa2f9 ("netfilter: nft_tunnel: fix use-after-free on object destroy"). Fixes: fff292b47ac1 ("ice: add VF representors one by one") Cc: stable@vger.kernel.org Signed-off-by: Doruk Tan Ozturk --- drivers/net/ethernet/intel/ice/ice_eswitch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c index 2e4f0969035f..41b30a7ca4a9 100644 --- a/drivers/net/ethernet/intel/ice/ice_eswitch.c +++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c @@ -95,7 +95,7 @@ ice_eswitch_release_repr(struct ice_pf *pf, struct ice_repr *repr) return; ice_vsi_update_security(vsi, ice_vsi_ctx_set_antispoof); - metadata_dst_free(repr->dst); + dst_release(&repr->dst->dst); repr->dst = NULL; ice_fltr_add_mac_and_broadcast(vsi, repr->parent_mac, ICE_FWD_TO_VSI); -- 2.43.0