netfilter: conntrack: call nf_ct_gre_keymap_destroy() if master helper is pptp

For GRE flows, validate that the ct master helper (if any) is pptp before calling nf_ct_gre_keymap_destroy(), so the helper data area can be accessed safely. Note that only the pptp helper provides a .destroy callback. Fixes: e56894356f60 ("netfilter: conntrack: remove l4proto destroy hook") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2026-06-04 08:21:13 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2026-06-05 16:21:38 +0200
commit: b0f02608fbcd607b5131cceb91fc0a035264e61c (patch)
tree: 3d7a98a803505debb13d3310e30a267915870b13
parent: 35e21a4dccc5c255ba59ccfbfeb4629ed21da972 (diff)
1 files changed, 16 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 91255fd3b35d..4fb3a2d18631 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -562,9 +562,23 @@ static void destroy_gre_conntrack(struct nf_conn *ct)
 {
 #ifdef CONFIG_NF_CT_PROTO_GRE
 	struct nf_conn *master = ct->master;
+	struct nf_conn_help *help;
+
+	if (!master)
+		return;
+
+	help = nfct_help(master);
+	if (help) {
+		struct nf_conntrack_helper *helper;
 
-	if (master)
-		nf_ct_gre_keymap_destroy(master);
+		rcu_read_lock();
+		helper = rcu_dereference(help->helper);
+		/* Only pptp helper has a destroy callback. */
+		if (helper && helper->destroy)
+			nf_ct_gre_keymap_destroy(master);
+
+		rcu_read_unlock();
+	}
 #endif
 }
author	Pablo Neira Ayuso <pablo@netfilter.org>	2026-06-04 08:21:13 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2026-06-05 16:21:38 +0200
commit	b0f02608fbcd607b5131cceb91fc0a035264e61c (patch)
tree	3d7a98a803505debb13d3310e30a267915870b13
parent	35e21a4dccc5c255ba59ccfbfeb4629ed21da972 (diff)