netfilter: nf_queue: handle socket prefetch

stable inclusion from stable-v5.10.104 commit 81f817f3e559d3e4e56110f6132f8322a97fbc8c bugzilla: https://gitee.com/openeuler/kernel/issues/I56XAC Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=81f817f3e559d3e4e56110f6132f8322a97fbc8c -------------------------------- commit 3b836da4 upstream. In case someone combines bpf socket assign and nf_queue, then we will queue an skb who references a struct sock that did not have its reference count incremented. As we leave rcu protection, there is no guarantee that skb->sk is still valid. For refcount-less skb->sk case, try to increment the reference count and then override the destructor. In case of failure we have two choices: orphan the skb and 'delete' preselect or let nf_queue() drop the packet. Do the latter, it should not happen during normal operation. Fixes: cf7fbe66 ("bpf: Add socket assign support") Acked-by: N Joe Stringer <joe@cilium.io> Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yu Liao <liaoyu15@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

netfilter: nf_queue: handle socket prefetch
stable inclusion from stable-v5.10.104 commit 81f817f3e559d3e4e56110f6132f8322a97fbc8c bugzilla: https://gitee.com/openeuler/kernel/issues/I56XAC Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=81f817f3e559d3e4e56110f6132f8322a97fbc8c -------------------------------- commit 3b836da4 upstream. In case someone combines bpf socket assign and nf_queue, then we will queue an skb who references a struct sock that did not have its reference count incremented. As we leave rcu protection, there is no guarantee that skb->sk is still valid. For refcount-less skb->sk case, try to increment the reference count and then override the destructor. In case of failure we have two choices: orphan the skb and 'delete' preselect or let nf_queue() drop the packet. Do the latter, it should not happen during normal operation. Fixes: cf7fbe66 ("bpf: Add socket assign support") Acked-by: N Joe Stringer <joe@cilium.io> Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yu Liao <liaoyu15@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
42c756cd · Florian Westphal · Zheng Zengkai · 11b769ac · 42c756cd
隐藏空白更改
内联并排

Showing with 12 addition and 0 deletion

net/netfilter/nf_queue.c net/netfilter/nf_queue.c +12 -0

未找到文件。
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -189,6 +189,18 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
 		break;
 	}
+	if (skb_sk_is_prefetched(skb)) {
+		struct sock *sk = skb->sk;
+		if (!sk_is_refcounted(sk)) {
+			if (!refcount_inc_not_zero(&sk->sk_refcnt))
+				return -ENOTCONN;
+			/* drop refcount on skb_orphan */
+			skb->destructor = sock_edemux;
+		}
+	}
 	entry = kmalloc(sizeof(*entry) + route_key_size, GFP_ATOMIC);
 	if (!entry)
 		return -ENOMEM;