releases/4.14.27/netfilter-use-skb_to_full_sk-in-ip6_route_me_harder.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 7d98386d55a5afaa65de77e1e9197edeb8a42079 Mon Sep 17 00:00:00 2001
 From: Eric Dumazet <edumazet@google.com>
 Date: Sun, 25 Feb 2018 11:49:07 -0800
 Subject: netfilter: use skb_to_full_sk in ip6_route_me_harder
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 From: Eric Dumazet <edumazet@google.com>

 commit 7d98386d55a5afaa65de77e1e9197edeb8a42079 upstream.

 For some reason, Florian forgot to apply to ip6_route_me_harder
 the fix that went in commit 29e09229d9f2 ("netfilter: use
 skb_to_full_sk in ip_route_me_harder")

 Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Reported-by: syzbot <syzkaller@googlegroups.com>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/ipv6/netfilter.c |    9 +++++----
  1 file changed, 5 insertions(+), 4 deletions(-)

 --- a/net/ipv6/netfilter.c
 +++ b/net/ipv6/netfilter.c
 @@ -21,18 +21,19 @@
  int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
  {
  	const struct ipv6hdr *iph = ipv6_hdr(skb);
 +	struct sock *sk = sk_to_full_sk(skb->sk);
  	unsigned int hh_len;
  	struct dst_entry *dst;
  	struct flowi6 fl6 = {
 -		.flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
 +		.flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
  		.flowi6_mark = skb->mark,
 -		.flowi6_uid = sock_net_uid(net, skb->sk),
 +		.flowi6_uid = sock_net_uid(net, sk),
  		.daddr = iph->daddr,
  		.saddr = iph->saddr,
  	};
  	int err;

 -	dst = ip6_route_output(net, skb->sk, &fl6);
 +	dst = ip6_route_output(net, sk, &fl6);
  	err = dst->error;
  	if (err) {
  		IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
 @@ -50,7 +51,7 @@ int ip6_route_me_harder(struct net *net,
  	if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
  	    xfrm_decode_session(skb, flowi6_to_flowi(&fl6), AF_INET6) == 0) {
  		skb_dst_set(skb, NULL);
 -		dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), skb->sk, 0);
 +		dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
  		if (IS_ERR(dst))
  			return PTR_ERR(dst);
  		skb_dst_set(skb, dst);
	From 7d98386d55a5afaa65de77e1e9197edeb8a42079 Mon Sep 17 00:00:00 2001
	From: Eric Dumazet <edumazet@google.com>
	Date: Sun, 25 Feb 2018 11:49:07 -0800
	Subject: netfilter: use skb_to_full_sk in ip6_route_me_harder
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	From: Eric Dumazet <edumazet@google.com>

	commit 7d98386d55a5afaa65de77e1e9197edeb8a42079 upstream.

	For some reason, Florian forgot to apply to ip6_route_me_harder
	the fix that went in commit 29e09229d9f2 ("netfilter: use
	skb_to_full_sk in ip_route_me_harder")

	Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reported-by: syzbot <syzkaller@googlegroups.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/ipv6/netfilter.c \| 9 +++++----
	1 file changed, 5 insertions(+), 4 deletions(-)

	--- a/net/ipv6/netfilter.c
	+++ b/net/ipv6/netfilter.c
	@@ -21,18 +21,19 @@
	int ip6_route_me_harder(struct net net, struct sk_buff skb)
	{
	const struct ipv6hdr *iph = ipv6_hdr(skb);
	+ struct sock *sk = sk_to_full_sk(skb->sk);
	unsigned int hh_len;
	struct dst_entry *dst;
	struct flowi6 fl6 = {
	- .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
	+ .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
	.flowi6_mark = skb->mark,
	- .flowi6_uid = sock_net_uid(net, skb->sk),
	+ .flowi6_uid = sock_net_uid(net, sk),
	.daddr = iph->daddr,
	.saddr = iph->saddr,
	};
	int err;

	- dst = ip6_route_output(net, skb->sk, &fl6);
	+ dst = ip6_route_output(net, sk, &fl6);
	err = dst->error;
	if (err) {
	IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
	@@ -50,7 +51,7 @@ int ip6_route_me_harder(struct net *net,
	if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
	xfrm_decode_session(skb, flowi6_to_flowi(&fl6), AF_INET6) == 0) {
	skb_dst_set(skb, NULL);
	- dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), skb->sk, 0);
	+ dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
	if (IS_ERR(dst))
	return PTR_ERR(dst);
	skb_dst_set(skb, dst);