releases/5.4.183/netfilter-nf_queue-don-t-assume-sk-is-full-socket.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 747670fd9a2d1b7774030dba65ca022ba442ce71 Mon Sep 17 00:00:00 2001
 From: Florian Westphal <fw@strlen.de>
 Date: Fri, 25 Feb 2022 14:02:41 +0100
 Subject: netfilter: nf_queue: don't assume sk is full socket

 From: Florian Westphal <fw@strlen.de>

 commit 747670fd9a2d1b7774030dba65ca022ba442ce71 upstream.

 There is no guarantee that state->sk refers to a full socket.

 If refcount transitions to 0, sock_put calls sk_free which then ends up
 with garbage fields.

 I'd like to thank Oleksandr Natalenko and Jiri Benc for considerable
 debug work and pointing out state->sk oddities.

 Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
 Tested-by: Oleksandr Natalenko <oleksandr@redhat.com>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/netfilter/nf_queue.c |   11 ++++++++++-
  1 file changed, 10 insertions(+), 1 deletion(-)

 --- a/net/netfilter/nf_queue.c
 +++ b/net/netfilter/nf_queue.c
 @@ -64,6 +64,15 @@ static void nf_queue_entry_release_br_nf
  #endif
  }

 +static void nf_queue_sock_put(struct sock *sk)
 +{
 +#ifdef CONFIG_INET
 +	sock_gen_put(sk);
 +#else
 +	sock_put(sk);
 +#endif
 +}
 +
  void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
  {
  	struct nf_hook_state *state = &entry->state;
 @@ -74,7 +83,7 @@ void nf_queue_entry_release_refs(struct
  	if (state->out)
  		dev_put(state->out);
  	if (state->sk)
 -		sock_put(state->sk);
 +		nf_queue_sock_put(state->sk);

  	nf_queue_entry_release_br_nf_refs(entry->skb);
  }
	From 747670fd9a2d1b7774030dba65ca022ba442ce71 Mon Sep 17 00:00:00 2001
	From: Florian Westphal <fw@strlen.de>
	Date: Fri, 25 Feb 2022 14:02:41 +0100
	Subject: netfilter: nf_queue: don't assume sk is full socket

	From: Florian Westphal <fw@strlen.de>

	commit 747670fd9a2d1b7774030dba65ca022ba442ce71 upstream.

	There is no guarantee that state->sk refers to a full socket.

	If refcount transitions to 0, sock_put calls sk_free which then ends up
	with garbage fields.

	I'd like to thank Oleksandr Natalenko and Jiri Benc for considerable
	debug work and pointing out state->sk oddities.

	Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
	Tested-by: Oleksandr Natalenko <oleksandr@redhat.com>
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/netfilter/nf_queue.c \| 11 ++++++++++-
	1 file changed, 10 insertions(+), 1 deletion(-)

	--- a/net/netfilter/nf_queue.c
	+++ b/net/netfilter/nf_queue.c
	@@ -64,6 +64,15 @@ static void nf_queue_entry_release_br_nf
	#endif
	}

	+static void nf_queue_sock_put(struct sock *sk)
	+{
	+#ifdef CONFIG_INET
	+ sock_gen_put(sk);
	+#else
	+ sock_put(sk);
	+#endif
	+}
	+
	void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
	{
	struct nf_hook_state *state = &entry->state;
	@@ -74,7 +83,7 @@ void nf_queue_entry_release_refs(struct
	if (state->out)
	dev_put(state->out);
	if (state->sk)
	- sock_put(state->sk);
	+ nf_queue_sock_put(state->sk);

	nf_queue_entry_release_br_nf_refs(entry->skb);
	}