
From: Pablo Neira Ayuso <pablo@netfilter.org> mainline inclusion from mainline-v6.8-rc6 commit 9e0f0430389be7696396c62f037be4bf72cf93e3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8LQ CVE: CVE-2024-27403 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... --------------------------- dst is transferred to the flow object, route object does not own it anymore. Reset dst in route object, otherwise if flow_offload_add() fails, error path releases dst twice, leading to a refcount underflow. Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Conflicts: include/net/netfilter/nf_flow_table.h net/netfilter/nf_flow_table_core.c [This is because we did not backport f1363e058b84, fa502c865666, 8b9229d15877, 7a27f6ab4135] Signed-off-by: Liu Jian <liujian56@huawei.com>
---
 net/netfilter/nf_flow_table_core.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index b3957fe7eced..4f4869853cbe 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -21,6 +21,16 @@ struct flow_offload_entry {
 static DEFINE_MUTEX(flowtable_lock);
 static LIST_HEAD(flowtables);
+static struct dst_entry *nft_route_dst_fetch(struct nf_flow_route *route,
+ enum flow_offload_tuple_dir dir)
+{
+ struct dst_entry *dst = route->tuple[dir].dst;
+
+ route->tuple[dir].dst = NULL;
+
+ return dst;
+}
+
 static void
 flow_offload_fill_dir(struct flow_offload *flow, struct nf_conn *ct,
 struct nf_flow_route *route,
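Review bot: nft_route_dst_fetch() carries no comment saying that it moves the dst reference out of the route, which is the entire point of the fix and easy to undo if a later change reads `route->tuple[dir].dst` directly again. I would add above the helper: `/* Hand the route's dst reference to the caller and clear the slot, so releasing the route afterwards cannot drop it a second time. */`. Because the Conflicts note says four prerequisite commits were not backported, it is also worth confirming that the allocation path in this tree does not take its own extra reference on the same dst before the fill (not visible here); if it does, clearing the slot would leave the route's reference unreleased instead of released twice.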
@@ -29,7 +39,7 @@ flow_offload_fill_dir(struct flow_offload *flow, struct nf_conn *ct,
 struct flow_offload_tuple *ft = &flow->tuplehash[dir].tuple;
 struct nf_conntrack_tuple *ctt = &ct->tuplehash[dir].tuple;
 struct dst_entry *other_dst = route->tuple[!dir].dst;
- struct dst_entry *dst = route->tuple[dir].dst;
+ struct dst_entry *dst = nft_route_dst_fetch(route, dir);
 ft->dir = dir;
-- 
2.34.1
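Review bot: `other_dst` is still read directly from `route->tuple[!dir].dst`, while the new `nft_route_dst_fetch(route, dir)` clears each slot as it is consumed. If flow_offload_fill_dir() is called once per direction on the same route (the caller is not visible here), the second call gets NULL in `other_dst`. The function body continues outside the hunk; any later dereference of `other_dst` there would turn the refcount fix into a NULL pointer dereference in kernel context. Before merging, check every use of `other_dst` and either capture what is needed from the opposite direction before either slot is cleared, or read it from the flow tuple that now owns the reference.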