[PATCH openEuler-1.0-LTS] netfilter: nft_flow_offload: reset dst in route object after setting up flow
From: Pablo Neira Ayuso <pablo@netfilter.org> mainline inclusion from mainline-v6.8-rc6 commit 9e0f0430389be7696396c62f037be4bf72cf93e3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8LQ CVE: CVE-2024-27403 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... --------------------------- dst is transferred to the flow object, route object does not own it anymore. Reset dst in route object, otherwise if flow_offload_add() fails, error path releases dst twice, leading to a refcount underflow. Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Conflicts: include/net/netfilter/nf_flow_table.h net/netfilter/nf_flow_table_core.c [This is because we did not backport f1363e058b84, fa502c865666, 8b9229d15877, 7a27f6ab4135] Signed-off-by: Liu Jian <liujian56@huawei.com> --- net/netfilter/nf_flow_table_core.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index b3957fe7eced..4f4869853cbe 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -21,6 +21,16 @@ struct flow_offload_entry { static DEFINE_MUTEX(flowtable_lock); static LIST_HEAD(flowtables); +static struct dst_entry *nft_route_dst_fetch(struct nf_flow_route *route, + enum flow_offload_tuple_dir dir) +{ + struct dst_entry *dst = route->tuple[dir].dst; + + route->tuple[dir].dst = NULL; + + return dst; +} + static void flow_offload_fill_dir(struct flow_offload *flow, struct nf_conn *ct, struct nf_flow_route *route, @@ -29,7 +39,7 @@ flow_offload_fill_dir(struct flow_offload *flow, struct nf_conn *ct, struct flow_offload_tuple *ft = &flow->tuplehash[dir].tuple; struct nf_conntrack_tuple *ctt = &ct->tuplehash[dir].tuple; struct dst_entry *other_dst = route->tuple[!dir].dst; - struct dst_entry *dst = route->tuple[dir].dst; + struct dst_entry *dst = nft_route_dst_fetch(route, dir); ft->dir = dir; -- 2.34.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/7817 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/7817 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5...
participants (2)
-
Liu Jian -
patchwork bot