From: Florian Westphal fw@strlen.de
stable inclusion from stable-v5.10.104 commit 81f817f3e559d3e4e56110f6132f8322a97fbc8c bugzilla: https://gitee.com/openeuler/kernel/issues/I56XAC
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 3b836da4081fa585cf6c392f62557496f2cb0efe upstream.
In case someone combines bpf socket assign and nf_queue, then we will queue an skb who references a struct sock that did not have its reference count incremented.
As we leave rcu protection, there is no guarantee that skb->sk is still valid.
For refcount-less skb->sk case, try to increment the reference count and then override the destructor.
In case of failure we have two choices: orphan the skb and 'delete' preselect or let nf_queue() drop the packet.
Do the latter, it should not happen during normal operation.
Fixes: cf7fbe660f2d ("bpf: Add socket assign support") Acked-by: Joe Stringer joe@cilium.io Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Yu Liao liaoyu15@huawei.com Reviewed-by: Wei Li liwei391@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- net/netfilter/nf_queue.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c index 543904249f7e..bb8607ff94bc 100644 --- a/net/netfilter/nf_queue.c +++ b/net/netfilter/nf_queue.c @@ -189,6 +189,18 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state, break; }
+ if (skb_sk_is_prefetched(skb)) { + struct sock *sk = skb->sk; + + if (!sk_is_refcounted(sk)) { + if (!refcount_inc_not_zero(&sk->sk_refcnt)) + return -ENOTCONN; + + /* drop refcount on skb_orphan */ + skb->destructor = sock_edemux; + } + } + entry = kmalloc(sizeof(*entry) + route_key_size, GFP_ATOMIC); if (!entry) return -ENOMEM;