From: David Miller <davem@davemloft.net>
To: fw@strlen.de
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com,
	netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net v2] net: make skb_dst_force return true when dst is refcounted
Date: Sat, 29 Jun 2019 11:02:16 -0700 (PDT)
Message-ID: <20190629.110216.897222978158891297.davem@davemloft.net>
In-Reply-To: <20190626184045.2922-1-fw@strlen.de>

From: Florian Westphal <fw@strlen.de>
Date: Wed, 26 Jun 2019 20:40:45 +0200

> netfilter did not expect that skb_dst_force() can cause skb to lose its
> dst entry.
> 
> I got a bug report with a skb->dst NULL dereference in netfilter
> output path.  The backtrace contains nf_reinject(), so the dst might have
> been cleared when skb got queued to userspace.
> 
> Other users were fixed via
> if (skb_dst(skb)) {
> 	skb_dst_force(skb);
> 	if (!skb_dst(skb))
> 		goto handle_err;
> }
> 
> But I think it's preferable to make the 'dst might be cleared' part
> of the function explicit.
> 
> In netfilter case, skb with a null dst is expected when queueing in
> prerouting hook, so drop skb for the other hooks.
> 
> v2:
>  v1 of this patch returned true in case skb had no dst entry.
>  Eric said:
>    Say if we have two skb_dst_force() calls for some reason
>    on the same skb, only the first one will return false.
> 
>  This now returns false even when skb had no dst, as per Eric's
>  suggestion, so callers might need to check skb_dst() first before
>  skb_dst_force().
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
 ...
>  Alternatively this could be routed via netfilter tree, let me
>  know your preference.

Applied and I'll queue this up for -stable, thanks Florian.
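
Added example, not part of this thread and not the kernel patch: a userspace C model of the v2 return-value contract described in the quoted commit message, showing why the caller checks for a dst before forcing it and why repeated calls give the same answer. All `model_*` names and the refcount layout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not kernel code. */
struct model_dst { int refcnt; };   /* refcnt 0: entry is already being released */
struct model_skb { struct model_dst *dst; bool noref; };

/* Take a reference only while the entry is still live. */
static bool model_dst_hold_safe(struct model_dst *d)
{
    if (d->refcnt == 0)
        return false;
    d->refcnt++;
    return true;
}

/* v2 semantics: true only if the skb holds a refcounted dst on return. */
static bool model_skb_dst_force(struct model_skb *skb)
{
    if (skb->dst && skb->noref) {
        if (!model_dst_hold_safe(skb->dst))
            skb->dst = NULL;        /* the "dst might be cleared" case */
        skb->noref = false;
    }
    return skb->dst != NULL;
}

enum model_verdict { MODEL_QUEUED, MODEL_DROPPED };

/* Caller checks for a dst first, so a packet that never had one is still queued. */
static enum model_verdict model_queue(struct model_skb *skb)
{
    if (skb->dst && !model_skb_dst_force(skb))
        return MODEL_DROPPED;       /* had a dst, lost it: do not dereference later */
    return MODEL_QUEUED;
}

/* Constructed scenarios: live is the dst refcount, or -1 for "no dst attached". */
static enum model_verdict model_run(int live, int *second_call)
{
    struct model_dst d = { live };
    struct model_skb skb = { live < 0 ? NULL : &d, true };
    enum model_verdict v = model_queue(&skb);
    *second_call = model_skb_dst_force(&skb);   /* repeated call, same answer */
    return v;
}

int main(void)
{
    int again;
    enum model_verdict v = model_run(0, &again);
    printf("dying dst: verdict=%d second_call=%d\n", (int)v, again);
    return 0;
}
```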
