From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Martin Zaharinov <micron10@gmail.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 022/105] netfilter: nat: cant use dst_hold on noref dst
Date: Fri, 11 Jan 2019 15:13:53 +0100 [thread overview]
Message-ID: <20190111131105.165943651@linuxfoundation.org> (raw)
In-Reply-To: <20190111131102.899065735@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 542fbda0f08f1cbbc250f9e59f7537649651d0c8 ]
The dst entry might already have a zero refcount, waiting on rcu list
to be free'd. Using dst_hold() transitions its reference count to 1, and
next dst release will try to free it again -- resulting in a double free:
WARNING: CPU: 1 PID: 0 at include/net/dst.h:239 nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
RIP: 0010:nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
Code: 48 8b 5c 24 60 65 48 33 1c 25 28 00 00 00 75 53 48 83 c4 68 5b 5d 41 5c c3 85 c0 74 0d 8d 48 01 f0 0f b1 0a 74 86 85 c0 75 f3 <0f> 0b e9 7b ff ff ff 29 c6 31 d2 b9 20 00 48 00 4c 89 e7 e8 31 27
Call Trace:
nf_nat_ipv4_out+0x78/0x90 [nf_nat_ipv4]
nf_hook_slow+0x36/0xd0
ip_output+0x9f/0xd0
ip_forward+0x328/0x440
ip_rcv+0x8a/0xb0
Use dst_hold_safe instead and bail out if we cannot take a reference.
Fixes: a4c2fd7f7891 ("net: remove DST_NOCACHE flag")
Reported-by: Martin Zaharinov <micron10@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_nat_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index af8345fc4fbd..ed0ea64b8d04 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -97,7 +97,8 @@ int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)
dst = skb_dst(skb);
if (dst->xfrm)
dst = ((struct xfrm_dst *)dst)->route;
- dst_hold(dst);
+ if (!dst_hold_safe(dst))
+ return -EHOSTUNREACH;
dst = xfrm_lookup(net, dst, &fl, skb->sk, 0);
if (IS_ERR(dst))
--
2.19.1
next prev parent reply other threads:[~2019-01-11 15:00 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-11 14:13 [PATCH 4.14 000/105] 4.14.93-stable review Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 001/105] pinctrl: meson: fix pull enable register calculation Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 002/105] powerpc: Fix COFF zImage booting on old powermacs Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 003/105] powerpc/mm: Fix linux page tables build with some configs Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 004/105] HID: ite: Add USB id match for another ITE based keyboard rfkill key quirk Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 005/105] ARM: imx: update the cpu power up timing setting on i.mx6sx Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 006/105] ARM: dts: imx7d-nitrogen7: Fix the description of the Wifi clock Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 007/105] Input: restore EV_ABS ABS_RESERVED Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 008/105] checkstack.pl: fix for aarch64 Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 009/105] xfrm: Fix error return code in xfrm_output_one() Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 010/105] xfrm: Fix bucket count reported to userspace Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 011/105] xfrm: Fix NULL pointer dereference in xfrm_input when skb_dst_force clears the dst_entry Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 012/105] netfilter: seqadj: re-load tcp header pointer after possible head reallocation Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 013/105] scsi: bnx2fc: Fix NULL dereference in error handling Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 014/105] Input: omap-keypad - fix idle configuration to not block SoC idle states Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 015/105] Input: synaptics - enable RMI on ThinkPad T560 Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 016/105] ibmvnic: Fix non-atomic memory allocation in IRQ context Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 017/105] ieee802154: ca8210: fix possible u8 overflow in ca8210_rx_done Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 018/105] x86/mm: Fix guard hole handling Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 019/105] x86/dump_pagetables: Fix LDT remap address marker Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 020/105] i40e: fix mac filter delete when setting mac address Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 021/105] netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel Greg Kroah-Hartman
2019-01-11 14:13 ` Greg Kroah-Hartman [this message]
2019-01-11 14:13 ` [PATCH 4.14 023/105] bnx2x: Clear fip MAC when fcoe offload support is disabled Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 024/105] bnx2x: Remove configured vlans as part of unload sequence Greg Kroah-Hartman
2019-01-12 21:22 ` Sudip Mukherjee
2019-01-13 7:04 ` Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 025/105] bnx2x: Send update-svid ramrod with retry/poll flags enabled Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 026/105] scsi: target: iscsi: cxgbit: fix csk leak Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 027/105] scsi: target: iscsi: cxgbit: add missing spin_lock_init() Greg Kroah-Hartman
2019-01-11 14:13 ` [PATCH 4.14 028/105] x86, hyperv: remove PCI dependency Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 029/105] drivers: net: xgene: Remove unnecessary forward declarations Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 030/105] w90p910_ether: remove incorrect __init annotation Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 031/105] net: hns: Incorrect offset address used for some registers Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 032/105] net: hns: All ports can not work when insmod hns ko after rmmod Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 033/105] net: hns: Some registers use wrong address according to the datasheet Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 034/105] net: hns: Fixed bug that netdev was opened twice Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 035/105] net: hns: Clean rx fbd when ae stopped Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 036/105] net: hns: Free irq when exit from abnormal branch Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 037/105] net: hns: Avoid net reset caused by pause frames storm Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 038/105] net: hns: Fix ntuple-filters status error Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 039/105] net: hns: Add mac pcs config when enable|disable mac Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 040/105] net: hns: Fix ping failed when use net bridge and send multicast Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 041/105] SUNRPC: Fix a race with XPRT_CONNECTING Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 042/105] qed: Fix an error code qed_ll2_start_xmit() Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 043/105] net: macb: fix random memory corruption on RX with 64-bit DMA Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 044/105] net: macb: fix dropped RX frames due to a race Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 045/105] lan78xx: Resolve issue with changing MAC address Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 046/105] vxge: ensure data0 is initialized in when fetching firmware version information Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 047/105] mac80211: free skb fraglist before freeing the skb Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 048/105] kbuild: fix false positive warning/error about missing libelf Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 049/105] virtio: fix test build after uio.h change Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 050/105] gpio: mvebu: only fail on missing clk if pwm is actually to be used Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 051/105] Input: synaptics - enable SMBus for HP EliteBook 840 G4 Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 052/105] net: netxen: fix a missing check and an uninitialized use Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 053/105] qmi_wwan: Fix qmap header retrieval in qmimux_rx_fixup Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 054/105] serial/sunsu: fix refcount leak Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 055/105] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 056/105] scsi: lpfc: do not set queue->page_count to 0 if pc_sli4_params.wqpcnt is invalid Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 057/105] genirq/affinity: Dont return with empty affinity masks on error Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 058/105] tools: fix cross-compile var clobbering Greg Kroah-Hartman
2019-01-12 21:18 ` Sudip Mukherjee
2019-01-12 21:35 ` Martin Kelly
2019-01-13 7:10 ` Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 059/105] fork: record start_time late Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 060/105] zram: fix double free backing device Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 061/105] hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 062/105] mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 063/105] mm, devm_memremap_pages: kill mapping "System RAM" support Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 064/105] mm, hmm: use devm semantics for hmm_devmem_{add, remove} Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 065/105] mm, hmm: mark hmm_devmem_{add, add_resource} EXPORT_SYMBOL_GPL Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 066/105] mm, swap: fix swapoff with KSM pages Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 067/105] sunrpc: fix cache_head leak due to queued request Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 068/105] sunrpc: use SVC_NET() in svcauth_gss_* functions Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 069/105] powerpc: avoid -mno-sched-epilog on GCC 4.9 and newer Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 070/105] powerpc: Disable -Wbuiltin-requires-header when setjmp is used Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 071/105] ftrace: Build with CPPFLAGS to get -Qunused-arguments Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 072/105] md: raid10: remove VLAIS Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 073/105] kbuild: add -no-integrated-as Clang option unconditionally Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 074/105] kbuild: consolidate Clang compiler flags Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 075/105] Makefile: Export clang toolchain variables Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 076/105] powerpc/boot: Set target when cross-compiling for clang Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 077/105] raid6/ppc: Fix build " Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 078/105] vhost/vsock: fix uninitialized vhost_vsock->guest_cid Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 079/105] dm verity: fix crash on bufio buffer that was allocated with vmalloc Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 080/105] dm zoned: Fix target BIO completion handling Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 081/105] ALSA: cs46xx: Potential NULL dereference in probe Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 082/105] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 083/105] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 084/105] dlm: fixed memory leaks after failed ls_remove_names allocation Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 085/105] dlm: possible memory leak on error path in create_lkb() Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 086/105] dlm: lost put_lkb on error path in receive_convert() and receive_unlock() Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 087/105] dlm: memory leaks on error path in dlm_user_request() Greg Kroah-Hartman
2019-01-11 14:14 ` [PATCH 4.14 088/105] gfs2: Get rid of potential double-freeing in gfs2_create_inode Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 089/105] gfs2: Fix loop in gfs2_rbm_find Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 090/105] b43: Fix error in cordic routine Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 091/105] selinux: policydb - fix byte order and alignment issues Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 092/105] lockd: Show pid of lockd for remote locks Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 093/105] arm64: drop linker script hack to hide __efistub_ symbols Greg Kroah-Hartman
2019-01-11 18:02 ` Nick Desaulniers
2019-01-12 8:03 ` Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 094/105] arm64: relocatable: fix inconsistencies in linker script and options Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 095/105] powerpc/tm: Set MSR[TS] just prior to recheckpoint Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 096/105] 9p/net: put a lower bound on msize Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 097/105] rxe: fix error completion wr_id and qp_num Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 098/105] iommu/vt-d: Handle domain agaw being less than iommu agaw Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 099/105] sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 100/105] ceph: dont update importing caps mseq when handing cap export Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 101/105] genwqe: Fix size check Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 102/105] intel_th: msu: Fix an off-by-one in attribute store Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 103/105] power: supply: olpc_battery: correct the temperature units Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 104/105] lib: fix build failure in CONFIG_DEBUG_VIRTUAL test Greg Kroah-Hartman
2019-01-11 14:15 ` [PATCH 4.14 105/105] drm/vc4: Set ->is_yuv to false when num_planes == 1 Greg Kroah-Hartman
2019-01-11 21:41 ` [PATCH 4.14 000/105] 4.14.93-stable review shuah
2019-01-12 8:21 ` Naresh Kamboju
2019-01-12 17:44 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190111131105.165943651@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=micron10@gmail.com \
--cc=pablo@netfilter.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).