From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Fernando Fernandez Mancera <ffmancera@riseup.net>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 60/63] netfilter: nft_socket: fix erroneous socket assignment
Date: Sun, 29 Sep 2019 15:54:33 +0200 [thread overview]
Message-ID: <20190929135041.228856362@linuxfoundation.org> (raw)
In-Reply-To: <20190929135031.382429403@linuxfoundation.org>
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
[ Upstream commit 039b1f4f24ecc8493b6bb9d70b4b78750d1b35c2 ]
The socket assignment is wrong, see skb_orphan():
When skb->destructor callback is not set, but skb->sk is set, this hits BUG().
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_socket.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index d7f3776dfd719..637ce3e8c575c 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,
return;
}
- /* So that subsequent socket matching not to require other lookups. */
- skb->sk = sk;
-
switch(priv->key) {
case NFT_SOCKET_TRANSPARENT:
nft_reg_store8(dest, inet_sk_transparent(sk));
@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
}
+
+ if (sk != skb->sk)
+ sock_gen_put(sk);
}
static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
--
2.20.1
next prev parent reply other threads:[~2019-09-29 14:00 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-29 13:53 [PATCH 4.19 00/63] 4.19.76-stable review Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 01/63] Revert "Bluetooth: validate BLE connection interval updates" Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 02/63] net/ibmvnic: free reset work of removed device from queue Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 03/63] RDMA/restrack: Protect from reentry to resource return path Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 04/63] powerpc/xive: Fix bogus error code returned by OPAL Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 05/63] drm/amd/display: readd -msse2 to prevent Clang from emitting libcalls to undefined SW FP routines Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 06/63] IB/core: Add an unbound WQ type to the new CQ API Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 07/63] HID: prodikeys: Fix general protection fault during probe Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 08/63] HID: sony: Fix memory corruption issue on cleanup Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 09/63] HID: logitech: Fix general protection fault caused by Logitech driver Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 10/63] HID: hidraw: Fix invalid read in hidraw_ioctl Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 11/63] HID: Add quirk for HP X500 PIXART OEM mouse Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 12/63] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 13/63] crypto: talitos - fix missing break in switch statement Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 14/63] CIFS: fix deadlock in cached root handling Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 15/63] net/mlx5e: Set ECN for received packets using CQE indication Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 16/63] net/mlx5e: dont set CHECKSUM_COMPLETE on SCTP packets Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 17/63] mlx5: fix get_ip_proto() Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 18/63] net/mlx5e: Allow reporting of checksum unnecessary Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 19/63] net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 20/63] net/mlx5e: Rx, Fixup skb checksum for packets with tail padding Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 21/63] net/mlx5e: Rx, Check ip headers sanity Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 22/63] iwlwifi: mvm: send BCAST management frames to the right station Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 23/63] iwlwifi: mvm: always init rs_fw with 20MHz bandwidth rates Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 24/63] media: tvp5150: fix switch exit in set control handler Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 25/63] ASoC: Intel: cht_bsw_max98090_ti: Enable codec clock once and keep it enabled Greg Kroah-Hartman
2019-09-29 13:53 ` [PATCH 4.19 26/63] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 27/63] ALSA: usb-audio: Add Hiby device family to quirks for native DSD support Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 28/63] ALSA: usb-audio: Add DSD support for EVGA NU Audio Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 29/63] ALSA: dice: fix wrong packet parameter for Alesis iO26 Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 30/63] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 31/63] ALSA: hda - Apply AMD controller workaround for Raven platform Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 32/63] objtool: Clobber user CFLAGS variable Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 33/63] tpm: Fix TPM 1.2 Shutdown sequence to prevent future TPM operations Greg Kroah-Hartman
2019-09-30 6:13 ` Pavel Machek
2019-09-30 12:57 ` Sasha Levin
2019-10-01 20:56 ` Jarkko Sakkinen
2019-09-29 13:54 ` [PATCH 4.19 34/63] pinctrl: sprd: Use define directive for sprd_pinconf_params values Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 35/63] power: supply: sysfs: ratelimit property read error message Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 36/63] locking/lockdep: Add debug_locks check in __lock_downgrade() Greg Kroah-Hartman
2019-09-29 14:43 ` Tetsuo Handa
2019-09-29 14:49 ` Greg Kroah-Hartman
2019-09-30 0:28 ` Sasha Levin
2019-09-30 1:46 ` Tetsuo Handa
2019-09-30 11:35 ` Sasha Levin
2019-09-30 14:00 ` Waiman Long
2019-10-01 22:20 ` Sasha Levin
2019-10-02 13:16 ` Waiman Long
2019-09-29 13:54 ` [PATCH 4.19 37/63] locking/lockdep: Add debug_locks check in __lock_downgrade() - again Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 38/63] scsi: qla2xxx: Turn off IOCB timeout timer on IOCB completion Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 39/63] scsi: qla2xxx: Remove all rports if fabric scan retry fails Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 40/63] scsi: qla2xxx: Return switch command on a timeout Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 41/63] Revert "drm/amd/powerplay: Enable/Disable NBPSTATE on On/OFF of UVD" Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 42/63] bpf: libbpf: retry loading program on EAGAIN Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 43/63] irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 44/63] f2fs: check all the data segments against all node ones Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 45/63] PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 46/63] bcache: remove redundant LIST_HEAD(journal) from run_cache_set() Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 47/63] initramfs: dont free a non-existent initrd Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 48/63] blk-mq: change gfp flags to GFP_NOIO in blk_mq_realloc_hw_ctxs Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 49/63] blk-mq: move cancel of requeue_work to the front of blk_exit_queue Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 50/63] Revert "f2fs: avoid out-of-range memory access" Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 51/63] dm zoned: fix invalid memory access Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 52/63] net/ibmvnic: Fix missing { in __ibmvnic_reset Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 53/63] f2fs: fix to do sanity check on segment bitmap of LFS curseg Greg Kroah-Hartman
2019-09-30 7:21 ` Pavel Machek
2019-09-30 7:36 ` Chao Yu
2019-09-30 13:22 ` Sasha Levin
2019-09-29 13:54 ` [PATCH 4.19 54/63] drm: Flush output polling on shutdown Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 55/63] net: dont warn in inet diag when IPV6 is disabled Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 56/63] Bluetooth: btrtl: HCI reset on close for Realtek BT chip Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 57/63] ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35 Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 58/63] drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 59/63] xfs: dont crash on null attr fork xfs_bmapi_read Greg Kroah-Hartman
2019-09-29 13:54 ` Greg Kroah-Hartman [this message]
2019-09-29 13:54 ` [PATCH 4.19 61/63] Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 62/63] net_sched: check cops->tcf_block in tc_bind_tclass() Greg Kroah-Hartman
2019-09-29 13:54 ` [PATCH 4.19 63/63] net/rds: An rds_sock is added too early to the hash table Greg Kroah-Hartman
2019-09-29 19:00 ` [PATCH 4.19 00/63] 4.19.76-stable review kernelci.org bot
2019-09-30 18:30 ` Guenter Roeck
2019-09-30 22:44 ` shuah
2019-10-01 1:05 ` Dan Rue
2019-10-01 14:58 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190929135041.228856362@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ffmancera@riseup.net \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).