git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Mon, 28 Feb 2022 23:46:19 +0000 (00:46 +0100)
committer	Paolo Pisati <paolo.pisati@canonical.com>
	Wed, 9 Mar 2022 14:17:53 +0000 (15:17 +0100)
commit	698adf3a6a14712255b3f4b09990a1d48a31f416
tree	315a7bbb8cc4a50aa3b353423a22aeda66d176bc	tree
parent	0749882792b4d3b42a365f330c6848db979dbc31	commit \| diff

netfilter: nf_queue: handle socket prefetch

BugLink: https://bugs.launchpad.net/bugs/1964361
commit 3b836da4081fa585cf6c392f62557496f2cb0efe upstream.

In case someone combines bpf socket assign and nf_queue, then we will
queue an skb who references a struct sock that did not have its
reference count incremented.

As we leave rcu protection, there is no guarantee that skb->sk is still
valid.

For refcount-less skb->sk case, try to increment the reference count
and then override the destructor.

In case of failure we have two choices: orphan the skb and 'delete'
preselect or let nf_queue() drop the packet.

Do the latter, it should not happen during normal operation.

Fixes: cf7fbe660f2d ("bpf: Add socket assign support")
Acked-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>