netfilter: nf_queue: don't assume sk is full socket

There is no guarantee that state->sk refers to a full socket. If refcount transitions to 0, sock_put calls sk_free which then ends up with garbage fields. I'd like to thank Oleksandr Natalenko and Jiri Benc for considerable debug work and pointing out state->sk oddities. Fixes: ca6fb065 ("tcp: attach SYNACK messages to request sockets instead of listener") Tested-by: Oleksandr Natalenko <oleksandr@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>

netfilter: nf_queue: don't assume sk is full socket
There is no guarantee that state->sk refers to a full socket. If refcount transitions to 0, sock_put calls sk_free which then ends up with garbage fields. I'd like to thank Oleksandr Natalenko and Jiri Benc for considerable debug work and pointing out state->sk oddities. Fixes: ca6fb065 ("tcp: attach SYNACK messages to request sockets instead of listener") Tested-by: Oleksandr Natalenko <oleksandr@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
747670fd · Florian Westphal · 17a8f31b · 747670fd
Commit 747670fd authored Feb 25, 2022 by Florian Westphal
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

net/netfilter/nf_queue.c net/netfilter/nf_queue.c +10 -1

No files found.
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -46,6 +46,15 @@ void nf_unregister_queue_handler(void)
 }
 EXPORT_SYMBOL(nf_unregister_queue_handler);

+static void nf_queue_sock_put(struct sock *sk)
+{
+#ifdef CONFIG_INET
+	sock_gen_put(sk);
+#else
+	sock_put(sk);
+#endif
+}
+
 static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
 {
 	struct nf_hook_state *state = &entry->state;
@@ -54,7 +63,7 @@ static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
 	dev_put(state->in);
 	dev_put(state->out);
 	if (state->sk)
-		sock_put(state->sk);
+		nf_queue_sock_put(state->sk);

 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 	dev_put(entry->physin);