netfilter: nft_socket: fix erroneous socket assignment

ffmancera · ummakynes · commit 039b1f4f24ec · 2019-09-02T23:20:59.000+02:00
The socket assignment is wrong, see skb_orphan(): When skb->destructor callback is not set, but skb->sk is set, this hits BUG(). Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813 Fixes: 554ced0 ("netfilter: nf_tables: add support for native socket matching") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,
 		return;
 	}
 
-	/* So that subsequent socket matching not to require other lookups. */
-	skb->sk = sk;
-
 	switch(priv->key) {
 	case NFT_SOCKET_TRANSPARENT:
 		nft_reg_store8(dest, inet_sk_transparent(sk));
@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
 		WARN_ON(1);
 		regs->verdict.code = NFT_BREAK;
 	}
+
+	if (sk != skb->sk)
+		sock_gen_put(sk);
 }
 
 static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {

Original file line number	Diff line number	Diff line change
`@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,`
`47`	`47`	`return;`
`48`	`48`	`}`
`49`	`49`
`50`		`- /* So that subsequent socket matching not to require other lookups. */`
`51`		`- skb->sk = sk;`
`52`		`-`
`53`	`50`	`switch(priv->key) {`
`54`	`51`	`case NFT_SOCKET_TRANSPARENT:`
`55`	`52`	`nft_reg_store8(dest, inet_sk_transparent(sk));`
`@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,`
`66`	`63`	`WARN_ON(1);`
`67`	`64`	`regs->verdict.code = NFT_BREAK;`
`68`	`65`	`}`
	`66`	`+`
	`67`	`+ if (sk != skb->sk)`
	`68`	`+ sock_gen_put(sk);`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {`