Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755312AbdLOJwl (ORCPT ); Fri, 15 Dec 2017 04:52:41 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:35882 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1756241AbdLOJwh (ORCPT ); Fri, 15 Dec 2017 04:52:37 -0500
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, Pablo Neira Ayuso
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Debabrata Banerjee
Subject: [PATCH 4.9 16/27] Fix handling of verdicts after NF_QUEUE
Date: Fri, 15 Dec 2017 10:51:59 +0100
Message-Id: <20171215092258.755929284@linuxfoundation.org>
X-Mailer: git-send-email 2.15.1
In-Reply-To: <20171215092257.674368056@linuxfoundation.org>
References: <20171215092257.674368056@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1125
Lines: 38

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Debabrata Banerjee

[This fix is only needed for v4.9 stable since v4.10+ does not have the issue]

A verdict of NF_STOLEN after NF_QUEUE will cause an incorrect return value
and a potential kernel panic via double free of skb's

This was broken by commit 7034b566a4e7 ("netfilter: fix nf_queue handling")
and subsequently fixed in v4.10 by commit c63cbc460419 ("netfilter:
use switch() to handle verdict cases from nf_hook_slow()"). However that
commit cannot be cleanly cherry-picked to v4.9

Signed-off-by: Debabrata Banerjee
Acked-by: Pablo Neira Ayuso

---
 net/netfilter/core.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -364,6 +364,11 @@ next_hook: ret = nf_queue(skb, state, &entry, verdict); if (ret == 1 && entry) goto next_hook; + } else { + /* Implicit handling for NF_STOLEN, as well as any other + * non conventional verdicts. + */ + ret = 0; } return ret; }
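Review bot: The added else branch after the nf_queue() call is a catch-all: it sets ret = 0 for every verdict the preceding branches did not match, so an unexpected or corrupted verdict value is reported as success in exactly the same way as NF_STOLEN. The comment acknowledges this ("as well as any other non conventional verdicts") but does not say why 0 is the required return value, even though the commit message ties the wrong return value to a double free of the skb. Please extend the comment to state that reason, so a later reader does not "fix" the return to an error code, and consider whether verdicts other than NF_STOLEN reaching this branch should at least emit a WARN_ON_ONCE() before returning 0. Minor style point: "non conventional" should be hyphenated as "non-conventional".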