--- /dev/null
+From 34243b9ec856309339172b1507379074156947e8 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 23 Jan 2022 15:24:00 +0100
+Subject: netfilter: nft_ct: fix use after free when attaching zone template
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 34243b9ec856309339172b1507379074156947e8 upstream.
+
+The conversion erroneously removed the refcount increment.
+In case we can use the percpu template, we need to increment
+the refcount, else it will be released when the skb gets freed.
+
+In case the slowpath is taken, the new template already has a
+refcount of 1.
+
+Fixes: 719774377622 ("netfilter: conntrack: convert to refcount_t api")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_ct.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -260,9 +260,12 @@ static void nft_ct_set_zone_eval(const s
+ ct = this_cpu_read(nft_ct_pcpu_template);
+
+ if (likely(refcount_read(&ct->ct_general.use) == 1)) {
++ refcount_inc(&ct->ct_general.use);
+ nf_ct_zone_add(ct, &zone);
+ } else {
+- /* previous skb got queued to userspace */
++ /* previous skb got queued to userspace, allocate temporary
++ * one until percpu template can be reused.
++ */
+ ct = nf_ct_tmpl_alloc(nft_net(pkt), &zone, GFP_ATOMIC);
+ if (!ct) {
+ regs->verdict.code = NF_DROP;
projects / thirdparty / kernel / stable-queue.git / commitdiff
