From: Jakub Kicinski <kuba@kernel.org>
Date: Thu, 11 Jul 2024 19:57:57 +0000 (-0700)
Subject: Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
X-Git-Tag: v6.11-rc1~163^2~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c8267275de6989a9b682a07d75e89395457ee01;p=thirdparty%2Fkernel%2Flinux.git

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Cross-merge networking fixes after downstream PR.

Conflicts:

net/sched/act_ct.c
  26488172b029 ("net/sched: Fix UAF when resolving a clash")
  3abbd7ed8b76 ("act_ct: prepare for stolen verdict coming from conntrack and nat engine")

No adjacent changes.

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

7c8267275de6989a9b682a07d75e89395457ee01
diff --cc net/sched/act_ct.c
index a6b7c514a181c,6fa3cca87d346..113b907da0f75
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@@ -1078,9 -1075,16 +1078,17 @@@ do_nat
  		/* This will take care of sending queued events
  		 * even if the connection is already confirmed.
  		 */
 -		if (nf_conntrack_confirm(skb) != NF_ACCEPT)
 -			goto drop;
 +		err = nf_conntrack_confirm(skb);
 +		if (err != NF_ACCEPT)
 +			goto nf_error;
+ 
+ 		/* The ct may be dropped if a clash has been resolved,
+ 		 * so it's necessary to retrieve it from skb again to
+ 		 * prevent UAF.
+ 		 */
+ 		ct = nf_ct_get(skb, &ctinfo);
+ 		if (!ct)
+ 			skip_add = true;
  	}
  
  	if (!skip_add)