netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in __nf_conntrack_confirm
[thirdparty/kernel/stable.git] / net / netfilter / nf_conntrack_core.c
index 815956ac5a764bafd4398011e0545789175cdaf9..85de2a7b0ede0ca07f6c63fa75ad4baf3c192c43 100644 (file)
@@ -936,10 +936,18 @@ __nf_conntrack_confirm(struct sk_buff *skb)
         * REJECT will give spurious warnings here.
         */
 
-       /* No external references means no one else could have
-        * confirmed us.
+       /* Another skb with the same unconfirmed conntrack may
+        * win the race. This may happen for bridge(br_flood)
+        * or broadcast/multicast packets do skb_clone with
+        * unconfirmed conntrack.
         */
-       WARN_ON(nf_ct_is_confirmed(ct));
+       if (unlikely(nf_ct_is_confirmed(ct))) {
+               WARN_ON_ONCE(1);
+               nf_conntrack_double_unlock(hash, reply_hash);
+               local_bh_enable();
+               return NF_DROP;
+       }
+
        pr_debug("Confirming conntrack %p\n", ct);
        /* We have to check the DYING flag after unlink to prevent
         * a race against nf_ct_get_next_corpse() possibly called from
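Review bot: The new branch calls `WARN_ON_ONCE(1)` on a path that its own comment describes as an expected race for bridge-flooded and broadcast/multicast clones. If network traffic can reach this path as the comment implies, hosts running with `panic_on_warn` could be taken down by it, and elsewhere the first hit produces a backtrace for a condition that is already handled. Consider dropping the warning and counting the drop instead, for example `NF_CT_STAT_INC(net, drop);` before the unlock, assuming `net` is in scope here as it appears to be for the function's other drop paths, which lie outside this hunk. The comment would also read better as `This may happen for bridge (br_flood) or broadcast/multicast packets that are cloned with skb_clone() while the conntrack is still unconfirmed.` The body of `__nf_conntrack_confirm` starts and ends outside the hunk, so the lock and BH state being undone here could not be checked against where they were taken.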