6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Mar 2026 16:11:34 +0000 (17:11 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Mar 2026 16:11:34 +0000 (17:11 +0100)
added patches:
net-sched-only-allow-act_ct-to-bind-to-clsact-ingress-qdiscs-and-shared-blocks.patch

queue-6.6/net-sched-only-allow-act_ct-to-bind-to-clsact-ingress-qdiscs-and-shared-blocks.patch [new file with mode: 0644]
queue-6.6/series

diff --git a/queue-6.6/net-sched-only-allow-act_ct-to-bind-to-clsact-ingress-qdiscs-and-shared-blocks.patch b/queue-6.6/net-sched-only-allow-act_ct-to-bind-to-clsact-ingress-qdiscs-and-shared-blocks.patch
new file mode 100644 (file)
index 0000000..367a112
--- /dev/null
@@ -0,0 +1,89 @@
+From 11cb63b0d1a0685e0831ae3c77223e002ef18189 Mon Sep 17 00:00:00 2001
+From: Victor Nogueira <victor@mojatatu.com>
+Date: Wed, 25 Feb 2026 10:43:48 -0300
+Subject: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
+
+From: Victor Nogueira <victor@mojatatu.com>
+
+commit 11cb63b0d1a0685e0831ae3c77223e002ef18189 upstream.
+
+As Paolo said earlier [1]:
+
+"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
+the current skb being held by the defragmentation engine. As reported by
+GangMin Kim, if such packet is that may cause a UaF when the defrag engine
+later on tries to tuch again such packet."
+
+act_ct was never meant to be used in the egress path, however some users
+are attaching it to egress today [2]. Attempting to reach a middle
+ground, we noticed that, while most qdiscs are not handling
+TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
+address the issue by only allowing act_ct to bind to clsact/ingress
+qdiscs and shared blocks. That way it's still possible to attach act_ct to
+egress (albeit only with clsact).
+
+[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
+[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
+
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Fixes: 3f14b377d01d ("net/sched: act_ct: fix skb leak and crash on ooo frags")
+CC: stable@vger.kernel.org
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260225134349.1287037-1-victor@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/act_api.h |    1 +
+ net/sched/act_ct.c    |    6 ++++++
+ net/sched/cls_api.c   |    7 +++++++
+ 3 files changed, 14 insertions(+)
+
+--- a/include/net/act_api.h
++++ b/include/net/act_api.h
+@@ -68,6 +68,7 @@ struct tc_action {
+ #define TCA_ACT_FLAGS_REPLACE (1U << (TCA_ACT_FLAGS_USER_BITS + 2))
+ #define TCA_ACT_FLAGS_NO_RTNL (1U << (TCA_ACT_FLAGS_USER_BITS + 3))
+ #define TCA_ACT_FLAGS_AT_INGRESS      (1U << (TCA_ACT_FLAGS_USER_BITS + 4))
++#define TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT    (1U << (TCA_ACT_FLAGS_USER_BITS + 5))
+ /* Update lastuse only if needed, to avoid dirtying a cache line.
+  * We use a temp variable to avoid fetching jiffies twice.
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -1327,6 +1327,12 @@ static int tcf_ct_init(struct net *net,
+               return -EINVAL;
+       }
++      if (bind && !(flags & TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT)) {
++              NL_SET_ERR_MSG_MOD(extack,
++                                 "Attaching ct to a non ingress/clsact qdisc is unsupported");
++              return -EOPNOTSUPP;
++      }
++
+       err = nla_parse_nested(tb, TCA_CT_MAX, nla, ct_policy, extack);
+       if (err < 0)
+               return err;
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -2151,6 +2151,11 @@ static bool is_qdisc_ingress(__u32 class
+       return (TC_H_MIN(classid) == TC_H_MIN(TC_H_MIN_INGRESS));
+ }
++static bool is_ingress_or_clsact(struct tcf_block *block, struct Qdisc *q)
++{
++      return tcf_block_shared(block) || (q && !!(q->flags & TCQ_F_INGRESS));
++}
++
+ static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
+                         struct netlink_ext_ack *extack)
+ {
+@@ -2344,6 +2349,8 @@ replay:
+               flags |= TCA_ACT_FLAGS_NO_RTNL;
+       if (is_qdisc_ingress(parent))
+               flags |= TCA_ACT_FLAGS_AT_INGRESS;
++      if (is_ingress_or_clsact(block, q))
++              flags |= TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT;
+       err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
+                             flags, extack);
+       if (err == 0) {
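Review bot: In the net/sched/cls_api.c part of the added patch, `is_ingress_or_clsact()` returns true for every shared block without saying why that is safe. The use-after-free fix depends on that branch, because a filter on a shared block passes the new `bind` check in `tcf_ct_init()` whatever `q` is. A comment above the helper would record the reasoning, e.g. `/* Shared blocks are accepted on the assumption that they are only attached via ingress/clsact qdiscs, which handle TC_ACT_CONSUMED; q is presumably NULL when the filter is addressed by block index. */`. That assumption is inferred from the commit message and the `q &&` guard, not from visible code, so it should be confirmed against the block-binding paths in the 6.6 tree. As a style point, the `!!` is redundant in a `bool` function whose operand already feeds `&&`, and the extack text in `tcf_ct_init()` names only ingress/clsact although shared blocks are accepted too; the bodies of `tcf_ct_init()` and `tc_new_tfilter()` continue outside the inner hunks.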
index 4211ce576702c827876b065f08ccce9b8c9733f5..7a7daeff13e963ff68229770cdf18c0b8e6f0dd9 100644 (file)
@@ -182,3 +182,4 @@ i40e-use-xdp.frame_sz-as-xdp-rxq-info-frag_size.patch
 xdp-produce-a-warning-when-calculated-tailroom-is-ne.patch
 selftest-arm64-fix-sve2p1_sigill-to-hwcap-test.patch
 tracing-add-null-pointer-check-to-trigger_data_free.patch
+net-sched-only-allow-act_ct-to-bind-to-clsact-ingress-qdiscs-and-shared-blocks.patch