--- /dev/null
+From xiyou.wangcong@gmail.com Sat Nov 28 11:07:47 2020
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 20 Nov 2020 19:43:17 -0800
+Subject: netfilter: clear skb->next in NF_HOOK_LIST()
+To: netdev@vger.kernel.org
+Cc: Cong Wang <cong.wang@bytedance.com>, liuzx@knownsec.com, Florian Westphal <fw@strlen.de>, Edward Cree <ecree@solarflare.com>, stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Message-ID: <20201121034317.577081-1-xiyou.wangcong@gmail.com>
+
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+NF_HOOK_LIST() uses list_del() to remove skb from the linked list,
+however, it is not sufficient as skb->next still points to other
+skb. We should just call skb_list_del_init() to clear skb->next,
+like the rest places which using skb list.
+
+This has been fixed in upstream by commit ca58fbe06c54
+("netfilter: add and use nf_hook_slow_list()").
+
+Fixes: 9f17dbf04ddf ("netfilter: fix use-after-free in NF_HOOK_LIST")
+Reported-by: liuzx@knownsec.com
+Tested-by: liuzx@knownsec.com
+Cc: Florian Westphal <fw@strlen.de>
+Cc: Edward Cree <ecree@solarflare.com>
+Cc: stable@vger.kernel.org # between 4.19 and 5.4
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -316,7 +316,7 @@ NF_HOOK_LIST(uint8_t pf, unsigned int ho
+
+ INIT_LIST_HEAD(&sublist);
+ list_for_each_entry_safe(skb, next, head, list) {
+- list_del(&skb->list);
++ skb_list_del_init(skb);
+ if (nf_hook(pf, hook, net, sk, skb, in, out, okfn) == 1)
+ list_add_tail(&skb->list, &sublist);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
