From: Florian Westphal <[email protected]>
Date: Wed, 26 Jun 2019 20:40:45 +0200
> netfilter did not expect that skb_dst_force() can cause skb to lose its
> dst entry.
>
> I got a bug report with a skb->dst NULL dereference in netfilter
> output path. The backtrace contains nf_reinject(), so the dst might have
> been cleared when skb got queued to userspace.
>
> Other users were fixed via
>     if (skb_dst(skb)) {
>         skb_dst_force(skb);
>         if (!skb_dst(skb))
>             goto handle_err;
>     }
>
> But I think it's preferable to make the 'dst might be cleared' part
> of the function explicit.
>
> In netfilter case, skb with a null dst is expected when queueing in
> prerouting hook, so drop skb for the other hooks.
>
> v2:
> v1 of this patch returned true in case skb had no dst entry.
> Eric said:
> Say if we have two skb_dst_force() calls for some reason
> on the same skb, only the first one will return false.
>
> This now returns false even when skb had no dst, as per Eric's
> suggestion, so callers might need to check skb_dst() first before
> skb_dst_force().
>
> Signed-off-by: Florian Westphal <[email protected]>
...
> Alternatively this could be routed via netfilter tree, let me
> know your preference.
Applied and I'll queue this up for -stable, thanks Florian.
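The following is an added userspace model of the behaviour discussed in the patch, not code from the patch itself or from the kernel tree. It mirrors the kernel names (skb_dst, skb_dst_is_noref, dst_hold_safe, skb_dst_force) on simplified stand-in structures so the two return-value semantics can be compared side by side: the v1 variant that reported success for an skb with no dst at all, and the v2 variant that returns false whenever the skb ends up without a dst. The nf_hook enum and nf_queue_keep_skb() are hypothetical stand-ins for the netfilter queueing decision the mail describes (null dst tolerated only in prerouting).

```c
/* Added example: userspace model of skb dst reference semantics.
 * Not kernel code; structures are simplified stand-ins. */
#include <stdbool.h>
#include <stdio.h>

#define SKB_DST_NOREF   1UL            /* low bit: dst is not refcounted by this skb */
#define SKB_DST_PTRMASK (~SKB_DST_NOREF)

struct dst_entry {
    int refcnt;                        /* model of the kernel's atomic refcount */
};

struct sk_buff {
    unsigned long _skb_refdst;         /* dst pointer plus NOREF flag bit */
};

/* Model of dst_hold_safe(): take a reference only if the count is
 * still non-zero, i.e. the dst is not already on its way to being freed. */
static bool dst_hold_safe(struct dst_entry *dst)
{
    if (dst->refcnt == 0)
        return false;
    dst->refcnt++;
    return true;
}

static struct dst_entry *skb_dst(const struct sk_buff *skb)
{
    return (struct dst_entry *)(skb->_skb_refdst & SKB_DST_PTRMASK);
}

static bool skb_dst_is_noref(const struct sk_buff *skb)
{
    return (skb->_skb_refdst & SKB_DST_NOREF) && skb_dst(skb) != NULL;
}

/* v2 semantics: convert a noref dst into a refcounted one, clearing it
 * if the reference cannot be taken. Returns false whenever the skb has
 * no dst afterwards, including when it had none to begin with, so a
 * second call on the same skb gives the same answer as the first. */
static bool skb_dst_force(struct sk_buff *skb)
{
    if (skb_dst_is_noref(skb)) {
        struct dst_entry *dst = skb_dst(skb);
        if (!dst_hold_safe(dst))
            dst = NULL;                /* dst was dying: skb loses it */
        skb->_skb_refdst = (unsigned long)dst;
    }
    return skb->_skb_refdst != 0UL;
}

/* v1 semantics Eric objected to: only the failed conversion itself
 * reports false, so an skb that already has no dst returns true. */
static bool skb_dst_force_v1(struct sk_buff *skb)
{
    if (skb_dst_is_noref(skb)) {
        struct dst_entry *dst = skb_dst(skb);
        if (!dst_hold_safe(dst)) {
            skb->_skb_refdst = 0UL;
            return false;
        }
        skb->_skb_refdst = (unsigned long)dst;
    }
    return true;
}

enum nf_hook { NF_PRE_ROUTING, NF_LOCAL_OUT };   /* hypothetical subset */

/* Hypothetical queueing decision: a null dst is expected only in the
 * prerouting hook; every other hook drops the skb instead of queueing
 * it and later dereferencing a NULL dst on reinject. */
static bool nf_queue_keep_skb(struct sk_buff *skb, enum nf_hook hook)
{
    if (!skb_dst_force(skb) && hook != NF_PRE_ROUTING)
        return false;
    return true;
}

int main(void)
{
    struct dst_entry dying = { .refcnt = 0 };   /* constructed: dst being freed */
    struct sk_buff skb = { ._skb_refdst = (unsigned long)&dying | SKB_DST_NOREF };

    printf("v2 first call: %d, second call: %d\n",
           skb_dst_force(&skb), skb_dst_force(&skb));

    skb._skb_refdst = (unsigned long)&dying | SKB_DST_NOREF;
    printf("v1 first call: %d, second call: %d\n",
           skb_dst_force_v1(&skb), skb_dst_force_v1(&skb));
    return 0;
}
```

With a dying dst, v2 answers false on both calls, while v1 answers false once and then true, which is exactly the double-call case quoted from Eric.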