From: Vasiliy Kovalev
To: stable@vger.kernel.org
Cc: "David S . Miller" , Jamal Hadi Salim , Marcelo Ricardo Leitner , netdev@vger.kernel.org, lvc-project@linuxtesting.org, kovalev@altlinux.org
Subject: [PATCH 5.10.y] net/sched: act_ct: fix ref leak when switching zones
Date: Tue, 21 Apr 2026 16:24:47 +0300
Message-Id: <20260421132447.38455-1-kovalev@altlinux.org>
X-Mailer: git-send-email 2.33.8
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Marcelo Ricardo Leitner

commit bcb74e132a76ce0502bb33d5b65533a4ed72d159 upstream.

When switching zones or network namespaces without doing a ct clear in
between, it is now leaking a reference to the old ct entry. That's
because tcf_ct_skb_nfct_cached() returns false and
tcf_ct_flow_table_lookup() may simply overwrite it.

The fix is to, as the ct entry is not reusable, free it already at
tcf_ct_skb_nfct_cached().

Reported-by: Florian Westphal
Fixes: 2f131de361f6 ("net/sched: act_ct: Fix flow table lookup after ct clear or switching zones")
Signed-off-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
[ kovalev: bp to fix CVE-2022-49183; used nf_conntrack_put(&ct->ct_general)
  instead of nf_ct_put(ct) due to the older kernel not yet having the
  conversion from the indirect call (see upstream commit 408bdcfce8df) ]
Signed-off-by: Vasiliy Kovalev
---
 net/sched/act_ct.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index d9748c917a50..d75f4b2b97da 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -589,22 +589,25 @@ static bool tcf_ct_skb_nfct_cached(struct net *net, struct sk_buff *skb, if (!ct) return false; if (!net_eq(net, read_pnet(&ct->ct_net))) - return false; + goto drop_ct; if (nf_ct_zone(ct)->id != zone_id) - return false; + goto drop_ct; /* Force conntrack entry direction. */ if (force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { if (nf_ct_is_confirmed(ct)) nf_ct_kill(ct); - nf_conntrack_put(&ct->ct_general); - nf_ct_set(skb, NULL, IP_CT_UNTRACKED); - - return false; + goto drop_ct; } return true; + +drop_ct: + nf_conntrack_put(&ct->ct_general); + nf_ct_set(skb, NULL, IP_CT_UNTRACKED); + + return false; } /* Trim the skb to the length specified by the IP/IPv6 header, -- 2.50.1
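Review bot: the new drop_ct label would benefit from a short comment explaining why the two mismatch exits (`if (!net_eq(net, read_pnet(&ct->ct_net)))` and `if (nf_ct_zone(ct)->id != zone_id)`) only release the skb's hold on the entry with nf_conntrack_put(&ct->ct_general) and then clear it via `nf_ct_set(skb, NULL, IP_CT_UNTRACKED)`, while the force branch additionally calls nf_ct_kill(ct) first: an entry that belongs to a different zone or netns may still be legitimately tracked there, so it must not be killed, but leaving the skb's pointer in place on a plain `return false` is exactly what let tcf_ct_flow_table_lookup() overwrite it and leak the reference, as the commit message describes. A reader of the 5.10 branch would otherwise have to infer this from the changelog. Using nf_conntrack_put(&ct->ct_general) at the label is consistent with the call the hunk removes from the force branch, so the backport note about this kernel lacking nf_ct_put(ct) checks out against the visible code.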