netfilter: nft_socket: fix sk refcount leaks
[ Upstream commit 8b26ff7af8c32cb4148b3e147c52f9e4c695209c ]
We must put 'sk' reference before returning.
BUG=b/371156341
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2024-46855 in the Linux kernel.
cos-patch: security-moderate
Fixes: 039b1f4f24ec ("netfilter: nft_socket: fix erroneous socket assignment")
Change-Id: I748a9749bf46b5f42c0dcf9ff73add7ae48761d8
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kernel CVE Triage Automation <cloud-image-kernel-cve-triage-automation@prod.google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/82919
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Shuo Yang <gshuoy@google.com>
Reviewed-by: Anil Altinay <aaltinay@google.com>
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index f28324f..0f37738 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -110,13 +110,13 @@ static void nft_socket_eval(const struct nft_expr *expr,
*dest = READ_ONCE(sk->sk_mark);
} else {
regs->verdict.code = NFT_BREAK;
- return;
+ goto out_put_sk;
}
break;
case NFT_SOCKET_WILDCARD:
if (!sk_fullsock(sk)) {
regs->verdict.code = NFT_BREAK;
- return;
+ goto out_put_sk;
}
nft_socket_wildcard(pkt, regs, sk, dest);
break;
@@ -124,7 +124,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
case NFT_SOCKET_CGROUPV2:
if (!nft_sock_get_eval_cgroupv2(dest, sk, pkt, priv->level)) {
regs->verdict.code = NFT_BREAK;
- return;
+ goto out_put_sk;
}
break;
#endif
@@ -133,6 +133,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
}
+out_put_sk:
if (sk != skb->sk)
sock_gen_put(sk);
}
