Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb is being held by the defragmentation engine. As reported by GangMin Kim, that may cause a UaF when the defrag engine later on tries to touch such a packet again.

act_ct was never meant to be used outside of the ingress path. Making defrag really work for act_ct outside such constraints ranges from very difficult to completely impossible.

Address the issue by making act_ct drop any packet when not attached to the ingress path, and additionally emit a warning about the bad configuration.

Reported-by: GangMin Kim
Fixes: 8f9516daedd6 ("sched: Add enqueue/dequeue of dualpi2 qdisc")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/16f6b264373ad60ab18eb8525809e7267442afa7.1770394932.git.pabeni@redhat.com
Signed-off-by: Paolo Abeni
---
Catching the bad configuration at runtime instead of init time to reduce complexity
---
 net/sched/act_ct.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 81d488655793..e8eb0d195f4a 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -987,6 +987,11 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, tcf_lastuse_update(&c->tcf_tm); tcf_action_update_bstats(&c->common, skb); + if (!skb_at_tc_ingress(skb)) { + pr_warn_once("act_CT should be attached at ingress!\n"); + goto drop; + } + if (clear) { qdisc_skb_cb(skb)->post_ct = false; ct = nf_ct_get(skb, &ctinfo); @@ -1109,6 +1114,7 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, out_frag: if (err != -EINPROGRESS) tcf_action_inc_drop_qstats(&c->common); + return TC_ACT_CONSUMED; drop: -- 2.53.0
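Review bot: in the first hunk (the new `skb_at_tc_ingress()` check at the top of `tcf_ct_act()`), `pr_warn_once()` fires a single time per boot, so a second misconfigured act_ct instance attached at egress later, on another device, leaves no trace in the log while every packet through it is silently dropped via `goto drop`; a rate-limited warning that names the action index, or a `net_warn_ratelimited()` variant, would keep the diagnostic usable for operators debugging unexpected drops, and the message text should use the module's own spelling (`act_ct`, not `act_CT`). Since the cover note deliberately chooses a runtime check over an init-time rejection, it would also be worth stating in the commit message that existing egress attachments now turn into a 100% drop rather than an error at `tc` configuration time, so that the behaviour change is visible to anyone bisecting a connectivity regression.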
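Review bot: the second hunk (`+ return TC_ACT_CONSUMED;` after the `out_frag:` drop-stat update) is not explained by the commit message, which only talks about the ingress check; as visible in the hunk, `out_frag` previously fell through to `drop:`, and after the change both the `-EINPROGRESS` case and a real defrag error now report TC_ACT_CONSUMED to the caller, which tells it not to free the skb. Please spell out in the commit message that on the error path the defrag code has already freed the skb (otherwise this return would turn the former drop into a leak), and note why the drop counter is still incremented there when the action is reported as having consumed the packet.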