On Fri, Sep 03, 2021 at 03:23:35PM +0200, Benjamin Hesmans wrote:
> Bug reported by KASAN:
>
> BUG: KASAN: use-after-scope in inet6_ehashfn (net/ipv6/inet6_hashtables.c:40)
> Call Trace:
> (...)
> inet6_ehashfn (net/ipv6/inet6_hashtables.c:40)
> (...)
> nf_sk_lookup_slow_v6 (net/ipv6/netfilter/nf_socket_ipv6.c:91
> net/ipv6/netfilter/nf_socket_ipv6.c:146)
>
> It seems that this bug has already been fixed by Eric Dumazet in the
> past in:
> commit 78296c97ca1f ("netfilter: xt_socket: fix a stack corruption bug")
>
> But a variant of the same issue has been introduced in
> commit d64d80a2cde9 ("netfilter: x_tables: don't extract flow keys on early demuxed sks in socket match")
>
> `daddr` and `saddr` potentially hold a reference to ipv6_var that is no
> longer in scope when the call to `nf_socket_get_sock_v6` is made.

Applied, thanks.
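The use-after-scope pattern the quoted commit message describes, as an added user-space illustration rather than the netfilter code itself: a flow-key struct is declared inside the "no early-demuxed socket" branch, two pointers into it survive the closing brace, and the lookup helper dereferences them after the struct's stack slot has ended its lifetime. The type names, `sock_table`, `extract_flow`, `get_sock_v6`, `lookup_buggy`, `lookup_fixed`, the 44-byte sample packet and the address orientation of the toy lookup are all constructed stand-ins, not the kernel's definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types; not netfilter's definitions. */
struct ip6_addr { uint8_t s6_addr[16]; };

struct ipv6_var {                        /* plays the role of ipv6_var in the report */
    struct ip6_addr saddr, daddr;
    uint16_t sport, dport;
};

struct sock { int id; struct ip6_addr saddr, daddr; uint16_t sport, dport; };

/* Toy socket table standing in for the ehash lookup (constructed data). */
static const struct sock sock_table[] = {
    { 7, {{0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1}},
         {{0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2}}, 40000, 443 },
    { 9, {{0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,5}},
         {{0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,6}}, 5555, 53 },
};

/* Constructed packet: 40-byte IPv6 header (2001:db8::1 -> 2001:db8::2, UDP)
 * followed by a 4-byte source/destination port pair (40000 -> 443). */
static const uint8_t sample_pkt[44] = {
    0x60, 0, 0, 0, 0, 4, 17, 64,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,
    0x9c,0x40, 0x01,0xbb,
};

/* Stand-in for the flow-key extraction: copy addresses and ports out of pkt. */
static int extract_flow(const uint8_t *pkt, size_t len, struct ipv6_var *v)
{
    if (len < 44)                        /* header plus port pair */
        return -1;
    memcpy(v->saddr.s6_addr, pkt + 8, 16);
    memcpy(v->daddr.s6_addr, pkt + 24, 16);
    v->sport = (uint16_t)((pkt[40] << 8) | pkt[41]);
    v->dport = (uint16_t)((pkt[42] << 8) | pkt[43]);
    return 0;
}

/* Stand-in for nf_socket_get_sock_v6: dereferences saddr/daddr, so it must
 * only ever receive pointers to live storage. Returns the sock id or -1. */
static int get_sock_v6(const struct ip6_addr *saddr, const struct ip6_addr *daddr,
                       uint16_t sport, uint16_t dport)
{
    for (size_t i = 0; i < sizeof sock_table / sizeof sock_table[0]; i++) {
        const struct sock *s = &sock_table[i];
        if (memcmp(&s->saddr, saddr, sizeof *saddr) == 0 &&
            memcmp(&s->daddr, daddr, sizeof *daddr) == 0 &&
            s->sport == sport && s->dport == dport)
            return s->id;
    }
    return -1;
}

/* Shape of the bug: ipv6_var lives only inside the "no early-demuxed socket"
 * block, but saddr/daddr still point into it when get_sock_v6 is called. */
static int lookup_buggy(const uint8_t *pkt, size_t len, int early_sk)
{
    const struct ip6_addr *saddr = NULL, *daddr = NULL;
    uint16_t sport = 0, dport = 0;

    if (early_sk >= 0)
        return early_sk;                 /* early demux already found the socket */
    {
        struct ipv6_var v;               /* lifetime ends at the closing brace */
        if (extract_flow(pkt, len, &v) < 0)
            return -1;
        saddr = &v.saddr;
        daddr = &v.daddr;
        sport = v.sport;
        dport = v.dport;
    }
    /* v's stack slot is dead here: this deref is the use-after-scope KASAN reports */
    return get_sock_v6(saddr, daddr, sport, dport);
}

/* Fix: hoist ipv6_var to function scope so it outlives every pointer into it. */
static int lookup_fixed(const uint8_t *pkt, size_t len, int early_sk)
{
    struct ipv6_var v;
    const struct ip6_addr *saddr, *daddr;

    if (early_sk >= 0)
        return early_sk;
    if (extract_flow(pkt, len, &v) < 0)
        return -1;
    saddr = &v.saddr;
    daddr = &v.daddr;
    return get_sock_v6(saddr, daddr, v.sport, v.dport);   /* v is still live */
}

int main(void)
{
    printf("fixed lookup: sock %d\n", lookup_fixed(sample_pkt, sizeof sample_pkt, -1));
    printf("early-demux path: sock %d\n", lookup_fixed(sample_pkt, sizeof sample_pkt, 3));
    /* With ASan use-after-scope checking enabled this call aborts at the deref. */
    printf("buggy lookup: sock %d (undefined)\n",
           lookup_buggy(sample_pkt, sizeof sample_pkt, -1));
    return 0;
}
```

Without a sanitizer the dead stack slot is usually still intact, so `lookup_buggy` quietly returns the right answer and the defect survives review; building with `-fsanitize=address -fsanitize-address-use-after-scope` (gcc and clang) makes the user-space build fail at the same dereference that KASAN flagged in `inet6_ehashfn`. The fix is purely a matter of declaration placement, which is why the same class of bug could come back in a later refactor of the branch structure.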