Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx> wrote:
> > > syzkaller did something like this:
> > > table inet filter {
> > >   chain input {
> > >     type filter hook input priority filter; policy accept;
> > >     meta nftrace set 1 # calls skb_get_hash
> > >     tcp dport 42 reject with tcp reset # emits skb with NULL skb dev/sk
> > >   }
> > >   chain output {
> > >     type filter hook output priority filter; policy accept;
> > >     # empty chain is enough
> > >   }
> > > }
> > >
> > > ... then sends a tcp packet to port 42.
> > >
> > > Initial attempt to simply set skb->dev from nf_reject_ipv4 doesn't cover
> > > all cases: skbs generated via ipv4 igmp_send_report trigger similar splat.
> > Does this mean we have more non-nf callsites to convert?

There might be non-nf call sites that need skb_get_hash_net(), but I
don't know of any. The above comment was meant to say that I tried to
patch this outside of flow dissector by setting skb->dev properly in
nf_reject, but that still triggers a slightly different WARN trace, this
time due to igmp_send_report also sending skb without dev+sk pointers.