In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_mirred: dont override retval if we already lost the skb
If were redirecting the skb, and havent called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF.
Move the retval override to the error path which actually need it.