From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9324C43334 for ; Fri, 3 Jun 2022 17:42:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344677AbiFCRmK (ORCPT ); Fri, 3 Jun 2022 13:42:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56948 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344660AbiFCRld (ORCPT ); Fri, 3 Jun 2022 13:41:33 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C44854020; Fri, 3 Jun 2022 10:41:06 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 755C361B01; Fri, 3 Jun 2022 17:41:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 64DB3C385A9; Fri, 3 Jun 2022 17:41:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1654278064; bh=NrqR3APVfQTFn18O8kTbv5kSSR7EgdJGvzMmKqheoAE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rFicIFX+K4C+/uyw81xSFfkg+cs5hLoQPnGEd+dNXAOWYQ/nzUh1qvh2D9O6C0FNB Hpv9a/PtFgix0b2lWR5lHy7TSNCquZcvvc52neJ3jvvAB9egHvrJJeb4c9zyKAhnEW pg5mUM+/C/8FD+N9e9vbligOIyem8Qd3+2s3UGaU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com, Florian Westphal , Pablo Neira Ayuso Subject: [PATCH 4.14 14/23] netfilter: conntrack: re-fetch conntrack after insertion Date: Fri, 3 Jun 2022 19:39:41 +0200 Message-Id: <20220603173814.799160490@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220603173814.362515009@linuxfoundation.org> References: <20220603173814.362515009@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Florian Westphal commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream. In case the conntrack is clashing, insertion can free skb->_nfct and set skb->_nfct to the already-confirmed entry. This wasn't found before because the conntrack entry and the extension space used to free'd after an rcu grace period, plus the race needs events enabled to trigger. Reported-by: Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race") Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- include/net/netfilter/nf_conntrack_core.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -67,8 +67,13 @@ static inline int nf_conntrack_confirm(s int ret = NF_ACCEPT; if (ct) { - if (!nf_ct_is_confirmed(ct)) + if (!nf_ct_is_confirmed(ct)) { ret = __nf_conntrack_confirm(skb); + + if (ret == NF_ACCEPT) + ct = (struct nf_conn *)skb_nfct(skb); + } + if (likely(ret == NF_ACCEPT)) nf_ct_deliver_cached_events(ct); }