[PATCH] openvswitch: Ensure nf_ct_put is not called with null pointer

[PATCH] openvswitch: Ensure nf_ct_put is not called with null pointer

[Mark Mielke]

A recent commit replaced calls to nf_conntrack_put() with calls
to nf_ct_put(). nf_conntrack_put() permitted the caller to pass
null without side effects, while nf_ct_put() performs WARN_ON()
and proceeds to try and de-reference the pointer. ovs-vswitchd
triggers the warning on startup:

[   22.178881] WARNING: CPU: 69 PID: 2157 at include/net/netfilter/nf_conntrack.h:176 __ovs_ct_lookup+0x4e2/0x6a0 [openvswitch]
...
[   22.213573] Call Trace:
[   22.214318]  <TASK>
[   22.215064]  ovs_ct_execute+0x49c/0x7f0 [openvswitch]
...

Cc: stable@vger.kernel.org
Fixes: 408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")
Signed-off-by: Mark Mielke <mark.mielke@gmail.com>
---
 net/openvswitch/conntrack.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 4a947c13c813..69972f037d21 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -970,7 +970,8 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
 		/* Associate skb with specified zone. */
 		if (tmpl) {
 			ct = nf_ct_get(skb, &ctinfo);
-			nf_ct_put(ct);
+			if (ct)
+				nf_ct_put(ct);
 			nf_conntrack_get(&tmpl->ct_general);
 			nf_ct_set(skb, tmpl, IP_CT_NEW);
 		}
@@ -1339,8 +1340,8 @@ int ovs_ct_clear(struct sk_buff *skb, struct sw_flow_key *key)
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(skb, &ctinfo);
-
-	nf_ct_put(ct);
+	if (ct)
+		nf_ct_put(ct);
 	nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
 	ovs_ct_fill_key(skb, key, false);
 
-- 
2.35.1

Re: [PATCH] openvswitch: Ensure nf_ct_put is not called with null pointer

[Florian Westphal]

Mark Mielke <mark.mielke@gmail.com> wrote:
> A recent commit replaced calls to nf_conntrack_put() with calls
> to nf_ct_put(). nf_conntrack_put() permitted the caller to pass
> null without side effects, while nf_ct_put() performs WARN_ON()
> and proceeds to try and de-reference the pointer. ovs-vswitchd
> triggers the warning on startup:
> 
> [   22.178881] WARNING: CPU: 69 PID: 2157 at include/net/netfilter/nf_conntrack.h:176 __ovs_ct_lookup+0x4e2/0x6a0 [openvswitch]
> ...
> [   22.213573] Call Trace:
> [   22.214318]  <TASK>
> [   22.215064]  ovs_ct_execute+0x49c/0x7f0 [openvswitch]

Applied to nf.git, thanks.

Re: [PATCH] openvswitch: Ensure nf_ct_put is not called with null pointer

[Florian Westphal]

Mark Mielke <mark.mielke@gmail.com> wrote:
> A recent commit replaced calls to nf_conntrack_put() with calls
> to nf_ct_put(). nf_conntrack_put() permitted the caller to pass
> null without side effects, while nf_ct_put() performs WARN_ON()
> and proceeds to try and de-reference the pointer. ovs-vswitchd
> triggers the warning on startup:
> 
> [   22.178881] WARNING: CPU: 69 PID: 2157 at include/net/netfilter/nf_conntrack.h:176 __ovs_ct_lookup+0x4e2/0x6a0 [openvswitch]
> ...
> [   22.213573] Call Trace:
> [   22.214318]  <TASK>
> [   22.215064]  ovs_ct_execute+0x49c/0x7f0 [openvswitch]
> ...
> Cc: stable@vger.kernel.org
> Fixes: 408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")

Actually, no.  As Pablo Neira just pointed out to me Upstream kernel is fine.
The preceeding commit made nf_ct_out() a noop when ct is NULL.

Re: [ovs-dev] [PATCH] openvswitch: Ensure nf_ct_put is not called with null pointer

[Ilya Maximets]

On 4/10/22 17:41, Florian Westphal wrote:
> Mark Mielke <mark.mielke@gmail.com> wrote:
>> A recent commit replaced calls to nf_conntrack_put() with calls
>> to nf_ct_put(). nf_conntrack_put() permitted the caller to pass
>> null without side effects, while nf_ct_put() performs WARN_ON()
>> and proceeds to try and de-reference the pointer. ovs-vswitchd
>> triggers the warning on startup:
>>
>> [   22.178881] WARNING: CPU: 69 PID: 2157 at include/net/netfilter/nf_conntrack.h:176 __ovs_ct_lookup+0x4e2/0x6a0 [openvswitch]
>> ...
>> [   22.213573] Call Trace:
>> [   22.214318]  <TASK>
>> [   22.215064]  ovs_ct_execute+0x49c/0x7f0 [openvswitch]
>> ...
>> Cc: stable@vger.kernel.org
>> Fixes: 408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")
> 
> Actually, no.  As Pablo Neira just pointed out to me Upstream kernel is fine.
> The preceeding commit made nf_ct_out() a noop when ct is NULL.

Hi, Florian.

There is a problem on 5.15 longterm tree where the offending commit
got backported, but the previous one was not, so it triggers an issue
while loading the openvswitch module.

To be more clear, v5.15.35 contains the following commit:
  408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")
backported as commit 72dd9e61fa319bc44020c2d365275fc8f6799bff, but
it doesn't have the previous one:
  6ae7989c9af0 ("netfilter: conntrack: avoid useless indirection during conntrack destruction")
that adds the NULL pointer check to the nf_ct_put().

Either 6ae7989c9af0 should be backported to 5.15 or 72dd9e61fa31
reverted on that tree.

Best regards, Ilya Maximets.

Re: [ovs-dev] [PATCH] openvswitch: Ensure nf_ct_put is not called with null pointer

[Florian Westphal]

Ilya Maximets <i.maximets@ovn.org> wrote:
> Hi, Florian.
> 
> There is a problem on 5.15 longterm tree where the offending commit
> got backported, but the previous one was not, so it triggers an issue
> while loading the openvswitch module.
> 
> To be more clear, v5.15.35 contains the following commit:
>   408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")
> backported as commit 72dd9e61fa319bc44020c2d365275fc8f6799bff, but
> it doesn't have the previous one:
>   6ae7989c9af0 ("netfilter: conntrack: avoid useless indirection during conntrack destruction")
> that adds the NULL pointer check to the nf_ct_put().
> 
> Either 6ae7989c9af0 should be backported to 5.15 or 72dd9e61fa31
> reverted on that tree.

The commit was never meant to be backported to stable, it doesn't fix any bug.

I suspect it was done to take 'net/sched: act_ct: fix ref leak when
switching zones' without munging it.

I suggest to add stable-only patch that makes nf_ct_put(NULL)
legal, like in linux.git, but I don't know stable team preferences.

Re: [ovs-dev] [PATCH] openvswitch: Ensure nf_ct_put is not called with null pointer

[Greg KH]

On Mon, Apr 25, 2022 at 12:36:54PM +0200, Ilya Maximets wrote:
> On 4/10/22 17:41, Florian Westphal wrote:
> > Mark Mielke <mark.mielke@gmail.com> wrote:
> >> A recent commit replaced calls to nf_conntrack_put() with calls
> >> to nf_ct_put(). nf_conntrack_put() permitted the caller to pass
> >> null without side effects, while nf_ct_put() performs WARN_ON()
> >> and proceeds to try and de-reference the pointer. ovs-vswitchd
> >> triggers the warning on startup:
> >>
> >> [   22.178881] WARNING: CPU: 69 PID: 2157 at include/net/netfilter/nf_conntrack.h:176 __ovs_ct_lookup+0x4e2/0x6a0 [openvswitch]
> >> ...
> >> [   22.213573] Call Trace:
> >> [   22.214318]  <TASK>
> >> [   22.215064]  ovs_ct_execute+0x49c/0x7f0 [openvswitch]
> >> ...
> >> Cc: stable@vger.kernel.org
> >> Fixes: 408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")
> > 
> > Actually, no.  As Pablo Neira just pointed out to me Upstream kernel is fine.
> > The preceeding commit made nf_ct_out() a noop when ct is NULL.
> 
> Hi, Florian.
> 
> There is a problem on 5.15 longterm tree where the offending commit
> got backported, but the previous one was not, so it triggers an issue
> while loading the openvswitch module.
> 
> To be more clear, v5.15.35 contains the following commit:
>   408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")
> backported as commit 72dd9e61fa319bc44020c2d365275fc8f6799bff, but
> it doesn't have the previous one:
>   6ae7989c9af0 ("netfilter: conntrack: avoid useless indirection during conntrack destruction")
> that adds the NULL pointer check to the nf_ct_put().
> 
> Either 6ae7989c9af0 should be backported to 5.15 or 72dd9e61fa31
> reverted on that tree.

I've backported the needed commit now, thanks.

greg k-h