From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+2fae8fa157dd92618cae@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso, Zubin Mithra, "Sasha Levin (Microsoft)"
Subject: [PATCH 4.19 043/101] netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too
Date: Mon, 15 Apr 2019 20:58:41 +0200
Message-Id: <20190415183742.752458651@linuxfoundation.org>
In-Reply-To: <20190415183740.341577907@linuxfoundation.org>

commit 89259088c1b7fecb43e8e245dc931909132a4e03 upstream

syzbot was able to trigger the WARN in cttimeout_default_get() by passing UDPLITE as l4protocol. Alias UDPLITE to UDP, both use same timeout values.

Furthermore, also fetch GRE timeouts. GRE is a bit more complicated, as it still can be a module and its netns_proto_gre struct layout isn't visible outside of the gre module. Can't move timeouts around, it appears conntrack sysctl unregister assumes net_generic() returns nf_proto_net, so we get crash. Expose layout of netns_proto_gre instead.

A followup nf-next patch could make gre tracker be built-in as well if needed, it's not that large.

Last, make the WARN() mention the missing protocol value in case anything else is missing.

Reported-by: syzbot+2fae8fa157dd92618cae@syzkaller.appspotmail.com
Fixes: 8866df9264a3 ("netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Zubin Mithra
Signed-off-by: Sasha Levin (Microsoft) --- include/linux/netfilter/nf_conntrack_proto_gre.h | 13 +++++++++++++ net/netfilter/nf_conntrack_proto_gre.c | 14 ++------------ net/netfilter/nfnetlink_cttimeout.c | 15 +++++++++++++-- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/include/linux/netfilter/nf_conntrack_proto_gre.h b/include/linux/netfilter/nf_conntrack_proto_gre.h index b8d95564bd53..14edb795ab43 100644 --- a/include/linux/netfilter/nf_conntrack_proto_gre.h +++ b/include/linux/netfilter/nf_conntrack_proto_gre.h @@ -21,6 +21,19 @@ struct nf_ct_gre_keymap { struct nf_conntrack_tuple tuple; }; +enum grep_conntrack { + GRE_CT_UNREPLIED, + GRE_CT_REPLIED, + GRE_CT_MAX +}; + +struct netns_proto_gre { + struct nf_proto_net nf; + rwlock_t keymap_lock; + struct list_head keymap_list; + unsigned int gre_timeouts[GRE_CT_MAX]; +}; + /* add new tuple->key_reply pair to keymap */ int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir, struct nf_conntrack_tuple *t); diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c index 650eb4fba2c5..841c472aae1c 100644 --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c @@ -43,24 +43,12 @@ #include #include -enum grep_conntrack { - GRE_CT_UNREPLIED, - GRE_CT_REPLIED, - GRE_CT_MAX -}; - static const unsigned int gre_timeouts[GRE_CT_MAX] = { [GRE_CT_UNREPLIED] = 30*HZ, [GRE_CT_REPLIED] = 180*HZ, }; static unsigned int proto_gre_net_id __read_mostly; -struct netns_proto_gre { - struct nf_proto_net nf; - rwlock_t keymap_lock; - struct list_head keymap_list; - unsigned int gre_timeouts[GRE_CT_MAX]; -}; static inline struct netns_proto_gre *gre_pernet(struct net *net) { @@ -408,6 +396,8 @@ static int __init nf_ct_proto_gre_init(void) { int ret; + BUILD_BUG_ON(offsetof(struct netns_proto_gre, nf) != 0); + ret = register_pernet_subsys(&proto_gre_net_ops); if (ret < 0) goto out_pernet; 
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index 1dc4ea327cbe..70a7382b9787 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c @@ -469,7 +469,8 @@ static int cttimeout_default_get(struct net *net, struct sock *ctnl, case IPPROTO_TCP: timeouts = net->ct.nf_ct_proto.tcp.timeouts; break; - case IPPROTO_UDP: + case IPPROTO_UDP: /* fallthrough */ + case IPPROTO_UDPLITE: timeouts = net->ct.nf_ct_proto.udp.timeouts; break; case IPPROTO_DCCP: @@ -483,13 +484,23 @@ static int cttimeout_default_get(struct net *net, struct sock *ctnl, case IPPROTO_SCTP: #ifdef CONFIG_NF_CT_PROTO_SCTP timeouts = net->ct.nf_ct_proto.sctp.timeouts; +#endif + break; + case IPPROTO_GRE: +#ifdef CONFIG_NF_CT_PROTO_GRE + if (l4proto->net_id) { + struct netns_proto_gre *net_gre; + + net_gre = net_generic(net, *l4proto->net_id); + timeouts = net_gre->gre_timeouts; + } #endif break; case 255: timeouts = &net->ct.nf_ct_proto.generic.timeout; break; default: - WARN_ON_ONCE(1); + WARN_ONCE(1, "Missing timeouts for proto %d", l4proto->l4proto); break; } -- 2.19.1
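
Review bot: in the include/linux/netfilter/nf_conntrack_proto_gre.h hunk, the enum is moved into the shared header under the name grep_conntrack, which reads like a typo for gre_conntrack. While it was private to nf_conntrack_proto_gre.c the name did not matter much, but every includer of this header now sees it. Renaming it as part of the move would be cheaper than doing it once other files start referring to it.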
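
Review bot: in the nf_ct_proto_gre_init() hunk of net/netfilter/nf_conntrack_proto_gre.c, the new BUILD_BUG_ON(offsetof(struct netns_proto_gre, nf) != 0) carries no comment saying why nf must be the first member. The reason is only in the commit message (conntrack sysctl unregister appears to assume net_generic() returns nf_proto_net). Since the struct definition now lives in the header, away from this check, a short comment here or above the nf member would keep someone from reordering the struct or dropping the assertion as apparently pointless.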
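
Review bot: in the first net/netfilter/nfnetlink_cttimeout.c hunk (@@ -469), the /* fallthrough */ annotation on case IPPROTO_UDP: is not needed, because there is no statement between it and case IPPROTO_UDPLITE:. Adjacent case labels are normally written without an annotation, and the comment suggests code was removed between them. Dropping it would leave the two labels reading as the plain alias the commit message describes.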
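
Review bot: in the second net/netfilter/nfnetlink_cttimeout.c hunk (@@ -483), the IPPROTO_GRE case leaves timeouts untouched when l4proto->net_id is NULL or CONFIG_NF_CT_PROTO_GRE is off, and it does so silently, unlike the default case, which warns. The visible lines do not show what timeouts holds at that point or how the code after the switch treats it, so the outcome of that path should be made explicit, either with an else branch or a comment stating the value the caller then sees. Two smaller points on the default case: the WARN_ONCE() format string "Missing timeouts for proto %d" has no trailing "\n", and since the commit message says syzbot reached this warning through a request carrying UDPLITE, it is worth considering whether a protocol that still lands here should return an error to the caller rather than only warn.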