From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 5.15 27/66] netfilter: conntrack: re-fetch conntrack after insertion
Date: Fri, 3 Jun 2022 19:43:07 +0200
Message-Id: <20220603173821.441752761@linuxfoundation.org>
In-Reply-To: <20220603173820.663747061@linuxfoundation.org>

From: Florian Westphal

commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream.

In case the conntrack is clashing, insertion can free skb->_nfct and
set skb->_nfct to the already-confirmed entry.

This wasn't found before because the conntrack entry and the extension
space used to be free'd after an rcu grace period, plus the race needs
events enabled to trigger.

Reported-by:
Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race")
Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman --- include/net/netfilter/nf_conntrack_core.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -58,8 +58,13 @@ static inline int nf_conntrack_confirm(s int ret = NF_ACCEPT; if (ct) { - if (!nf_ct_is_confirmed(ct)) + if (!nf_ct_is_confirmed(ct)) { ret = __nf_conntrack_confirm(skb); + + if (ret == NF_ACCEPT) + ct = (struct nf_conn *)skb_nfct(skb); + } + if (likely(ret == NF_ACCEPT)) nf_ct_deliver_cached_events(ct); }
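
Review bot: the new assignment `ct = (struct nf_conn *)skb_nfct(skb);` in the `!nf_ct_is_confirmed(ct)` branch of nf_conntrack_confirm() carries no comment saying why ct is reloaded, so a later cleanup could easily fold it away as redundant. A one-line comment above it, stating that __nf_conntrack_confirm() may have replaced skb->_nfct and the old ct must not be touched afterwards, would keep the reason next to the code instead of only in the commit message. Also note that the outer `if (ct)` guarded only the original pointer, while the reloaded value goes straight into nf_ct_deliver_cached_events(ct); it is worth stating (or asserting) that skb_nfct(skb) cannot be NULL when __nf_conntrack_confirm() returned NF_ACCEPT. Finally, the inner `if (ret == NF_ACCEPT)` repeats the test made two lines later by `if (likely(ret == NF_ACCEPT))`; doing the reload inside that existing block would avoid the duplicate check, at the cost of also reloading on the already-confirmed path.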