From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.19 19/30] netfilter: conntrack: re-fetch conntrack after insertion
Date: Fri, 3 Jun 2022 19:39:47 +0200
Message-Id: <20220603173815.661040365@linuxfoundation.org>

From: Florian Westphal

commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream.

In case the conntrack is clashing, insertion can free skb->_nfct and
set skb->_nfct to the already-confirmed entry.

This wasn't found before because the conntrack entry and the extension
space used to be free'd after an rcu grace period, plus the race needs
events enabled to trigger.

Reported-by:
Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race")
Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman --- include/net/netfilter/nf_conntrack_core.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -58,8 +58,13 @@ static inline int nf_conntrack_confirm(s int ret = NF_ACCEPT; if (ct) { - if (!nf_ct_is_confirmed(ct)) + if (!nf_ct_is_confirmed(ct)) { ret = __nf_conntrack_confirm(skb); + + if (ret == NF_ACCEPT) + ct = (struct nf_conn *)skb_nfct(skb); + } + if (likely(ret == NF_ACCEPT)) nf_ct_deliver_cached_events(ct); }
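Review bot: The re-fetch added after `__nf_conntrack_confirm(skb)` in `nf_conntrack_confirm()` has no comment explaining why `ct` must be reloaded, and the reason lives only in the commit message. As written, `ct = (struct nf_conn *)skb_nfct(skb);` looks like a redundant reload of a value already held, which makes it an easy candidate for a later cleanup that would hand the freed entry to `nf_ct_deliver_cached_events(ct)` again. A short comment above the assignment, stating that confirm can free the original conntrack on a clash and point the skb at the already-confirmed entry, would protect it. The re-fetch is also skipped when `ret != NF_ACCEPT`, so in that path `ct` still holds the pre-confirm pointer; the visible code does not use it there, but that invariant is worth keeping in mind if anything is added after this block.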