From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 5.10 30/53] netfilter: conntrack: re-fetch conntrack after insertion
Date: Fri, 3 Jun 2022 19:43:15 +0200
Message-Id: <20220603173819.600692184@linuxfoundation.org>
In-Reply-To: <20220603173818.716010877@linuxfoundation.org>
References: <20220603173818.716010877@linuxfoundation.org>

From: Florian Westphal

commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream.

In case the conntrack is clashing, insertion can free skb->_nfct and
set skb->_nfct to the already-confirmed entry.

This wasn't found before because the conntrack entry and the extension
space used to be free'd after an rcu grace period, plus the race needs
events enabled to trigger.

Reported-by:
Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race")
Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman --- include/net/netfilter/nf_conntrack_core.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -59,8 +59,13 @@ static inline int nf_conntrack_confirm(s int ret = NF_ACCEPT; if (ct) { - if (!nf_ct_is_confirmed(ct)) + if (!nf_ct_is_confirmed(ct)) { ret = __nf_conntrack_confirm(skb); + + if (ret == NF_ACCEPT) + ct = (struct nf_conn *)skb_nfct(skb); + } + if (likely(ret == NF_ACCEPT)) nf_ct_deliver_cached_events(ct); }
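
Review bot: The added assignment `ct = (struct nf_conn *)skb_nfct(skb);` inside the `if (!nf_ct_is_confirmed(ct))` block has no comment saying why the local pointer must be reloaded. In the header it reads as a redundant re-read of a value the function already holds. The reason is given only in the commit message: on a clash, insertion can free skb->_nfct and point it at the already-confirmed entry. A later cleanup could therefore drop the line and hand the stale `ct` to nf_ct_deliver_cached_events() again. A short comment above the assignment, along the lines of "clash resolution may have replaced skb->_nfct; the old ct may already be freed", would keep that knowledge next to the code. Also worth stating in that comment: when `ret` is not NF_ACCEPT the local `ct` is left as it was and may be dangling. That is safe in the visible lines only because the one remaining use is guarded by `ret == NF_ACCEPT`, so any future use of `ct` after the confirm call needs the same guard.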