Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp111674iof;
        Sun, 5 Jun 2022 22:44:22 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzQkGuhtha6tRNseONIvVIJYW6Xb66B9ac14khdfn6bAde2eX7AbznESnW7+8Y3Hx1lVJSI
X-Received: by 2002:a65:4183:0:b0:3fc:1370:9c37 with SMTP id a3-20020a654183000000b003fc13709c37mr19798718pgq.4.1654494262526;
        Sun, 05 Jun 2022 22:44:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1654494262; cv=none;
        d=google.com; s=arc-20160816;
        b=rrcX5QG80cCcqtjHdX2+TfYL/NrkAdQzTQwpkj/ENAc2De5NoUPKnBTy7XsBsVX6Jw
         DPOS8XJ8mw7SYrVNv7rNCnxfeQ5/7Uxp1Q/bLETCyIb/c2A0lM94ckXy7BzMxtKNmISq
         PL8+cix3ygiDy7Uu2WJFaWl8sJqE3T2AivWVQXEMuLRgB6YJDCb3w18oCSYpUAK1MXzc
         VFezq8L3KPvtsv6sNtc+Wx/ndIr5ltsZdbosuhrMsZgnIv47GmgIPKJjqu2KPmKB8Ng8
         stUzUY8E1zlab8wv61XMAaxA3/b2SVio3RpBX4R/rjIRMgNDxlLq4/3ZMlc47kynA6Pk
         mvNg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=anMcwQtVQA7KRiYMUOHrWnXXAbCVCqPprg4ZNTgNKLI=;
        b=SUWbYwfwASryKvLrbXRdp2kdz3KkulDW2NvmW5n0kBDQ0QYmf4ntIwfTmcXMXa35rX
         UFuRnbFa7O7W9aUVHGfGt8dgm7C3NtodGG+ny0BJ7CSl6DqlsJ+SFK0wd/sBTaP/scck
         gJk6fpRFf5DX9JOZl1GLHkCjjGIK/PdIa1QJsjDQWh6j4tt8o1j6UyPjxDndRoW8brlU
         7jrGqJYVBWjqptlqp6Dv9WLaTlHcSOq2l+xCYv+6bF6S4ZNFOkknbNapWBuIe2hEO9hL
         7LVuhCQxQ4LkCZ+rGjf+9P5UxViqhNcdBgPMVtT8BaWFV+nU4DHzFjDTwqtn4EAAiAfr
         EEMA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=yRuprK4N;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id o13-20020a170902d4cd00b001637dbe1bc4si21187818plg.44.2022.06.05.22.44.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 05 Jun 2022 22:44:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=yRuprK4N;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 36F492271A4;
	Sun,  5 Jun 2022 21:34:41 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239670AbiFCSOd (ORCPT <rfc822;a.bouin@gmail.com> + 99 others);
        Fri, 3 Jun 2022 14:14:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48530 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1346374AbiFCSAP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 3 Jun 2022 14:00:15 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E2E0B583BA;
        Fri,  3 Jun 2022 10:56:19 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 5C73C6147E;
        Fri,  3 Jun 2022 17:56:19 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6DB71C385A9;
        Fri,  3 Jun 2022 17:56:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1654278978;
        bh=+jKGu2m+qotB5j1a1TjLLakeDpMh01+5nUzTVxMt6Vo=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=yRuprK4N0uW9KA91MoS6frGxWtvLNGq9+Q/mYRIDBWxLZa6GOlErNDtFuCsiKffKJ
         pGPouzKVL4rRnlcNRzJ/6vPFDW/7FP8K1GxNETEo4wG3dYvd5rb2P5V1Emj7rpRBtx
         2Verpy9UzV4VccgoS66b/61G+LxJcGvs3Cpw34r0=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com,
        Florian Westphal <fw@strlen.de>,
        Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 5.18 14/67] netfilter: conntrack: re-fetch conntrack after insertion
Date:   Fri,  3 Jun 2022 19:43:15 +0200
Message-Id: <20220603173821.142120889@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220603173820.731531504@linuxfoundation.org>
References: <20220603173820.731531504@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Florian Westphal <fw@strlen.de>

commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream.

In case the conntrack is clashing, insertion can free skb->_nfct and
set skb->_nfct to the already-confirmed entry.

This wasn't found before because the conntrack entry and the extension
space used to free'd after an rcu grace period, plus the race needs
events enabled to trigger.

Reported-by: <syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com>
Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race")
Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/netfilter/nf_conntrack_core.h |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -58,8 +58,13 @@ static inline int nf_conntrack_confirm(s
 	int ret = NF_ACCEPT;
 
 	if (ct) {
-		if (!nf_ct_is_confirmed(ct))
+		if (!nf_ct_is_confirmed(ct)) {
 			ret = __nf_conntrack_confirm(skb);
+
+			if (ret == NF_ACCEPT)
+				ct = (struct nf_conn *)skb_nfct(skb);
+		}
+
 		if (likely(ret == NF_ACCEPT))
 			nf_ct_deliver_cached_events(ct);
 	}