From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 5.18 14/67] netfilter: conntrack: re-fetch conntrack after insertion
Date: Fri, 3 Jun 2022 19:43:15 +0200
Message-Id: <20220603173821.142120889@linuxfoundation.org>
In-Reply-To: <20220603173820.731531504@linuxfoundation.org>

From: Florian Westphal

commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream.

In case the conntrack is clashing, insertion can free skb->_nfct and
set skb->_nfct to the already-confirmed entry.

This wasn't found before because the conntrack entry and the extension
space used to be free'd after an rcu grace period, plus the race needs
events enabled to trigger.

Reported-by:
Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race")
Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman --- include/net/netfilter/nf_conntrack_core.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -58,8 +58,13 @@ static inline int nf_conntrack_confirm(s int ret = NF_ACCEPT; if (ct) { - if (!nf_ct_is_confirmed(ct)) + if (!nf_ct_is_confirmed(ct)) { ret = __nf_conntrack_confirm(skb); + + if (ret == NF_ACCEPT) + ct = (struct nf_conn *)skb_nfct(skb); + } + if (likely(ret == NF_ACCEPT)) nf_ct_deliver_cached_events(ct); }
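
Review bot: the re-fetched `ct` in the new inner branch reaches nf_ct_deliver_cached_events(ct) without a NULL check; the outer `if (ct)` only tested the pointer that was read before __nf_conntrack_confirm(skb) ran. If skb_nfct(skb) is guaranteed non-NULL whenever the confirm returns NF_ACCEPT, a one-line comment above `ct = (struct nf_conn *)skb_nfct(skb);` saying so, and noting that the confirm can free the original entry and point skb->_nfct at the already-confirmed one, would keep a later cleanup from dropping the assignment as redundant. Otherwise, test the new pointer before delivering events.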