Skip to content

Commit a9985ec

Browse files
fw-strlenfw-strlen
committed
netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2189550 Upstream Status: commit 2cdaa3e commit 2cdaa3e Author: Pablo Neira Ayuso <[email protected]> Date: Tue Apr 18 23:31:26 2023 +0200 netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert() e6d57e9 ("netfilter: conntrack: fix rmmod double-free race") consolidates IPS_CONFIRMED bit set in nf_conntrack_hash_check_insert(). However, this breaks ctnetlink: # conntrack -I -p tcp --timeout 123 --src 1.2.3.4 --dst 5.6.7.8 --state ESTABLISHED --sport 1 --dport 4 -u SEEN_REPLY conntrack v1.4.6 (conntrack-tools): Operation failed: Device or resource busy This is a partial revert of the aforementioned commit to restore IPS_CONFIRMED. Fixes: e6d57e9 ("netfilter: conntrack: fix rmmod double-free race") Reported-by: Stéphane Graber <[email protected]> Tested-by: Stéphane Graber <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> Signed-off-by: Florian Westphal <[email protected]>
1 parent 5c92dbf commit a9985ec

File tree

3 files changed

+4
-1
lines changed

3 files changed

+4
-1
lines changed

net/netfilter/nf_conntrack_bpf.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -381,6 +381,7 @@ struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i)
381381
struct nf_conn *nfct = (struct nf_conn *)nfct_i;
382382
int err;
383383

384+
nfct->status |= IPS_CONFIRMED;
384385
err = nf_conntrack_hash_check_insert(nfct);
385386
if (err < 0) {
386387
nf_conntrack_free(nfct);

net/netfilter/nf_conntrack_core.c

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -938,7 +938,6 @@ nf_conntrack_hash_check_insert(struct nf_conn *ct)
938938
goto out;
939939
}
940940

941-
ct->status |= IPS_CONFIRMED;
942941
smp_wmb();
943942
/* The caller holds a reference to this object */
944943
refcount_set(&ct->ct_general.use, 2);

net/netfilter/nf_conntrack_netlink.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2321,6 +2321,9 @@ ctnetlink_create_conntrack(struct net *net,
23212321
nfct_seqadj_ext_add(ct);
23222322
nfct_synproxy_ext_add(ct);
23232323

2324+
/* we must add conntrack extensions before confirmation. */
2325+
ct->status |= IPS_CONFIRMED;
2326+
23242327
if (cda[CTA_STATUS]) {
23252328
err = ctnetlink_change_status(ct, cda);
23262329
if (err < 0)

0 commit comments

Comments
 (0)