On Tue, Feb 14, 2023 at 05:23:59PM +0100, Florian Westphal wrote:
> nf_conntrack_hash_check_insert() callers free the ct entry directly, via
> nf_conntrack_free.
>
> This isn't safe anymore because
> nf_conntrack_hash_check_insert() might place the entry into the conntrack
> table and then delete the entry again because it found that a conntrack
> extension has been removed at the same time.
>
> In this case, the just-added entry is removed again and an error is
> returned to the caller.
>
> Problem is that another cpu might have picked up this entry and
> incremented its reference count.
>
> This results in a use-after-free/double-free, once by the other cpu and
> once by the caller of nf_conntrack_hash_check_insert().
>
> Fix this by making nf_conntrack_hash_check_insert() not fail anymore
> after the insertion, just like before the 'Fixes' commit.
>
> This is safe because a racing nf_ct_iterate() has to wait for us
> to release the conntrack hash spinlocks.
>
> While at it, make the function return -EAGAIN in the rmmod (genid
> changed) case, this makes nfnetlink replay the command (suggested
> by Pablo Neira).

Applied, thanks
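The ownership rule the commit message relies on (an entry that has been published in a shared table may already be referenced by another CPU, so the insert path must not unlink it and hand it back to a caller that frees directly) can be shown with a small constructed model. The following is an added example written for this page, not netfilter code: the table, `genid`, the "other CPU" lookup and the two insert orderings are all toy stand-ins, and `freed` is a flag set instead of calling free() so that the dangling reference stays observable.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model, not the kernel's conntrack code.  Before an entry is
 * published in the shared table the inserting caller owns it and may free it;
 * once published, another CPU may hold a reference, so the insert path must
 * not unlink it again and report failure. */
struct entry {
    int key;
    int refcnt;           /* starts at 1: the inserting caller's reference */
    int freed;            /* set instead of free(), so a dangling user is observable */
    struct entry *next;
};

#define NBUCKETS 8
static struct entry *table[NBUCKETS];
static unsigned int genid;          /* bumped when an extension is unregistered (rmmod) */
static struct entry *other_cpu_ref; /* reference taken by the "other CPU" */

static unsigned int bucket(int key) { return (unsigned int)key % NBUCKETS; }

static void publish(struct entry *e)
{
    unsigned int b = bucket(e->key);
    e->next = table[b];
    table[b] = e;
}

static void unpublish(struct entry *e)
{
    struct entry **pp = &table[bucket(e->key)];
    while (*pp && *pp != e)
        pp = &(*pp)->next;
    if (*pp)
        *pp = e->next;
}

/* What a concurrent lookup does: find the entry and take its own reference. */
static void other_cpu_lookup(int key)
{
    for (struct entry *e = table[bucket(key)]; e; e = e->next)
        if (e->key == key) { e->refcnt++; other_cpu_ref = e; return; }
}

typedef void (*race_fn)(int key);

/* Unsafe ordering: publish, then notice the generation changed, unlink again
 * and return an error.  The caller frees directly although the lookup that
 * ran in the window still holds a reference. */
static int insert_buggy(struct entry *e, unsigned int seen_genid, race_fn race)
{
    publish(e);
    race(e->key);                 /* another CPU may find the entry here */
    if (genid != seen_genid) {
        unpublish(e);
        return -EAGAIN;           /* caller will free: use-after-free */
    }
    return 0;
}

/* Fixed ordering: decide before publication, where failing is safe because
 * nobody else can have seen the entry; after publication never fail. */
static int insert_fixed(struct entry *e, unsigned int seen_genid, race_fn race)
{
    if (genid != seen_genid)
        return -EAGAIN;           /* nothing published, caller may free */
    publish(e);
    race(e->key);
    return 0;
}

typedef int (*insert_fn)(struct entry *, unsigned int, race_fn);

/* One insertion with the given ordering; genid_changes simulates an extension
 * being unregistered between building and inserting the entry.  Returns 1 if
 * the other CPU's reference now points at a freed entry. */
int run(insert_fn insert, int genid_changes)
{
    struct entry *e = calloc(1, sizeof *e);
    if (!e)
        abort();
    memset(table, 0, sizeof table);
    other_cpu_ref = NULL;
    e->key = 42;
    e->refcnt = 1;

    unsigned int seen = genid;
    if (genid_changes)
        genid++;
    if (insert(e, seen, other_cpu_lookup) < 0)
        e->freed = 1;             /* caller's error path: direct free, ignoring other refs */

    int uaf = other_cpu_ref != NULL && other_cpu_ref->freed;
    free(e);
    other_cpu_ref = NULL;
    return uaf;
}

int main(void)
{
    printf("buggy ordering, genid changed: uaf=%d\n", run(insert_buggy, 1));
    printf("fixed ordering, genid changed: uaf=%d\n", run(insert_fixed, 1));
    printf("fixed ordering, genid unchanged: uaf=%d\n", run(insert_fixed, 0));
    return 0;
}
```

The model deliberately omits the hash spinlocks; in the real fix those locks are what make "never fail after insertion" safe against nf_ct_iterate(), which must wait for them to be released. The point the model does carry is the ordering: any check that can still reject the entry belongs before publication, and -EAGAIN returned there is what lets nfnetlink replay the request.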