Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race")
> consolidates IPS_CONFIRMED bit set in nf_conntrack_hash_check_insert().
> However, this breaks ctnetlink:
>
> # conntrack -I -p tcp --timeout 123 --src 1.2.3.4 --dst 5.6.7.8 --state ESTABLISHED --sport 1 --dport 4 -u SEEN_REPLY
> conntrack v1.4.6 (conntrack-tools): Operation failed: Device or resource busy
>
> This is a partial revert of the aforementioned commit.
>
> Fixes: e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race")
> Reported-by: Stéphane Graber <stgraber@xxxxxxxxxxxx>
> Tested-by: Stéphane Graber <stgraber@xxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_bpf.c | 1 +
> net/netfilter/nf_conntrack_core.c | 1 -
> net/netfilter/nf_conntrack_netlink.c | 3 +++
> 3 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index bfc3aaa2c872..d3ee18854698 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -2316,6 +2316,9 @@ ctnetlink_create_conntrack(struct net *net,
> nfct_seqadj_ext_add(ct);
> nfct_synproxy_ext_add(ct);
>
> + /* we must add conntrack extensions before confirmation. */
> + ct->status |= IPS_CONFIRMED;
> +

I'd guess that these 2 lines are the only part that is needed, but up to you.
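Review bot: the added comment in the nf_conntrack_netlink.c hunk states the ordering constraint (extensions before confirmation) but not why the consolidated setting of IPS_CONFIRMED in nf_conntrack_hash_check_insert(), which the commit message names as the cause of the EBUSY failure, is too late for the ctnetlink path; a one-line comment naming the step that needs the bit set before hash insertion would make the partial revert self-explanatory for the next reader. Since the bit is now set on an entry that is not yet in the hash, it is also worth stating (in the changelog or the comment) that the failure path of the subsequent hash insertion still releases the entry correctly, because an incorrectly handled confirmed-but-unhashed entry is exactly the condition the reverted commit e6d57e9ff0ae was addressing. The nf_conntrack_bpf.c and nf_conntrack_core.c changes listed in the diffstat are not quoted here, so the scope of the partial revert cannot be checked from this hunk alone.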