On Wed, Apr 19, 2023 at 08:17:23AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race")
> > consolidates IPS_CONFIRMED bit set in nf_conntrack_hash_check_insert().
> > However, this breaks ctnetlink:
> >
> > # conntrack -I -p tcp --timeout 123 --src 1.2.3.4 --dst 5.6.7.8 --state ESTABLISHED --sport 1 --dport 4 -u SEEN_REPLY
> > conntrack v1.4.6 (conntrack-tools): Operation failed: Device or resource busy
> >
> > This is a partial revert of the aforementioned commit.
> >
> > Fixes: e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race")
> > Reported-by: Stéphane Graber <stgraber@xxxxxxxxxxxx>
> > Tested-by: Stéphane Graber <stgraber@xxxxxxxxxxxx>
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---
> >  net/netfilter/nf_conntrack_bpf.c     | 1 +
> >  net/netfilter/nf_conntrack_core.c    | 1 -
> >  net/netfilter/nf_conntrack_netlink.c | 3 +++
> >  3 files changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index bfc3aaa2c872..d3ee18854698 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -2316,6 +2316,9 @@ ctnetlink_create_conntrack(struct net *net,
> > nfct_seqadj_ext_add(ct);
> > nfct_synproxy_ext_add(ct);
> >
> > + /* we must add conntrack extensions before confirmation. */
> > + ct->status |= IPS_CONFIRMED;
> > +
>
> I'd guess that these 2 lines are the only part that is needed, but up
> to you.

OK, I have dropped the bpf chunk.
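Review bot: the comment above the added `ct->status |= IPS_CONFIRMED;` line in ctnetlink_create_conntrack() documents the ordering against the extension adds, but not the reason this path sets the bit itself; the commit message says e6d57e9ff0ae moved that into nf_conntrack_hash_check_insert() and that this is what makes `conntrack -I` fail with "Device or resource busy". Extending the comment to state that ctnetlink-created entries need IPS_CONFIRMED set before nf_conntrack_hash_check_insert() is called, and naming the Fixes commit, would stop a later cleanup from re-consolidating it. Only the nf_conntrack_netlink.c hunk is quoted here, so the nf_conntrack_bpf.c and nf_conntrack_core.c changes listed in the diffstat cannot be checked from this message.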