Patch "netfilter: conntrack: fix possible bug_on with enable_hooks=1" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 17 May 2023 21:44:16 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: conntrack: fix possible bug_on with enable_hooks=1

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-conntrack-fix-possible-bug_on-with-enable_.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit aec7b44bcf21098a008292e286ca67dd529668d7
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Thu May 4 14:55:02 2023 +0200

    netfilter: conntrack: fix possible bug_on with enable_hooks=1
    
    [ Upstream commit e72eeab542dbf4f544e389e64fa13b82a1b6d003 ]
    
    I received a bug report (no reproducer so far) where we trip over
    
    712         rcu_read_lock();
    713         ct_hook = rcu_dereference(nf_ct_hook);
    714         BUG_ON(ct_hook == NULL);  // here
    
    In nf_conntrack_destroy().
    
    First turn this BUG_ON into a WARN.  I think it was triggered
    via enable_hooks=1 flag.
    
    When this flag is turned on, the conntrack hooks are registered
    before nf_ct_hook pointer gets assigned.
    This opens a short window where packets enter the conntrack machinery,
    can have skb->_nfct set up and a subsequent kfree_skb might occur
    before nf_ct_hook is set.
    
    Call nf_conntrack_init_end() to set nf_ct_hook before we register the
    pernet ops.
    
    Fixes: ba3fbe663635 ("netfilter: nf_conntrack: provide modparam to always register conntrack hooks")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index cca0762a90102..8eed6536e7e7b 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -675,9 +675,11 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct)
 
 	rcu_read_lock();
 	ct_hook = rcu_dereference(nf_ct_hook);
-	BUG_ON(ct_hook == NULL);
-	ct_hook->destroy(nfct);
+	if (ct_hook)
+		ct_hook->destroy(nfct);
 	rcu_read_unlock();
+
+	WARN_ON(!ct_hook);
 }
 EXPORT_SYMBOL(nf_conntrack_destroy);
 
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 338f02a12076b..7515705583bcf 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -1229,11 +1229,12 @@ static int __init nf_conntrack_standalone_init(void)
 	nf_conntrack_htable_size_user = nf_conntrack_htable_size;
 #endif
 
+	nf_conntrack_init_end();
+
 	ret = register_pernet_subsys(&nf_conntrack_net_ops);
 	if (ret < 0)
 		goto out_pernet;
 
-	nf_conntrack_init_end();
 	return 0;
 
 out_pernet:






