Patch "netfilter: conntrack: clamp maximum hashtable size to INT_MAX" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 10 Jan 2025 09:30:49 -0500

This is a note to let you know that I've just added the patch titled

    netfilter: conntrack: clamp maximum hashtable size to INT_MAX

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cae372154fb5dd03c272718114a0c3e1e90bd8c0
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Wed Jan 8 22:56:33 2025 +0100

    netfilter: conntrack: clamp maximum hashtable size to INT_MAX
    
    [ Upstream commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 ]
    
    Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it
    is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when
    resizing hashtable because __GFP_NOWARN is unset. See:
    
      0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")
    
    Note: hashtable resize is only possible from init_netns.
    
    Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing")
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 024f93fc8c0b..b7b2ed05ac50 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2591,12 +2591,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
 	struct hlist_nulls_head *hash;
 	unsigned int nr_slots, i;
 
-	if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head)))
+	if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head)))
 		return NULL;
 
 	BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
 	nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));
 
+	if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head)))
+		return NULL;
+
 	hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL);
 
 	if (hash && nulls)







