[PATCH 5.10 062/116] netfilter: ctnetlink: disable helper autoassign

From: Greg Kroah-Hartman
Date: Mon Feb 14 2022 - 04:53:33 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.10 065/116] drm/panel: simple: Assign data from panel_dpi_probe() correctly"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 061/116] misc: fastrpc: avoid double fput() on failed usercopy"
In reply to: Greg Kroah-Hartman: "[PATCH 5.10 061/116] misc: fastrpc: avoid double fput() on failed usercopy"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.10 065/116] drm/panel: simple: Assign data from panel_dpi_probe() correctly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Westphal <fw@xxxxxxxxx>

[ Upstream commit d1ca60efc53d665cf89ed847a14a510a81770b81 ]

When userspace, e.g. conntrackd, inserts an entry with a specified helper,
its possible that the helper is lost immediately after its added:

ctnetlink_create_conntrack
-> nf_ct_helper_ext_add + assign helper
-> ctnetlink_setup_nat
-> ctnetlink_parse_nat_setup
-> parse_nat_setup -> nfnetlink_parse_nat_setup
-> nf_nat_setup_info
-> nf_conntrack_alter_reply
-> __nf_ct_try_assign_helper

... and __nf_ct_try_assign_helper will zero the helper again.

Set IPS_HELPER bit to bypass auto-assign logic, its unwanted, just like
when helper is assigned via ruleset.

Dropped old 'not strictly necessary' comment, it referred to use of
rcu_assign_pointer() before it got replaced by RCU_INIT_POINTER().

NB: Fixes tag intentionally incorrect, this extends the referenced commit,
but this change won't build without IPS_HELPER introduced there.

Fixes: 6714cf5465d280 ("netfilter: nf_conntrack: fix explicit helper attachment and NAT")
Reported-by: Pham Thanh Tuyen <phamtyn@xxxxxxxxx>
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
include/uapi/linux/netfilter/nf_conntrack_common.h | 2 +-
net/netfilter/nf_conntrack_netlink.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index 4b3395082d15c..26071021e986f 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -106,7 +106,7 @@ enum ip_conntrack_status {
IPS_NAT_CLASH = IPS_UNTRACKED,
#endif

- /* Conntrack got a helper explicitly attached via CT target. */
+ /* Conntrack got a helper explicitly attached (ruleset, ctnetlink). */
IPS_HELPER_BIT = 13,
IPS_HELPER = (1 << IPS_HELPER_BIT),

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c6bcc28ae3387..eeeaa34b3e7b5 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2283,7 +2283,8 @@ ctnetlink_create_conntrack(struct net *net,
if (helper->from_nlattr)
helper->from_nlattr(helpinfo, ct);

- /* not in hash table yet so not strictly necessary */
+ /* disable helper auto-assignment for this entry */
+ ct->status |= IPS_HELPER;
RCU_INIT_POINTER(help->helper, helper);
}
} else {
--
2.34.1

Next message: Greg Kroah-Hartman: "[PATCH 5.10 065/116] drm/panel: simple: Assign data from panel_dpi_probe() correctly"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 061/116] misc: fastrpc: avoid double fput() on failed usercopy"
In reply to: Greg Kroah-Hartman: "[PATCH 5.10 061/116] misc: fastrpc: avoid double fput() on failed usercopy"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.10 065/116] drm/panel: simple: Assign data from panel_dpi_probe() correctly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]