[{"id":3669232,"web_url":"http://patchwork.ozlabs.org/comment/3669232/","msgid":"<acQa30IdYh3PeLAh@chamomile>","list_archive_url":null,"date":"2026-03-25T17:26:55","subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Hi Florian,\n\nSorry for this late followup incremental fix.\n\nOn Wed, Mar 25, 2026 at 02:11:04PM +0100, Florian Westphal wrote:\n> 
From: Pablo Neira Ayuso <pablo@netfilter.org>\n> \n> Holding reference on the expectation is not sufficient, the master\n> conntrack object can just go away, making exp->master invalid.\n\nThis patch needs this update for expectations which do not have\nnfct_help(ct), two cases:\n\n- nft_ct creates\n- ip_vs_ftp\n\nSee attached incremental patch.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11412-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=PqdlzDjX;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11412-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"PqdlzDjX\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgvCX6v9Nz1xy3\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 04:34:00 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 760BE30C0290\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 17:27:06 +0000 
(UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 57CDA405AA6;\n\tWed, 25 Mar 2026 17:27:04 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id F14622F3C18;\n\tWed, 25 Mar 2026 17:27:00 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 374D3600B5;\n\tWed, 25 Mar 2026 18:26:58 +0100 (CET)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774459623; cv=none;\n b=R0uA9f2CiCCo2E5kU5+L3KcNMLHdo7XNT/P9uP+cY66iAGg03JR4swG2MjpT2cpjmlNIGs7BT383Th6pY+qJOsbzkVXpFo6WKeuMbh6x8katJuUKpXLoTn5J2tbn+Ps5Trcg6guZlsUEtT427bOGejwfuNVj2whclsHNftV5md8=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774459623; c=relaxed/simple;\n\tbh=a4aj5jAmH16K+/PquDZcbtSVDhId/k9irzRhOU0Ai74=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=Bk4H8S8AD/J//8vV6FbsogliCIDAPSp75soEy50HlU9ACH5Hbpb7lMoFQkK2Gu0enMJUxjYfl8KuuYTA/sb4uxCCS9zQWFnyxFN6wY1fPB/JN0A3ntQU/cP2ymVwe4/3rI2v1k1pdavXyJYMUAWZnCkrCzQZsqgr4qaTulvNL6o=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=PqdlzDjX; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1774459618;\n\tbh=R/N3iI1l0bnsXgxzIzcUgBpAxd8OgKgFL9Jb7qTamhY=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=PqdlzDjX/bpuRfD0n7MN6PkT2VzmDTcpQnpydbs4UzAUGSiW7eNJdre0GjGxXOG5c\n\t 
q4qzkB45G8zh6tkgstbanuL6GzVgpMcWDXjdasDSNOOXaivp067BIjgeYcujkt7NLM\n\t OUw841ze/Erp4oEHq9YPaCpaCGIpHP8+NkQoEtw5Oinyh4FSVfXiqNKy+2R3+iGrCA\n\t tu5SB+WugRWu4bcUzxRjIp/Til7xvc30CSKVzWDeqERFfG9rttAgEoEKQQ+NmdvC6p\n\t 3+KCJqzr07bF5XZXPzPEIHODyuP+Y49wIF2hcjb0BloXdIu9XIrX/TYGIBNaurEP1W\n\t ln6FTSWfu1/iw==","Date":"Wed, 25 Mar 2026 18:26:55 +0100","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,\n\t\"David S. Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","Message-ID":"<acQa30IdYh3PeLAh@chamomile>","References":"<20260325131108.23045-1-fw@strlen.de>\n <20260325131108.23045-11-fw@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"multipart/mixed; boundary=\"a6qFS7dqxNZJ8s0L\"","Content-Disposition":"inline","In-Reply-To":"<20260325131108.23045-11-fw@strlen.de>"}},{"id":3669239,"web_url":"http://patchwork.ozlabs.org/comment/3669239/","msgid":"<acQbU0MndzrPpQ2A@chamomile>","list_archive_url":null,"date":"2026-03-25T17:28:51","subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Wed, Mar 25, 2026 at 06:26:58PM +0100, Pablo Neira Ayuso wrote:\n> Hi Florian,\n> \n> Sorry for this late followup incremental fix.\n> \n> On Wed, Mar 25, 2026 at 02:11:04PM +0100, Florian Westphal wrote:\n> 
> From: Pablo Neira Ayuso <pablo@netfilter.org>\n> > \n> > Holding reference on the expectation is not sufficient, the master\n> > conntrack object can just go away, making exp->master invalid.\n> \n> This patch needs this update for expectations which do not have\n> nfct_help(ct), two cases:\n> \n> - nft_ct creates\n> - ip_vs_ftp\n> \n> See attached incremental patch.\n\nSorry. Actually, This incremental fix is for:\n\n  [PATCH net 08/14] netfilter: nf_conntrack_expect: honor expectation helper field\n\nfor the two cases I mentioned above.\n\n> diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c\n> index 509d3eb6f56a..cf39662c4b97 100644\n> --- a/net/netfilter/nf_conntrack_expect.c\n> +++ b/net/netfilter/nf_conntrack_expect.c\n> @@ -325,7 +325,9 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,\n>  \t\t       u_int8_t proto, const __be16 *src, const __be16 *dst)\n>  {\n>  \tstruct net *net = read_pnet(&exp->master->ct_net);\n> -\n> +\tstruct nf_conntrack_helper *helper;\n> +\tstruct nf_conn *ct = exp->master;\n> +\tstruct nf_conn_help *help;\n>  \tint len;\n>  \n>  \tif (family == AF_INET)\n> 
@@ -336,7 +338,14 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,\n>  \texp->flags = 0;\n>  \texp->class = class;\n>  \texp->expectfn = NULL;\n> -\trcu_assign_pointer(exp->helper, nfct_help(exp->master)->helper);\n> +\thelp = nfct_help(ct);\n> +\tif (help) {\n> +\t\thelper = rcu_dereference(help->helper);\n> +\t\tif (helper)\n> +\t\t\trcu_assign_pointer(exp->helper, help->helper);\n> +\t} else {\n> +\t\texp->helper = NULL;\n> +\t}\n>  \twrite_pnet(&exp->net, net);\n>  \texp->zone = exp->master->zone;\n>  \texp->tuple.src.l3num = family;","headers":{"Return-Path":"\n <netfilter-devel+bounces-11413-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=j9Wga8q5;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11413-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"j9Wga8q5\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgvGh3rKJz1xy1\n\tfor 
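Review bot: In the second hunk of nf_ct_expect_init(), the path where `help` is non-NULL but `rcu_dereference(help->helper)` returns NULL never writes `exp->helper`. Unless the expectation object is zeroed by its allocator (not visible in this hunk), the field keeps whatever stale value the memory held, and later readers of `exp->helper` would follow it. The non-NULL path also re-reads `help->helper` inside `rcu_assign_pointer()` instead of storing the `helper` local it just checked, so the checked and stored values can differ. Assigning unconditionally covers both cases: `helper = help ? rcu_dereference(help->helper) : NULL;` followed by `rcu_assign_pointer(exp->helper, helper);`. The function body starts and continues outside the quoted hunks.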
<incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 04:36:44 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id C126D31293DC\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 17:29:15 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 24EB240627D;\n\tWed, 25 Mar 2026 17:29:01 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2414E405AB0;\n\tWed, 25 Mar 2026 17:28:55 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id CE23C600B5;\n\tWed, 25 Mar 2026 18:28:53 +0100 (CET)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774459739; cv=none;\n b=i+RXxKCqu7NqhgU4aRX2ydbDXouzluVJUCVikRvg9HUBenNu3p5pEOcCWX/sT/tVKS20Jfh9o/jjJuU6k8I0tcybb3YuVc/GzQdS4wgJ0FTsogfWM4+3yBLe0LT5tK0CiDSNR0bfQG+uCa/UhxIc75+swPug17vK/UrF/kY1LKk=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774459739; c=relaxed/simple;\n\tbh=mZ5FCmbmEUI5S9A3jMuoQakyvUbkEdqp4jWuG5946Mc=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=ZHCcEqFaQQah0yV2fG5pQOk8gDxXh8o+uc9XAd2UYnMAQWNYgbftU8vnfjqtjHSCWDym85kRB1YtsGnGYBMsbZ6TgowrpkN4FcO0H2TpSVnsvbAe5FRTwYF6P0HLhfsMj02rvcE0HCEcSSXkce/ki6ceWzUBk2IYTDyCGWx6NqM=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=j9Wga8q5; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=netfilter.org;\n\ts=2025; t=1774459733;\n\tbh=fr7RHDf4eIASZHHxRVVoIlUiKoSTbIXLlIA9z4ENRyw=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=j9Wga8q50dMVs7JlhYI4TNBAXU2Y+i8YqJNTTWB4du53tuf9eaGfvnPGTpXdeMYfW\n\t DuGAnOCxTSVh6MUhO2JbbOpfDrYdrEPEICg+pm791NXtw4OWBNUqXGNbEBVQxk0rhi\n\t DFSWwglKO3MRiZYCgD6j2h41GZlMYQ6WJXwWybd/IxxmTR4uPpwsHrTGeDbagXtHZa\n\t YRZzTCBifWYqvcgJ1CXC0ADAGYgK2b26nGvgn2hD2HHb5nqJNqsJoFkRWCfVGf2A2M\n\t ZEZgmnbGw3TSnpfrJSiIiw4NUpmhd/7xUPI/YzLgctDLwghIYhXZOOqMXnnsXfiM2H\n\t TwpSSOCVD7Fow==","Date":"Wed, 25 Mar 2026 18:28:51 +0100","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,\n\t\"David S. Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","Message-ID":"<acQbU0MndzrPpQ2A@chamomile>","References":"<20260325131108.23045-1-fw@strlen.de>\n <20260325131108.23045-11-fw@strlen.de>\n <acQa30IdYh3PeLAh@chamomile>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<acQa30IdYh3PeLAh@chamomile>"}},{"id":3669240,"web_url":"http://patchwork.ozlabs.org/comment/3669240/","msgid":"<acQbWvJUK20gbTWg@strlen.de>","list_archive_url":null,"date":"2026-03-25T17:28:58","subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> Sorry 
for this late followup incremental fix.\n\nI'm tired.\n\n> diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c\n> index 509d3eb6f56a..cf39662c4b97 100644\n> --- a/net/netfilter/nf_conntrack_expect.c\n> +++ b/net/netfilter/nf_conntrack_expect.c\n> @@ -325,7 +325,9 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,\n>  \t\t       u_int8_t proto, const __be16 *src, const __be16 *dst)\n>  {\n>  \tstruct net *net = read_pnet(&exp->master->ct_net);\n> -\n> +\tstruct nf_conntrack_helper *helper;\n> +\tstruct nf_conn *ct = exp->master;\n> +\tstruct nf_conn_help *help;\n>  \tint len;\n>  \n>  \tif (family == AF_INET)\n> 
@@ -336,7 +338,14 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,\n>  \texp->flags = 0;\n>  \texp->class = class;\n>  \texp->expectfn = NULL;\n> -\trcu_assign_pointer(exp->helper, nfct_help(exp->master)->helper);\n> +\thelp = nfct_help(ct);\n\nDo we have a reference here? Is that safe?\n\nI'm not looking forward to a new PR.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11414-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11414-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgvGv5GdTz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 04:36:55 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id D72DA3130C6A\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 17:29:30 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7251A405AD7;\n\tWed, 25 Mar 2026 17:29:28 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id A318C4014A8;\n\tWed, 25 Mar 2026 17:29:25 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid D3F39608BD; Wed, 25 Mar 2026 18:29:23 +0100 (CET)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774459767; cv=none;\n b=a59+D7Oouks0oYgZgXj7tpFUE1nOapQ5Q6x56pFdVl8QCZxEZGnq27ReHv4Cksli9C6u1VObKF2cYv8RW20KSyDsEZ3WrBghUqrPexUwsCdv15e0uVhFhfa14fbmU2UpyE5EpQA8nXojLzFULYWc6fSEqC4z9ujtO6E76wzaEPY=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774459767; c=relaxed/simple;\n\tbh=97rYFqJNRPWwAQmAUMBPRGRwoJMnJ7FsODxE0p7iAX0=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=kxyJ5Szq5vU/FusiI4+W4lbGzZhWVnhU9mKdN/wiz5Isx1CNgovAK7Q9c3uNJqOGpEKUcTb1MzOPYKIkLPPChyahn0fakXvwR1oWhmx5lHSdZ/69WDiF+adQe3JMCnDze84pa80Nonch86KlbOzvqAF7D7jjNzIT7yljYgqrZkU=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Wed, 25 Mar 2026 18:28:58 +0100","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,\n\t\"David S. 
Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","Message-ID":"<acQbWvJUK20gbTWg@strlen.de>","References":"<20260325131108.23045-1-fw@strlen.de>\n <20260325131108.23045-11-fw@strlen.de>\n <acQa30IdYh3PeLAh@chamomile>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<acQa30IdYh3PeLAh@chamomile>"}},{"id":3669247,"web_url":"http://patchwork.ozlabs.org/comment/3669247/","msgid":"<acQdlj8hkZhKWnT4@chamomile>","list_archive_url":null,"date":"2026-03-25T17:38:30","subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Wed, Mar 25, 2026 at 06:28:58PM +0100, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > Sorry for this late followup incremental fix.\n> \n> I'm tired.\n> \n> > diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c\n> > index 509d3eb6f56a..cf39662c4b97 100644\n> > --- a/net/netfilter/nf_conntrack_expect.c\n> > +++ b/net/netfilter/nf_conntrack_expect.c\n> 
> @@ -325,7 +325,9 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,\n> >  \t\t       u_int8_t proto, const __be16 *src, const __be16 *dst)\n> >  {\n> >  \tstruct net *net = read_pnet(&exp->master->ct_net);\n> > -\n> > +\tstruct nf_conntrack_helper *helper;\n> > +\tstruct nf_conn *ct = exp->master;\n> > +\tstruct nf_conn_help *help;\n> >  \tint len;\n> >  \n> >  \tif (family == AF_INET)\n> 
> @@ -336,7 +338,14 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,\n> >  \texp->flags = 0;\n> >  \texp->class = class;\n> >  \texp->expectfn = NULL;\n> > -\trcu_assign_pointer(exp->helper, nfct_help(exp->master)->helper);\n> > +\thelp = nfct_help(ct);\n> \n> Do we have a reference here? Is that safe?\n\nThis ct is coming from the skb from packet path, while rcu_read_lock()\nis held, the skb owns this ct.\n\n> I'm not looking forward to a new PR.\n\nApologies.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11415-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=iQEDGglA;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11415-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"iQEDGglA\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgvSt2jjnz1xy3\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 04:45:34 +1100 (AEDT)","from smtp.subspace.kernel.org 
(conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 5F5B530E267E\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 17:38:40 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 55D053BD636;\n\tWed, 25 Mar 2026 17:38:37 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 72BC73E4C8B;\n\tWed, 25 Mar 2026 17:38:35 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 5377B600B9;\n\tWed, 25 Mar 2026 18:38:33 +0100 (CET)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774460316; cv=none;\n b=VOZ+V7SCmZcXS/pyI0+tiyBnKUrYoaimsE3/oQTx2aG6D6MNnerZjwkX8mmJmnEtpmw1qp9cPEXB49CxUFNZ1ABHIRc5tawi90rjxdMVVUaFaWKdTreTUUekQljg9p4zwvs/mXWXsrMKZ8WXAub01V5nhGjSwdR+G+Qj/aaOsFk=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774460316; c=relaxed/simple;\n\tbh=i/PCW2KwbkSGnN7UFnNGlu/tnmgSOsRklYCvWppu7pU=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=iE0NTzxXXsi+JlWs0Lbrsgj5F//yvX1cTWq1w4y320PgP4OJIKwUxnzS+SYjFyyBUQw1gAqbF2eqFL+gmyYGyLbJCU4TD3RU8qPuFUUXnNFczFPtCTa6zNSUZaDfg87lqnzMUmdtJswqqiALT7c7Q46/NGBXXv3nrmy6pQmNz6c=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=iQEDGglA; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; 
t=1774460313;\n\tbh=rRXcHrpcOVkMBFaBuInNnRfkXXu/rgto+v/iY4SduS4=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=iQEDGglAVYhEpXWdWadAsO6dZeaqMrwThOuncC6TyEXiLeOHwoYdAu1YRlxmF740h\n\t 9nElGCkiH7tmrWvoBif7c+S90KH5NSmHmjLXwCNb+9ka88FERr/5atV+AHSME9rOzy\n\t tmDMx0p49q7USHeJSeP5JLNgoXBkvuJ3gG5Jgy0P9gznaSRYhYOdQnietuunVoknYL\n\t 4x+PMnv8P+ehjSKKI4RT5pPQuTL0+ZzaYbY+MdQx9cjYcmXsJMdUNusF0+SD1UPTV4\n\t OVDqbijSryVeJbj7agWiY7Fm3CW/wpoQ5ogKx7Y2VnCxTGKyy501yuwmsqu8PyjAMm\n\t VdabeOUiqJjDA==","Date":"Wed, 25 Mar 2026 18:38:30 +0100","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,\n\t\"David S. Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH net 10/14] netfilter: ctnetlink: ensure safe access to\n master conntrack","Message-ID":"<acQdlj8hkZhKWnT4@chamomile>","References":"<20260325131108.23045-1-fw@strlen.de>\n <20260325131108.23045-11-fw@strlen.de>\n <acQa30IdYh3PeLAh@chamomile>\n <acQbWvJUK20gbTWg@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<acQbWvJUK20gbTWg@strlen.de>"}}]