Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2216436/?format=api
{ "id": 2216436, "url": "http://patchwork.ozlabs.org/api/patches/2216436/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326125153.685915-9-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260326125153.685915-9-pablo@netfilter.org>", "list_archive_url": null, "date": "2026-03-26T12:51:49", "name": "[net,08/12] netfilter: ctnetlink: ensure safe access to master conntrack", "commit_ref": null, "pull_url": null, "state": "handled-elsewhere", "archived": true, "hash": "a4daf1c41a9b41a196f01169e0fd7bb39e35f0b8", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326125153.685915-9-pablo@netfilter.org/mbox/", "series": [ { "id": 497584, "url": "http://patchwork.ozlabs.org/api/series/497584/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=497584", "date": "2026-03-26T12:51:41", "name": "[net,01/12] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/497584/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2216436/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2216436/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11447-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=p0aCQJec;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11447-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"p0aCQJec\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fhNwb0tv9z1y1G\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 23:52:47 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id DBBFB304DF1F\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 12:52:15 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0820A285C88;\n\tThu, 26 Mar 2026 12:52:11 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 24C1727E056;\n\tThu, 26 Mar 2026 12:52:09 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id E82CB6026D;\n\tThu, 26 Mar 2026 13:52:06 +0100 (CET)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774529530; cv=none;\n b=BsNQFrmG1hMZihrDRUbxBWTKXZJBT5xBGu9MhCqgILqZhHOMHjDGEwT0QlNU0uphr6pt3u6ZWp+/MxRZI1TssUPTyIX7p5Dzj3kO4u4hljqK+FaSCtwNT/rntnIBRlGN1AjVDIJ05ZrlVjaR4+yQaCAwDP3zk/K/S4KphrWR2xg=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774529530; c=relaxed/simple;\n\tbh=1s9DZjAHoVuYpHvnJY0+Rv5MfpSeCaZID3pEFXgtbiM=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=PEPi0pNgxOeEdvUX6+lGxVR4mEQN5fQueV+8zspyvk7n8lomL1by6JP00mqd7VMYorKF+9n7jR+mP8At2Dci8bq00bSLGzlJrQIcOmG5N4RmRlFKWif5jJDqmOkD80lo8Oh8xdDXBBYQ4Gp0HaqGSy3u7mAlztz06lwN2nffCgM=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=p0aCQJec; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1774529527;\n\tbh=c2oFxf7laka3ewjT50JmynISekij/PH4ViHMcXso+NI=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=p0aCQJecdpS8KlqwgdmhJUaWqVjK/EpKkT6LKSKNKfJ+6WFKJrss0oEJORJgQbJ9A\n\t 1OJv1Wyf8C641/m3BgKAyOXNXkkIPx9IOjD1et/zwdwdjMrflgR8o1L0zh7LmcU1QH\n\t QsBBxSDJyOh/s1ilnAQamoiANMcBZHc1hufYXnlxli+qf0uRAYLYaUvkxxmkrrcJRt\n\t oSfQZVykt/Vrk+QNDDeBJYqYMf87suLDlKveqx4sAFp8ckDQk/dxEjay9wEWcIxlHX\n\t DiKrZg8VhEsctHn6PZPL7HttMemJfoD6Qpl8c/yHVOlos65IDUhY6OWPJR5xOwEo5t\n\t V8AFQY2ioOt2A==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org", "Subject": "[PATCH net 08/12] netfilter: ctnetlink: ensure safe access to master\n conntrack", "Date": "Thu, 26 Mar 2026 13:51:49 +0100", "Message-ID": "<20260326125153.685915-9-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<20260326125153.685915-1-pablo@netfilter.org>", "References": "<20260326125153.685915-1-pablo@netfilter.org>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Holding reference on the expectation is not sufficient, the master\nconntrack object can just go away, making exp->master invalid.\n\nTo access exp->master safely:\n\n- Grab the nf_conntrack_expect_lock, this gets serialized with\n clean_from_lists() which also holds this lock when the master\n conntrack goes away.\n\n- Hold reference on master conntrack via nf_conntrack_find_get().\n Not so easy since the master tuple to look up for the master conntrack\n is not available in the existing problematic paths.\n\nThis patch goes for extending the nf_conntrack_expect_lock section\nto address this issue for simplicity, in the cases that are described\nbelow this is just slightly extending the lock section.\n\nThe add expectation command already holds a reference to the master\nconntrack from ctnetlink_create_expect().\n\nHowever, the delete expectation command needs to grab the spinlock\nbefore looking up for the expectation. Expand the existing spinlock\nsection to address this to cover the expectation lookup. Note that,\nthe nf_ct_expect_iterate_net() calls already grabs the spinlock while\niterating over the expectation table, which is correct.\n\nThe get expectation command needs to grab the spinlock to ensure master\nconntrack does not go away. This also expands the existing spinlock\nsection to cover the expectation lookup too. I needed to move the\nnetlink skb allocation out of the spinlock to keep it GFP_KERNEL.\n\nFor the expectation events, the IPEXP_DESTROY event is already delivered\nunder the spinlock, just move the delivery of IPEXP_NEW under the\nspinlock too because the master conntrack event cache is reached through\nexp->master.\n\nWhile at it, add lockdep notations to help identify what codepaths need\nto grab the spinlock.\n\nSigned-off-by: Florian Westphal <fw@strlen.de>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n include/net/netfilter/nf_conntrack_core.h | 5 ++++\n net/netfilter/nf_conntrack_ecache.c | 2 ++\n net/netfilter/nf_conntrack_expect.c | 10 +++++++-\n net/netfilter/nf_conntrack_netlink.c | 28 +++++++++++++++--------\n 4 files changed, 35 insertions(+), 10 deletions(-)", "diff": "diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h\nindex 3384859a8921..8883575adcc1 100644\n--- a/include/net/netfilter/nf_conntrack_core.h\n+++ b/include/net/netfilter/nf_conntrack_core.h\n@@ -83,6 +83,11 @@ void nf_conntrack_lock(spinlock_t *lock);\n \n extern spinlock_t nf_conntrack_expect_lock;\n \n+static inline void lockdep_nfct_expect_lock_held(void)\n+{\n+\tlockdep_assert_held(&nf_conntrack_expect_lock);\n+}\n+\n /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */\n \n static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)\ndiff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c\nindex 81baf2082604..9df159448b89 100644\n--- a/net/netfilter/nf_conntrack_ecache.c\n+++ b/net/netfilter/nf_conntrack_ecache.c\n@@ -247,6 +247,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,\n \tstruct nf_ct_event_notifier *notify;\n \tstruct nf_conntrack_ecache *e;\n \n+\tlockdep_nfct_expect_lock_held();\n+\n \trcu_read_lock();\n \tnotify = rcu_dereference(net->ct.nf_conntrack_event_cb);\n \tif (!notify)\ndiff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c\nindex 64977db12b1d..1cbe5f1108c2 100644\n--- a/net/netfilter/nf_conntrack_expect.c\n+++ b/net/netfilter/nf_conntrack_expect.c\n@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,\n \tstruct net *net = nf_ct_exp_net(exp);\n \tstruct nf_conntrack_net *cnet;\n \n+\tlockdep_nfct_expect_lock_held();\n \tWARN_ON(!master_help);\n \tWARN_ON(timer_pending(&exp->timeout));\n \n@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple,\n \n bool nf_ct_remove_expect(struct nf_conntrack_expect *exp)\n {\n+\tlockdep_nfct_expect_lock_held();\n+\n \tif (timer_delete(&exp->timeout)) {\n \t\tnf_ct_unlink_expect(exp);\n \t\tnf_ct_expect_put(exp);\n@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net,\n \tstruct nf_conntrack_expect *i, *exp = NULL;\n \tunsigned int h;\n \n+\tlockdep_nfct_expect_lock_held();\n+\n \tif (!cnet->expect_count)\n \t\treturn NULL;\n \n@@ -454,6 +459,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,\n \tunsigned int h;\n \tint ret = 0;\n \n+\tlockdep_nfct_expect_lock_held();\n+\n \tif (!master_help) {\n \t\tret = -ESHUTDOWN;\n \t\tgoto out;\n@@ -510,8 +517,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,\n \n \tnf_ct_expect_insert(expect);\n \n-\tspin_unlock_bh(&nf_conntrack_expect_lock);\n \tnf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);\n+\tspin_unlock_bh(&nf_conntrack_expect_lock);\n+\n \treturn 0;\n out:\n \tspin_unlock_bh(&nf_conntrack_expect_lock);\ndiff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c\nindex 8477c3736432..89540112d165 100644\n--- a/net/netfilter/nf_conntrack_netlink.c\n+++ b/net/netfilter/nf_conntrack_netlink.c\n@@ -3355,31 +3355,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb,\n \tif (err < 0)\n \t\treturn err;\n \n+\tskb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);\n+\tif (!skb2)\n+\t\treturn -ENOMEM;\n+\n+\tspin_lock_bh(&nf_conntrack_expect_lock);\n \texp = nf_ct_expect_find_get(info->net, &zone, &tuple);\n-\tif (!exp)\n+\tif (!exp) {\n+\t\tspin_unlock_bh(&nf_conntrack_expect_lock);\n+\t\tkfree_skb(skb2);\n \t\treturn -ENOENT;\n+\t}\n \n \tif (cda[CTA_EXPECT_ID]) {\n \t\t__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);\n \n \t\tif (id != nf_expect_get_id(exp)) {\n \t\t\tnf_ct_expect_put(exp);\n+\t\t\tspin_unlock_bh(&nf_conntrack_expect_lock);\n+\t\t\tkfree_skb(skb2);\n \t\t\treturn -ENOENT;\n \t\t}\n \t}\n \n-\tskb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);\n-\tif (!skb2) {\n-\t\tnf_ct_expect_put(exp);\n-\t\treturn -ENOMEM;\n-\t}\n-\n \trcu_read_lock();\n \terr = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,\n \t\t\t\t info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,\n \t\t\t\t exp);\n \trcu_read_unlock();\n \tnf_ct_expect_put(exp);\n+\tspin_unlock_bh(&nf_conntrack_expect_lock);\n+\n \tif (err <= 0) {\n \t\tkfree_skb(skb2);\n \t\treturn -ENOMEM;\n@@ -3426,22 +3432,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb,\n \t\tif (err < 0)\n \t\t\treturn err;\n \n+\t\tspin_lock_bh(&nf_conntrack_expect_lock);\n+\n \t\t/* bump usage count to 2 */\n \t\texp = nf_ct_expect_find_get(info->net, &zone, &tuple);\n-\t\tif (!exp)\n+\t\tif (!exp) {\n+\t\t\tspin_unlock_bh(&nf_conntrack_expect_lock);\n \t\t\treturn -ENOENT;\n+\t\t}\n \n \t\tif (cda[CTA_EXPECT_ID]) {\n \t\t\t__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);\n \n \t\t\tif (id != nf_expect_get_id(exp)) {\n \t\t\t\tnf_ct_expect_put(exp);\n+\t\t\t\tspin_unlock_bh(&nf_conntrack_expect_lock);\n \t\t\t\treturn -ENOENT;\n \t\t\t}\n \t\t}\n \n \t\t/* after list removal, usage count == 1 */\n-\t\tspin_lock_bh(&nf_conntrack_expect_lock);\n \t\tif (timer_delete(&exp->timeout)) {\n \t\t\tnf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,\n \t\t\t\t\t\t nlmsg_report(info->nlh));\n", "prefixes": [ "net", "08/12" ] }