Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2217708/?format=api
{ "id": 2217708, "url": "http://patchwork.ozlabs.org/api/patches/2217708/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260330115236.882409-1-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260330115236.882409-1-pablo@netfilter.org>", "list_archive_url": null, "date": "2026-03-30T11:52:36", "name": "[nf,v2] netfilter: ctnetlink: ignore explicit helper on new expectations", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": false, "hash": "34b62e8e7d34d20f302e4e37eaf3b5f43220ebf2", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260330115236.882409-1-pablo@netfilter.org/mbox/", "series": [ { "id": 498009, "url": "http://patchwork.ozlabs.org/api/series/498009/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=498009", "date": "2026-03-30T11:52:36", "name": "[nf,v2] netfilter: ctnetlink: ignore explicit helper on new expectations", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/498009/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2217708/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2217708/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11491-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=fmv/Iwtx;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11491-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"fmv/Iwtx\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fkqPf5kYJz1yG8\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 30 Mar 2026 22:52:54 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 4F9053011C8E\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 30 Mar 2026 11:52:44 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A154B3C9439;\n\tMon, 30 Mar 2026 11:52:43 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id DE6CD37CD24\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 30 Mar 2026 11:52:41 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id E3BF260181;\n\tMon, 30 Mar 2026 13:52:39 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774871563; cv=none;\n b=uPx8yupB8l2ebH9VCYwoEQpafmP1QY0Fs6MAat+mqvV9HpnZKOiqIt01ye4ehIYmzDhyhYIXsTLOKA04ViFM4tizj+bXzY3/7VOAjKPFFFYUCX/WxjnCTxJa6qkIDueaeV+ygHIV6aGEQUjQkdN4gC0FLOSdsJ66JQExqRja7fU=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774871563; c=relaxed/simple;\n\tbh=Qz9zxk13kEuVIdQEYzvy7JqPK47C6Vz0fS1sBP1dSg0=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=ch3FBbHHtoT42T+e1JQmfnoMSDBshXkoQGZMBlGG7EUtUtoPRksPJElL7z6SnJ9wg4GSQ9rL3ux/U0v/9/oJitYY181uhsKQa3IVyeIWfpE9TfB6pasyU0J9+MqqHodO4Xqte8AZwJE3riDC9HJrLQalYJgRjp4QwO1h8+uM8Jo=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=fmv/Iwtx; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1774871560;\n\tbh=R2dAsBopxfTJ1ZK8y8CtoQGLPp7qgvz/8b6vArS0V64=;\n\th=From:To:Cc:Subject:Date:From;\n\tb=fmv/Iwtx3cPUCuXCtmtmmoBbZDQoUdsRAA9DdRCaLlxnJNsYFKvPN9z8NHs9NmSC+\n\t 8eQjDxEWKVuUmgpmP2D1pVJTZj6ri3aimSHCj7dxsn2NzxDJhACpIushi1PQGjtf0N\n\t OfTxuVz9KTpNlV112zHm9tJy2TQ+KaPS4IU3yCqgQl8J0M3EC/EzoWlPH36ao92Zie\n\t avnOA7M0L9PGXlvtBoLsGhjydRrtC9R4vtREP/3IUG7RzcJoMyEztHMOm+bZKwmxP4\n\t 3DBxbsRMfbuBkxod1ewcu1DUFwrKwGYJ5RKGfAENn/reI7+YUq3DyWSjlLG5CIk3GK\n\t QhZMnW0hCMq1w==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "fw@strlen.de,\n\tffmancera@suse.de", "Subject": "[PATCH nf,v2] netfilter: ctnetlink: ignore explicit helper on new\n expectations", "Date": "Mon, 30 Mar 2026 13:52:36 +0200", "Message-ID": "<20260330115236.882409-1-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Use the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n Read of size 4 at addr ffff8880043fe408 by task poc/102\n Call Trace:\n nf_ct_expect_related_report+0x2479/0x27c0\n ctnetlink_create_expect+0x22b/0x3b0\n ctnetlink_new_expect+0x4bd/0x5c0\n nfnetlink_rcv_msg+0x67a/0x950\n netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump.\n\nFixes: bd0779370588 (\"netfilter: nfnetlink_queue: allow to attach expectations to conntracks\")\nReported-by: Qi Tang <tpluszz77@gmail.com>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\nv2: Expand commit description a bit and s/disallow/ignore in the patch subject.\n\n Tested with the ssdp ct helper in userspace, which is the only one\n that sets this and it still works after this.\n\n src/helpers/ssdp.c: nfexp_set_attr(exp, ATTR_EXP_HELPER_NAME, \"ssdp\");\n\n net/netfilter/nf_conntrack_netlink.c | 52 +++++-----------------------\n 1 file changed, 9 insertions(+), 43 deletions(-)", "diff": "diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c\nindex 35f859b24103..a4826ab8e2ca 100644\n--- a/net/netfilter/nf_conntrack_netlink.c\n+++ b/net/netfilter/nf_conntrack_netlink.c\n@@ -2636,7 +2636,6 @@ static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {\n \n static struct nf_conntrack_expect *\n ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,\n-\t\t struct nf_conntrack_helper *helper,\n \t\t struct nf_conntrack_tuple *tuple,\n \t\t struct nf_conntrack_tuple *mask);\n \n@@ -2865,7 +2864,6 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,\n {\n \tstruct nlattr *cda[CTA_EXPECT_MAX+1];\n \tstruct nf_conntrack_tuple tuple, mask;\n-\tstruct nf_conntrack_helper *helper = NULL;\n \tstruct nf_conntrack_expect *exp;\n \tint err;\n \n@@ -2879,17 +2877,8 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,\n \tif (err < 0)\n \t\treturn err;\n \n-\tif (cda[CTA_EXPECT_HELP_NAME]) {\n-\t\tconst char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);\n-\n-\t\thelper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),\n-\t\t\t\t\t\t nf_ct_protonum(ct));\n-\t\tif (helper == NULL)\n-\t\t\treturn -EOPNOTSUPP;\n-\t}\n-\n \texp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,\n-\t\t\t\t helper, &tuple, &mask);\n+\t\t\t\t &tuple, &mask);\n \tif (IS_ERR(exp))\n \t\treturn PTR_ERR(exp);\n \n@@ -3528,11 +3517,11 @@ ctnetlink_parse_expect_nat(const struct nlattr *attr,\n \n static struct nf_conntrack_expect *\n ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n-\t\t struct nf_conntrack_helper *helper,\n \t\t struct nf_conntrack_tuple *tuple,\n \t\t struct nf_conntrack_tuple *mask)\n {\n \tstruct net *net = read_pnet(&ct->ct_net);\n+\tstruct nf_conntrack_helper *helper;\n \tstruct nf_conntrack_expect *exp;\n \tstruct nf_conn_help *help;\n \tu32 class = 0;\n@@ -3542,7 +3531,11 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n \tif (!help)\n \t\treturn ERR_PTR(-EOPNOTSUPP);\n \n-\tif (cda[CTA_EXPECT_CLASS] && helper) {\n+\thelper = rcu_dereference(help->helper);\n+\tif (!helper)\n+\t\treturn ERR_PTR(-EOPNOTSUPP);\n+\n+\tif (cda[CTA_EXPECT_CLASS]) {\n \t\tclass = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));\n \t\tif (class > helper->expect_class_max)\n \t\t\treturn ERR_PTR(-EINVAL);\n@@ -3607,7 +3600,6 @@ ctnetlink_create_expect(struct net *net,\n {\n \tstruct nf_conntrack_tuple tuple, mask, master_tuple;\n \tstruct nf_conntrack_tuple_hash *h = NULL;\n-\tstruct nf_conntrack_helper *helper = NULL;\n \tstruct nf_conntrack_expect *exp;\n \tstruct nf_conn *ct;\n \tint err;\n@@ -3633,33 +3625,7 @@ ctnetlink_create_expect(struct net *net,\n \tct = nf_ct_tuplehash_to_ctrack(h);\n \n \trcu_read_lock();\n-\tif (cda[CTA_EXPECT_HELP_NAME]) {\n-\t\tconst char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);\n-\n-\t\thelper = __nf_conntrack_helper_find(helpname, u3,\n-\t\t\t\t\t\t nf_ct_protonum(ct));\n-\t\tif (helper == NULL) {\n-\t\t\trcu_read_unlock();\n-#ifdef CONFIG_MODULES\n-\t\t\tif (request_module(\"nfct-helper-%s\", helpname) < 0) {\n-\t\t\t\terr = -EOPNOTSUPP;\n-\t\t\t\tgoto err_ct;\n-\t\t\t}\n-\t\t\trcu_read_lock();\n-\t\t\thelper = __nf_conntrack_helper_find(helpname, u3,\n-\t\t\t\t\t\t\t nf_ct_protonum(ct));\n-\t\t\tif (helper) {\n-\t\t\t\terr = -EAGAIN;\n-\t\t\t\tgoto err_rcu;\n-\t\t\t}\n-\t\t\trcu_read_unlock();\n-#endif\n-\t\t\terr = -EOPNOTSUPP;\n-\t\t\tgoto err_ct;\n-\t\t}\n-\t}\n-\n-\texp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);\n+\texp = ctnetlink_alloc_expect(cda, ct, &tuple, &mask);\n \tif (IS_ERR(exp)) {\n \t\terr = PTR_ERR(exp);\n \t\tgoto err_rcu;\n@@ -3669,8 +3635,8 @@ ctnetlink_create_expect(struct net *net,\n \tnf_ct_expect_put(exp);\n err_rcu:\n \trcu_read_unlock();\n-err_ct:\n \tnf_ct_put(ct);\n+\n \treturn err;\n }\n \n", "prefixes": [ "nf", "v2" ] }