{"id":2226485,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2226485/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260422131818.106417-2-vebohr@gmail.com/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.2/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260422131818.106417-2-vebohr@gmail.com>","list_archive_url":null,"date":"2026-04-22T13:18:18","name":"[1/1] selftests: netfilter: add nft_ct timeout destroy race test","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"77f3011f37d20ed9f5adaddb692c512808654bbc","submitter":{"id":93224,"url":"http://patchwork.ozlabs.org/api/1.2/people/93224/?format=json","name":"Vastargazing","email":"vebohr@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260422131818.106417-2-vebohr@gmail.com/mbox/","series":[{"id":501011,"url":"http://patchwork.ozlabs.org/api/1.2/series/501011/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501011","date":"2026-04-22T13:18:18","name":"selftests: netfilter: add regression test for nft_ct timeout UAF","version":1,"mbox":"http://patchwork.ozlabs.org/series/501011/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2226485/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2226485/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <netfilter-devel+bounces-12130-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) 
header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=szUHn4++;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12130-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"szUHn4++\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.167.44","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g10D61kJRz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 23:18:46 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 24E6D300D75F\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 13:18:43 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 936D427713;\n\tWed, 22 Apr 2026 13:18:41 +0000 (UTC)","from mail-lf1-f44.google.com (mail-lf1-f44.google.com\n [209.85.167.44])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 897E63D171D\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 22 Apr 2026 13:18:39 +0000 (UTC)","by mail-lf1-f44.google.com with SMTP id\n 2adb3069b0e04-59e4989dacdso5974007e87.1\n        for <netfilter-devel@vger.kernel.org>;\n Wed, 22 
Apr 2026 06:18:39 -0700 (PDT)","from va-HP-Pavilion-Desktop-595-p0xxx.mshome.net ([193.0.150.248])\n        by smtp.gmail.com with ESMTPSA id\n 2adb3069b0e04-5a418376d0asm4447656e87.0.2026.04.22.06.18.35\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Wed, 22 Apr 2026 06:18:37 -0700 (PDT)"],"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=szUHn4++; arc=none smtp.client-ip=209.85.167.44","X-Received":"by 2002:a05:6512:2248:b0:5a4:992:e8b2 with SMTP id\n 2adb3069b0e04-5a4172e1c8bmr8319129e87.21.1776863917376;\n        Wed, 22 Apr 2026 06:18:37 -0700 (PDT)","From":"Vastargazing 
<vebohr@gmail.com>","To":"pablo@netfilter.org,\n\tfw@strlen.de","Cc":"netfilter-devel@vger.kernel.org,\n\tlinux-kselftest@vger.kernel.org,\n\tshuah@kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tVastargazing <vebohr@gmail.com>","Subject":"[PATCH 1/1] selftests: netfilter: add nft_ct timeout destroy race\n test","Date":"Wed, 22 Apr 2026 16:18:18 +0300","Message-ID":"<20260422131818.106417-2-vebohr@gmail.com>","X-Mailer":"git-send-email 2.51.0","In-Reply-To":"<20260422131818.106417-1-vebohr@gmail.com>","References":"<20260422131818.106417-1-vebohr@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"Add a netfilter kselftest for the nft_ct timeout object destroy race\nfixed by commit f8dca15a1b19 (\"netfilter: nft_ct: fix use-after-free in\ntimeout object destroy\").\n\nKeep creating new TCP connections from one namespace while repeatedly\nflushing and recreating the table that owns a ct timeout object. 
This\nexercises concurrent packet processing against the timeout object\nteardown path without requiring external traffic tools beyond bash,\nnft and ip.\n\nOn a KASAN kernel, a regression in the RCU lifetime handling should\nshow up as a slab-use-after-free report in nf_conntrack_tcp_packet().\n\nAssisted-by: GitHub Copilot:claude-sonnet-4-6\nSigned-off-by: Vastargazing <vebohr@gmail.com>\n---\n .../testing/selftests/net/netfilter/Makefile  |   1 +\n .../netfilter/nft_ct_timeout_concurrency.sh   | 116 ++++++++++++++++++\n 2 files changed, 117 insertions(+)\n create mode 100644 tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh","diff":"diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile\nindex ee2d1a5254f8..bcf53a1ef7ec 100644\n--- a/tools/testing/selftests/net/netfilter/Makefile\n+++ b/tools/testing/selftests/net/netfilter/Makefile\n@@ -25,6 +25,7 @@ TEST_PROGS := \\\n \tnft_audit.sh \\\n \tnft_concat_range.sh \\\n \tnft_conntrack_helper.sh \\\n+\tnft_ct_timeout_concurrency.sh \\\n \tnft_fib.sh \\\n \tnft_flowtable.sh \\\n \tnft_interface_stress.sh \\\ndiff --git a/tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh b/tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh\nnew file mode 100644\nindex 000000000000..79876cdfb2df\n--- /dev/null\n+++ b/tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh\n@@ -0,0 +1,116 @@\n+#!/bin/bash\n+# SPDX-License-Identifier: GPL-2.0\n+#\n+# Stress nftables ct timeout object destruction while new TCP flows keep\n+# attaching the object.\n+\n+net_netfilter_dir=$(dirname \"$(readlink -e \"${BASH_SOURCE[0]}\")\")\n+source \"$net_netfilter_dir/lib.sh\"\n+\n+checktool \"nft --version\" \"run test without nft tool\"\n+\n+read kernel_tainted < /proc/sys/kernel/tainted\n+\n+# Default to 80% of the global timeout but keep this stress test short.\n+TEST_RUNTIME=$((${kselftest_timeout:-30} * 8 / 10))\n+[[ $TEST_RUNTIME -gt 
20 ]] && TEST_RUNTIME=20\n+\n+PORT=12345\n+\n+cleanup()\n+{\n+\tcleanup_all_ns\n+}\n+\n+load_ruleset()\n+{\n+\tip netns exec \"$ns1\" nft -f - <<EOF\n+table ip ct_test {\n+\tct timeout tcptime {\n+\t\tprotocol tcp\n+\t\tpolicy = { established: 5s }\n+\t}\n+\n+\tchain output {\n+\t\ttype filter hook output priority filter; policy accept;\n+\t\tct state new ip daddr 10.0.1.2 tcp dport $PORT counter ct timeout set \"tcptime\"\n+\t}\n+}\n+EOF\n+}\n+\n+flush_table()\n+{\n+\tip netns exec \"$ns1\" nft flush table ip ct_test 2>/dev/null || true\n+\tip netns exec \"$ns1\" nft delete table ip ct_test 2>/dev/null || true\n+}\n+\n+rule_packets()\n+{\n+\tlocal packets\n+\n+\tpackets=$(ip netns exec \"$ns1\" nft list chain ip ct_test output 2>/dev/null |\n+\t\tsed -n 's/.*counter packets \\([0-9][0-9]*\\) bytes.*/\\1/p' |\n+\t\thead -n1)\n+\n+\tif [ -n \"$packets\" ]; then\n+\t\techo \"$packets\"\n+\telse\n+\t\techo 0\n+\tfi\n+}\n+\n+trap cleanup EXIT\n+\n+setup_ns ns1 ns2 || exit $ksft_skip\n+\n+if ! ip link add veth0 netns \"$ns1\" type veth peer name veth0 netns \"$ns2\" > /dev/null 2>&1; then\n+\techo \"SKIP: No virtual ethernet pair device support in kernel\"\n+\texit $ksft_skip\n+fi\n+\n+ip -net \"$ns1\" link set veth0 up\n+ip -net \"$ns2\" link set veth0 up\n+\n+ip -net \"$ns1\" addr add 10.0.1.1/24 dev veth0\n+ip -net \"$ns2\" addr add 10.0.1.2/24 dev veth0\n+\n+if ! load_ruleset; then\n+\techo \"SKIP: Could not load ct timeout ruleset\"\n+\texit $ksft_skip\n+fi\n+\n+ip netns exec \"$ns1\" bash -c '\n+\twhile :; do\n+\t\texec 3<>/dev/tcp/10.0.1.2/'\"$PORT\"' 2>/dev/null || true\n+\t\texec 3<&- 3>&-\n+\tdone\n+' > /dev/null 2>&1 &\n+traffic_pid=$!\n+\n+if ! busywait_for_counter \"$BUSYWAIT_TIMEOUT\" 1 rule_packets > /dev/null; then\n+\techo \"FAIL: Did not observe TCP traffic hitting ct timeout rule\"\n+\texit $ksft_fail\n+fi\n+\n+end_time=$((SECONDS + TEST_RUNTIME))\n+while [ \"$SECONDS\" -lt \"$end_time\" ]; do\n+\tflush_table\n+\n+\tif ! 
load_ruleset; then\n+\t\techo \"FAIL: Could not recreate ct timeout ruleset\"\n+\t\texit $ksft_fail\n+\tfi\n+done\n+\n+flush_table\n+\n+kill \"$traffic_pid\" 2>/dev/null\n+wait \"$traffic_pid\" 2>/dev/null\n+\n+if [[ $kernel_tainted -eq 0 && $(</proc/sys/kernel/tainted) -ne 0 ]]; then\n+\techo \"FAIL: Kernel is tainted\"\n+\texit $ksft_fail\n+fi\n+\n+exit $ksft_pass\n","prefixes":["1/1"]}
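Review bot: The background traffic loop in nft_ct_timeout_concurrency.sh is stopped only on the straight-line path near the end of the script. The `exit $ksft_fail` branches after busywait_for_counter and inside the flush/reload loop leave through the EXIT trap, and cleanup() calls only cleanup_all_ns, so on those paths the `ip netns exec "$ns1" bash -c 'while :; do ...'` child is never killed or waited for explicitly. Move the kill/wait of traffic_pid into cleanup(), guarded for the case where traffic_pid is still unset, so every exit path stops the generator before the namespaces are torn down. Separately, nothing in the script starts a listener on 10.0.1.2:$PORT in ns2, so the connection attempts have no peer to complete a handshake with, while the object under test only sets `policy = { established: 5s }`. If sending new connection attempts alone is what the test intends, say so in the header comment; otherwise start a listener in ns2.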