From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf 1/2] netfilter: ctnetlink: fix refcount leak on table dump
Date: Thu, 7 Aug 2025 13:29:51 +0200 [thread overview]
Message-ID: <aJSOLzS5WJU1U8ys@strlen.de> (raw)
In-Reply-To: <aJSGlBD36tgRNWpT@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Aug 01, 2025 at 05:25:08PM +0200, Florian Westphal wrote:
> > There is a reference count leak in ctnetlink_dump_table():
> > if (res < 0) {
> > nf_conntrack_get(&ct->ct_general); // HERE
> > cb->args[1] = (unsigned long)ct;
> > ...
> goto out;
>
> >
> > While its very unlikely, its possible that ct == last.
>
> out:
> ...
> if (last) {
> /* nf ct hash resize happened, now clear the leftover. */
> if ((struct nf_conn *)cb->args[1] == last) {
> cb->args[1] = 0;
> }
>
> nf_ct_put(last);
> }
>
> I think problem was introduced here:
>
> fefa92679dbe ("netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize")
I think you'r right, the 'clear the leftover' is only correct if
we hit cb->args[0] >= htable_size condition.
OTOH reverting it gives the problem that commit fixed.
So I think that this code is just way too complicated,
i have no idea why this ever used reference counts, they do not buy
anything but headaches.
> cookie is indeed safer approach.
>
> IIRC, the concern is that cookie could result in providing a bogus
> conntrack listing due to object recycling, which is more likely to
> happen with SLAB_TYPESAFE_BY_RCU.
Maybe, but even if this code would just store the address, the probability
of a recycle happening in such a way that a conntrack oject happens to be
stored, and then on next dump got re-added at exactly this slot is
almost 0.
And even if it would have been, the worst that can happen is that we
dump another entry a second time. /proc code uses to walk the entire
table from start, counting dumped-entries and I'm not aware of 'dup'
complaints.
> Then, it should be very unlikely that such recycling that leads to
> picking up from the wrong conntrack object because two conntrack
> objects in the same memory spot will have different id.
Yes, it considers the tuples for the hash too, so its exteremly
unlikely for a recycle to result in same u32 hash value.
next prev parent reply other threads:[~2025-08-07 11:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-01 15:25 [PATCH nf 0/2] netfilter: ctnetlink: fix memory leak in ctnetlink dump Florian Westphal
2025-08-01 15:25 ` [PATCH nf 1/2] netfilter: ctnetlink: fix refcount leak on table dump Florian Westphal
2025-08-07 10:57 ` Pablo Neira Ayuso
2025-08-07 11:29 ` Florian Westphal [this message]
2025-08-01 15:25 ` [PATCH nf 2/2] netfilter: ctnetlink: remove refcounting in expectation dumpers Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aJSOLzS5WJU1U8ys@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.