[PATCH 0/1] selftests: netfilter: add regression test for nft_ct timeout UAF

[PATCH 0/1] selftests: netfilter: add regression test for nft_ct timeout UAF

[Vastargazing]

From: Vastargazing <vebohr@email.com>

Commit f8dca15a1b19 ("netfilter: nft_ct: fix use-after-free in timeout
object destroy") fixed a slab-use-after-free but no regression test was
added. This patch adds one to tools/testing/selftests/net/netfilter/.

Vastargazing (1):
  selftests: netfilter: add nft_ct timeout destroy race test

 .../testing/selftests/net/netfilter/Makefile  |   1 +
 .../netfilter/nft_ct_timeout_concurrency.sh   | 116 ++++++++++++++++++
 2 files changed, 117 insertions(+)
 create mode 100644 tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh

-- 
2.51.0

[PATCH 1/1] selftests: netfilter: add nft_ct timeout destroy race test

[Vastargazing]

Add a netfilter kselftest for the nft_ct timeout object destroy race
fixed by commit f8dca15a1b19 ("netfilter: nft_ct: fix use-after-free in
timeout object destroy").

Keep creating new TCP connections from one namespace while repeatedly
flushing and recreating the table that owns a ct timeout object. This
exercises concurrent packet processing against the timeout object
teardown path without requiring external traffic tools beyond bash,
nft and ip.

On a KASAN kernel, a regression in the RCU lifetime handling should
show up as a slab-use-after-free report in nf_conntrack_tcp_packet().

Assisted-by: GitHub Copilot:claude-sonnet-4-6
Signed-off-by: Vastargazing <vebohr@gmail.com>
---
 .../testing/selftests/net/netfilter/Makefile  |   1 +
 .../netfilter/nft_ct_timeout_concurrency.sh   | 116 ++++++++++++++++++
 2 files changed, 117 insertions(+)
 create mode 100644 tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh

diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile
index ee2d1a5254f8..bcf53a1ef7ec 100644
--- a/tools/testing/selftests/net/netfilter/Makefile
+++ b/tools/testing/selftests/net/netfilter/Makefile
@@ -25,6 +25,7 @@ TEST_PROGS := \
 	nft_audit.sh \
 	nft_concat_range.sh \
 	nft_conntrack_helper.sh \
+	nft_ct_timeout_concurrency.sh \
 	nft_fib.sh \
 	nft_flowtable.sh \
 	nft_interface_stress.sh \
diff --git a/tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh b/tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh
new file mode 100644
index 000000000000..79876cdfb2df
--- /dev/null
+++ b/tools/testing/selftests/net/netfilter/nft_ct_timeout_concurrency.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Stress nftables ct timeout object destruction while new TCP flows keep
+# attaching the object.
+
+net_netfilter_dir=$(dirname "$(readlink -e "${BASH_SOURCE[0]}")")
+source "$net_netfilter_dir/lib.sh"
+
+checktool "nft --version" "run test without nft tool"
+
+read kernel_tainted < /proc/sys/kernel/tainted
+
+# Default to 80% of the global timeout but keep this stress test short.
+TEST_RUNTIME=$((${kselftest_timeout:-30} * 8 / 10))
+[[ $TEST_RUNTIME -gt 20 ]] && TEST_RUNTIME=20
+
+PORT=12345
+
+cleanup()
+{
+	cleanup_all_ns
+}
+
+load_ruleset()
+{
+	ip netns exec "$ns1" nft -f - <<EOF
+table ip ct_test {
+	ct timeout tcptime {
+		protocol tcp
+		policy = { established: 5s }
+	}
+
+	chain output {
+		type filter hook output priority filter; policy accept;
+		ct state new ip daddr 10.0.1.2 tcp dport $PORT counter ct timeout set "tcptime"
+	}
+}
+EOF
+}
+
+flush_table()
+{
+	ip netns exec "$ns1" nft flush table ip ct_test 2>/dev/null || true
+	ip netns exec "$ns1" nft delete table ip ct_test 2>/dev/null || true
+}
+
+rule_packets()
+{
+	local packets
+
+	packets=$(ip netns exec "$ns1" nft list chain ip ct_test output 2>/dev/null |
+		sed -n 's/.*counter packets \([0-9][0-9]*\) bytes.*/\1/p' |
+		head -n1)
+
+	if [ -n "$packets" ]; then
+		echo "$packets"
+	else
+		echo 0
+	fi
+}
+
+trap cleanup EXIT
+
+setup_ns ns1 ns2 || exit $ksft_skip
+
+if ! ip link add veth0 netns "$ns1" type veth peer name veth0 netns "$ns2" > /dev/null 2>&1; then
+	echo "SKIP: No virtual ethernet pair device support in kernel"
+	exit $ksft_skip
+fi
+
+ip -net "$ns1" link set veth0 up
+ip -net "$ns2" link set veth0 up
+
+ip -net "$ns1" addr add 10.0.1.1/24 dev veth0
+ip -net "$ns2" addr add 10.0.1.2/24 dev veth0
+
+if ! load_ruleset; then
+	echo "SKIP: Could not load ct timeout ruleset"
+	exit $ksft_skip
+fi
+
+ip netns exec "$ns1" bash -c '
+	while :; do
+		exec 3<>/dev/tcp/10.0.1.2/'"$PORT"' 2>/dev/null || true
+		exec 3<&- 3>&-
+	done
+' > /dev/null 2>&1 &
+traffic_pid=$!
+
+if ! busywait_for_counter "$BUSYWAIT_TIMEOUT" 1 rule_packets > /dev/null; then
+	echo "FAIL: Did not observe TCP traffic hitting ct timeout rule"
+	exit $ksft_fail
+fi
+
+end_time=$((SECONDS + TEST_RUNTIME))
+while [ "$SECONDS" -lt "$end_time" ]; do
+	flush_table
+
+	if ! load_ruleset; then
+		echo "FAIL: Could not recreate ct timeout ruleset"
+		exit $ksft_fail
+	fi
+done
+
+flush_table
+
+kill "$traffic_pid" 2>/dev/null
+wait "$traffic_pid" 2>/dev/null
+
+if [[ $kernel_tainted -eq 0 && $(</proc/sys/kernel/tainted) -ne 0 ]]; then
+	echo "FAIL: Kernel is tainted"
+	exit $ksft_fail
+fi
+
+exit $ksft_pass
-- 
2.51.0

Re: [PATCH 1/1] selftests: netfilter: add nft_ct timeout destroy race test

[Florian Westphal]

Vastargazing <vebohr@gmail.com> wrote:
> new file mode 100644

This should say '755', else you get

# Warning: file nft_ct_timeout_concurrency.sh is not executable

I'm not sure we should add regression tests for regression tests sake.
Else we'll quickly accumulate thousands of such scripts and test
run time will explode.

A functional test for timeout policies would be much more useful.
We have a few of those in nftables.git but they ony check that
userspace and kernel parsing sides work.