From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net 11/14] netfilter: nf_conntrack_expect: store netns and zone in expectation
Date: Wed, 25 Mar 2026 14:11:05 +0100
Message-ID: <20260325131108.23045-12-fw@strlen.de>
In-Reply-To: <20260325131108.23045-1-fw@strlen.de>
From: Pablo Neira Ayuso <pablo@netfilter.org>
__nf_ct_expect_find() and nf_ct_expect_find_get() are called under
rcu_read_lock() but they dereference the master conntrack via
exp->master.
Since the expectation does not hold a reference on the master conntrack,
this could be a dying conntrack or a different, recycled conntrack than the
real master due to SLAB_TYPESAFE_RCU.
Store the netns, the master_tuple and the zone in struct
nf_conntrack_expect as a safety measure.
This patch is required by the follow-up fix not to dump expectations
that do not belong to this netns.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/net/netfilter/nf_conntrack_expect.h | 18 +++++++++++++++++-
net/netfilter/nf_conntrack_expect.c | 8 ++++++--
net/netfilter/nf_conntrack_netlink.c | 3 +++
3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 1b01400b10bd..e9a8350e7ccf 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -22,10 +22,16 @@ struct nf_conntrack_expect {
/* Hash member */
struct hlist_node hnode;
+ /* Network namespace */
+ possible_net_t net;
+
/* We expect this tuple, with the following mask */
struct nf_conntrack_tuple tuple;
struct nf_conntrack_tuple_mask mask;
+#ifdef CONFIG_NF_CONNTRACK_ZONES
+ struct nf_conntrack_zone zone;
+#endif
/* Usage count. */
refcount_t use;
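Review bot: the comment on the new `net` member should say why the copy exists: it is the master's netns captured at init time so that lookups running under rcu_read_lock() no longer have to dereference exp->master, and the `zone` member below it is a copy for the same reason. `/* Network namespace */` alone reads as if it were an independent field; something like `/* netns and zone copied from the master so readers need not touch exp->master */` would document the invariant the rest of the patch relies on.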
@@ -62,7 +68,17 @@ struct nf_conntrack_expect {
static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp)
{
- return nf_ct_net(exp->master);
+ return read_pnet(&exp->net);
+}
+
+static inline bool nf_ct_exp_zone_equal_any(const struct nf_conntrack_expect *a,
+ const struct nf_conntrack_zone *b)
+{
+#ifdef CONFIG_NF_CONNTRACK_ZONES
+ return a->zone.id == b->id;
+#else
+ return true;
+#endif
}
#define NF_CT_EXP_POLICY_NAME_LEN 16
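Review bot: nf_ct_exp_net() now only reads exp->net, so its parameter can become `const struct nf_conntrack_expect *exp`, matching the signature of the new nf_ct_exp_zone_equal_any(). That would also let callers holding a const expectation (nf_ct_exp_equal() later in this patch) use the helper instead of open-coding read_pnet(&i->net).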
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 2505d1f4b68c..8896fb20b58e 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -113,8 +113,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple,
const struct net *net)
{
return nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
- net_eq(net, nf_ct_net(i->master)) &&
- nf_ct_zone_equal_any(i->master, zone);
+ net_eq(net, read_pnet(&i->net)) &&
+ nf_ct_exp_zone_equal_any(i, zone);
}
bool nf_ct_remove_expect(struct nf_conntrack_expect *exp)
@@ -324,6 +324,8 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
const union nf_inet_addr *daddr,
u_int8_t proto, const __be16 *src, const __be16 *dst)
{
+ struct net *net = read_pnet(&exp->master->ct_net);
+
int len;
if (family == AF_INET)
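Review bot: the blank line between `struct net *net = read_pnet(&exp->master->ct_net);` and `int len;` splits the declaration block; keep the two declarations together, with the blank line after `int len;`. The existing accessor nf_ct_net(exp->master) expresses the same thing as the open-coded read_pnet() and is what the rest of conntrack uses.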
@@ -335,6 +337,8 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
exp->class = class;
exp->expectfn = NULL;
rcu_assign_pointer(exp->helper, nfct_help(exp->master)->helper);
+ write_pnet(&exp->net, net);
+ exp->zone = exp->master->zone;
exp->tuple.src.l3num = family;
exp->tuple.dst.protonum = proto;
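Review bot: `exp->zone = exp->master->zone;` is unconditional, but the header hunk only declares `zone` in struct nf_conntrack_expect under `#ifdef CONFIG_NF_CONNTRACK_ZONES`, and the `zone` member of struct nf_conn is guarded the same way, so this will not build with zones disabled. Wrap the assignment in the matching #ifdef, or add a small inline setter next to nf_ct_exp_zone_equal_any() that compiles to nothing when CONFIG_NF_CONNTRACK_ZONES is off.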
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 89540112d165..2ec33c0518e9 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3538,6 +3538,7 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
struct nf_conntrack_tuple *tuple,
struct nf_conntrack_tuple *mask)
{
+ struct net *net = read_pnet(&ct->ct_net);
struct nf_conntrack_expect *exp;
struct nf_conn_help *help;
u32 class = 0;
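Review bot: as in nf_ct_expect_init(), `read_pnet(&ct->ct_net)` can be written as nf_ct_net(ct); using the established accessor keeps the netlink allocation path consistent with the rest of the conntrack code.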
@@ -3577,6 +3578,8 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
exp->class = class;
exp->master = ct;
+ write_pnet(&exp->net, net);
+ exp->zone = ct->zone;
if (!helper)
helper = rcu_dereference(help->helper);
rcu_assign_pointer(exp->helper, helper);
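Review bot: `exp->zone = ct->zone;` has the same build dependency as the assignment in nf_ct_expect_init(): the `zone` member only exists when CONFIG_NF_CONNTRACK_ZONES is set, so this line needs the matching guard. Since this is the second copy of the same two-line sequence (write_pnet() of the netns plus the zone copy), a single helper, e.g. nf_ct_exp_set_net_zone(exp, ct) (name hypothetical), would hide the #ifdef in one place and keep the two initialisation paths from drifting apart.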
--
2.52.0