public inbox for netdev@vger.kernel.org
* [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
@ 2026-03-29 16:52 Qi Tang
  2026-03-30 21:34 ` kernel test robot
  2026-03-31  6:14 ` [PATCH v2] " Qi Tang
From: Qi Tang @ 2026-03-29 16:52 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Florian Westphal
  Cc: Phil Sutter, netfilter-devel, coreteam, netdev, Qi Tang

ctnetlink_alloc_expect() allocates expectations from a non-zeroing
slab cache via nf_ct_expect_alloc().  When CTA_EXPECT_NAT is not
present in the netlink message, saved_addr and saved_proto are
never initialized.  Stale data from a previous slab occupant can
then be dumped to userspace by ctnetlink_exp_dump_expect(), which
checks these fields to decide whether to emit CTA_EXPECT_NAT.

The safe sibling nf_ct_expect_init(), used by the packet path,
explicitly zeroes these fields.

Zero saved_addr and saved_proto in the else branch so that
expectations created without NAT metadata cannot leak kernel heap
contents to userspace.

Confirmed by priming the expect slab with NAT-bearing expectations,
freeing them, creating a new expectation without CTA_EXPECT_NAT,
and observing that the ctnetlink dump emits a spurious
CTA_EXPECT_NAT containing stale data from the prior allocation.

Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
---
 net/netfilter/nf_conntrack_netlink.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c57c665363e0..c152079f5ac7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3593,6 +3593,10 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
 						 exp, nf_ct_l3num(ct));
 		if (err < 0)
 			goto err_out;
+	} else {
+		memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
+		memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
+		exp->dir = 0;
 	}
 	return exp;
 err_out:
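Review bot: the new else branch touches exp->saved_addr, exp->saved_proto and exp->dir unconditionally, but the build report further down this thread shows that struct nf_conntrack_expect has none of these members in a configuration without NAT (the sh randconfig build fails on all three lines), so the zeroing needs to be compiled only when CONFIG_NF_NAT is enabled, for example inside an IS_ENABLED(CONFIG_NF_NAT) guard or via a small helper that has an empty stub for the non-NAT build. Two smaller points on the same hunk: the commit message says only saved_addr and saved_proto are zeroed while the hunk also clears exp->dir, so the message should list dir as well; and since the message notes that nf_ct_expect_init() already zeroes these fields for the packet path, it is worth considering doing the zeroing in nf_ct_expect_alloc() instead, so that every caller of the allocator is covered rather than only ctnetlink.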
-- 
2.43.0



* Re: [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
  2026-03-29 16:52 [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent Qi Tang
@ 2026-03-30 21:34 ` kernel test robot
  2026-03-31  6:14 ` [PATCH v2] " Qi Tang
From: kernel test robot @ 2026-03-30 21:34 UTC (permalink / raw)
  To: Qi Tang, Pablo Neira Ayuso, Florian Westphal
  Cc: oe-kbuild-all, Phil Sutter, netfilter-devel, coreteam, netdev,
	Qi Tang

Hi Qi,

kernel test robot noticed the following build errors:

[auto build test ERROR on netfilter-nf/main]
[also build test ERROR on linus/master nf-next/master horms-ipvs/master v7.0-rc6 next-20260327]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Qi-Tang/netfilter-ctnetlink-zero-expect-NAT-fields-when-CTA_EXPECT_NAT-absent/20260330-195347
base:   https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main
patch link:    https://lore.kernel.org/r/20260329165217.241038-1-tpluszz77%40gmail.com
patch subject: [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
config: sh-randconfig-001-20260331 (https://download.01.org/0day-ci/archive/20260331/202603310541.XVM8V7WG-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260331/202603310541.XVM8V7WG-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603310541.XVM8V7WG-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_alloc_expect':
>> net/netfilter/nf_conntrack_netlink.c:3592:28: error: 'struct nf_conntrack_expect' has no member named 'saved_addr'
    3592 |                 memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
         |                            ^~
   net/netfilter/nf_conntrack_netlink.c:3592:55: error: 'struct nf_conntrack_expect' has no member named 'saved_addr'
    3592 |                 memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
         |                                                       ^~
>> net/netfilter/nf_conntrack_netlink.c:3593:28: error: 'struct nf_conntrack_expect' has no member named 'saved_proto'
    3593 |                 memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
         |                            ^~
   net/netfilter/nf_conntrack_netlink.c:3593:56: error: 'struct nf_conntrack_expect' has no member named 'saved_proto'
    3593 |                 memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
         |                                                        ^~
>> net/netfilter/nf_conntrack_netlink.c:3594:20: error: 'struct nf_conntrack_expect' has no member named 'dir'
    3594 |                 exp->dir = 0;
         |                    ^~


vim +3592 net/netfilter/nf_conntrack_netlink.c

  3528	
  3529	static struct nf_conntrack_expect *
  3530	ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
  3531			       struct nf_conntrack_helper *helper,
  3532			       struct nf_conntrack_tuple *tuple,
  3533			       struct nf_conntrack_tuple *mask)
  3534	{
  3535		struct net *net = read_pnet(&ct->ct_net);
  3536		struct nf_conntrack_expect *exp;
  3537		struct nf_conn_help *help;
  3538		u32 class = 0;
  3539		int err;
  3540	
  3541		help = nfct_help(ct);
  3542		if (!help)
  3543			return ERR_PTR(-EOPNOTSUPP);
  3544	
  3545		if (cda[CTA_EXPECT_CLASS] && helper) {
  3546			class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
  3547			if (class > helper->expect_class_max)
  3548				return ERR_PTR(-EINVAL);
  3549		}
  3550		exp = nf_ct_expect_alloc(ct);
  3551		if (!exp)
  3552			return ERR_PTR(-ENOMEM);
  3553	
  3554		if (cda[CTA_EXPECT_FLAGS]) {
  3555			exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
  3556			exp->flags &= ~NF_CT_EXPECT_USERSPACE;
  3557		} else {
  3558			exp->flags = 0;
  3559		}
  3560		if (cda[CTA_EXPECT_FN]) {
  3561			const char *name = nla_data(cda[CTA_EXPECT_FN]);
  3562			struct nf_ct_helper_expectfn *expfn;
  3563	
  3564			expfn = nf_ct_helper_expectfn_find_by_name(name);
  3565			if (expfn == NULL) {
  3566				err = -EINVAL;
  3567				goto err_out;
  3568			}
  3569			exp->expectfn = expfn->expectfn;
  3570		} else
  3571			exp->expectfn = NULL;
  3572	
  3573		exp->class = class;
  3574		exp->master = ct;
  3575		write_pnet(&exp->net, net);
  3576	#ifdef CONFIG_NF_CONNTRACK_ZONES
  3577		exp->zone = ct->zone;
  3578	#endif
  3579		if (!helper)
  3580			helper = rcu_dereference(help->helper);
  3581		rcu_assign_pointer(exp->helper, helper);
  3582		exp->tuple = *tuple;
  3583		exp->mask.src.u3 = mask->src.u3;
  3584		exp->mask.src.u.all = mask->src.u.all;
  3585	
  3586		if (cda[CTA_EXPECT_NAT]) {
  3587			err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
  3588							 exp, nf_ct_l3num(ct));
  3589			if (err < 0)
  3590				goto err_out;
  3591		} else {
> 3592			memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
> 3593			memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
> 3594			exp->dir = 0;
  3595		}
  3596		return exp;
  3597	err_out:
  3598		nf_ct_expect_put(exp);
  3599		return ERR_PTR(err);
  3600	}
  3601	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


* [PATCH v2] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
  2026-03-29 16:52 [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent Qi Tang
  2026-03-30 21:34 ` kernel test robot
@ 2026-03-31  6:14 ` Qi Tang
  2026-03-31  6:21   ` Qi Tang
From: Qi Tang @ 2026-03-31  6:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Florian Westphal
  Cc: Phil Sutter, netfilter-devel, coreteam, netdev, kernel test robot,
	Qi Tang

ctnetlink_alloc_expect() allocates expectations from a non-zeroing
slab cache via nf_ct_expect_alloc().  When CTA_EXPECT_NAT is not
present in the netlink message, saved_addr and saved_proto are
never initialized.  Stale data from a previous slab occupant can
then be dumped to userspace by ctnetlink_exp_dump_expect(), which
checks these fields to decide whether to emit CTA_EXPECT_NAT.

The safe sibling nf_ct_expect_init(), used by the packet path,
explicitly zeroes these fields.

Zero saved_addr, saved_proto and dir in the else branch, guarded
by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when
NAT is enabled.

Confirmed by priming the expect slab with NAT-bearing expectations,
freeing them, creating a new expectation without CTA_EXPECT_NAT,
and observing that the ctnetlink dump emits a spurious
CTA_EXPECT_NAT containing stale data from the prior allocation.

Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603310541.XVM8V7WG-lkp@intel.com/
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
---

Changes in v2:
  - Wrap zeroing in #if IS_ENABLED(CONFIG_NF_NAT) to fix build
    when CONFIG_NF_NAT is disabled (kernel test robot)

Link: https://lore.kernel.org/all/20260329165217.241038-1-tpluszz77@gmail.com/
 net/netfilter/nf_conntrack_netlink.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c57c665363e0..6d7eab7e8cf8 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3593,6 +3593,12 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
 						 exp, nf_ct_l3num(ct));
 		if (err < 0)
 			goto err_out;
+#if IS_ENABLED(CONFIG_NF_NAT)
+	} else {
+		memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
+		memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
+		exp->dir = 0;
+#endif
 	}
 	return exp;
 err_out:
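Review bot: the #if IS_ENABLED(CONFIG_NF_NAT) / #endif pair straddles the "} else {" line, so the brace structure of the if/else statement changes with the configuration. It is correct in both cases (with NAT disabled the preprocessed text reduces to the original if block), but it is hard to read and easy to break on a later edit of either branch. Prefer a small static helper, say ctnetlink_expect_clear_nat(exp) (name is a suggestion), defined once under #if IS_ENABLED(CONFIG_NF_NAT) with an empty inline stub in the #else branch, and call it from a plain "} else {" here so the control flow in ctnetlink_alloc_expect() stays free of preprocessor conditionals.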
-- 
2.43.0
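
The reproduction described in the v1 and v2 commit messages above (prime the slab with a NAT-bearing expectation, free it, allocate one without CTA_EXPECT_NAT, dump it), as an added userspace model that is not part of the patch or of the kernel. A non-zeroing pool hands a freed object back, the allocation path leaves saved_addr/saved_proto untouched when no NAT metadata is supplied, and a dump routine that keys on those fields emits a spurious attribute; the same path with the patch's zeroing does not. The struct layouts, the toy slab, the sample address 192.168.0.1 and the helper names alloc_expect, dump_emits_nat and reproduce are constructed stand-ins, not the kernel's types or functions.

```c
/* Constructed userspace model of the uninitialised-field leak fixed by the
 * patch above.  Names mirror the kernel ones for readability, but nothing
 * here is kernel code. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the saved NAT address and protocol fields. */
struct saved_addr { uint32_t ip6[4]; };
struct saved_proto { uint16_t all; };

struct expect {
	uint32_t flags;
	struct saved_addr saved_addr;   /* only meaningful when NAT metadata was supplied */
	struct saved_proto saved_proto;
	int dir;
};

/* Toy slab: a fixed pool plus a LIFO free list.  Like a kmem_cache used
 * without __GFP_ZERO it never clears memory on alloc or free, so a freed
 * object comes back with its old contents intact. */
#define POOL_SIZE 4
static struct expect pool[POOL_SIZE];
static struct expect *freelist[POOL_SIZE];
static int nfree;

static void slab_init(void)
{
	nfree = 0;
	for (int i = 0; i < POOL_SIZE; i++)
		freelist[nfree++] = &pool[i];
	memset(pool, 0, sizeof(pool)); /* fresh memory starts zeroed; reuse does not */
}

static struct expect *slab_alloc(void)
{
	return nfree ? freelist[--nfree] : NULL;
}

static void slab_free(struct expect *e)
{
	freelist[nfree++] = e;
}

/* Model of ctnetlink_alloc_expect(): has_nat plays the role of
 * cda[CTA_EXPECT_NAT]; zero_on_absent is the behaviour the patch adds. */
static struct expect *alloc_expect(bool has_nat, const struct saved_addr *addr,
				   uint16_t proto, bool zero_on_absent)
{
	struct expect *exp = slab_alloc();

	if (!exp)
		return NULL;
	exp->flags = 0;
	if (has_nat) {
		exp->saved_addr = *addr;
		exp->saved_proto.all = proto;
		exp->dir = 1;
	} else if (zero_on_absent) {
		memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
		memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
		exp->dir = 0;
	}
	/* Without the fix the else branch is empty: stale bytes survive. */
	return exp;
}

/* Model of ctnetlink_exp_dump_expect(): emit CTA_EXPECT_NAT only when the
 * saved fields are non-zero.  Returns true if the attribute would be sent. */
static bool dump_emits_nat(const struct expect *exp)
{
	static const struct saved_addr zero_addr;

	return memcmp(&exp->saved_addr, &zero_addr, sizeof(zero_addr)) != 0 ||
	       exp->saved_proto.all != 0;
}

/* The commit message's reproduction: prime, free, reallocate without NAT,
 * dump.  Returns true when a spurious CTA_EXPECT_NAT would be emitted. */
static bool reproduce(bool with_fix)
{
	struct saved_addr addr = { { 0xc0a80001u, 0, 0, 0 } }; /* constructed 192.168.0.1 */
	struct expect *primed, *victim;

	slab_init();
	primed = alloc_expect(true, &addr, 0x1234, with_fix);
	slab_free(primed);
	victim = alloc_expect(false, NULL, 0, with_fix);
	return dump_emits_nat(victim);
}

int main(void)
{
	printf("unfixed: spurious CTA_EXPECT_NAT emitted = %d\n", reproduce(false));
	printf("fixed:   spurious CTA_EXPECT_NAT emitted = %d\n", reproduce(true));
	return 0;
}
```

Build with any C11 compiler (cc -std=c11 -Wall). reproduce(false) returns true because the reallocated object still carries the primed address and port, and reproduce(true) returns false once the else branch zeroes the fields; the LIFO free list is what makes the reuse deterministic here, whereas in the kernel the commit message's priming step serves the same purpose.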



* Re: [PATCH v2] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
  2026-03-31  6:14 ` [PATCH v2] " Qi Tang
@ 2026-03-31  6:21   ` Qi Tang
From: Qi Tang @ 2026-03-31  6:21 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Florian Westphal; +Cc: netfilter-devel, netdev, Qi Tang

Please ignore this mis-threaded v2. The correct standalone v2 has
been sent separately.

Qi Tang

