* [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
@ 2026-03-29 16:52 Qi Tang
From: Qi Tang @ 2026-03-29 16:52 UTC (permalink / raw)
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, netfilter-devel, coreteam, netdev, Qi Tang
ctnetlink_alloc_expect() allocates expectations from a non-zeroing
slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not
present in the netlink message, saved_addr and saved_proto are
never initialized. Stale data from a previous slab occupant can
then be dumped to userspace by ctnetlink_exp_dump_expect(), which
checks these fields to decide whether to emit CTA_EXPECT_NAT.
The safe sibling nf_ct_expect_init(), used by the packet path,
explicitly zeroes these fields.
Zero saved_addr and saved_proto in the else branch so that
expectations created without NAT metadata cannot leak kernel heap
contents to userspace.
Confirmed by priming the expect slab with NAT-bearing expectations,
freeing them, creating a new expectation without CTA_EXPECT_NAT,
and observing that the ctnetlink dump emits a spurious
CTA_EXPECT_NAT containing stale data from the prior allocation.
Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
---
net/netfilter/nf_conntrack_netlink.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c57c665363e0..c152079f5ac7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3593,6 +3593,10 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
exp, nf_ct_l3num(ct));
if (err < 0)
goto err_out;
+ } else {
+ memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
+ memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
+ exp->dir = 0;
}
return exp;
err_out:
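Review bot: the three fields cleared in the new `else` branch (`saved_addr`, `saved_proto`, `dir`) are only declared in struct nf_conntrack_expect when CONFIG_NF_NAT is enabled, so this hunk does not compile on configs without NAT; wrap the zeroing in `#if IS_ENABLED(CONFIG_NF_NAT)` / `#endif`. Separately, the commit message says only saved_addr and saved_proto are zeroed, while the hunk also clears `exp->dir = 0;`; the message should mention dir as well.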
--
2.43.0
* Re: [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
From: kernel test robot @ 2026-03-30 21:34 UTC (permalink / raw)
To: Qi Tang, Pablo Neira Ayuso, Florian Westphal
Cc: oe-kbuild-all, Phil Sutter, netfilter-devel, coreteam, netdev,
Qi Tang
Hi Qi,
kernel test robot noticed the following build errors:
[auto build test ERROR on netfilter-nf/main]
[also build test ERROR on linus/master nf-next/master horms-ipvs/master v7.0-rc6 next-20260327]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Qi-Tang/netfilter-ctnetlink-zero-expect-NAT-fields-when-CTA_EXPECT_NAT-absent/20260330-195347
base: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main
patch link: https://lore.kernel.org/r/20260329165217.241038-1-tpluszz77%40gmail.com
patch subject: [PATCH] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
config: sh-randconfig-001-20260331 (https://download.01.org/0day-ci/archive/20260331/202603310541.XVM8V7WG-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260331/202603310541.XVM8V7WG-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603310541.XVM8V7WG-lkp@intel.com/
All errors (new ones prefixed by >>):
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_alloc_expect':
>> net/netfilter/nf_conntrack_netlink.c:3592:28: error: 'struct nf_conntrack_expect' has no member named 'saved_addr'
3592 | memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
| ^~
net/netfilter/nf_conntrack_netlink.c:3592:55: error: 'struct nf_conntrack_expect' has no member named 'saved_addr'
3592 | memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
| ^~
>> net/netfilter/nf_conntrack_netlink.c:3593:28: error: 'struct nf_conntrack_expect' has no member named 'saved_proto'
3593 | memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
| ^~
net/netfilter/nf_conntrack_netlink.c:3593:56: error: 'struct nf_conntrack_expect' has no member named 'saved_proto'
3593 | memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
| ^~
>> net/netfilter/nf_conntrack_netlink.c:3594:20: error: 'struct nf_conntrack_expect' has no member named 'dir'
3594 | exp->dir = 0;
| ^~
vim +3592 net/netfilter/nf_conntrack_netlink.c
3528
3529 static struct nf_conntrack_expect *
3530 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3531 struct nf_conntrack_helper *helper,
3532 struct nf_conntrack_tuple *tuple,
3533 struct nf_conntrack_tuple *mask)
3534 {
3535 struct net *net = read_pnet(&ct->ct_net);
3536 struct nf_conntrack_expect *exp;
3537 struct nf_conn_help *help;
3538 u32 class = 0;
3539 int err;
3540
3541 help = nfct_help(ct);
3542 if (!help)
3543 return ERR_PTR(-EOPNOTSUPP);
3544
3545 if (cda[CTA_EXPECT_CLASS] && helper) {
3546 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3547 if (class > helper->expect_class_max)
3548 return ERR_PTR(-EINVAL);
3549 }
3550 exp = nf_ct_expect_alloc(ct);
3551 if (!exp)
3552 return ERR_PTR(-ENOMEM);
3553
3554 if (cda[CTA_EXPECT_FLAGS]) {
3555 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3556 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3557 } else {
3558 exp->flags = 0;
3559 }
3560 if (cda[CTA_EXPECT_FN]) {
3561 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3562 struct nf_ct_helper_expectfn *expfn;
3563
3564 expfn = nf_ct_helper_expectfn_find_by_name(name);
3565 if (expfn == NULL) {
3566 err = -EINVAL;
3567 goto err_out;
3568 }
3569 exp->expectfn = expfn->expectfn;
3570 } else
3571 exp->expectfn = NULL;
3572
3573 exp->class = class;
3574 exp->master = ct;
3575 write_pnet(&exp->net, net);
3576 #ifdef CONFIG_NF_CONNTRACK_ZONES
3577 exp->zone = ct->zone;
3578 #endif
3579 if (!helper)
3580 helper = rcu_dereference(help->helper);
3581 rcu_assign_pointer(exp->helper, helper);
3582 exp->tuple = *tuple;
3583 exp->mask.src.u3 = mask->src.u3;
3584 exp->mask.src.u.all = mask->src.u.all;
3585
3586 if (cda[CTA_EXPECT_NAT]) {
3587 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3588 exp, nf_ct_l3num(ct));
3589 if (err < 0)
3590 goto err_out;
3591 } else {
> 3592 memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
> 3593 memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
> 3594 exp->dir = 0;
3595 }
3596 return exp;
3597 err_out:
3598 nf_ct_expect_put(exp);
3599 return ERR_PTR(err);
3600 }
3601
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* [PATCH v2] netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
From: Qi Tang @ 2026-03-31 6:14 UTC (permalink / raw)
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, netfilter-devel, coreteam, netdev, kernel test robot,
Qi Tang
ctnetlink_alloc_expect() allocates expectations from a non-zeroing
slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not
present in the netlink message, saved_addr and saved_proto are
never initialized. Stale data from a previous slab occupant can
then be dumped to userspace by ctnetlink_exp_dump_expect(), which
checks these fields to decide whether to emit CTA_EXPECT_NAT.
The safe sibling nf_ct_expect_init(), used by the packet path,
explicitly zeroes these fields.
Zero saved_addr, saved_proto and dir in the else branch, guarded
by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when
NAT is enabled.
Confirmed by priming the expect slab with NAT-bearing expectations,
freeing them, creating a new expectation without CTA_EXPECT_NAT,
and observing that the ctnetlink dump emits a spurious
CTA_EXPECT_NAT containing stale data from the prior allocation.
Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603310541.XVM8V7WG-lkp@intel.com/
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
---
Changes in v2:
- Wrap zeroing in #if IS_ENABLED(CONFIG_NF_NAT) to fix build
when CONFIG_NF_NAT is disabled (kernel test robot)
Link: https://lore.kernel.org/all/20260329165217.241038-1-tpluszz77@gmail.com/
net/netfilter/nf_conntrack_netlink.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c57c665363e0..6d7eab7e8cf8 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3593,6 +3593,12 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
exp, nf_ct_l3num(ct));
if (err < 0)
goto err_out;
+#if IS_ENABLED(CONFIG_NF_NAT)
+ } else {
+ memset(&exp->saved_addr, 0, sizeof(exp->saved_addr));
+ memset(&exp->saved_proto, 0, sizeof(exp->saved_proto));
+ exp->dir = 0;
+#endif
}
return exp;
err_out:
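Review bot: putting `#if IS_ENABLED(CONFIG_NF_NAT)` before `} else {` and `#endif` before the closing `}` makes the brace pairing depend on the preprocessor: with NAT disabled the `else` line vanishes and the brace after `#endif` becomes the close of the `if (cda[CTA_EXPECT_NAT])` body. It compiles either way, but it reads more clearly and is friendlier to tooling if `} else {` and `}` stay unconditional and only the two memset() calls and `exp->dir = 0;` sit inside the `#if`/`#endif`. Since nf_ct_expect_alloc() hands out non-zeroed memory and nf_ct_expect_init() already clears these fields for the packet path, it is also worth stating in the commit message why zeroing is done here rather than once in nf_ct_expect_alloc() for every caller.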
--
2.43.0
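The leak sequence described in the v1 and v2 commit messages, modeled in user space as an added example (this is not kernel code and not part of the patches): a single reused slot stands in for the non-zeroing slab cache, and dump_emits_nat() mirrors the dump-side decision to emit CTA_EXPECT_NAT when the saved address or port is non-zero. All struct and function names, and the 0xc0 / 0x1f90 values, are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the NAT fields of struct nf_conntrack_expect. */
struct exp_nat {
	uint8_t  saved_addr[16];  /* union nf_inet_addr in the kernel */
	uint16_t saved_proto_all; /* saved_proto.all */
	int      dir;
};
struct expect { struct exp_nat nat; };

/* One reused slot models a non-zeroing slab cache: every "allocation" hands
 * back whatever the previous occupant left behind. */
static struct expect slot;
static struct expect *expect_alloc_nozero(void) { return &slot; }

/* Mirrors the dump-side gate: CTA_EXPECT_NAT is emitted when the saved
 * address or saved port is non-zero. */
static bool dump_emits_nat(const struct expect *exp)
{
	static const uint8_t any_addr[16];
	return memcmp(exp->nat.saved_addr, any_addr, sizeof(any_addr)) != 0 ||
	       exp->nat.saved_proto_all != 0;
}

/* has_nat models the presence of CTA_EXPECT_NAT in the request;
 * zero_if_absent models the patch's new else branch. */
static struct expect *alloc_expect(bool has_nat, bool zero_if_absent)
{
	struct expect *exp = expect_alloc_nozero();
	if (has_nat) {
		memset(exp->nat.saved_addr, 0xc0, sizeof(exp->nat.saved_addr)); /* constructed */
		exp->nat.saved_proto_all = 0x1f90;                               /* constructed */
		exp->nat.dir = 1;
	} else if (zero_if_absent) {
		memset(&exp->nat, 0, sizeof(exp->nat)); /* the fix */
	}
	return exp;
}

/* Priming sequence from the commit message: a NAT-bearing expectation takes
 * the slot and is freed, then a NAT-less one is created in its place.
 * Returns true when the dump would emit a spurious CTA_EXPECT_NAT. */
static bool spurious_nat_after_reuse(bool with_fix)
{
	alloc_expect(true, with_fix);
	return dump_emits_nat(alloc_expect(false, with_fix));
}
```

Without the fix the second allocation inherits the prior occupant's saved address and port and the dump reports NAT metadata that was never requested; with the fix the fields are cleared and no attribute is emitted.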