* [PATCH net 0/2] Netfilter fixes for net
@ 2025-01-09 12:35 Pablo Neira Ayuso
2025-01-09 12:35 ` [PATCH nf] netfilter: conntrack: clamp maximum hashtable size to INT_MAX Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2025-01-09 12:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix imbalance between flowtable BIND and UNBIND calls to configure
hardware offload, this fixes a possible kmemleak.
2) Clamp maximum conntrack hashtable size to INT_MAX to fix a possible
WARN_ON_ONCE splat coming from kvmalloc_array(), only possible from
init_netns.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-01-09
Thanks.
----------------------------------------------------------------
The following changes since commit 4f619d518db9cd1a933c3a095a5f95d0c1584ae8:
net: wwan: t7xx: Fix FSM command timeout issue (2024-12-30 18:00:32 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-01-09
for you to fetch changes up to b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13:
netfilter: conntrack: clamp maximum hashtable size to INT_MAX (2025-01-09 13:29:45 +0100)
----------------------------------------------------------------
netfilter pull request 25-01-09
----------------------------------------------------------------
Pablo Neira Ayuso (2):
netfilter: nf_tables: imbalance in flowtable binding
netfilter: conntrack: clamp maximum hashtable size to INT_MAX
net/netfilter/nf_conntrack_core.c | 5 ++++-
net/netfilter/nf_tables_api.c | 15 +++++++++++----
2 files changed, 15 insertions(+), 5 deletions(-)
* [PATCH nf] netfilter: conntrack: clamp maximum hashtable size to INT_MAX
2025-01-09 12:35 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2025-01-09 12:35 ` Pablo Neira Ayuso
2025-01-09 12:40 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2025-01-09 12:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
According to 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized
kvmalloc() calls"), use INT_MAX as maximum size for the conntrack
hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in
__kvmalloc_node_noprof() when __GFP_NOWARN flag is unset when resizing.
Note: hashtable resize is only possible from init_netns.
Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 8666d733b984..7f8b245e287a 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2510,12 +2510,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
struct hlist_nulls_head *hash;
unsigned int nr_slots, i;
- if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head)))
+ if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head)))
return NULL;
BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));
+ if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head)))
+ return NULL;
+
hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL);
if (hash && nulls)
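Review bot: on the new failure path after roundup(), *sizep has already been overwritten with the rounded value by `nr_slots = *sizep = roundup(...)` before the added `return NULL`, so a caller gets back a modified size for a request that was rejected. Consider rounding into nr_slots first, running the INT_MAX check, and only then storing the result to *sizep. The second check is needed because INT_MAX / sizeof(struct hlist_nulls_head) need not be a multiple of the rounding granule, so a value that passes the first test can still be rounded past the limit. A short comment saying so, and naming the kvmalloc INT_MAX limit from the commit message as the reason for the bound, would keep the pair from looking redundant. The bound expression is also written out twice and could live in one local constant.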
--
2.30.2
* Re: [PATCH nf] netfilter: conntrack: clamp maximum hashtable size to INT_MAX
2025-01-09 12:35 ` [PATCH nf] netfilter: conntrack: clamp maximum hashtable size to INT_MAX Pablo Neira Ayuso
@ 2025-01-09 12:40 ` Pablo Neira Ayuso
0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2025-01-09 12:40 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
On Thu, Jan 09, 2025 at 01:35:30PM +0100, Pablo Neira Ayuso wrote:
> According to 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized
> kvmalloc() calls"), use INT_MAX as maximum size for the conntrack
> hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in
> __kvmalloc_node_noprof() when __GFP_NOWARN flag is unset when resizing.
>
> Note: hashtable resize is only possible from init_netns.
Please, ignore this duplicated patch with incorrect [nf] tag that
slipped through this submission. Sorry for the inconvenience.
Thanks.