From 57f74f6573763060d214a08c4436536c47888d15 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Thu, 22 Aug 2019 19:47:16 +0100
Subject: [PATCH] netfilter: conntrack: Use consistent ct id hash calculation

This fixes a regression in 4.19.44.
---
 debian/changelog | 2 +
 ...ack-use-consistent-ct-id-hash-calcul.patch | 61 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 64 insertions(+)
 create mode 100644 debian/patches/bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch

diff --git a/debian/changelog b/debian/changelog
index 3d98140bc..5bd0db110 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ linux (4.19.67-2) UNRELEASED; urgency=medium
 * KVM: Ignore ABI changes
 * [ppc64el] Disable PPC_TRANSACTIONAL_MEM (Closes: #866122)
 * [ppc64el] Avoid ABI change for disabling TM
+ * netfilter: conntrack: Use consistent ct id hash calculation
+ (fixes regression in 4.19.44)
 
 -- Ben Hutchings Wed, 21 Aug 2019 23:37:56 +0100
 
diff --git a/debian/patches/bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch b/debian/patches/bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
new file mode 100644
index 000000000..1bce9264e
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
@@ -0,0 +1,61 @@
+From: Dirk Morris
+Date: Thu, 8 Aug 2019 13:57:51 -0700
+Subject: netfilter: conntrack: Use consistent ct id hash calculation
+Origin: https://git.kernel.org/linus/656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a
+
+Change ct id hash calculation to only use invariants.
+
+Currently the ct id hash calculation is based on some fields that can
+change in the lifetime on a conntrack entry in some corner cases. The
+current hash uses the whole tuple which contains an hlist pointer which
+will change when the conntrack is placed on the dying list resulting in
+a ct id change.
+
+This patch also removes the reply-side tuple and extension pointer from
+the hash calculation so that the ct id will will not change from
+initialization until confirmation.
+
+Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
+Signed-off-by: Dirk Morris
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+---
+ net/netfilter/nf_conntrack_core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index a542761e90d1..81a8ef42b88d 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -453,13 +453,12 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
+ * table location, we assume id gets exposed to userspace.
+ *
+ * Following nf_conn items do not change throughout lifetime
+- * of the nf_conn after it has been committed to main hash table:
++ * of the nf_conn:
+ *
+ * 1. nf_conn address
+- * 2. nf_conn->ext address
+- * 3. nf_conn->master address (normally NULL)
+- * 4. tuple
+- * 5. the associated net namespace
++ * 2. nf_conn->master address (normally NULL)
++ * 3. the associated net namespace
++ * 4. the original direction tuple
+ */
+ u32 nf_ct_get_id(const struct nf_conn *ct)
+ {
+@@ -469,9 +468,10 @@ u32 nf_ct_get_id(const struct nf_conn *ct)
+ net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
+
+ a = (unsigned long)ct;
+- b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
+- c = (unsigned long)ct->ext;
+- d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
++ b = (unsigned long)ct->master;
++ c = (unsigned long)nf_ct_net(ct);
++ d = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
++ sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
+ &ct_id_seed);
+ #ifdef CONFIG_64BIT
+ return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
diff --git a/debian/patches/series b/debian/patches/series
index 4cdbc4622..26ce098f7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -160,6 +160,7 @@ features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
+bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
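Review bot: The rewritten header comment in the first hunk of the backported patch now promises the listed items are stable `throughout lifetime of the nf_conn`, while the patch description only claims the id `will not change from initialization until confirmation`; the comment should state which guarantee actually holds, because the context line right above it says the id gets exposed to userspace (and the Fixes: tag points at ctnetlink, so userspace presumably hands these ids back to the kernel). The stability of item 4 rests on the original-direction tuple never being rewritten after allocation — as far as I can tell NAT only rewrites the reply-direction tuple, but that assumption is stated nowhere in the hunk, so I would record it inline: ` * 4. the original direction tuple (assumed never rewritten after init; NAT touches only the reply tuple)`. The 32-bit `#else` arm of nf_ct_get_id that consumes a/b/c/d, and the function's closing lines, lie outside the hunk, so I could not confirm from here that they need no matching change.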