From: Greg Kroah-Hartman Date: Tue, 20 Aug 2019 16:31:21 +0000 (-0700) Subject: 5.2-stable patches X-Git-Tag: v4.19.68~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95a0538f001fc73a6f50f54d9c3e77e06ce9dfdf;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch
---
diff --git a/queue-5.2/netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch b/queue-5.2/netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch
new file mode 100644
index 00000000000..6da4878382d
--- /dev/null
+++ b/queue-5.2/netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch
@@ -0,0 +1,65 @@
+From 656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a Mon Sep 17 00:00:00 2001
+From: Dirk Morris
+Date: Thu, 8 Aug 2019 13:57:51 -0700
+Subject: netfilter: conntrack: Use consistent ct id hash calculation
+
+From: Dirk Morris
+
+commit 656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a upstream.
+
+Change ct id hash calculation to only use invariants.
+
+Currently the ct id hash calculation is based on some fields that can
+change in the lifetime on a conntrack entry in some corner cases. The
+current hash uses the whole tuple which contains an hlist pointer which
+will change when the conntrack is placed on the dying list resulting in
+a ct id change.
+
+This patch also removes the reply-side tuple and extension pointer from
+the hash calculation so that the ct id will will not change from
+initialization until confirmation.
+
+Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
+Signed-off-by: Dirk Morris
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -453,13 +453,12 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
+ * table location, we assume id gets exposed to userspace.
+ *
+ * Following nf_conn items do not change throughout lifetime
+- * of the nf_conn after it has been committed to main hash table:
++ * of the nf_conn:
+ *
+ * 1. nf_conn address
+- * 2. nf_conn->ext address
+- * 3. nf_conn->master address (normally NULL)
+- * 4. tuple
+- * 5. the associated net namespace
++ * 2. nf_conn->master address (normally NULL)
++ * 3. the associated net namespace
++ * 4. the original direction tuple
+ */
+ u32 nf_ct_get_id(const struct nf_conn *ct)
+ {
+@@ -469,9 +468,10 @@ u32 nf_ct_get_id(const struct nf_conn *c
+ net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
+
+ a = (unsigned long)ct;
+- b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
+- c = (unsigned long)ct->ext;
+- d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
++ b = (unsigned long)ct->master;
++ c = (unsigned long)nf_ct_net(ct);
++ d = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
++ sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
+ &ct_id_seed);
+ #ifdef CONFIG_64BIT
+ return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
diff --git a/queue-5.2/series b/queue-5.2/series
index ed09f67c7da..88d084f85a0 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -102,3 +102,4 @@ usb-serial-option-add-support-for-zte-mf871a.patch
 usb-serial-option-add-the-broadmobi-bm818-card.patch
 usb-serial-option-add-motorola-modem-uarts.patch
 usb-setup-authorized_default-attributes-using-usb_bus_notify.patch
+netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch
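Review bot: In `nf_ct_get_id()` (second hunk of the queued nf_conntrack_core.c patch) the new `d` input hashes the raw bytes of `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple` via `sizeof`, so the id stays constant only if every byte of that struct, any padding included, is never rewritten after the entry is initialised; nothing in the hunk records that assumption. A comment above the `siphash()` call would make it explicit, e.g. `/* raw tuple bytes (padding included) must not change after init, or the id changes */`. The replacement of `net_hash_mix(nf_ct_net(ct))` by the `struct net` pointer in `c` is also not mentioned in the commit message; because the header comment says the id is exposed to userspace, it would help to state there that `a`, `b` and `c` are kernel addresses that may only leave the function through the siphash keyed with `ct_id_seed`. The function body continues past the end of the hunk, so the non-`CONFIG_64BIT` return path is not visible here.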