netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()

e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race") consolidates IPS_CONFIRMED bit set in nf_conntrack_hash_check_insert(). However, this breaks ctnetlink: # conntrack -I -p tcp --timeout 123 --src 1.2.3.4 --dst 5.6.7.8 --state ESTABLISHED --sport 1 --dport 4 -u SEEN_REPLY conntrack v1.4.6 (conntrack-tools): Operation failed: Device or resource busy This is a partial revert of the aforementioned commit to restore IPS_CONFIRMED. Fixes: e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race") Reported-by: Stéphane Graber <stgraber@stgraber.org> Tested-by: Stéphane Graber <stgraber@stgraber.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-04-18 23:31:26 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-04-19 10:07:59 +0200
commit: 2cdaa3eefed83082923cf219c8b6a314e622da74 (patch)
tree: 0a1a923ba40879e7603b4c097ea197572de0b9b6 /net/netfilter/nf_conntrack_netlink.c
parent: 92e8c732d8518588ac34b4cb3feaf37d2cb87555 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bfc3aaa2c872..d3ee18854698 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2316,6 +2316,9 @@ ctnetlink_create_conntrack(struct net *net,
 	nfct_seqadj_ext_add(ct);
 	nfct_synproxy_ext_add(ct);
 
+	/* we must add conntrack extensions before confirmation. */
+	ct->status |= IPS_CONFIRMED;
+
 	if (cda[CTA_STATUS]) {
 		err = ctnetlink_change_status(ct, cda);
 		if (err < 0)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-04-18 23:31:26 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2023-04-19 10:07:59 +0200
commit	2cdaa3eefed83082923cf219c8b6a314e622da74 (patch)
tree	0a1a923ba40879e7603b4c097ea197572de0b9b6 /net/netfilter/nf_conntrack_netlink.c
parent	92e8c732d8518588ac34b4cb3feaf37d2cb87555 (diff)