Commit 3ffb502d authored by Pablo Neira Ayuso, committed by Dong Chenchen

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

mainline inclusion
from mainline-v6.13-rc7
commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIQQN
CVE: CVE-2025-21648

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13



--------------------------------

Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it
is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when
resizing hashtable because __GFP_NOWARN is unset. See:

  0708a0af ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")

Note: hashtable resize is only possible from init_netns.

Fixes: 9cc1c73a ("netfilter: conntrack: avoid integer overflow when resizing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflicts:
	net/netfilter/nf_conntrack_core.c
[commit b9e0102a uses kvcalloc, which is not merged, leading to a conflict]
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
parent 6a6cc2b6
+4 −1
@@ -2314,12 +2314,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
	struct hlist_nulls_head *hash;
	unsigned int nr_slots, i;

	if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head)))
	if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head)))
		return NULL;

	BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
	nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));

	if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head)))
		return NULL;

	hash = kvmalloc_array(nr_slots, sizeof(struct hlist_nulls_head),
			      GFP_KERNEL | __GFP_ZERO);
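Review bot: The bound INT_MAX / sizeof(struct hlist_nulls_head) is now open-coded twice in nf_ct_alloc_hashtable(), once on *sizep before the roundup() and once on nr_slots after it, and nothing in the code says why the limit is INT_MAX rather than UINT_MAX. The reason (kvmalloc warns on requests above INT_MAX bytes unless __GFP_NOWARN is set) lives only in the commit message. Consider computing the limit once into a local such as max_slots and adding a one-line comment that ties it to the kvmalloc size limit, so a later cleanup does not drop the second check as redundant. It would also help to note that the first check is what keeps roundup() from wrapping in unsigned int, while the second covers the case where rounding up to a PAGE_SIZE multiple pushes nr_slots past the limit.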