netfilter: nft_connlimit: fix possible data race on connection count

ffmancera · Florian Westphal · commit 8d96dfdcabef · 2025-10-29T14:47:59.000+01:00
nft_connlimit_eval() reads priv->list->count to check if the connection limit has been exceeded. This value is being read without a lock and can be modified by a different process. Use READ_ONCE() for correctness. Fixes: df4a902 ("netfilter: nf_conncount: merge lookup and add functions") Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de>
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
@@ -48,7 +48,7 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
 		return;
 	}
 
-	count = priv->list->count;
+	count = READ_ONCE(priv->list->count);
 
 	if ((count > priv->limit) ^ priv->invert) {
 		regs->verdict.code = NFT_BREAK;

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,`
`48`	`48`	`return;`
`49`	`49`	`}`
`50`	`50`
`51`		`- count = priv->list->count;`
	`51`	`+ count = READ_ONCE(priv->list->count);`
`52`	`52`
`53`	`53`	`if ((count > priv->limit) ^ priv->invert) {`
`54`	`54`	`regs->verdict.code = NFT_BREAK;`