tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 382711115afc1197da2c288679079946650ef017 commit: cc12c927ac504e99fc176ea49e85226b6aeadcd5 [1605/1605] netfilter: conntrack: allow insertion of clashing entries config: x86_64-buildonly-randconfig-2002-20250501 (https://download.01.org/0day-ci/archive/20250703/202507030549.czVv179y-lkp@i...) compiler: clang version 20.1.2 (https://github.com/llvm/llvm-project 58df0ef89dd64126512e4ee27b4ac3fd8ddf6247) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250703/202507030549.czVv179y-lkp@i...) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202507030549.czVv179y-lkp@intel.com/ All warnings (new ones prefixed by >>):
net/netfilter/nf_conntrack_core.c:1017: warning: Function parameter or member 'reply_hash' not described in 'nf_ct_resolve_clash' net/netfilter/nf_conntrack_core.c:1017: warning: Excess function parameter 'hash_reply' description in 'nf_ct_resolve_clash'
vim +1017 net/netfilter/nf_conntrack_core.c cc12c927ac504e Florian Westphal 2023-11-02 980 6199b71796bcaa Florian Westphal 2023-11-02 981 /** 6199b71796bcaa Florian Westphal 2023-11-02 982 * nf_ct_resolve_clash - attempt to handle clash without packet drop 6199b71796bcaa Florian Westphal 2023-11-02 983 * 6199b71796bcaa Florian Westphal 2023-11-02 984 * @skb: skb that causes the clash 6199b71796bcaa Florian Westphal 2023-11-02 985 * @h: tuplehash of the clashing entry already in table cc12c927ac504e Florian Westphal 2023-11-02 986 * @hash_reply: hash slot for reply direction 6199b71796bcaa Florian Westphal 2023-11-02 987 * 6199b71796bcaa Florian Westphal 2023-11-02 988 * A conntrack entry can be inserted to the connection tracking table 6199b71796bcaa Florian Westphal 2023-11-02 989 * if there is no existing entry with an identical tuple. 6199b71796bcaa Florian Westphal 2023-11-02 990 * 6199b71796bcaa Florian Westphal 2023-11-02 991 * If there is one, @skb (and the assocated, unconfirmed conntrack) has 6199b71796bcaa Florian Westphal 2023-11-02 992 * to be dropped. In case @skb is retransmitted, next conntrack lookup 6199b71796bcaa Florian Westphal 2023-11-02 993 * will find the already-existing entry. 6199b71796bcaa Florian Westphal 2023-11-02 994 * 6199b71796bcaa Florian Westphal 2023-11-02 995 * The major problem with such packet drop is the extra delay added by 6199b71796bcaa Florian Westphal 2023-11-02 996 * the packet loss -- it will take some time for a retransmit to occur 6199b71796bcaa Florian Westphal 2023-11-02 997 * (or the sender to time out when waiting for a reply). 6199b71796bcaa Florian Westphal 2023-11-02 998 * 6199b71796bcaa Florian Westphal 2023-11-02 999 * This function attempts to handle the situation without packet drop. 6199b71796bcaa Florian Westphal 2023-11-02 1000 * 6199b71796bcaa Florian Westphal 2023-11-02 1001 * If @skb has no NAT transformation or if the colliding entries are 6199b71796bcaa Florian Westphal 2023-11-02 1002 * exactly the same, only the to-be-confirmed conntrack entry is discarded 6199b71796bcaa Florian Westphal 2023-11-02 1003 * and @skb is associated with the conntrack entry already in the table. 6199b71796bcaa Florian Westphal 2023-11-02 1004 * cc12c927ac504e Florian Westphal 2023-11-02 1005 * Failing that, the new, unconfirmed conntrack is still added to the table cc12c927ac504e Florian Westphal 2023-11-02 1006 * provided that the collision only occurs in the ORIGINAL direction. cc12c927ac504e Florian Westphal 2023-11-02 1007 * The new entry will be added after the existing one in the hash list, cc12c927ac504e Florian Westphal 2023-11-02 1008 * so packets in the ORIGINAL direction will continue to match the existing cc12c927ac504e Florian Westphal 2023-11-02 1009 * entry. The new entry will also have a fixed timeout so it expires -- cc12c927ac504e Florian Westphal 2023-11-02 1010 * due to the collision, it will not see bidirectional traffic. cc12c927ac504e Florian Westphal 2023-11-02 1011 * 6199b71796bcaa Florian Westphal 2023-11-02 1012 * Returns NF_DROP if the clash could not be resolved. 6199b71796bcaa Florian Westphal 2023-11-02 1013 */ 115dffa33ea6f5 Florian Westphal 2023-11-02 1014 static __cold noinline int cc12c927ac504e Florian Westphal 2023-11-02 1015 nf_ct_resolve_clash(struct sk_buff *skb, struct nf_conntrack_tuple_hash *h, cc12c927ac504e Florian Westphal 2023-11-02 1016 u32 reply_hash) 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 @1017 { 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1018 /* This is the conntrack entry already in hashes that won race. */ 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1019 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); b3480fe059ac91 Florian Westphal 2017-08-12 1020 const struct nf_conntrack_l4proto *l4proto; 6199b71796bcaa Florian Westphal 2023-11-02 1021 enum ip_conntrack_info ctinfo; 6199b71796bcaa Florian Westphal 2023-11-02 1022 struct nf_conn *loser_ct; 6199b71796bcaa Florian Westphal 2023-11-02 1023 struct net *net; 94ebb264459f97 Florian Westphal 2023-11-02 1024 int ret; 6199b71796bcaa Florian Westphal 2023-11-02 1025 6199b71796bcaa Florian Westphal 2023-11-02 1026 loser_ct = nf_ct_get(skb, &ctinfo); 94ebb264459f97 Florian Westphal 2023-11-02 1027 net = nf_ct_net(loser_ct); 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1028 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1029 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 6199b71796bcaa Florian Westphal 2023-11-02 1030 if (!l4proto->allow_clash) 6199b71796bcaa Florian Westphal 2023-11-02 1031 goto drop; 6199b71796bcaa Florian Westphal 2023-11-02 1032 94ebb264459f97 Florian Westphal 2023-11-02 1033 ret = __nf_ct_resolve_clash(skb, h); 94ebb264459f97 Florian Westphal 2023-11-02 1034 if (ret == NF_ACCEPT) 94ebb264459f97 Florian Westphal 2023-11-02 1035 return ret; 6199b71796bcaa Florian Westphal 2023-11-02 1036 cc12c927ac504e Florian Westphal 2023-11-02 1037 ret = nf_ct_resolve_clash_harder(skb, reply_hash); cc12c927ac504e Florian Westphal 2023-11-02 1038 if (ret == NF_ACCEPT) cc12c927ac504e Florian Westphal 2023-11-02 1039 return ret; cc12c927ac504e Florian Westphal 2023-11-02 1040 6199b71796bcaa Florian Westphal 2023-11-02 1041 drop: 94ebb264459f97 Florian Westphal 2023-11-02 1042 nf_ct_add_to_dying_list(loser_ct); 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1043 NF_CT_STAT_INC(net, drop); 94ebb264459f97 Florian Westphal 2023-11-02 1044 NF_CT_STAT_INC(net, insert_failed); 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1045 return NF_DROP; 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1046 } 71d8c47fc65371 Pablo Neira Ayuso 2016-05-01 1047 :::::: The code at line 1017 was first introduced by commit :::::: 71d8c47fc653711c41bc3282e5b0e605b3727956 netfilter: conntrack: introduce clash resolution on insertion race :::::: TO: Pablo Neira Ayuso <pablo@netfilter.org> :::::: CC: Pablo Neira Ayuso <pablo@netfilter.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki