4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Apr 2018 17:26:14 +0000 (19:26 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Apr 2018 17:26:14 +0000 (19:26 +0200)
added patches:
llist-clang-introduce-member_address_is_nonnull.patch

queue-4.9/llist-clang-introduce-member_address_is_nonnull.patch [new file with mode: 0644]
queue-4.9/netfilter-drop-template-ct-when-conntrack-is-skipped.patch [deleted file]
queue-4.9/series

diff --git a/queue-4.9/llist-clang-introduce-member_address_is_nonnull.patch b/queue-4.9/llist-clang-introduce-member_address_is_nonnull.patch
new file mode 100644 (file)
index 0000000..a9fe6ed
--- /dev/null
@@ -0,0 +1,73 @@
+From beaec533fc2701a28a4d667f67c9f59c6e4e0d13 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 19 Jul 2017 20:27:30 +0200
+Subject: llist: clang: introduce member_address_is_nonnull()
+
+From: Alexander Potapenko <glider@google.com>
+
+commit beaec533fc2701a28a4d667f67c9f59c6e4e0d13 upstream.
+
+Currently llist_for_each_entry() and llist_for_each_entry_safe() iterate
+until &pos->member != NULL.  But when building the kernel with Clang,
+the compiler assumes &pos->member cannot be NULL if the member's offset
+is greater than 0 (which would be equivalent to the object being
+non-contiguous in memory).  Therefore the loop condition is always true,
+and the loops become infinite.
+
+To work around this, introduce the member_address_is_nonnull() macro,
+which casts object pointer to uintptr_t, thus letting the member pointer
+to be NULL.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Tested-by: Sodagudi Prasad <psodagud@codeaurora.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/llist.h |   21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/include/linux/llist.h
++++ b/include/linux/llist.h
+@@ -88,6 +88,23 @@ static inline void init_llist_head(struc
+       container_of(ptr, type, member)
+ /**
++ * member_address_is_nonnull - check whether the member address is not NULL
++ * @ptr:      the object pointer (struct type * that contains the llist_node)
++ * @member:   the name of the llist_node within the struct.
++ *
++ * This macro is conceptually the same as
++ *    &ptr->member != NULL
++ * but it works around the fact that compilers can decide that taking a member
++ * address is never a NULL pointer.
++ *
++ * Real objects that start at a high address and have a member at NULL are
++ * unlikely to exist, but such pointers may be returned e.g. by the
++ * container_of() macro.
++ */
++#define member_address_is_nonnull(ptr, member)        \
++      ((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0)
++
++/**
+  * llist_for_each - iterate over some deleted entries of a lock-less list
+  * @pos:      the &struct llist_node to use as a loop cursor
+  * @node:     the first entry of deleted list entries
+@@ -121,7 +138,7 @@ static inline void init_llist_head(struc
+  */
+ #define llist_for_each_entry(pos, node, member)                               \
+       for ((pos) = llist_entry((node), typeof(*(pos)), member);       \
+-           &(pos)->member != NULL;                                    \
++           member_address_is_nonnull(pos, member);                    \
+            (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member))
+ /**
+@@ -143,7 +160,7 @@ static inline void init_llist_head(struc
+  */
+ #define llist_for_each_entry_safe(pos, n, node, member)                              \
+       for (pos = llist_entry((node), typeof(*pos), member);                  \
+-           &pos->member != NULL &&                                           \
++           member_address_is_nonnull(pos, member) &&                         \
+               (n = llist_entry(pos->member.next, typeof(*n), member), true); \
+            pos = n)
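Review bot: The new `member_address_is_nonnull()` at the `#define` line of this queued patch depends on `uintptr_t`, `offsetof()` and `typeof`, and the hunk does not show whether 4.9's `include/linux/llist.h` already includes the headers that provide the first two (`linux/types.h` and `linux/stddef.h`, normally reached via `linux/kernel.h`); if it does not, the backport fails to build even though the upstream commit applies cleanly. That is worth confirming against the 4.9 header rather than inferred from the clean apply, e.g. by checking for an existing `#include <linux/kernel.h>` near the top of the file, which lies outside this hunk. The two call sites in `llist_for_each_entry` and `llist_for_each_entry_safe` pass `pos` to `typeof`, which does not evaluate its operand, so the macro evaluates its argument once and introduces no new side-effect hazard. The hunk header advertises 73 added lines while fewer are rendered here, so the blank separator lines of the patch body appear to have been dropped by the page rendering rather than by the commit.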
diff --git a/queue-4.9/netfilter-drop-template-ct-when-conntrack-is-skipped.patch b/queue-4.9/netfilter-drop-template-ct-when-conntrack-is-skipped.patch
deleted file mode 100644 (file)
index 47ef9c4..0000000
+++ /dev/null
@@ -1,108 +0,0 @@
-From aebfa52a925d701114afd6af0def35bab16d4f47 Mon Sep 17 00:00:00 2001
-From: Paolo Abeni <pabeni@redhat.com>
-Date: Thu, 22 Mar 2018 11:08:50 +0100
-Subject: netfilter: drop template ct when conntrack is skipped.
-
-From: Paolo Abeni <pabeni@redhat.com>
-
-commit aebfa52a925d701114afd6af0def35bab16d4f47 upstream.
-
-The ipv4 nf_ct code currently skips the nf_conntrak_in() call
-for fragmented packets. As a results later matches/target can end
-up manipulating template ct entry instead of 'real' ones.
-
-Exploiting the above, syzbot found a way to trigger the following
-splat:
-
-WARNING: CPU: 1 PID: 4242 at net/netfilter/xt_cluster.c:55
-xt_cluster_mt+0x6c1/0x840 net/netfilter/xt_cluster.c:127
-Kernel panic - not syncing: panic_on_warn set ...
-
-CPU: 1 PID: 4242 Comm: syzkaller027971 Not tainted 4.16.0-rc2+ #243
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
-Google 01/01/2011
-Call Trace:
-  __dump_stack lib/dump_stack.c:17 [inline]
-  dump_stack+0x194/0x24d lib/dump_stack.c:53
-  panic+0x1e4/0x41c kernel/panic.c:183
-  __warn+0x1dc/0x200 kernel/panic.c:547
-  report_bug+0x211/0x2d0 lib/bug.c:184
-  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
-  fixup_bug arch/x86/kernel/traps.c:247 [inline]
-  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
-  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
-  invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
-RIP: 0010:xt_cluster_hash net/netfilter/xt_cluster.c:55 [inline]
-RIP: 0010:xt_cluster_mt+0x6c1/0x840 net/netfilter/xt_cluster.c:127
-RSP: 0018:ffff8801d2f6f2d0 EFLAGS: 00010293
-RAX: ffff8801af700540 RBX: 0000000000000000 RCX: ffffffff84a2d1e1
-RDX: 0000000000000000 RSI: ffff8801d2f6f478 RDI: ffff8801cafd336a
-RBP: ffff8801d2f6f2e8 R08: 0000000000000000 R09: 0000000000000001
-R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801b03b3d18
-R13: ffff8801cafd3300 R14: dffffc0000000000 R15: ffff8801d2f6f478
-  ipt_do_table+0xa91/0x19b0 net/ipv4/netfilter/ip_tables.c:296
-  iptable_filter_hook+0x65/0x80 net/ipv4/netfilter/iptable_filter.c:41
-  nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
-  nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
-  nf_hook include/linux/netfilter.h:243 [inline]
-  NF_HOOK include/linux/netfilter.h:286 [inline]
-  raw_send_hdrinc.isra.17+0xf39/0x1880 net/ipv4/raw.c:432
-  raw_sendmsg+0x14cd/0x26b0 net/ipv4/raw.c:669
-  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
-  sock_sendmsg_nosec net/socket.c:629 [inline]
-  sock_sendmsg+0xca/0x110 net/socket.c:639
-  SYSC_sendto+0x361/0x5c0 net/socket.c:1748
-  SyS_sendto+0x40/0x50 net/socket.c:1716
-  do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
-  entry_SYSCALL_64_after_hwframe+0x42/0xb7
-RIP: 0033:0x441b49
-RSP: 002b:00007ffff5ca8b18 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
-RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441b49
-RDX: 0000000000000030 RSI: 0000000020ff7000 RDI: 0000000000000003
-RBP: 00000000006cc018 R08: 000000002066354c R09: 0000000000000010
-R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000403470
-R13: 0000000000403500 R14: 0000000000000000 R15: 0000000000000000
-Dumping ftrace buffer:
-    (ftrace buffer empty)
-Kernel Offset: disabled
-Rebooting in 86400 seconds..
-
-Instead of adding checks for template ct on every target/match
-manipulating skb->_nfct, simply drop the template ct when skipping
-nf_conntrack_in().
-
-Fixes: 7b4fdf77a450ec ("netfilter: don't track fragmented packets")
-Reported-and-tested-by: syzbot+0346441ae0545cfcea3a@syzkaller.appspotmail.com
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Acked-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
---- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
-+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
-@@ -159,8 +159,20 @@ static unsigned int ipv4_conntrack_local
-           ip_hdrlen(skb) < sizeof(struct iphdr))
-               return NF_ACCEPT;
--      if (ip_is_fragment(ip_hdr(skb))) /* IP_NODEFRAG setsockopt set */
-+      if (ip_is_fragment(ip_hdr(skb))) { /* IP_NODEFRAG setsockopt set */
-+              enum ip_conntrack_info ctinfo;
-+              struct nf_conn *tmpl;
-+
-+              tmpl = nf_ct_get(skb, &ctinfo);
-+              if (tmpl && nf_ct_is_template(tmpl)) {
-+                      /* when skipping ct, clear templates to avoid fooling
-+                       * later targets/matches
-+                       */
-+                      skb->_nfct = 0;
-+                      nf_ct_put(tmpl);
-+              }
-               return NF_ACCEPT;
-+      }
-       return nf_conntrack_in(state->net, PF_INET, state->hook, skb);
- }
index 3405083bfa7defd1a36cafeb54d7b4795534df18..709e07b69e6d205e795264480a4c4f6e9752936c 100644 (file)
@@ -42,6 +42,6 @@ rdma-ucma-introduce-safer-rdma_addr_size-variants.patch
 net-xfrm-use-preempt-safe-this_cpu_read-in-ipcomp_alloc_tfms.patch
 xfrm-refuse-to-insert-32-bit-userspace-socket-policies-on-64-bit-systems.patch
 netfilter-bridge-ebt_among-add-more-missing-match-size-checks.patch
-netfilter-drop-template-ct-when-conntrack-is-skipped.patch
 netfilter-x_tables-add-and-use-xt_check_proc_name.patch
 bluetooth-fix-missing-encryption-refresh-on-security-request.patch
+llist-clang-introduce-member_address_is_nonnull.patch