From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 11 May 2018 07:08:32 +0000 (+0200)
Subject: drop 4.16 netfilter patch
X-Git-Tag: v3.18.109~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=901df487428e2e65dafac7e4b701f4666886b766;p=thirdparty%2Fkernel%2Fstable-queue.git

drop 4.16 netfilter patch
---

diff --git a/queue-4.16/netfilter-x_tables-ensure-last-rule-in-base-chain-matches-underflow-policy.patch b/queue-4.16/netfilter-x_tables-ensure-last-rule-in-base-chain-matches-underflow-policy.patch
deleted file mode 100644
index 4d50db6fcfe..00000000000
--- a/queue-4.16/netfilter-x_tables-ensure-last-rule-in-base-chain-matches-underflow-policy.patch
+++ /dev/null
@@ -1,192 +0,0 @@
-From 0d7df906a0e78079a02108b06d32c3ef2238ad25 Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Tue, 27 Feb 2018 19:42:37 +0100
-Subject: netfilter: x_tables: ensure last rule in base chain matches underflow/policy
-
-From: Florian Westphal <fw@strlen.de>
-
-commit 0d7df906a0e78079a02108b06d32c3ef2238ad25 upstream.
-
-Harmless from kernel point of view, but again iptables assumes that
-this is true when decoding ruleset coming from kernel.
-
-If a (syzkaller generated) ruleset doesn't have the underflow/policy
-stored as the last rule in the base chain, then iptables will abort()
-because it doesn't find the chain policy.
-
-libiptc assumes that the policy is the last rule in the basechain, which
-is only true for iptables-generated rulesets.
-
-Unfortunately this needs code duplication -- the functions need the
-struct layout of the rule head, but that is different for
-ip/ip6/arptables.
-
-NB: pr_warn could be pr_debug but in case this break rulesets somehow its
-useful to know why blob was rejected.
-
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/ipv4/netfilter/arp_tables.c |   17 ++++++++++++++++-
- net/ipv4/netfilter/ip_tables.c  |   17 ++++++++++++++++-
- net/ipv6/netfilter/ip6_tables.c |   17 ++++++++++++++++-
- 3 files changed, 48 insertions(+), 3 deletions(-)
-
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -309,10 +309,13 @@ static int mark_source_chains(const stru
- 	for (hook = 0; hook < NF_ARP_NUMHOOKS; hook++) {
- 		unsigned int pos = newinfo->hook_entry[hook];
- 		struct arpt_entry *e = entry0 + pos;
-+		unsigned int last_pos, depth;
- 
- 		if (!(valid_hooks & (1 << hook)))
- 			continue;
- 
-+		depth = 0;
-+		last_pos = pos;
- 		/* Set initial back pointer. */
- 		e->counters.pcnt = pos;
- 
-@@ -348,6 +351,8 @@ static int mark_source_chains(const stru
- 					pos = e->counters.pcnt;
- 					e->counters.pcnt = 0;
- 
-+					if (depth)
-+						--depth;
- 					/* We're at the start. */
- 					if (pos == oldpos)
- 						goto next;
-@@ -372,6 +377,9 @@ static int mark_source_chains(const stru
- 					if (!xt_find_jump_offset(offsets, newpos,
- 								 newinfo->number))
- 						return 0;
-+
-+					if (entry0 + newpos != arpt_next_entry(e))
-+						++depth;
- 				} else {
- 					/* ... this is a fallthru */
- 					newpos = pos + e->next_offset;
-@@ -382,8 +390,15 @@ static int mark_source_chains(const stru
- 				e->counters.pcnt = pos;
- 				pos = newpos;
- 			}
-+			if (depth == 0)
-+				last_pos = pos;
-+		}
-+next:
-+		if (last_pos != newinfo->underflow[hook]) {
-+			pr_err_ratelimited("last base chain position %u doesn't match underflow %u (hook %u)\n",
-+					   last_pos, newinfo->underflow[hook], hook);
-+			return 0;
- 		}
--next:		;
- 	}
- 	return 1;
- }
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -378,10 +378,13 @@ mark_source_chains(const struct xt_table
- 	for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
- 		unsigned int pos = newinfo->hook_entry[hook];
- 		struct ipt_entry *e = entry0 + pos;
-+		unsigned int last_pos, depth;
- 
- 		if (!(valid_hooks & (1 << hook)))
- 			continue;
- 
-+		depth = 0;
-+		last_pos = pos;
- 		/* Set initial back pointer. */
- 		e->counters.pcnt = pos;
- 
-@@ -415,6 +418,8 @@ mark_source_chains(const struct xt_table
- 					pos = e->counters.pcnt;
- 					e->counters.pcnt = 0;
- 
-+					if (depth)
-+						--depth;
- 					/* We're at the start. */
- 					if (pos == oldpos)
- 						goto next;
-@@ -439,6 +444,9 @@ mark_source_chains(const struct xt_table
- 					if (!xt_find_jump_offset(offsets, newpos,
- 								 newinfo->number))
- 						return 0;
-+
-+					if (entry0 + newpos != ipt_next_entry(e))
-+						++depth;
- 				} else {
- 					/* ... this is a fallthru */
- 					newpos = pos + e->next_offset;
-@@ -449,8 +457,15 @@ mark_source_chains(const struct xt_table
- 				e->counters.pcnt = pos;
- 				pos = newpos;
- 			}
-+			if (depth == 0)
-+				last_pos = pos;
-+		}
-+next:
-+		if (last_pos != newinfo->underflow[hook]) {
-+			pr_err_ratelimited("last base chain position %u doesn't match underflow %u (hook %u)\n",
-+					   last_pos, newinfo->underflow[hook], hook);
-+			return 0;
- 		}
--next:		;
- 	}
- 	return 1;
- }
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -396,10 +396,13 @@ mark_source_chains(const struct xt_table
- 	for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
- 		unsigned int pos = newinfo->hook_entry[hook];
- 		struct ip6t_entry *e = entry0 + pos;
-+		unsigned int last_pos, depth;
- 
- 		if (!(valid_hooks & (1 << hook)))
- 			continue;
- 
-+		depth = 0;
-+		last_pos = pos;
- 		/* Set initial back pointer. */
- 		e->counters.pcnt = pos;
- 
-@@ -433,6 +436,8 @@ mark_source_chains(const struct xt_table
- 					pos = e->counters.pcnt;
- 					e->counters.pcnt = 0;
- 
-+					if (depth)
-+						--depth;
- 					/* We're at the start. */
- 					if (pos == oldpos)
- 						goto next;
-@@ -457,6 +462,9 @@ mark_source_chains(const struct xt_table
- 					if (!xt_find_jump_offset(offsets, newpos,
- 								 newinfo->number))
- 						return 0;
-+
-+					if (entry0 + newpos != ip6t_next_entry(e))
-+						++depth;
- 				} else {
- 					/* ... this is a fallthru */
- 					newpos = pos + e->next_offset;
-@@ -467,8 +475,15 @@ mark_source_chains(const struct xt_table
- 				e->counters.pcnt = pos;
- 				pos = newpos;
- 			}
-+			if (depth == 0)
-+				last_pos = pos;
-+		}
-+next:
-+		if (last_pos != newinfo->underflow[hook]) {
-+			pr_err_ratelimited("last base chain position %u doesn't match underflow %u (hook %u)\n",
-+					   last_pos, newinfo->underflow[hook], hook);
-+			return 0;
- 		}
--next:		;
- 	}
- 	return 1;
- }
diff --git a/queue-4.16/series b/queue-4.16/series
index e8c29e6f7cf..3a045163518 100644
--- a/queue-4.16/series
+++ b/queue-4.16/series
@@ -2,7 +2,6 @@ ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thread.patch
 netfilter-ebtables-don-t-attempt-to-allocate-0-sized-compat-array.patch
 clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch
 kcm-call-strp_stop-before-strp_done-in-kcm_attach.patch
-netfilter-x_tables-ensure-last-rule-in-base-chain-matches-underflow-policy.patch
 rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch
 crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch
 netlink-fix-uninit-value-in-netlink_sendmsg.patch