From fbbfdd9cab4e0887487d75eaa941e7a96696b24c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 3 Apr 2018 19:26:14 +0200 Subject: [PATCH] 4.9-stable patches added patches: llist-clang-introduce-member_address_is_nonnull.patch --- ...-introduce-member_address_is_nonnull.patch | 73 ++++++++++++ ...emplate-ct-when-conntrack-is-skipped.patch | 108 ------------------ queue-4.9/series | 2 +- 3 files changed, 74 insertions(+), 109 deletions(-) create mode 100644 queue-4.9/llist-clang-introduce-member_address_is_nonnull.patch delete mode 100644 queue-4.9/netfilter-drop-template-ct-when-conntrack-is-skipped.patch diff --git a/queue-4.9/llist-clang-introduce-member_address_is_nonnull.patch b/queue-4.9/llist-clang-introduce-member_address_is_nonnull.patch new file mode 100644 index 00000000000..a9fe6ed7e7f --- /dev/null +++ b/queue-4.9/llist-clang-introduce-member_address_is_nonnull.patch @@ -0,0 +1,73 @@ +From beaec533fc2701a28a4d667f67c9f59c6e4e0d13 Mon Sep 17 00:00:00 2001 +From: Alexander Potapenko +Date: Wed, 19 Jul 2017 20:27:30 +0200 +Subject: llist: clang: introduce member_address_is_nonnull() + +From: Alexander Potapenko + +commit beaec533fc2701a28a4d667f67c9f59c6e4e0d13 upstream. + +Currently llist_for_each_entry() and llist_for_each_entry_safe() iterate +until &pos->member != NULL. But when building the kernel with Clang, +the compiler assumes &pos->member cannot be NULL if the member's offset +is greater than 0 (which would be equivalent to the object being +non-contiguous in memory). Therefore the loop condition is always true, +and the loops become infinite. + +To work around this, introduce the member_address_is_nonnull() macro, +which casts object pointer to uintptr_t, thus letting the member pointer +to be NULL. + +Signed-off-by: Alexander Potapenko +Tested-by: Sodagudi Prasad +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/llist.h | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/include/linux/llist.h ++++ b/include/linux/llist.h +@@ -88,6 +88,23 @@ static inline void init_llist_head(struc + container_of(ptr, type, member) + + /** ++ * member_address_is_nonnull - check whether the member address is not NULL ++ * @ptr: the object pointer (struct type * that contains the llist_node) ++ * @member: the name of the llist_node within the struct. ++ * ++ * This macro is conceptually the same as ++ * &ptr->member != NULL ++ * but it works around the fact that compilers can decide that taking a member ++ * address is never a NULL pointer. ++ * ++ * Real objects that start at a high address and have a member at NULL are ++ * unlikely to exist, but such pointers may be returned e.g. by the ++ * container_of() macro. ++ */ ++#define member_address_is_nonnull(ptr, member) \ ++ ((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0) ++ ++/** + * llist_for_each - iterate over some deleted entries of a lock-less list + * @pos: the &struct llist_node to use as a loop cursor + * @node: the first entry of deleted list entries +@@ -121,7 +138,7 @@ static inline void init_llist_head(struc + */ + #define llist_for_each_entry(pos, node, member) \ + for ((pos) = llist_entry((node), typeof(*(pos)), member); \ +- &(pos)->member != NULL; \ ++ member_address_is_nonnull(pos, member); \ + (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member)) + + /** +@@ -143,7 +160,7 @@ static inline void init_llist_head(struc + */ + #define llist_for_each_entry_safe(pos, n, node, member) \ + for (pos = llist_entry((node), typeof(*pos), member); \ +- &pos->member != NULL && \ ++ member_address_is_nonnull(pos, member) && \ + (n = llist_entry(pos->member.next, typeof(*n), member), true); \ + pos = n) + diff --git a/queue-4.9/netfilter-drop-template-ct-when-conntrack-is-skipped.patch b/queue-4.9/netfilter-drop-template-ct-when-conntrack-is-skipped.patch deleted file mode 100644 index 47ef9c44f2a..00000000000 --- a/queue-4.9/netfilter-drop-template-ct-when-conntrack-is-skipped.patch +++ /dev/null @@ -1,108 +0,0 @@ -From aebfa52a925d701114afd6af0def35bab16d4f47 Mon Sep 17 00:00:00 2001 -From: Paolo Abeni -Date: Thu, 22 Mar 2018 11:08:50 +0100 -Subject: netfilter: drop template ct when conntrack is skipped. - -From: Paolo Abeni - -commit aebfa52a925d701114afd6af0def35bab16d4f47 upstream. - -The ipv4 nf_ct code currently skips the nf_conntrak_in() call -for fragmented packets. As a results later matches/target can end -up manipulating template ct entry instead of 'real' ones. - -Exploiting the above, syzbot found a way to trigger the following -splat: - -WARNING: CPU: 1 PID: 4242 at net/netfilter/xt_cluster.c:55 -xt_cluster_mt+0x6c1/0x840 net/netfilter/xt_cluster.c:127 -Kernel panic - not syncing: panic_on_warn set ... - -CPU: 1 PID: 4242 Comm: syzkaller027971 Not tainted 4.16.0-rc2+ #243 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS -Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:17 [inline] - dump_stack+0x194/0x24d lib/dump_stack.c:53 - panic+0x1e4/0x41c kernel/panic.c:183 - __warn+0x1dc/0x200 kernel/panic.c:547 - report_bug+0x211/0x2d0 lib/bug.c:184 - fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 - fixup_bug arch/x86/kernel/traps.c:247 [inline] - do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 - do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 - invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957 -RIP: 0010:xt_cluster_hash net/netfilter/xt_cluster.c:55 [inline] -RIP: 0010:xt_cluster_mt+0x6c1/0x840 net/netfilter/xt_cluster.c:127 -RSP: 0018:ffff8801d2f6f2d0 EFLAGS: 00010293 -RAX: ffff8801af700540 RBX: 0000000000000000 RCX: ffffffff84a2d1e1 -RDX: 0000000000000000 RSI: ffff8801d2f6f478 RDI: ffff8801cafd336a -RBP: ffff8801d2f6f2e8 R08: 0000000000000000 R09: 0000000000000001 -R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801b03b3d18 -R13: ffff8801cafd3300 R14: dffffc0000000000 R15: ffff8801d2f6f478 - ipt_do_table+0xa91/0x19b0 net/ipv4/netfilter/ip_tables.c:296 - iptable_filter_hook+0x65/0x80 net/ipv4/netfilter/iptable_filter.c:41 - nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] - nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483 - nf_hook include/linux/netfilter.h:243 [inline] - NF_HOOK include/linux/netfilter.h:286 [inline] - raw_send_hdrinc.isra.17+0xf39/0x1880 net/ipv4/raw.c:432 - raw_sendmsg+0x14cd/0x26b0 net/ipv4/raw.c:669 - inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763 - sock_sendmsg_nosec net/socket.c:629 [inline] - sock_sendmsg+0xca/0x110 net/socket.c:639 - SYSC_sendto+0x361/0x5c0 net/socket.c:1748 - SyS_sendto+0x40/0x50 net/socket.c:1716 - do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 -RIP: 0033:0x441b49 -RSP: 002b:00007ffff5ca8b18 EFLAGS: 00000216 ORIG_RAX: 000000000000002c -RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441b49 -RDX: 0000000000000030 RSI: 0000000020ff7000 RDI: 0000000000000003 -RBP: 00000000006cc018 R08: 000000002066354c R09: 0000000000000010 -R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000403470 -R13: 0000000000403500 R14: 0000000000000000 R15: 0000000000000000 -Dumping ftrace buffer: - (ftrace buffer empty) -Kernel Offset: disabled -Rebooting in 86400 seconds.. - -Instead of adding checks for template ct on every target/match -manipulating skb->_nfct, simply drop the template ct when skipping -nf_conntrack_in(). - -Fixes: 7b4fdf77a450ec ("netfilter: don't track fragmented packets") -Reported-and-tested-by: syzbot+0346441ae0545cfcea3a@syzkaller.appspotmail.com -Signed-off-by: Paolo Abeni -Acked-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman - ---- - net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - ---- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c -+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c -@@ -159,8 +159,20 @@ static unsigned int ipv4_conntrack_local - ip_hdrlen(skb) < sizeof(struct iphdr)) - return NF_ACCEPT; - -- if (ip_is_fragment(ip_hdr(skb))) /* IP_NODEFRAG setsockopt set */ -+ if (ip_is_fragment(ip_hdr(skb))) { /* IP_NODEFRAG setsockopt set */ -+ enum ip_conntrack_info ctinfo; -+ struct nf_conn *tmpl; -+ -+ tmpl = nf_ct_get(skb, &ctinfo); -+ if (tmpl && nf_ct_is_template(tmpl)) { -+ /* when skipping ct, clear templates to avoid fooling -+ * later targets/matches -+ */ -+ skb->_nfct = 0; -+ nf_ct_put(tmpl); -+ } - return NF_ACCEPT; -+ } - - return nf_conntrack_in(state->net, PF_INET, state->hook, skb); - } diff --git a/queue-4.9/series b/queue-4.9/series index 3405083bfa7..709e07b69e6 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -42,6 +42,6 @@ rdma-ucma-introduce-safer-rdma_addr_size-variants.patch net-xfrm-use-preempt-safe-this_cpu_read-in-ipcomp_alloc_tfms.patch xfrm-refuse-to-insert-32-bit-userspace-socket-policies-on-64-bit-systems.patch netfilter-bridge-ebt_among-add-more-missing-match-size-checks.patch -netfilter-drop-template-ct-when-conntrack-is-skipped.patch netfilter-x_tables-add-and-use-xt_check_proc_name.patch bluetooth-fix-missing-encryption-refresh-on-security-request.patch +llist-clang-introduce-member_address_is_nonnull.patch -- 2.47.2