From patchwork Fri Oct 11 14:02:05 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: holger@eitzenberger.org
X-Patchwork-Id: 282765
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 9C1082C00BA
	for <incoming@patchwork.ozlabs.org>;
	Sat, 12 Oct 2013 01:04:49 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752705Ab3JKOEp (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Fri, 11 Oct 2013 10:04:45 -0400
Received: from moutng.kundenserver.de ([212.227.17.10]:62118 "EHLO
	moutng.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1757525Ab3JKOEn (ORCPT
	<rfc822;netfilter-devel@vger.kernel.org>);
	Fri, 11 Oct 2013 10:04:43 -0400
Received: from kruemel.eitzenberger.org (p54AD0F41.dip0.t-ipconnect.de
	[84.173.15.65])
	by mrelayeu.kundenserver.de (node=mrbap4) with ESMTP (Nemesis)
	id 0LiUtY-1W2sDd3dKm-00ces8; Fri, 11 Oct 2013 16:04:42 +0200
Received: from holger by kruemel.eitzenberger.org with local (Exim 4.76)
	(envelope-from <holger@eitzenberger.org>)
	id 1VUdKa-0004Dy-L2; Fri, 11 Oct 2013 16:04:40 +0200
Message-Id: <20131011140440.339579297@eitzenberger.org>
User-Agent: quilt/0.50-1
Date: Fri, 11 Oct 2013 16:02:05 +0200
From: Holger Eitzenberger <holger@eitzenberger.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org
Subject: [OOPS PATCH 1/1] netfilter: fix OOPS in flush_expectations()
References: <20131011140204.916097373@eitzenberger.org>
Content-Disposition: inline; filename=sip-fix.diff
X-Provags-ID: V02:K0:wOKGb1lQHigBi/9bSH55bow76uaruf7FjxhjOmFqnBl
	FAUHckH0Iexr10zOXoxrCfWtIABhBPH3/21MwqWVL//xbOmAfR
	3cQYsaSa2jxlMxEpDKHSX8z26wW0C5aLDn/VMb1z5RHXSVjmJA
	4yL22LJvew6qsEBOsYEwPGecaDUvNK2STVFqo8V4PWQmPNa47b
	zHdKUO9WEgV1el1Jen/yW+jugYG6EeO7lmW/UnWtlSYBIRWVuE
	aNv6gWKbDFQuRI/rTNGgLvDeLO43TPvmlYot4tRNnXY8aTgrIU
	GFoo7fwYwkLEleTgq+/6A+sxUtlcCg5gKcoCUKqwkSpzwoi/a5
	l/RZGHao+J/JLtkES3RldPaob18ECHav2KxYMJN04iGj0DkjMe
	tFe/u6CviwT7Q==
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

This is the initial report I got:

  [ 2886.953175] BUG: unable to handle kernel paging request at 00100100
  [ 2886.956435] IP: [<f88a4ab8>] flush_expectations+0x68/0x85 [nf_conntrack_sip]
  [ 2886.956435] *pde = 00000000
  [ 2886.956435] Oops: 0000 [001] SMP
  ...
  [ 2886.956435] Pid: 5606, comm: red_server.plc Tainted: G O
  3.3.8-79.g20f5c30-smp 001 Astaro AG ASG/i845GV-W83627HF
  [ 2886.956435] EIP: 0060:[<f88a4ab8>] EFLAGS: 00210246 CPU: 0
  [ 2886.956435] EIP is at flush_expectations+0x68/0x85 [nf_conntrack_sip]
  [ 2886.956435] EAX: 00000000 EBX: 00100100 ECX: 00000000 EDX: effdc0a0
  [ 2886.956435] ESI: 00100100 EDI: 00000001 EBP: 00000001 ESP: f5c0bd54
  [ 2886.956435] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
  [ 2886.956435] Process red_server.plc (pid: 5606, ti=f5c0a000 task=f5da2a20 task.ti=efc62000)
  [ 2886.956435] Stack:
  [ 2886.956435] f490b948 00000001 00000197 f45f4f00 f88a5918 f5c0bde0 f5c0bddc 0000001c
  [ 2886.956435] 00000014 f88a72a8 0000015d f5c0bddc 00000001 f88a472e f5c0bddc f5c0bde0
  [ 2886.956435] 00000001 00000197 00000014 f490b948 f45f4f00 f88a72a8 00000197 00000001

Which is due to nf_conntrack_expect.lnode hlist entry not being reset
to NULL after being removed from the list in hlist_del(), but instead to
LIST_POISON1.  And because of this hlist_for_each_entry_safe() does
not terminate correctly.

Therefore change nf_ct_unlink_expect_report() to use __hlist_del()
instead.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
---
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Index: linux-stable-3.8.y/net/netfilter/nf_conntrack_expect.c
===================================================================
--- linux-stable-3.8.y.orig/net/netfilter/nf_conntrack_expect.c
+++ linux-stable-3.8.y/net/netfilter/nf_conntrack_expect.c
@@ -51,7 +51,7 @@ void nf_ct_unlink_expect_report(struct n
 	hlist_del_rcu(&exp->hnode);
 	net->ct.expect_count--;
 
-	hlist_del(&exp->lnode);
+	__hlist_del(&exp->lnode);
 	master_help->expecting[exp->class]--;
 
 	nf_ct_expect_event_report(IPEXP_DESTROY, exp, pid, report);