• Steven Rostedt (VMware)'s avatar
    netfilter: Force fake conntrack entry to be at least 8 bytes aligned · 170a1fb9
    Steven Rostedt (VMware) authored
    Since the nfct and nfctinfo have been combined, the nf_conn structure
    must be at least 8 bytes aligned, as the 3 LSB bits are used for the
    nfctinfo. But there's a fake nf_conn structure to denote untracked
    connections, which is created by a PER_CPU construct. This does not
    guarantee that it will be 8 bytes aligned and can break the logic in
    determining the correct nfctinfo.
    
    I triggered this on a 32bit machine with the following error:
    
    BUG: unable to handle kernel NULL pointer dereference at 00000af4
    IP: nf_ct_deliver_cached_events+0x1b/0xfb
    *pdpt = 0000000031962001 *pde = 0000000000000000
    
    Oops: 0000 [#1] SMP
    [Modules linked in: ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables ipv6 crc_ccitt ppdev r8169 parport_pc parport
      OK  ]
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.10.0-test+ #75
    Hardware name: MSI MS-7823/CSM-H87M-G43 (MS-7823), BIOS V1.6 02/22/2014
    task: c126ec00 task.stack: c1258000
    EIP: nf_ct_deliver_cached_events+0x1b/0xfb
    EFLAGS: 00010202 CPU: 0
    EAX: 0021cd01 EBX: 00000000 ECX: 27b0c767 EDX: 32bcb17a
    ESI: f34135c0 EDI: f34135c0 EBP: f2debd60 ESP: f2debd3c
     DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
    CR0: 80050033 CR2: 00000af4 CR3: 309a0440 CR4: 001406f0
    Call Trace:
     <SOFTIRQ>
     ? ipv6_skip_exthdr+0xac/0xcb
     ipv6_confirm+0x10c/0x119 [nf_conntrack_ipv6]
     nf_hook_slow+0x22/0xc7
     nf_hook+0x9a/0xad [ipv6]
     ? ip6t_do_table+0x356/0x379 [ip6_tables]
     ? ip6_fragment+0x9e9/0x9e9 [ipv6]
     ip6_output+0xee/0x107 [ipv6]
     ? ip6_fragment+0x9e9/0x9e9 [ipv6]
     dst_output+0x36/0x4d [ipv6]
     NF_HOOK.constprop.37+0xb2/0xba [ipv6]
     ? icmp6_dst_alloc+0x2c/0xfd [ipv6]
     ? local_bh_enable+0x14/0x14 [ipv6]
     mld_sendpack+0x1c5/0x281 [ipv6]
     ? mark_held_locks+0x40/0x5c
     mld_ifc_timer_expire+0x1f6/0x21e [ipv6]
     call_timer_fn+0x135/0x283
     ? detach_if_pending+0x55/0x55
     ? mld_dad_timer_expire+0x3e/0x3e [ipv6]
     __run_timers+0x111/0x14b
     ? mld_dad_timer_expire+0x3e/0x3e [ipv6]
     run_timer_softirq+0x1c/0x36
     __do_softirq+0x185/0x37c
     ? test_ti_thread_flag.constprop.19+0xd/0xd
     do_softirq_own_stack+0x22/0x28
     </SOFTIRQ>
     irq_exit+0x5a/0xa4
     smp_apic_timer_interrupt+0x2a/0x34
     apic_timer_interrupt+0x37/0x3c
    
    By using DEFINE/DECLARE_PER_CPU_ALIGNED we can enforce at least 8 byte
    alignment as all cache line sizes are at least 8 bytes or more.
    
    Fixes: a9e419dc
    
     ("netfilter: merge ctinfo into nfct pointer storage area")
    Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    Acked-by: default avatarFlorian Westphal <fw@strlen.de>
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    170a1fb9