From: <gregkh@linuxfoundation.org>
To: gregkh@linuxfoundation.org, fw@strlen.de, pablo@netfilter.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "[PATCH 2/2] Revert "netfilter: move nat hlist_head to nf_conn"" has been added to the 4.8-stable tree
Date: Wed, 04 Jan 2017 18:39:42 +0100	[thread overview]
Message-ID: <148355158217983@kroah.com> (raw)


This is a note to let you know that I've just added the patch titled

    [PATCH 2/2] Revert "netfilter: move nat hlist_head to nf_conn"

to the 4.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     revert-netfilter-move-nat-hlist_head-to-nf_conn.patch
and it can be found in the queue-4.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 394d96406cae0936778587a09d8be0d998132166 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 4 Jan 2017 18:29:16 +0100
Subject: [PATCH 2/2] Revert "netfilter: move nat hlist_head to nf_conn"

This reverts commit 7c9664351980aaa6a4b8837a314360b3a4ad382a as it is
not working properly.  Please move to 4.9 to get the full fix.

Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/netfilter/nf_conntrack.h        |    3 --
 include/net/netfilter/nf_conntrack_extend.h |    3 ++
 include/net/netfilter/nf_nat.h              |    2 +
 net/netfilter/nf_conntrack_extend.c         |   15 +++++++++++-
 net/netfilter/nf_nat_core.c                 |   33 ++++++++++++++++++++++------
 5 files changed, 44 insertions(+), 12 deletions(-)

--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -117,9 +117,6 @@ struct nf_conn {
 	/* Extensions */
 	struct nf_ct_ext *ext;
 
-#if IS_ENABLED(CONFIG_NF_NAT)
-	struct hlist_node	nat_bysource;
-#endif
 	/* Storage reserved for other modules, must be the last member */
 	union nf_conntrack_proto proto;
 };
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -99,6 +99,9 @@ void *__nf_ct_ext_add_length(struct nf_c
 struct nf_ct_ext_type {
 	/* Destroys relationships (can be NULL). */
 	void (*destroy)(struct nf_conn *ct);
+	/* Called when realloacted (can be NULL).
+	   Contents has already been moved. */
+	void (*move)(void *new, void *old);
 
 	enum nf_ct_ext_id id;
 
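Review bot: The comment on the new `move` member misspells "reallocated" and leaves out the calling context an implementer needs. The only caller added by this patch, in `__nf_ct_ext_add_length()`, invokes the callback between `rcu_read_lock()` and `rcu_read_unlock()`, so an implementation must not sleep. The same caller queues `kfree_rcu(old, rcu)` right after the loop, so `old` should not be retained past the callback. I would write it as `/* Called when reallocated (can be NULL). Contents have already been moved; runs under rcu_read_lock(), must not sleep or keep a reference to old. */`.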
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -29,6 +29,8 @@ struct nf_conn;
 
 /* The structure embedded in the conntrack structure. */
 struct nf_conn_nat {
+	struct hlist_node bysource;
+	struct nf_conn *ct;
 	union nf_conntrack_nat_help help;
 #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \
     IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -73,7 +73,7 @@ void *__nf_ct_ext_add_length(struct nf_c
 			     size_t var_alloc_len, gfp_t gfp)
 {
 	struct nf_ct_ext *old, *new;
-	int newlen, newoff;
+	int i, newlen, newoff;
 	struct nf_ct_ext_type *t;
 
 	/* Conntrack must not be confirmed to avoid races on reallocation. */
@@ -99,8 +99,19 @@ void *__nf_ct_ext_add_length(struct nf_c
 		return NULL;
 
 	if (new != old) {
+		for (i = 0; i < NF_CT_EXT_NUM; i++) {
+			if (!__nf_ct_ext_exist(old, i))
+				continue;
+
+			rcu_read_lock();
+			t = rcu_dereference(nf_ct_ext_types[i]);
+			if (t && t->move)
+				t->move((void *)new + new->offset[i],
+					(void *)old + old->offset[i]);
+			rcu_read_unlock();
+		}
 		kfree_rcu(old, rcu);
-		rcu_assign_pointer(ct->ext, new);
+		ct->ext = new;
 	}
 
 	new->offset[id] = newoff;
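Review bot: `ct->ext = new;` publishes the reallocated extension area with a plain store, where the code being reverted used `rcu_assign_pointer(ct->ext, new)`. That is only safe while no lockless reader can reach `ct->ext`, which the comment earlier in this function ("Conntrack must not be confirmed to avoid races on reallocation") implies but this line does not state. Either keep `rcu_assign_pointer(ct->ext, new);`, which keeps the ordering explicit, or add `/* ct is unconfirmed: no concurrent readers of ct->ext, a plain store is enough */` above the assignment. The `rcu_read_lock()`/`rcu_read_unlock()` pair could also be taken once around the `for` loop instead of once per iteration. The function body begins and ends outside this hunk.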
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -198,9 +198,11 @@ find_appropriate_src(struct net *net,
 		     const struct nf_nat_range *range)
 {
 	unsigned int h = hash_by_src(net, tuple);
+	const struct nf_conn_nat *nat;
 	const struct nf_conn *ct;
 
-	hlist_for_each_entry_rcu(ct, &nf_nat_bysource[h], nat_bysource) {
+	hlist_for_each_entry_rcu(nat, &nf_nat_bysource[h], bysource) {
+		ct = nat->ct;
 		if (same_src(ct, tuple) &&
 		    net_eq(net, nf_ct_net(ct)) &&
 		    nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) {
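Review bot: `ct = nat->ct;` is handed to `same_src()` and `nf_ct_net()` without a NULL check. The `nf_nat_proto_clean()` hunk further down (`@@ -554,8 +557,9 @@`) stores `nat->ct = NULL` right after `hlist_del_rcu(&nat->bysource)`, with no grace period in between. A reader already positioned on that node under RCU may therefore load a NULL `ct`; whether the two paths can really overlap depends on callers outside this diff. A defensive form is `ct = READ_ONCE(nat->ct);` followed by `if (!ct) continue;`. The body of `find_appropriate_src()` starts before and continues past the hunk.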
@@ -434,7 +436,8 @@ nf_nat_setup_info(struct nf_conn *ct,
 		spin_lock_bh(&nf_nat_lock);
 		/* nf_conntrack_alter_reply might re-allocate extension aera */
 		nat = nfct_nat(ct);
-		hlist_add_head_rcu(&ct->nat_bysource,
+		nat->ct = ct;
+		hlist_add_head_rcu(&nat->bysource,
 				   &nf_nat_bysource[srchash]);
 		spin_unlock_bh(&nf_nat_lock);
 	}
@@ -541,7 +544,7 @@ static int nf_nat_proto_clean(struct nf_
 	if (nf_nat_proto_remove(ct, data))
 		return 1;
 
-	if (!nat)
+	if (!nat || !nat->ct)
 		return 0;
 
 	/* This netns is being destroyed, and conntrack has nat null binding.
@@ -554,8 +557,9 @@ static int nf_nat_proto_clean(struct nf_
 		return 1;
 
 	spin_lock_bh(&nf_nat_lock);
-	hlist_del_rcu(&ct->nat_bysource);
+	hlist_del_rcu(&nat->bysource);
 	ct->status &= ~IPS_NAT_DONE_MASK;
+	nat->ct = NULL;
 	spin_unlock_bh(&nf_nat_lock);
 
 	add_timer(&ct->timeout);
@@ -685,13 +689,27 @@ static void nf_nat_cleanup_conntrack(str
 {
 	struct nf_conn_nat *nat = nf_ct_ext_find(ct, NF_CT_EXT_NAT);
 
-	if (!nat)
+	if (nat == NULL || nat->ct == NULL)
 		return;
 
-	NF_CT_ASSERT(ct->status & IPS_SRC_NAT_DONE);
+	NF_CT_ASSERT(nat->ct->status & IPS_SRC_NAT_DONE);
+
+	spin_lock_bh(&nf_nat_lock);
+	hlist_del_rcu(&nat->bysource);
+	spin_unlock_bh(&nf_nat_lock);
+}
+
+static void nf_nat_move_storage(void *new, void *old)
+{
+	struct nf_conn_nat *new_nat = new;
+	struct nf_conn_nat *old_nat = old;
+	struct nf_conn *ct = old_nat->ct;
+
+	if (!ct || !(ct->status & IPS_SRC_NAT_DONE))
+		return;
 
 	spin_lock_bh(&nf_nat_lock);
-	hlist_del_rcu(&ct->nat_bysource);
+	hlist_replace_rcu(&old_nat->bysource, &new_nat->bysource);
 	spin_unlock_bh(&nf_nat_lock);
 }
 
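Review bot: `nf_nat_move_storage()` has no comment, and both it and `nf_nat_cleanup_conntrack()` test `nat->ct` before taking `nf_nat_lock`; the move callback also tests `ct->status & IPS_SRC_NAT_DONE` there. `nf_nat_proto_clean()` changes both fields while holding that lock. If these paths can run concurrently for the same conntrack, which this diff does not show, `hlist_del_rcu()` or `hlist_replace_rcu()` could act on a node that was just unlinked; doing the checks after `spin_lock_bh(&nf_nat_lock);` would close that window. At minimum add a header comment such as `/* Relink bysource after the extension area moved; called from __nf_ct_ext_add_length() before old is handed to kfree_rcu(). */` so the dependency on the caller is recorded.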
@@ -699,6 +717,7 @@ static struct nf_ct_ext_type nat_extend
 	.len		= sizeof(struct nf_conn_nat),
 	.align		= __alignof__(struct nf_conn_nat),
 	.destroy	= nf_nat_cleanup_conntrack,
+	.move		= nf_nat_move_storage,
 	.id		= NF_CT_EXT_NAT,
 	.flags		= NF_CT_EXT_F_PREALLOC,
 };


Patches currently in stable-queue which might be from gregkh@linuxfoundation.org are

queue-4.8/btrfs-make-file-clone-aware-of-fatal-signals.patch
queue-4.8/cifs-fix-missing-nls-unload-in-smb2_reconnect.patch
queue-4.8/ext4-reject-inodes-with-negative-size.patch
queue-4.8/alsa-hda-ignore-the-assoc-and-seq-when-comparing-pin-configurations.patch
queue-4.8/btrfs-fix-qgroup-rescan-worker-initialization.patch
queue-4.8/btrfs-fix-memory-leak-in-reading-btree-blocks.patch
queue-4.8/watchdog-qcom-fix-kernel-panic-due-to-external-abort-on-non-linefetch.patch
queue-4.8/block_dev-don-t-test-bdev-bd_contains-when-it-is-not-stable.patch
queue-4.8/dm-raid-fix-discard-support-regression.patch
queue-4.8/asoc-intel-fix-crash-at-suspend-resume-without-card-registration.patch
queue-4.8/usb-serial-kl5kusb105-fix-open-error-path.patch
queue-4.8/nvmet-fix-possible-infinite-loop-triggered-on-hot-namespace-removal.patch
queue-4.8/btrfs-fix-relocation-incorrectly-dropping-data-references.patch
queue-4.8/ext4-fix-in-superblock-mount-options-processing.patch
queue-4.8/btrfs-fix-deadlock-caused-by-fsync-when-logging-directory-entries.patch
queue-4.8/fs-exec-apply-cloexec-before-changing-dumpable-task-flags.patch
queue-4.8/btrfs-fix-a-possible-umount-deadlock.patch
queue-4.8/mm-add-a-user_ns-owner-to-mm_struct-and-fix-ptrace-permission-checks.patch
queue-4.8/exec-ensure-mm-user_ns-contains-the-execed-files.patch
queue-4.8/usb-gadget-composite-always-set-ep-mult-to-a-sensible-value.patch
queue-4.8/btrfs-fix-emptiness-check-for-dirtied-extent-buffers-at-check_leaf.patch
queue-4.8/usb-serial-option-add-dlink-dwm-158.patch
queue-4.8/btrfs-limit-async_work-allocation-and-worker-func-duration.patch
queue-4.8/btrfs-clean-the-old-superblocks-before-freeing-the-device.patch
queue-4.8/arm64-mark-reserved-memblock-regions-explicitly-in-iomem.patch
queue-4.8/watchdog-mei_wdt-request-stop-on-reboot-to-prevent-false-positive-event.patch
queue-4.8/crypto-caam-fix-aead-givenc-descriptors.patch
queue-4.8/btrfs-bail-out-if-block-group-has-different-mixed-flag.patch
queue-4.8/dm-rq-fix-a-race-condition-in-rq_completed.patch
queue-4.8/loop-return-proper-error-from-loop_queue_rq.patch
queue-4.8/ext4-fix-mballoc-breakage-with-64k-block-size.patch
queue-4.8/btrfs-fix-incremental-send-failure-caused-by-balance.patch
queue-4.8/ptrace-capture-the-ptracer-s-creds-not-pt_ptrace_cap.patch
queue-4.8/ext4-do-not-perform-data-journaling-when-data-is-encrypted.patch
queue-4.8/usb-gadget-f_uac2-fix-error-handling-at-afunc_bind.patch
queue-4.8/ext4-use-more-strict-checks-for-inodes_per_block-on-mount.patch
queue-4.8/btrfs-return-gracefully-from-balance-if-fs-tree-is-corrupted.patch
queue-4.8/btrfs-fix-tree-search-logic-when-replaying-directory-entry-deletes.patch
queue-4.8/ext4-add-sanity-checking-to-count_overhead.patch
queue-4.8/mm-page_alloc-keep-pcp-count-and-list-contents-in-sync-if-struct-page-is-corrupted.patch
queue-4.8/usb-cdc-acm-add-device-id-for-gw-instek-afg-125.patch
queue-4.8/alsa-hda-when-comparing-pin-configurations-ignore-assoc-in-addition-to-seq.patch
queue-4.8/btrfs-store-and-load-values-of-stripes_min-stripes_max-in-balance-status-item.patch
queue-4.8/xen-gntdev-use-vm_mixedmap-instead-of-vm_io-to-avoid-numa-balancing.patch
queue-4.8/btrfs-don-t-bug-during-drop-snapshot.patch
queue-4.8/alsa-hda-ca0132-add-quirk-for-alienware-15-r2-2016.patch
queue-4.8/revert-netfilter-nat-convert-nat-bysrc-hash-to.patch
queue-4.8/dm-flakey-return-einval-on-interval-bounds-error-in-flakey_ctr.patch
queue-4.8/blk-mq-do-not-invoke-.queue_rq-for-a-stopped-queue.patch
queue-4.8/dm-space-map-metadata-fix-struct-sm_metadata-leak-on-failed-create.patch
queue-4.8/btrfs-don-t-leak-reloc-root-nodes-on-error.patch
queue-4.8/usb-dwc3-gadget-set-pcm1-field-of-isochronous-first-trbs.patch
queue-4.8/f2fs-fix-overflow-due-to-condition-check-order.patch
queue-4.8/revert-f2fs-use-percpu_counter-for-of-dirty-pages-in-inode.patch
queue-4.8/mm-vmscan.c-set-correct-defer-count-for-shrinker.patch
queue-4.8/ext4-return-enomem-instead-of-success.patch
queue-4.8/driver-core-fix-race-between-creating-querying-glue-dir-and-its-cleanup.patch
queue-4.8/alsa-hda-gate-the-mic-jack-on-hp-z1-gen3-aio.patch
queue-4.8/xfs-set-agi-buffer-type-in-xlog_recover_clear_agi_bucket.patch
queue-4.8/btrfs-fix-bug_on-in-btrfs_mark_buffer_dirty.patch
queue-4.8/alsa-usb-audio-add-quickcam-communicate-deluxe-s7500-to-volume_control_quirks.patch
queue-4.8/kernel-debug-debug_core.c-more-properly-delay-for-secondary-cpus.patch
queue-4.8/usb-serial-option-add-support-for-telit-le922a-pids-0x1040-0x1041.patch
queue-4.8/f2fs-set-owner-for-debugfs-status-file-s-file_operations.patch
queue-4.8/arm-xen-use-alloc_percpu-rather-than-__alloc_percpu.patch
queue-4.8/alsa-hda-fix-headset-mic-problem-on-a-dell-laptop.patch
queue-4.8/kernel-watchdog-use-nmi-registers-snapshot-in-hardlockup-handler.patch
queue-4.8/usbip-vudc-fix-clear-already_seen-flag-also-for-ep0.patch
queue-4.8/dm-table-fix-all_blk_mq-inconsistency-when-an-empty-table-is-loaded.patch
queue-4.8/aoe-fix-crash-in-page-count-manipulation.patch
queue-4.8/dm-crypt-mark-key-as-invalid-until-properly-loaded.patch
queue-4.8/revert-netfilter-move-nat-hlist_head-to-nf_conn.patch
queue-4.8/cifs-fix-a-possible-memory-corruption-in-push-locks.patch
queue-4.8/cifs-fix-a-possible-memory-corruption-during-reconnect.patch
queue-4.8/usb-uhci-report-non-pme-wakeup-signalling-for-intel-hardware.patch
queue-4.8/usb-gadget-composite-correctly-initialize-ep-maxpacket.patch
queue-4.8/pm-opp-pass-opp_table-to-dev_pm_opp_put_regulator.patch
queue-4.8/alsa-hiface-fix-m2tech-hiface-driver-sampling-rate-change.patch
queue-4.8/tpm-xen-remove-bogus-tpm_chip_unregister.patch
queue-4.8/dm-table-an-all_blk_mq-table-must-be-loaded-for-a-blk-mq-dm-device.patch
queue-4.8/ext4-fix-stack-memory-corruption-with-64k-block-size.patch
queue-4.8/vfs-mm-fix-return-value-of-read-at-s_maxbytes.patch
queue-4.8/btrfs-fix-memory-leak-in-do_walk_down.patch
queue-4.8/usb-hub-fix-auto-remount-of-safely-removed-or-ejected-usb-3-devices.patch
queue-4.8/clk-ti-omap36xx-work-around-sprz319-advisory-2.1.patch
