
Bug#1014705: marked as done (bullseye-pu: package xtables-addons/3.13-1+deb11u1)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1014705,
regarding bullseye-pu: package xtables-addons/3.13-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1014705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014705
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

The related xtables-addons bug is:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014680

[ Reason ]
xtables-addons-dkms and xtables-addons-source contain sources for building
kernel modules with DKMS and module-assistant, respectively.  The 5.10.0-16
kernel introduced in the 11.4 point release included a patch back-ported from
5.11 to 5.10.121:

  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/include/net/route.h?h=linux-5.10.y&id=6950ee32c1879818de03f13a9a5de1be41ad2782

This changes the parameters of the `security_skb_classify_flow` function, which
is called by one of the xtables-addons kernel modules, xt_ECHO.c.  The calling
code has been updated to pass the correct argument in a later upstream release.
However, the version in Bullseye now fails to build:

  /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c: In function 'echo_tg6':
  /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:100:55: error: passing argument 2 of 'security_skb_classify_flow' from incompatible pointer type [-Werror=incompatible-pointer-types]
    100 |  security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
        |                                                       ^~~~~~~~~~~~~~~~~~~~
        |                                                       |
        |                                                       struct flowi *
  In file included from /usr/src/linux-headers-5.10.0-16-common/include/net/scm.h:8,
                   from /usr/src/linux-headers-5.10.0-16-common/include/linux/netlink.h:9,
                   from /usr/src/linux-headers-5.10.0-16-common/include/uapi/linux/neighbour.h:6,
                   from /usr/src/linux-headers-5.10.0-16-common/include/linux/netdevice.h:46,
                   from /usr/src/linux-headers-5.10.0-16-common/include/net/inet_sock.h:19,
                   from /usr/src/linux-headers-5.10.0-16-common/include/linux/udp.h:16,
                   from /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:15:
  /usr/src/linux-headers-5.10.0-16-common/include/linux/security.h:1660:75: note: expected 'struct flowi_common *' but argument is of type 'struct flowi *'
   1660 | void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
        |                                                      ~~~~~~~~~~~~~~~~~~~~~^~~~

[ Impact ]
Building the modules fails.  This also means that installing the -dkms package
may fail:

  Loading new xtables-addons-3.13 DKMS files...
  It is likely that 5.19.0-rc3-nf-next-ulthar-20220707+ belongs to a chroot's host
  Building for 5.10.0-16-amd64
  Building initial module for 5.10.0-16-amd64
  Error!  Build of xt_ACCOUNT.ko failed for: 5.10.0-16-amd64 (x86_64)
  Make sure the name of the generated module is correct and at the root of the
  build directory, or consult make.log in the build directory
  /var/lib/dkms/xtables-addons/3.13/build/ for more information.
  dpkg: error processing package xtables-addons-dkms (--configure):
   installed xtables-addons-dkms package post-installation script subprocess returned error exit status 7

[ Tests ]
I've used piuparts and manual installation into a Bullseye chroot to verify that
the build fails with the version currently in Bullseye, but succeeds with the
proposed update.

[ Risks ]
The changes are minimal and reuse the upstream fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Upstream introduced a C preprocessor conditional to check the kernel version and
ensure that the function is called with the correct arguments.  I have added a
patch to the package to make the same change to the packaged source.
diff -Nru xtables-addons-3.13/debian/changelog xtables-addons-3.13/debian/changelog
--- xtables-addons-3.13/debian/changelog	2020-11-26 08:57:43.000000000 +0000
+++ xtables-addons-3.13/debian/changelog	2022-07-10 13:55:40.000000000 +0100
@@ -1,3 +1,10 @@
+xtables-addons (3.13-1+deb11u1) bullseye; urgency=medium
+
+  * d/patches: add patch to correct `security_skb_classify_flow` argument
+    (closes: #1014680)
+
+ -- Jeremy Sowden <jeremy@azazel.net>  Sun, 10 Jul 2022 13:55:40 +0100
+
 xtables-addons (3.13-1) unstable; urgency=medium
 
   * New upstream version 3.13.
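Review bot: the new changelog entry at the top of this hunk records what was patched but not why. The line "add patch to correct `security_skb_classify_flow` argument" would serve readers of the point-release changelog better if it also said that this fixes the module build failure against kernels from 5.10.121 onwards, which is the reason given in the request above.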
diff -Nru xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
--- xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch	1970-01-01 01:00:00.000000000 +0100
+++ xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch	2022-07-10 13:55:40.000000000 +0100
@@ -0,0 +1,24 @@
+Last-Update: 2022-07-10
+Forwarded: not-needed
+Author: Jeremy Sowden <jeremy@azazel.net>
+Bug-Debian: https://bugs.debian.org/1014680
+Description: pass correct argument to `security_skb_classify_flow`
+ The second parameter was changed in 5.11.  This change has since
+ been back-ported to 5.10.121 and included in Debian 11.4.
+ .
+ This patch contains the upstream fix.
+
+--- a/extensions/xt_ECHO.c
++++ b/extensions/xt_ECHO.c
+@@ -97,7 +97,11 @@
+ 	memcpy(&fl.daddr, &newip->daddr, sizeof(fl.daddr));
+ 	fl.fl6_sport = newudp->source;
+ 	fl.fl6_dport = newudp->dest;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 121)
++	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi_common(&fl));
++#else
+ 	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
++#endif
+ 	dst = ip6_route_output(net, NULL, &fl);
+ 	if (dst == NULL || dst->error != 0) {
+ 		dst_release(dst);
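Review bot: the DEP-3 header of the new patch file says "This patch contains the upstream fix" but has no Origin field identifying the upstream commit, and Author names the packager. An Origin line pointing at the upstream change would let a later maintainer confirm the patch can be dropped once the package moves to a newer upstream release. In the xt_ECHO.c hunk itself, the threshold in `#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 121)` is explained only in the header, so a short comment beside the conditional noting that 5.10.121 is the stable back-port of the 5.11 signature change would keep the reason with the code.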
diff -Nru xtables-addons-3.13/debian/patches/series xtables-addons-3.13/debian/patches/series
--- xtables-addons-3.13/debian/patches/series	2020-11-26 08:57:43.000000000 +0000
+++ xtables-addons-3.13/debian/patches/series	2022-07-10 13:55:40.000000000 +0100
@@ -3,3 +3,4 @@
 fix-man-page-typo.patch
 add-man-pages-for-MaxMind-scripts.patch
 use-correct-download-URL-for-MaxMind-DB-s.patch
+correct-security_skb_classify_flow-argument.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---
