Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
The related xtables-addons bug is:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014680
[ Reason ]
xtables-addons-dkms and xtables-addons-source contain sources for building
kernel modules with DKMS and module-assistant, respectively. The 5.10.0-16
kernel introduced in the 11.4 point release included a patch back-ported from
5.11 to 5.10.121:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/include/net/route.h?h=linux-5.10.y&id=6950ee32c1879818de03f13a9a5de1be41ad2782
This changes the parameters of the `security_skb_classify_flow` function, which
is called by one of the xtables-addons kernel modules, xt_ECHO.c. The calling
code has been updated to pass the correct argument in a later upstream release.
However, the version in Bullseye now fails to build:
/var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c: In function
'echo_tg6':
/var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:100:55: error:
passing argument 2 of 'security_skb_classify_flow' from incompatible pointer
type [-Werror=incompatible-pointer-types]
100 | security_skb_classify_flow((struct sk_buff *)oldskb,
flowi6_to_flowi(&fl));
|
^~~~~~~~~~~~~~~~~~~~
| |
| struct flowi *
In file included from
/usr/src/linux-headers-5.10.0-16-common/include/net/scm.h:8,
from
/usr/src/linux-headers-5.10.0-16-common/include/linux/netlink.h:9,
from
/usr/src/linux-headers-5.10.0-16-common/include/uapi/linux/neighbour.h:6,
from
/usr/src/linux-headers-5.10.0-16-common/include/linux/netdevice.h:46,
from
/usr/src/linux-headers-5.10.0-16-common/include/net/inet_sock.h:19,
from
/usr/src/linux-headers-5.10.0-16-common/include/linux/udp.h:16,
from
/var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:15:
/usr/src/linux-headers-5.10.0-16-common/include/linux/security.h:1660:75:
note: expected 'struct flowi_common *' but argument is of type 'struct flowi *'
1660 | void security_skb_classify_flow(struct sk_buff *skb, struct
flowi_common *flic);
|
~~~~~~~~~~~~~~~~~~~~~^~~~
[ Impact ]
Building the modules fails. This also means that installing the -dkms package
may fail:
Loading new xtables-addons-3.13 DKMS files...
It is likely that 5.19.0-rc3-nf-next-ulthar-20220707+ belongs to a chroot's
host
Building for 5.10.0-16-amd64
Building initial module for 5.10.0-16-amd64
Error! Build of xt_ACCOUNT.ko failed for: 5.10.0-16-amd64 (x86_64)
Make sure the name of the generated module is correct and at the root of the
build directory, or consult make.log in the build directory
/var/lib/dkms/xtables-addons/3.13/build/ for more information.
dpkg: error processing package xtables-addons-dkms (--configure):
installed xtables-addons-dkms package post-installation script subprocess
returned error exit status 7
[ Tests ]
I've used piuparts and manual installation into a Bullseye chroot to verify that
the build fails with the version currently in Bullseye, but succeeds with the
proposed update.
[ Risks ]
The changes are minimal and reuse the upstream fix.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Upstream introduced a C preprocessor conditional to check the kernel version and
ensure that the function is called with the correct arguments. I have added a
patch to the package to make the same change to the packaged source.
diff -Nru xtables-addons-3.13/debian/changelog
xtables-addons-3.13/debian/changelog
--- xtables-addons-3.13/debian/changelog 2020-11-26 08:57:43.000000000
+0000
+++ xtables-addons-3.13/debian/changelog 2022-07-10 13:55:40.000000000
+0100
@@ -1,3 +1,10 @@
+xtables-addons (3.13-1+deb11u1) bullseye; urgency=medium
+
+ * d/patches: add patch to correct `security_skb_classify_flow` argument
+ (closes: #1014680)
+
+ -- Jeremy Sowden <jer...@azazel.net> Sun, 10 Jul 2022 13:55:40 +0100
+
xtables-addons (3.13-1) unstable; urgency=medium
* New upstream version 3.13.
diff -Nru
xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
---
xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
1970-01-01 01:00:00.000000000 +0100
+++
xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
2022-07-10 13:55:40.000000000 +0100
@@ -0,0 +1,24 @@
+Last-Update: 2022-07-10
+Forwarded: not-needed
+Author: Jeremy Sowden <jer...@azazel.net>
+Bug-Debian: https://bugs.debian.org/1014680
+Description: pass correct argument to `security_skb_classify_flow`
+ The second parameter was changed in 5.11. This change has since
+ been back-ported to 5.10.121 and included in Debian 11.4.
+ .
+ This patch contains the upstream fix.
+
+--- a/extensions/xt_ECHO.c
++++ b/extensions/xt_ECHO.c
+@@ -97,7 +97,11 @@
+ memcpy(&fl.daddr, &newip->daddr, sizeof(fl.daddr));
+ fl.fl6_sport = newudp->source;
+ fl.fl6_dport = newudp->dest;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 121)
++ security_skb_classify_flow((struct sk_buff *)oldskb,
flowi6_to_flowi_common(&fl));
++#else
+ security_skb_classify_flow((struct sk_buff *)oldskb,
flowi6_to_flowi(&fl));
++#endif
+ dst = ip6_route_output(net, NULL, &fl);
+ if (dst == NULL || dst->error != 0) {
+ dst_release(dst);
diff -Nru xtables-addons-3.13/debian/patches/series
xtables-addons-3.13/debian/patches/series
--- xtables-addons-3.13/debian/patches/series 2020-11-26 08:57:43.000000000
+0000
+++ xtables-addons-3.13/debian/patches/series 2022-07-10 13:55:40.000000000
+0100
@@ -3,3 +3,4 @@
fix-man-page-typo.patch
add-man-pages-for-MaxMind-scripts.patch
use-correct-download-URL-for-MaxMind-DB-s.patch
+correct-security_skb_classify_flow-argument.patch
