
Commit 9e069367 authored by Min Chong Committed by Amit Pundir

netfilter: Change %p to %pK in debug messages



The format specifier %p can leak kernel addresses
while not honoring the kptr_restrict system setting.
Use %pK instead of %p, which also evaluates whether
kptr_restrict is set.

Bug: 31796940
Change-Id: Ia2946d6b493126d68281f97778faf578247f088e
Signed-off-by: Min Chong <mchong@google.com>
[AmitP: cherry-picked from kernel/msm]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
parent 960f02c7
+9 −9
@@ -235,7 +235,7 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
static void
clean_from_lists(struct nf_conn *ct)
{
	pr_debug("clean_from_lists(%p)\n", ct);
	pr_debug("clean_from_lists(%pK)\n", ct);
	hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
	hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode);

@@ -294,7 +294,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
	struct net *net = nf_ct_net(ct);
	struct nf_conntrack_l4proto *l4proto;

	pr_debug("destroy_conntrack(%p)\n", ct);
	pr_debug("destroy_conntrack(%pK)\n", ct);
	NF_CT_ASSERT(atomic_read(&nfct->use) == 0);
	NF_CT_ASSERT(!timer_pending(&ct->timeout));

@@ -321,7 +321,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
	if (ct->master)
		nf_ct_put(ct->master);

	pr_debug("destroy_conntrack: returning ct=%p to slab\n", ct);
	pr_debug("destroy_conntrack: returning ct=%pK to slab\n", ct);
	nf_conntrack_free(ct);
}

@@ -954,7 +954,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
		spin_lock(&nf_conntrack_expect_lock);
		exp = nf_ct_find_expectation(net, zone, tuple);
		if (exp) {
			pr_debug("conntrack: expectation arrives ct=%p exp=%p\n",
			pr_debug("conntrack: expectation arrives ct=%pK exp=%pK\n",
				 ct, exp);
			/* Welcome, Mr. Bond.  We've been expecting you... */
			__set_bit(IPS_EXPECTED_BIT, &ct->status);
@@ -1043,14 +1043,14 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
	} else {
		/* Once we've had two way comms, always ESTABLISHED. */
		if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
			pr_debug("nf_conntrack_in: normal packet for %p\n", ct);
			pr_debug("nf_conntrack_in: normal packet for %pK\n", ct);
			*ctinfo = IP_CT_ESTABLISHED;
		} else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
			pr_debug("nf_conntrack_in: related packet for %p\n",
			pr_debug("nf_conntrack_in: related packet for %pK\n",
				 ct);
			*ctinfo = IP_CT_RELATED;
		} else {
			pr_debug("nf_conntrack_in: new packet for %p\n", ct);
			pr_debug("nf_conntrack_in: new packet for %pK\n", ct);
			*ctinfo = IP_CT_NEW;
		}
		*set_reply = 0;
@@ -1192,7 +1192,7 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
	/* Should be unconfirmed, so not in hash table yet */
	NF_CT_ASSERT(!nf_ct_is_confirmed(ct));

	pr_debug("Altering reply tuple of %p to ", ct);
	pr_debug("Altering reply tuple of %pK to ", ct);
	nf_ct_dump_tuple(newreply);

	ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
@@ -1764,7 +1764,7 @@ int nf_conntrack_init_net(struct net *net)
	if (!net->ct.stat)
		goto err_pcpu_lists;

	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%pK", net);
	if (!net->ct.slabname)
		goto err_slabname;
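Review bot: The last change, in nf_conntrack_init_net, is not a debug message: the `kasprintf()` result is stored in `net->ct.slabname`, where the pointer appears to act as a per-namespace uniqueness suffix rather than as diagnostic output. With `%pK` the formatted value depends on kptr_restrict and on the caller's privileges, so whenever the address is censored every namespace would presumably get the same name, which can collide wherever that name is registered (the consumer is outside the hunk, so this needs confirming). Deriving the name from a non-address identifier avoids both the address disclosure and the collision, for example `net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%u", net->ns.inum);` if this tree has `ns.inum`. The function body continues outside the hunk.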