[pkg-netfilter-team] nftables: kernel BUG at lib/list_debug.c:53

Tim Düsterhus public+debian.org at bastelstu.be
Tue Sep 10 22:00:01 BST 2019


Vincent,
Maintainers,

On 17.07.19 at 19:32, Vincent Tondellier wrote:
> I think it's fixed by this patch:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/plain/releases/4.19.38/netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=203039
> 
> There were some critical bugfixes for nftables in 4.19.38 and 4.19.44,
> but buster is still using 4.19.37.
> 
> I tried building a vanilla 4.19.59 and excepting a (harmless ?) warning
> ("WARNING: CPU: 0 PID: 176 at net/netfilter/nf_tables_api.c:3588
> nft_set_destroy+0x45/0x50 [nf_tables]) when the nf_tables_set module
> is not loaded before using nftables, everything seems to work fine.
> 

I've re-attempted the upgrade after the point release. With Linux
4.19.67-2 I'm still seeing the issue. The backtrace is slightly
different, though. `nf_tables_rule_destroy` no longer appears. Instead
it's `nf_tables_rule_release` now.

> Sep 10 20:53:35 buster-test kernel: list_del corruption. prev->next should be ffff9dbc35050000, but was 0000028800000f78
> Sep 10 20:53:35 buster-test kernel: ------------[ cut here ]------------
> Sep 10 20:53:35 buster-test kernel: kernel BUG at lib/list_debug.c:53!
> Sep 10 20:53:35 buster-test kernel: invalid opcode: 0000 [#1] SMP PTI
> Sep 10 20:53:35 buster-test kernel: CPU: 0 PID: 394 Comm: nft Tainted: P           OE     4.19.0-6-amd64 #1 Debian 4.19.67-2
> Sep 10 20:53:35 buster-test kernel: Hardware name: Hetzner vServer, BIOS 20171111 11/11/2017
> Sep 10 20:53:35 buster-test kernel: RIP: 0010:__list_del_entry_valid.cold.1+0x34/0x4c
> Sep 10 20:53:35 buster-test kernel: Code: ae c9 9e e8 78 96 d0 ff 0f 0b 48 c7 c7 c8 ae c9 9e e8 6a 96 d0 ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 88 ae c9 9e e8 56 96 d0 ff <0f> 0b 48 89 fe 48 c7 c7 50 ae c9 9e e8 45 96 d0 ff 0f 0b 90 90 90
> Sep 10 20:53:35 buster-test kernel: RSP: 0018:ffffb031804bb968 EFLAGS: 00010246
> Sep 10 20:53:35 buster-test kernel: RAX: 0000000000000054 RBX: ffff9dbc35e56260 RCX: 0000000000000000
> Sep 10 20:53:35 buster-test kernel: RDX: 0000000000000000 RSI: ffff9dbc3aa166b8 RDI: ffff9dbc3aa166b8
> Sep 10 20:53:35 buster-test kernel: RBP: ffff9dbc35050000 R08: 00000000000001c4 R09: 0000000000000007
> Sep 10 20:53:35 buster-test kernel: R10: 0000000000000738 R11: ffffffff9f3f26ed R12: 0000000000000000
> Sep 10 20:53:35 buster-test kernel: R13: ffffb031804bb9f8 R14: 000000000000000c R15: ffff9dbc353386c8
> Sep 10 20:53:35 buster-test kernel: FS:  00007f1eafda3200(0000) GS:ffff9dbc3aa00000(0000) knlGS:0000000000000000
> Sep 10 20:53:35 buster-test kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> Sep 10 20:53:35 buster-test kernel: CR2: 00007f49072a8114 CR3: 0000000076502004 CR4: 00000000003606f0
> Sep 10 20:53:35 buster-test kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> Sep 10 20:53:35 buster-test kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Sep 10 20:53:35 buster-test kernel: Call Trace:
> Sep 10 20:53:35 buster-test kernel:  nf_tables_unbind_set+0x64/0xa0 [nf_tables]
> Sep 10 20:53:35 buster-test kernel:  nf_tables_rule_release+0x56/0x90 [nf_tables]
> Sep 10 20:53:35 buster-test kernel:  nf_tables_newrule+0x5c1/0x970 [nf_tables]
> Sep 10 20:53:35 buster-test kernel:  ? unmap_page_range+0x851/0xa60
> Sep 10 20:53:35 buster-test kernel:  nfnetlink_rcv_batch+0x4aa/0x660 [nfnetlink]
> Sep 10 20:53:35 buster-test kernel:  ? vmap_page_range_noflush+0x26e/0x380
> Sep 10 20:53:35 buster-test kernel:  ? refcount_inc_checked+0x5/0x30
> Sep 10 20:53:35 buster-test kernel:  ? apparmor_capable+0x6b/0xc0
> Sep 10 20:53:35 buster-test kernel:  ? nla_parse+0x31/0xe0
> Sep 10 20:53:35 buster-test kernel:  nfnetlink_rcv+0x10c/0x141 [nfnetlink]
> Sep 10 20:53:35 buster-test kernel:  netlink_unicast+0x181/0x210
> Sep 10 20:53:35 buster-test kernel:  netlink_sendmsg+0x204/0x3d0
> Sep 10 20:53:35 buster-test kernel:  sock_sendmsg+0x36/0x40
> Sep 10 20:53:35 buster-test kernel:  ___sys_sendmsg+0x295/0x2f0
> Sep 10 20:53:35 buster-test kernel:  ? mem_cgroup_commit_charge+0x7a/0x560
> Sep 10 20:53:35 buster-test kernel:  ? mem_cgroup_try_charge+0x86/0x190
> Sep 10 20:53:35 buster-test kernel:  ? refcount_inc_checked+0x5/0x30
> Sep 10 20:53:35 buster-test kernel:  ? apparmor_capable+0x6b/0xc0
> Sep 10 20:53:35 buster-test kernel:  ? security_capable+0x35/0x50
> Sep 10 20:53:35 buster-test kernel:  ? release_sock+0x19/0x90
> Sep 10 20:53:35 buster-test kernel:  __sys_sendmsg+0x57/0xa0
> Sep 10 20:53:35 buster-test kernel:  do_syscall_64+0x53/0x110
> Sep 10 20:53:35 buster-test kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> Sep 10 20:53:35 buster-test kernel: RIP: 0033:0x7f1eb011b914
> Sep 10 20:53:35 buster-test kernel: Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53
> Sep 10 20:53:35 buster-test kernel: RSP: 002b:00007ffffc696508 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> Sep 10 20:53:35 buster-test kernel: RAX: ffffffffffffffda RBX: 00007ffffc696520 RCX: 00007f1eb011b914
> Sep 10 20:53:35 buster-test kernel: RDX: 0000000000000000 RSI: 00007ffffc697580 RDI: 0000000000000003
> Sep 10 20:53:35 buster-test kernel: RBP: 00007ffffc697680 R08: 0000000000000004 R09: 000055ff26b15c90
> Sep 10 20:53:35 buster-test kernel: R10: 00007ffffc69756c R11: 0000000000000246 R12: 00007ffffc6976f0
> Sep 10 20:53:35 buster-test kernel: R13: 00007ffffc696520 R14: 00007ffffc696520 R15: 000055ff26b0ef20
> Sep 10 20:53:35 buster-test kernel: Modules linked in: nft_limit nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c crc32c_generic nf_tables_set nf_tables nfnetlink ip_tables x_tables autofs4 hid_generic usbhid hid zfs(POE) zunicode(POE) zavl(POE) icp(POE) zcommon(POE) znvpair(POE) spl(OE) sr_mod cdrom sd_mod ata_generic virtio_scsi virtio_net net_failover failover crc32c_intel ata_piix uhci_hcd libata ehci_hcd aesni_intel scsi_mod aes_x86_64 psmouse crypto_simd usbcore cryptd glue_helper virtio_pci virtio_ring virtio i2c_piix4 usb_common floppy
> Sep 10 20:53:35 buster-test kernel: ---[ end trace 736fb626f5cf6389 ]---
> Sep 10 20:53:35 buster-test kernel: RIP: 0010:__list_del_entry_valid.cold.1+0x34/0x4c
> Sep 10 20:53:35 buster-test kernel: Code: ae c9 9e e8 78 96 d0 ff 0f 0b 48 c7 c7 c8 ae c9 9e e8 6a 96 d0 ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 88 ae c9 9e e8 56 96 d0 ff <0f> 0b 48 89 fe 48 c7 c7 50 ae c9 9e e8 45 96 d0 ff 0f 0b 90 90 90
> Sep 10 20:53:35 buster-test kernel: RSP: 0018:ffffb031804bb968 EFLAGS: 00010246
> Sep 10 20:53:35 buster-test kernel: RAX: 0000000000000054 RBX: ffff9dbc35e56260 RCX: 0000000000000000
> Sep 10 20:53:35 buster-test kernel: RDX: 0000000000000000 RSI: ffff9dbc3aa166b8 RDI: ffff9dbc3aa166b8
> Sep 10 20:53:35 buster-test kernel: RBP: ffff9dbc35050000 R08: 00000000000001c4 R09: 0000000000000007
> Sep 10 20:53:35 buster-test kernel: R10: 0000000000000738 R11: ffffffff9f3f26ed R12: 0000000000000000
> Sep 10 20:53:35 buster-test kernel: R13: ffffb031804bb9f8 R14: 000000000000000c R15: ffff9dbc353386c8
> Sep 10 20:53:35 buster-test kernel: FS:  00007f1eafda3200(0000) GS:ffff9dbc3aa00000(0000) knlGS:0000000000000000
> Sep 10 20:53:35 buster-test kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> Sep 10 20:53:35 buster-test kernel: CR2: 00007f49072a8114 CR3: 0000000076502004 CR4: 00000000003606f0
> Sep 10 20:53:35 buster-test kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> Sep 10 20:53:35 buster-test kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Best regards
Tim Düsterhus
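
An added example, not part of the original message or of any Debian or kernel tooling: a small Python parser that reduces an oops like the one quoted above to a comparable signature, keeping only the definite call-trace frames, so that two reports (for instance from before and after a kernel upgrade) can be compared frame by frame. The names `parse_oops` and `signature` are hypothetical; the sample is a trimmed excerpt of the log in this message.

```python
import re

# Trimmed excerpt of the oops quoted in the message above (syslog prefix kept).
SAMPLE = """\
Sep 10 20:53:35 buster-test kernel: list_del corruption. prev->next should be ffff9dbc35050000, but was 0000028800000f78
Sep 10 20:53:35 buster-test kernel: kernel BUG at lib/list_debug.c:53!
Sep 10 20:53:35 buster-test kernel: CPU: 0 PID: 394 Comm: nft Tainted: P           OE     4.19.0-6-amd64 #1 Debian 4.19.67-2
Sep 10 20:53:35 buster-test kernel: Call Trace:
Sep 10 20:53:35 buster-test kernel:  nf_tables_unbind_set+0x64/0xa0 [nf_tables]
Sep 10 20:53:35 buster-test kernel:  nf_tables_rule_release+0x56/0x90 [nf_tables]
Sep 10 20:53:35 buster-test kernel:  nf_tables_newrule+0x5c1/0x970 [nf_tables]
Sep 10 20:53:35 buster-test kernel:  ? unmap_page_range+0x851/0xa60
Sep 10 20:53:35 buster-test kernel:  nfnetlink_rcv_batch+0x4aa/0x660 [nfnetlink]
Sep 10 20:53:35 buster-test kernel: RIP: 0033:0x7f1eb011b914
"""

PREFIX = re.compile(r"^.*? kernel: ")
FRAME = re.compile(r"^\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
BUG = re.compile(r"kernel BUG at (\S+?):(\d+)!")
LISTDEL = re.compile(r"list_del corruption\. prev->next should be ([0-9a-f]+), but was ([0-9a-f]+)")
CPU = re.compile(r"PID: (\d+) Comm: (\S+) .*?(\S+) #\d+ Debian (\S+)")

def parse_oops(text):
    """Reduce one oops to the fields needed to compare it with another."""
    sig = {"frames": [], "modules": set()}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if m := LISTDEL.search(line):
            sig["expected"], sig["found"] = m.groups()
        elif m := BUG.search(line):
            sig["bug_at"] = f"{m[1]}:{m[2]}"
        elif m := CPU.search(line):
            sig["pid"], sig["comm"], sig["release"], sig["package"] = m.groups()
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            if not m[1]:            # "?" frames are unreliable stack leftovers
                sig["frames"].append(m[2])
                if m[3]:
                    sig["modules"].add(m[3])
        elif in_trace:
            in_trace = False        # first non-frame line ends the kernel trace
    return sig

def signature(sig, depth=3):
    """Stable key for deduplicating reports: BUG site plus top definite frames."""
    return sig.get("bug_at", "?") + "|" + ">".join(sig["frames"][:depth])
```

Comparing the `frames` lists of two parsed reports shows directly where the traces diverge, and `signature` gives a key for grouping identical crashes across hosts.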


