[pkg-netfilter-team] Bug#931574: nftables: kernel BUG at lib/list_debug.c:53

Vincent Tondellier tonton+dbug at team1664.org
Wed Jul 17 18:32:21 BST 2019


Control: reassign -1 linux

(reassigning to the linux package because it's a kernel bug)

On Sunday 7 July 2019 21:26:40 CEST, Tim Duesterhus wrote:
> I performed a test upgrade of a cloud VM running Debian Stretch
> to buster. After the upgrade the VM does not boot any longer if
> the `nftables.service` is enabled and the 4.19 kernel is used,
> because a kernel assertion is violated.
>
> The old 4.9 kernel from stretch works fine. 

Same here. I tried to update a VM with a moderately complex firewall (and an 
untainted kernel), and it randomly crashes when loading nftables rules with 
a similar trace. No problems with 4.9. Fails with 4.19 from backports.

[...]

> It looks like (one of) the two `flow table` lines are at fault,
> but I am not able to confirm this for sure, because the assertion
> is not 100% reliably triggered.

I can reproduce your crash quite reliably, maybe because I have kernel 
hardening enabled (page_poison=1 slab_nomerge).

Can you try removing the anonymous sets from your configuration?
Replacing "tcp dport { 22 }" with "tcp dport 22" in your example seems 
to resolve the crash.
Unfortunately, doing the same in my config is almost a full rewrite ...

I think it's fixed by this patch:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/plain/releases/4.19.38/netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
https://bugzilla.kernel.org/show_bug.cgi?id=203039

There were some critical bugfixes for nftables in 4.19.38 and 4.19.44, 
but buster is still using 4.19.37.

I tried building a vanilla 4.19.59 and, except for a (harmless?) warning 
("WARNING: CPU: 0 PID: 176 at net/netfilter/nf_tables_api.c:3588 
nft_set_destroy+0x45/0x50 [nf_tables]") when the nf_tables_set module
is not loaded before using nftables, everything seems to work fine.

Kernel team: can we get an update in testing/s-p-u/... before the next 
point release to confirm it's fixed for good? nftables is almost unusable with 
anything but the most simple configuration right now.

Thanks.
