Re: Oops with latest (netfilter) nf-next tree, when unloading iptable_nat

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: Pablo Neira Ayuso <pablo@gnumonks.org>,
	netfilter-devel <netfilter-devel@vger.kernel.org>,
	netdev <netdev@vger.kernel.org>, Florian Westphal <fw@strlen.de>,
	yongjun_wei@trendmicro.com.cn, kaber@trash.net
Subject: Re: Oops with latest (netfilter) nf-next tree, when unloading iptable_nat
Date: Wed, 12 Sep 2012 23:36:27 +0200	[thread overview]
Message-ID: <20120912213627.GJ14750@breakpoint.cc> (raw)
In-Reply-To: <1347357081.3928.32.camel@localhost>

Jesper Dangaard Brouer <brouer@redhat.com> wrote:

[ CC'd Patrick ]

> I'm hitting this general protection fault, when unloading iptables_nat.
> [  524.591067] Pid: 5842, comm: modprobe Not tainted 3.6.0-rc3-pablo-nf-next+ #1 Red Hat KVM
> [  524.591067] RIP: 0010:[<ffffffffa002c2fd>]  [<ffffffffa002c2fd>] nf_nat_proto_clean+0x6d/0xc0 [nf_nat]
> [  524.591067] RSP: 0018:ffff880073203e18  EFLAGS: 00010246
> [  524.591067] RAX: 0000000000000000 RBX: ffff880077dff2c8 RCX: ffff8800797fab70
> [  524.591067] RDX: dead000000200200 RSI: ffff880073203e88 RDI: ffffffffa002f208
> [  524.591067] RBP: ffff880073203e28 R08: ffff880073202000 R09: 0000000000000000
> [  524.591067] R10: dead000000200200 R11: dead000000100100 R12: ffffffff81c6dc00
>  list corruption?   ^^^^^^^^^^^^^^^^      ^^^^^^^^^^^^^^^^

Yep, looks like it.

> [  524.591067]  [<ffffffffa002c290>] ? nf_nat_net_exit+0x50/0x50 [nf_nat]
> [  524.591067]  [<ffffffff815614e3>] nf_ct_iterate_cleanup+0xc3/0x170
> [  524.591067]  [<ffffffffa002c54a>] nf_nat_l3proto_unregister+0x8a/0x100 [nf_nat]
> [  524.591067]  [<ffffffff812a0303>] ? compat_prepare_timeout+0x13/0xb0
> [  524.591067]  [<ffffffffa0035848>] nf_nat_l3proto_ipv4_exit+0x10/0x23 [nf_nat_ipv4]

On module removal nf_nat_ipv4 calls nf_iterate_cleanup which invokes
nf_nat_proto_clean() for each conntrack.  That will then call
hlist_del_rcu(&nat->bysource) using eachs conntracks nat ext area.

Problem is that nf_nat_proto_clean() is called multiple times for the same
conntrack:
a) nf_ct_iterate_cleanup() returns each ct twice (origin, reply)
b) we call it both for l3 and for l4 protocol ids

We barf in hlist_del_rcu the 2nd time because ->pprev is poisoned.

This was introduced with the ipv6 nat patches.

--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -487,7 +487,7 @@ static int nf_nat_proto_clean(struct nf_conn *i, void *data)
 
        if (clean->hash) {
                spin_lock_bh(&nf_nat_lock);
-               hlist_del_rcu(&nat->bysource);
+               hlist_del_init_rcu(&nat->bysource);
                spin_unlock_bh(&nf_nat_lock);
        } else {

Would probably avoid it.  I guess it would be nicer to only call this
once for each ct.

Patrick, any other idea?

next prev parent reply	other threads:[~2012-09-12 21:36 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-11  9:51 Oops with latest (netfilter) nf-next tree, when unloading iptable_nat Jesper Dangaard Brouer
2012-09-12 21:36 ` Florian Westphal [this message]
2012-09-14 12:07   ` Pablo Neira Ayuso
2012-09-14 13:15     ` Patrick McHardy
2012-09-19 12:46       ` Jesper Dangaard Brouer
2012-09-20  6:57         ` Patrick McHardy
2012-09-20  7:29           ` Jesper Dangaard Brouer
2012-09-20  7:31             ` Patrick McHardy
2012-09-20 10:08           ` Pablo Neira Ayuso
2012-09-20 10:31             ` Patrick McHardy
2012-09-20 17:06               ` Patrick McHardy
2012-09-21  1:00                 ` Pablo Neira Ayuso
2012-09-21  9:47                   ` Jesper Dangaard Brouer
2012-09-21 10:03                     ` Pablo Neira Ayuso
2012-09-21 10:17                       ` Pablo Neira Ayuso
2012-09-19 19:14   ` Jesper Dangaard Brouer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120912213627.GJ14750@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=brouer@redhat.com \
    --cc=kaber@trash.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@gnumonks.org \
    --cc=yongjun_wei@trendmicro.com.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.