* nftables null pointer
From: Matteo Croce @ 2014-08-05 8:01 UTC (permalink / raw)
To: netfilter-devel
With vanilla Linux 3.16.0 and nft 0.3:
# nft list table nat
Killed
nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
BUG: unable to handle kernel NULL pointer dereference at 00000008
IP: [<d0b4beef>] nf_tables_fill_chain_info+0x27f/0x350 [nf_tables]
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: nft_nat nft_meta nft_chain_nat_ipv4 nf_tables_ipv4
nf_tables nfnetlink ctr ccm tun sit tunnel4 ip_tunnel ipt_MASQUERADE
xt_TCPMSS xt_tcpudp xt_nat xt_multiport iptable_nat nf_conntrack_ipv4
nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter
ip_tables x_tables geodewdt ppp_async crc_ccitt ppp_generic slhc
bridge stp llc ftdi_sio usbserial ohci_pci arc4 ath9k ohci_hcd
ath9k_common ath9k_hw ehci_pci ath ehci_hcd mac80211 cfg80211
geode_aes usbcore firmware_class usb_common nls_base via_rhine
geode_rng rng_core mii gpio_cs5535 lm90 hwmon cs5535_clockevt
cs5535_mfd mfd_core cs5535_mfgpt scx200_acb i2c_core autofs4
CPU: 0 PID: 9836 Comm: nft Not tainted 3.16.0-alix #1
task: cf91c3e0 ti: c85a2000 task.ti: c85a2000
EIP: 0060:[<d0b4beef>] EFLAGS: 00010046 CPU: 0
EIP is at nf_tables_fill_chain_info+0x27f/0x350 [nf_tables]
EAX: 00000000 EBX: cd4820c0 ECX: 00000000 EDX: 00000000
ESI: cc3e8fc0 EDI: c85a3afc EBP: cc3e8fc0 ESP: c85a3ab8
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
CR0: 8005003b CR2: 00000008 CR3: 03b24000 CR4: 00000090
Stack:
d0b10024 00000004 00000002 c85a3aec 00000000 00000000 01000000 00000000
03000000 00000000 0f690000 00000000 9b010000 00000000 00000000 00000000
00000000 cfb794cc c39135bc cc3b0840 00000001 d0b4c1b7 00000003 00000002
Call Trace:
[<d0b4c1b7>] ? nf_tables_dump_chains+0xf7/0x190 [nf_tables]
[<c12078f8>] ? netlink_dump+0x108/0x280
[<c1208099>] ? __netlink_dump_start+0x189/0x1e0
[<c1208099>] ? __netlink_dump_start+0x189/0x1e0
[<d0b4c3ae>] ? nf_tables_getchain+0x15e/0x1a0 [nf_tables]
[<d0b4c0c0>] ? nf_tables_chain_notify+0x100/0x100 [nf_tables]
[<d0b4c250>] ? nf_tables_dump_chains+0x190/0x190 [nf_tables]
[<d0c36379>] ? nfnetlink_rcv_msg+0x1d9/0x1f0 [nfnetlink]
[<d0c361a0>] ? nfnetlink_bind+0x50/0x50 [nfnetlink]
[<c120991e>] ? netlink_rcv_skb+0x8e/0xb0
[<c1208f83>] ? netlink_unicast+0xe3/0x160
[<c12092e9>] ? netlink_sendmsg+0x2e9/0x740
[<c11d2162>] ? sock_sendmsg+0x62/0x80
[<c107367c>] ? __alloc_pages_nodemask+0xdc/0x760
[<c11d4239>] ? SYSC_sendto+0xd9/0x120
[<c11d62fb>] ? sock_init_data+0x6b/0x1c0
[<c1205997>] ? __netlink_create+0x77/0xd0
[<c11d4bfb>] ? __sys_recvmsg+0x4b/0x90
[<c11d5742>] ? SYSC_socketcall+0x892/0xa60
[<c1087ef4>] ? do_set_pte+0x74/0xb0
[<c106cb9f>] ? filemap_map_pages+0x28f/0x2a0
[<c108813b>] ? do_read_fault.isra.113+0x20b/0x260
[<c108882e>] ? handle_mm_fault+0x36e/0x6a0
[<c1013e51>] ? __do_page_fault+0x1c1/0x480
[<c108cebc>] ? do_mmap_pgoff+0x29c/0x380
[<c107f8eb>] ? vm_mmap_pgoff+0x5b/0x80
[<c11d59dd>] ? SyS_socketcall+0xd/0x10
[<c1290d9d>] ? sysenter_do_call+0x12/0x12
Code: 3c 24 8d 48 01 89 d8 e8 50 41 62 f0 85 c0 0f 85 2f fe ff ff 8b
7c 24 68 b9 04 00 00 00 8b 57 fc 8d 7c 24 34 89 7c 24 0c f3 ab fa <8b>
7a 08 8b 6a 0c 8b 02 8b 52 04 fb 01 7c 24 3c 8b bb 98 00 00
EIP: [<d0b4beef>] nf_tables_fill_chain_info+0x27f/0x350 [nf_tables]
SS:ESP 0068:c85a3ab8
CR2: 0000000000000008
---[ end trace 3ca575d06b5960d9 ]---
--
Matteo Croce
OpenWrt Developer
* Re: nftables null pointer
From: Pablo Neira Ayuso @ 2014-08-05 10:01 UTC (permalink / raw)
To: Matteo Croce; +Cc: netfilter-devel
On Tue, Aug 05, 2014 at 10:01:56AM +0200, Matteo Croce wrote:
> With vanilla Linux 3.16.0 and nft 0.3:
>
> # nft list table nat
> Killed
> nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
> BUG: unable to handle kernel NULL pointer dereference at 00000008
> IP: [<d0b4beef>] nf_tables_fill_chain_info+0x27f/0x350 [nf_tables]
Is this reproducible? If so, please indicate the sequence of commands.
Thanks.
* Re: nftables null pointer
From: Matteo Croce @ 2014-08-05 10:21 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Yes, it's reproducible with two configs and two lists:

# nft -f /dev/stdin <<EOF
table ip nat {
	chain post {
		type nat hook postrouting priority 0;
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
	}
}
EOF

# nft -n list table nat

# nft -f /dev/stdin <<EOF
table ip nat {
	chain post {
		type nat hook postrouting priority 0;
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
	}
}
EOF

# nft -n list table nat

2014-08-05 12:01 GMT+02:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Tue, Aug 05, 2014 at 10:01:56AM +0200, Matteo Croce wrote:
>> With vanilla Linux 3.16.0 and nft 0.3:
>>
>> # nft list table nat
>> Killed
>> nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
>> BUG: unable to handle kernel NULL pointer dereference at 00000008
>> IP: [<d0b4beef>] nf_tables_fill_chain_info+0x27f/0x350 [nf_tables]
>
> Is this reproducible? If so, please indicate the sequence of commands.
> Thanks.
--
Matteo Croce
OpenWrt Developer
* Re: nftables null pointer
From: Pablo Neira Ayuso @ 2014-08-05 13:39 UTC (permalink / raw)
To: Matteo Croce; +Cc: netfilter-devel
On Tue, Aug 05, 2014 at 12:21:30PM +0200, Matteo Croce wrote:
> Yes, it's reproducible with two configs and two lists:
>
> # nft -f /dev/stdin <<EOF
> table ip nat {
> chain post {
> type nat hook postrouting priority 0;
> ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
> }
> }
> EOF
>
> # nft -n list table nat
>
> # nft -f /dev/stdin <<EOF
> table ip nat {
> chain post {
> type nat hook postrouting priority 0;
> ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
> }
> }
> EOF
>
> # nft -n list table nat
Could you give a try to the following patch? Thanks.
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 526 bytes --]
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f95dc95..f7dce2b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -899,6 +899,9 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
static void nft_chain_stats_replace(struct nft_base_chain *chain,
struct nft_stats __percpu *newstats)
{
+ if (newstats == NULL)
+ return;
+
if (chain->stats) {
struct nft_stats __percpu *oldstats =
nft_dereference(chain->stats);
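
Review bot: The new NULL check at the top of nft_chain_stats_replace() has no comment saying when a caller passes newstats == NULL or why leaving the existing chain->stats in place is the right result in that case. A one-line comment above `if (newstats == NULL)` would document that contract; alternatively the check could sit at the call site, so this helper is only called when there are new counters to install. The attachment also carries no changelog or Signed-off-by, which it will need before it can be applied.
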
* Re: nftables null pointer
From: Matteo Croce @ 2014-08-05 15:07 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
2014-08-05 15:39 GMT+02:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> Could you give a try to the following patch? Thanks.
Yes, it works, but the rules are appended every time, not overwritten.
Is it the intended behaviour?
I have this after a few runs:

table ip nat {
	chain post {
		type nat hook postrouting priority 0;
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
	}
	chain pre {
		type nat hook prerouting priority 0;
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 tcp dport { 51413, 4665, 4672} dnat 192.168.0.20
		iif eth0 udp dport { 51413, 4665, 4672} dnat 192.168.0.20
	}
}
--
Matteo Croce
OpenWrt Developer
* Re: nftables null pointer
From: Pablo Neira Ayuso @ 2014-08-05 15:25 UTC (permalink / raw)
To: Matteo Croce; +Cc: netfilter-devel
On Tue, Aug 05, 2014 at 05:07:28PM +0200, Matteo Croce wrote:
> 2014-08-05 15:39 GMT+02:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> > Could you give a try to the following patch? Thanks.
>
> Yes, it works, but the rules are appended every time, not overwritten.
> Is it the intended behaviour?
Yes. You have to flush the table before nft -f, e.g. nft flush table ip
nat, before you load your ruleset again.
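
The flush-before-reload advice above, written out as an added example (not part of the original thread or of the nftables project): the ruleset file itself creates the table if needed and flushes it before re-adding the rule, so repeated nft -f loads leave one copy of each rule. The helper names build_ruleset, count_rules and reload_nat are assumptions; the table and rule are the ones from the thread.

```shell
#!/bin/sh
# Added example: idempotent reload of the thread's "ip nat" table.
# build_ruleset, count_rules and reload_nat are hypothetical helper names.

# Emit the ruleset file. "add table" creates the table when it is missing,
# so the flush that follows cannot fail on a first load; the flush then drops
# rules left by earlier loads before the rule is added again.
build_ruleset() {
    cat <<'EOF'
add table ip nat
flush table ip nat
table ip nat {
	chain post {
		type nat hook postrouting priority 0;
		ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
	}
}
EOF
}

# Count lines matching a pattern in a ruleset or "nft list" output on stdin.
count_rules() {
    grep -c -- "$1" || true
}

# Load the file with one nft -f call (needs root and the nft binary), then
# check that the table holds exactly one snat rule however often this runs.
reload_nat() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    nft -f "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    [ "$(nft list table ip nat | count_rules 'snat')" -eq 1 ]
}

# Touch the live ruleset only when asked, so sourcing has no side effects.
if [ "${1:-}" = "--apply" ]; then
    reload_nat
fi
```

Running the script with --apply several times in a row should leave the listing unchanged, in contrast to the growing rule list shown earlier in the thread.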