From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Taehee Yoo <ap420073@gmail.com>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 52/94] netfilter: nf_tables: release chain in flushing set
Date: Mon,  8 Oct 2018 20:31:33 +0200
Message-ID: <20181008175607.699475628@linuxfoundation.org>
In-Reply-To: <20181008175605.067676667@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit 7acfda539c0b9636a58bfee56abfb3aeee806d96 ]

When an element of a verdict map is deleted, the delete routine should
release the chain. However, the routine that flushes elements of a verdict
map doesn't release the chain.

test commands:
   %nft add table ip filter
   %nft add chain ip filter c1
   %nft add map ip filter map1 { type ipv4_addr : verdict \; }
   %nft add element ip filter map1 { 1 : jump c1 }
   %nft flush map ip filter map1
   %nft flush ruleset

splat looks like:
[ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415!
[ 4895.178114] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55
[ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables]
[ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
[ 4895.228342] RSP: 0018:ffff88010b98f4c0 EFLAGS: 00010202
[ 4895.234841] RAX: 0000000000000001 RBX: ffff8801131c6968 RCX: ffff8801146585b0
[ 4895.234841] RDX: 1ffff10022638d37 RSI: ffff8801191a9348 RDI: ffff8801131c69b8
[ 4895.234841] RBP: ffff8801146585a8 R08: 1ffff1002323526a R09: 0000000000000000
[ 4895.234841] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
[ 4895.234841] R13: dead000000000100 R14: ffffffffa3638af8 R15: dffffc0000000000
[ 4895.234841] FS:  00007f6d188e6700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
[ 4895.234841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4895.234841] CR2: 00007ffe72b8df88 CR3: 000000010e2d4000 CR4: 00000000001006f0
[ 4895.234841] Call Trace:
[ 4895.234841]  nf_tables_commit+0x2704/0x2c70 [nf_tables]
[ 4895.234841]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
[ 4895.234841]  ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables]
[ 4895.323824]  ? __lock_is_held+0x9d/0x130
[ 4895.323824]  ? kasan_unpoison_shadow+0x30/0x40
[ 4895.333299]  ? kasan_kmalloc+0xa9/0xc0
[ 4895.333299]  ? kmem_cache_alloc_trace+0x2c0/0x310
[ 4895.333299]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
[ 4895.333299]  nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink]
[ 4895.333299]  ? debug_show_all_locks+0x290/0x290
[ 4895.333299]  ? nfnetlink_net_init+0x150/0x150 [nfnetlink]
[ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
[ 4895.333299]  ? sched_clock_local+0xff/0x130
[ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
[ 4895.333299]  ? find_held_lock+0x39/0x1b0
[ 4895.333299]  ? sched_clock_local+0xff/0x130
[ 4895.333299]  ? memset+0x1f/0x40
[ 4895.333299]  ? nla_parse+0x33/0x260
[ 4895.333299]  ? ns_capable_common+0x6e/0x110
[ 4895.333299]  nfnetlink_rcv+0x2c0/0x310 [nfnetlink]
[ ... ]

Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_api.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4250,6 +4250,7 @@ static int nft_flush_set(const struct nf
 	}
 	set->ndeact++;
 
+	nft_set_elem_deactivate(ctx->net, set, elem);
 	nft_trans_elem_set(trans) = set;
 	nft_trans_elem(trans) = *elem;
 	list_add_tail(&trans->list, &ctx->net->nft.commit_list);
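
Review bot: the added nft_set_elem_deactivate(ctx->net, set, elem) call runs before the transaction is queued with list_add_tail() on commit_list, and nothing in this hunk shows the reference being taken back if the batch is later aborted. Worth confirming that the abort path for flushed elements re-activates them, otherwise an aborted flush would leave the chain with one reference fewer than its elements hold. A one-line comment above the call saying that it releases the chain or object referenced by the element would also help, since set->ndeact++ just above already reads as "deactivated" without it.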

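The reference imbalance described in the commit message, as an added example that is not part of the original patch or of the kernel source. It is a simplified userspace model: every model_* name is hypothetical, and the rule that a chain can only be destroyed with a use count of zero is an assumption inferred from the BUG in nf_tables_chain_destroy shown in the splat.

```c
/* Simplified userspace model, not kernel code; all model_* names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#define MAP_SLOTS 4
struct model_chain { unsigned int use; };  /* references held by map elements */
struct model_elem  { struct model_chain *jump; bool active; };
struct model_map   { struct model_elem slot[MAP_SLOTS]; };

/* "add element ... map1 { 1 : jump c1 }": the verdict takes a reference on c1. */
static void model_add(struct model_map *m, int i, struct model_chain *c)
{
	m->slot[i].jump = c;
	m->slot[i].active = true;
	c->use++;
}

/* Flush all elements; release=true models the flush path with the added call. */
static void model_flush(struct model_map *m, bool release)
{
	for (int i = 0; i < MAP_SLOTS; i++) {
		struct model_elem *e = &m->slot[i];
		if (e->active && release)
			e->jump->use--;   /* drop the reference the verdict held */
		e->active = false;        /* release=false: element gone, reference leaked */
	}
}

/* Assumption: a chain can only be destroyed once nothing references it. */
static bool model_chain_can_destroy(const struct model_chain *c)
{
	return c->use == 0;
}

/* Replays the test commands up to "flush ruleset"; returns c1's remaining use count. */
static unsigned int model_run(bool release)
{
	struct model_chain c1 = { 0 };
	struct model_map map1 = { .slot = { { 0 } } };
	model_add(&map1, 0, &c1);
	model_flush(&map1, release);
	return c1.use;
}

int main(void)
{
	struct model_chain a = { model_run(false) }, b = { model_run(true) };
	printf("unpatched: use=%u ok=%d\npatched: use=%u ok=%d\n", a.use,
	       model_chain_can_destroy(&a), b.use, model_chain_can_destroy(&b));
	return 0;
}
```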