* nft 0.4, crash on list
@ 2015-03-21 22:32 Denys Fedoryshchenko
  2015-03-21 22:49 ` Denys Fedoryshchenko
  0 siblings, 1 reply; 7+ messages in thread
From: Denys Fedoryshchenko @ 2015-03-21 22:32 UTC (permalink / raw)
  To: Netdev, Pablo, Kaber

Hi

Just attempted to use nft, and got a bit strange crash (but sure it is 
possible I am using it wrong way)
Table that was inserted there:

FIBERNET-NAT ~ # cat /etc/nft.cfg
#!/sbin/nft -f
table mangle {
         chain output            {
                 type route hook output priority -150;
                 meta mark set ip daddr map {
                         1.1.1.1/32 : 1
                 }
         }
}


FIBERNET-NAT ~ # nft --debug all list table mangle
Entering state 0
Reducing stack by rule 1 (line 544):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --accepting rule at line 261 ("list")
Next token is token "list" (: )
Shifting token "list" (: )
Entering state 19
Reading a token: --accepting rule at line 515 (" ")
--accepting rule at line 234 ("table")
Next token is token "table" (: )
Shifting token "table" (: )
Entering state 63
Reading a token: --accepting rule at line 515 (" ")
--(end of buffer or a NUL)
--accepting rule at line 486 ("mangle")
Next token is token "string" (: )
Reducing stack by rule 113 (line 1052):
-> $$ = nterm family_spec (: )
Stack now 0 1 19 63
Entering state 34
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 41
Reducing stack by rule 110 (line 1045):
    $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 19 63 34
Entering state 167
Reducing stack by rule 120 (line 1063):
    $1 = nterm family_spec (: )
    $2 = nterm identifier (: )
-> $$ = nterm table_spec (: )
Stack now 0 1 19 63
Entering state 250
Reducing stack by rule 45 (line 752):
    $1 = token "table" (: )
    $2 = nterm table_spec (: )
-> $$ = nterm list_cmd (: )
Stack now 0 1 19
Entering state 69
Reducing stack by rule 19 (line 636):
    $1 = token "list" (: )
    $2 = nterm list_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 32
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 165
Reducing stack by rule 13 (line 602):
    $1 = nterm base_cmd (: )
    $2 = token "end of file" (: )
<cmdline>:1:1-17: Evaluate
list table mangle
^^^^^^^^^^^^^^^^^


Stack now 0 1
Cleanup: popping nterm input (: )
----------------        ------------------
|  0000000020  |        | message length |
| 02576 | R--- |        |  type | flags  |
|  0000000003  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 00 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000032  |        | message length |
| 02570 | R-A- |        |  type | flags  |
|  0000000005  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 02 00 00 00  |        |  extra header  |
|00011|--|00001|        |len |flags| type|
| 6d 61 6e 67  |        |      data      |       m a n g
| 6c 65 00 00  |        |      data      |       l e
----------------        ------------------
map0 mangle f
map0 mangle 0
----------------        ------------------
|  0000000044  |        | message length |
| 02573 | R-A- |        |  type | flags  |
|  0000000005  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 02 00 00 00  |        |  extra header  |
|00011|--|00001|        |len |flags| type|
| 6d 61 6e 67  |        |      data      |       m a n g
| 6c 65 00 00  |        |      data      |       l e
|00009|--|00002|        |len |flags| type|
| 6d 61 70 30  |        |      data      |       m a p 0
| 00 61 6e 67  |        |      data      |        a n g
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 02564 | R--- |        |  type | flags  |
|  0000000005  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 02 00 00 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 02567 | R--- |        |  type | flags  |
|  0000000005  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 02 00 00 00  |        |  extra header  |
----------------        ------------------
ip mangle output 3
   [ payload load 1b @ network header + 9 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ cmp eq reg 1 0x00005000 ]
   [ immediate reg 1 0x0100ff7f ]
   [ meta set priority with reg 1 ]

update network layer protocol context:
  link layer          : none
  network layer       : ip <-
  transport layer     : none

update transport layer protocol context:
  link layer          : none
  network layer       : ip
  transport layer     : tcp <-

ip mangle output 4 3
   [ payload load 4b @ network header + 16 => reg 1 ]
   [ lookup reg 1 set map0 dreg 1 ]
   [ meta set mark with reg 1 ]

Segmentation fault


* Re: nft 0.4, crash on list
  2015-03-21 22:32 nft 0.4, crash on list Denys Fedoryshchenko
@ 2015-03-21 22:49 ` Denys Fedoryshchenko
  2015-03-21 23:40   ` Denys Fedoryshchenko
  0 siblings, 1 reply; 7+ messages in thread
From: Denys Fedoryshchenko @ 2015-03-21 22:49 UTC (permalink / raw)
  To: Netdev, Pablo, Kaber

Additionally, if I will do "nft flush table mangle", with this table 
added I will get this:
[   42.800078] ------------[ cut here ]------------
[   42.800092] WARNING: CPU: 3 PID: 2868 at net/netfilter/nf_tables_api.c:4122 nft_data_uninit+0x35/0x50 [nf_tables]()
[   42.800094] Modules linked in: nft_meta nft_chain_route_ipv4 nft_hash nft_rbtree nf_tables_ipv4 nf_tables nfnetlink ramoops reed_solomon intel_rapl iosf_mbi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm uas usb_storage mei_me iTCO_wdt mei iTCO_vendor_support lpc_ich mfd_core intel_smartconnect
[   42.800116] CPU: 3 PID: 2868 Comm: nft Not tainted 3.19.2-test #1
[   42.800118] Hardware name:                  /DH87MC, BIOS MCH8710H.86A.0157.2014.0530.1830 05/30/2014
[   42.800120]  ffffffffa00ea9c9 ffff8807efe97928 ffffffff81873caa 0000000000000000
[   42.800124]  0000000000000000 ffff8807efe97968 ffffffff8104feca ffff8807fabc4100
[   42.800127]  ffff8807d4550800 ffff8807d817c600 ffff8807d817c690 ffff8807fabc4200
[   42.800130] Call Trace:
[   42.800139]  [<ffffffff81873caa>] dump_stack+0x45/0x57
[   42.800146]  [<ffffffff8104feca>] warn_slowpath_common+0x8a/0xc0
[   42.800150]  [<ffffffff8104ffba>] warn_slowpath_null+0x1a/0x20
[   42.800154]  [<ffffffffa00e2665>] nft_data_uninit+0x35/0x50 [nf_tables]
[   42.800158]  [<ffffffffa00f10e5>] nft_rbtree_destroy+0x65/0x90 [nft_rbtree]
[   42.800162]  [<ffffffffa00e1cdb>] nft_set_destroy+0x1b/0x40 [nf_tables]
[   42.800166]  [<ffffffffa00e6844>] nf_tables_set_destroy+0x44/0x50 [nf_tables]
[   42.800171]  [<ffffffffa00e8af9>] nf_tables_unbind_set+0x49/0x50 [nf_tables]
[   42.800175]  [<ffffffffa00e9076>] nft_lookup_destroy+0x16/0x20 [nf_tables]
[   42.800179]  [<ffffffffa00e1d41>] nf_tables_rule_destroy+0x41/0x90 [nf_tables]
[   42.800183]  [<ffffffffa00e735d>] nf_tables_commit+0x41d/0x570 [nf_tables]
[   42.800187]  [<ffffffffa00d7a11>] nfnetlink_rcv+0x3f1/0x4bd [nfnetlink]
[   42.800193]  [<ffffffff817bc816>] netlink_unicast+0xf6/0x200
[   42.800196]  [<ffffffff817bcc33>] netlink_sendmsg+0x313/0x690
[   42.800201]  [<ffffffff817747ec>] do_sock_sendmsg+0x8c/0x100
[   42.800204]  [<ffffffff81773e4e>] ? copy_msghdr_from_user+0x15e/0x1f0
[   42.800207]  [<ffffffff81774de3>] ___sys_sendmsg+0x313/0x320
[   42.800214]  [<ffffffff81153b12>] ? mmap_region+0x192/0x600
[   42.800220]  [<ffffffff812e6580>] ? apparmor_capable+0x20/0x60
[   42.800224]  [<ffffffff8187b07a>] ? _raw_spin_unlock_bh+0x1a/0x20
[   42.800228]  [<ffffffff81778ed6>] ? release_sock+0x106/0x150
[   42.800232]  [<ffffffff817754c2>] __sys_sendmsg+0x42/0x80
[   42.800235]  [<ffffffff81775512>] SyS_sendmsg+0x12/0x20
[   42.800238]  [<ffffffff8187b6f6>] system_call_fastpath+0x16/0x1b
[   42.800240] ---[ end trace 905dd3f1732b3bda ]---




* Re: nft 0.4, crash on list
  2015-03-21 22:49 ` Denys Fedoryshchenko
@ 2015-03-21 23:40   ` Denys Fedoryshchenko
  2015-03-22  5:33     ` Patrick McHardy
  0 siblings, 1 reply; 7+ messages in thread
From: Denys Fedoryshchenko @ 2015-03-21 23:40 UTC (permalink / raw)
  To: Netdev, Pablo, Kaber

Sorry for noise, seems git version working fine!



* Re: nft 0.4, crash on list
  2015-03-21 23:40   ` Denys Fedoryshchenko
@ 2015-03-22  5:33     ` Patrick McHardy
  2015-03-22  8:05       ` Denys Fedoryshchenko
  0 siblings, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2015-03-22  5:33 UTC (permalink / raw)
  To: Denys Fedoryshchenko; +Cc: Netdev, Pablo, netfilter-devel

On 22.03, Denys Fedoryshchenko wrote:
> Sorry for noise, seems git version working fine!

Still this shouldn't be happening. Just to confirm, you were using an
unpatched kernel and by git you mean nftables git?


> On 2015-03-22 00:49, Denys Fedoryshchenko wrote:
> >Additionally, if i will do "nft flush table mangle" , with this table
> >added i will get this:
> >[   42.800078] ------------[ cut here ]------------
> >[   42.800092] WARNING: CPU: 3 PID: 2868 at
> >net/netfilter/nf_tables_api.c:4122 nft_data_uninit+0x35/0x50
> >[nf_tables]()


* Re: nft 0.4, crash on list
  2015-03-22  5:33     ` Patrick McHardy
@ 2015-03-22  8:05       ` Denys Fedoryshchenko
  2015-03-22 19:29         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 7+ messages in thread
From: Denys Fedoryshchenko @ 2015-03-22  8:05 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netdev, Pablo, netfilter-devel

On 2015-03-22 07:33, Patrick McHardy wrote:
> On 22.03, Denys Fedoryshchenko wrote:
>> Sorry for noise, seems git version working fine!
> 
> Still this shouldn't be happening. Just to confirm, you were using an
> unpatched kernel and by git you mean nftables git?
Yes, correct. I tested on 3.18.8 and 3.19.2 vanilla kernels (x86_64).
On nftables 0.4 it does crash, on nftables git it doesn't.

> 
> 
>> On 2015-03-22 00:49, Denys Fedoryshchenko wrote:
>> >Additionally, if i will do "nft flush table mangle" , with this table
>> >added i will get this:
>> >[   42.800078] ------------[ cut here ]------------
>> >[   42.800092] WARNING: CPU: 3 PID: 2868 at
>> >net/netfilter/nf_tables_api.c:4122 nft_data_uninit+0x35/0x50
>> >[nf_tables]()


* Re: nft 0.4, crash on list
  2015-03-22  8:05       ` Denys Fedoryshchenko
@ 2015-03-22 19:29         ` Pablo Neira Ayuso
  2015-03-22 19:29           ` Patrick McHardy
  0 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-03-22 19:29 UTC (permalink / raw)
  To: Denys Fedoryshchenko; +Cc: Patrick McHardy, Netdev, netfilter-devel, stable

On Sun, Mar 22, 2015 at 10:05:10AM +0200, Denys Fedoryshchenko wrote:
> On 2015-03-22 07:33, Patrick McHardy wrote:
> >On 22.03, Denys Fedoryshchenko wrote:
> >>Sorry for noise, seems git version working fine!
> >
> >Still this shouldn't be happening. Just to confirm, you were using an
> >unpatched kernel and by git you mean nftables git?
>
> Yes, correct. I tested on 3.18.8 and 3.19.2 vanilla kernels (x86_64).
> On nftables 0.4 it does crash, on nftables git it doesn't.

I sent this fix to -stable by March 10th but this doesn't show up in
3.18.x and 3.19.x yet.

[ upstream commit 02263db00b6cb98701332aa257c07ca549c2324b ]

We have several problems in this path:

1) There is a use-after-free when removing individual elements from
   the commit path.

2) We have to uninit() the data part of the element from the abort
   path to avoid a chain refcount leak.

3) We have to check for set->flags to see if there's a mapping, instead
   of the element flags.

4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip
   elements that are part of the interval that have no data part, so
   they don't need to be uninit().

Cc: <stable@vger.kernel.org> # 3.18.x
Cc: <stable@vger.kernel.org> # 3.19.x
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

> >>On 2015-03-22 00:49, Denys Fedoryshchenko wrote:
> >>>Additionally, if i will do "nft flush table mangle" , with this table
> >>>added i will get this:
> >>>[   42.800078] ------------[ cut here ]------------
> >>>[   42.800092] WARNING: CPU: 3 PID: 2868 at
> >>>net/netfilter/nf_tables_api.c:4122 nft_data_uninit+0x35/0x50
> >>>[nf_tables]()


* Re: nft 0.4, crash on list
  2015-03-22 19:29         ` Pablo Neira Ayuso
@ 2015-03-22 19:29           ` Patrick McHardy
  0 siblings, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2015-03-22 19:29 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Denys Fedoryshchenko, Netdev, netfilter-devel, stable

On 22.03, Pablo Neira Ayuso wrote:
> On Sun, Mar 22, 2015 at 10:05:10AM +0200, Denys Fedoryshchenko wrote:
> > On 2015-03-22 07:33, Patrick McHardy wrote:
> > >On 22.03, Denys Fedoryshchenko wrote:
> > >>Sorry for noise, seems git version working fine!
> > >
> > >Still this shouldn't be happening. Just to confirm, you were using an
> > >unpatched kernel and by git you mean nftables git?
> >
> > Yes, correct. I tested on 3.18.8 and 3.19.2 vanilla kernels (x86_64).
> > On nftables 0.4 it does crash, on nftables git it doesn't.
> 
> I sent this fix to -stable by March 10th but this doesn't show up in
> 3.18.x and 3.19.x yet.
> 
> [ upstream commit 02263db00b6cb98701332aa257c07ca549c2324b ]

I think this is actually a different problem. We're using set->dtype
for uninit of the element's data, but unless it's NFT_DATA_VERDICT,
it's holding the user encoding of the type.

Basically all the types except NFT_DATA_RESERVED_MASK map to
NFT_DATA_VALUE, and it seems we're not properly handling it in
that path.

> 
> We have several problems in this path:
> 
> 1) There is a use-after-free when removing individual elements from
>    the commit path.
> 
> 2) We have to uninit() the data part of the element from the abort
>    path to avoid a chain refcount leak.
> 
> 3) We have to check for set->flags to see if there's a mapping,
> instead
>    of the element flags.
> 
> 4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip
>    elements that are part of the interval that have no data part, so
>    they don't need to be uninit().
> 
> Cc: <stable@vger.kernel.org> # 3.18.x
> Cc: <stable@vger.kernel.org> # 3.19.x
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> > >>On 2015-03-22 00:49, Denys Fedoryshchenko wrote:
> > >>>Additionally, if i will do "nft flush table mangle" , with this table
> > >>>added i will get this:
> > >>>[   42.800078] ------------[ cut here ]------------
> > >>>[   42.800092] WARNING: CPU: 3 PID: 2868 at
> > >>>net/netfilter/nf_tables_api.c:4122 nft_data_uninit+0x35/0x50
> > >>>[nf_tables]()
> 
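
Added illustration of the set->dtype point in the reply above (a user-space model written for this page, not code from the thread or from the kernel). The numeric constant values, the strict switch in the uninit model, and the USER_DTYPE_MARK encoding are assumptions; only the three NFT_DATA_* names come from the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Names appear in the thread; numeric values are assumptions (as recalled
 * from the nf_tables uapi header), not taken from this page. */
#define NFT_DATA_VALUE          0x00000000u
#define NFT_DATA_VERDICT        0xffffff00u
#define NFT_DATA_RESERVED_MASK  0xffffff00u

/* Hypothetical user-space type id for a "mark" map value (constructed). */
#define USER_DTYPE_MARK         19u

/* Minimal stand-ins: a verdict may pin a chain, a plain value pins nothing. */
struct model_chain { int use; };
struct model_data  { struct model_chain *chain; };

enum uninit_result { UNINIT_OK = 0, UNINIT_WARN = 1 };

/* Model of an uninit helper that only understands the two kernel-internal
 * data types. Anything else lands in the default branch, which stands in
 * for the WARNING reported at nft_data_uninit in the trace. */
static enum uninit_result data_uninit_strict(struct model_data *d, uint32_t type)
{
    switch (type) {
    case NFT_DATA_VALUE:
        return UNINIT_OK;                 /* nothing to release */
    case NFT_DATA_VERDICT:
        if (d->chain)
            d->chain->use--;              /* drop the chain reference */
        return UNINIT_OK;
    default:
        return UNINIT_WARN;               /* user encoding leaked through */
    }
}

/* Mapping described in the reply: every type outside the reserved range is
 * plain data, so it collapses to NFT_DATA_VALUE before dispatch. */
static uint32_t normalize_dtype(uint32_t set_dtype)
{
    if ((set_dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
        return set_dtype;
    return NFT_DATA_VALUE;
}

static enum uninit_result data_uninit_normalized(struct model_data *d,
                                                 uint32_t set_dtype)
{
    return data_uninit_strict(d, normalize_dtype(set_dtype));
}

int main(void)
{
    struct model_chain chain = { 1 };
    struct model_data verdict = { &chain };
    struct model_data mark = { NULL };

    /* Map "ip daddr -> mark": the set's dtype carries the user encoding. */
    printf("strict, user dtype     : %s\n",
           data_uninit_strict(&mark, USER_DTYPE_MARK) ? "WARN" : "ok");
    printf("normalized, user dtype : %s\n",
           data_uninit_normalized(&mark, USER_DTYPE_MARK) ? "WARN" : "ok");

    /* Verdict maps are unaffected by the normalization. */
    printf("normalized, verdict    : %s, chain use now %d\n",
           data_uninit_normalized(&verdict, NFT_DATA_VERDICT) ? "WARN" : "ok",
           chain.use);
    return 0;
}
```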
