Bug 199107
| Summary: | Massive use of "ipset" utility: NULL pointer dereference in kernel (ip_set_hash_netiface, hash_netiface4_resize) | ||
|---|---|---|---|
| Product: | Networking | Reporter: | Dmitry Yu Okunev (dyokunev) |
| Component: | Netfilter/Iptables | Assignee: | networking_netfilter-iptables (networking_netfilter-iptables) |
| Status: | NEW --- | ||
| Severity: | normal | CC: | dxu, dyokunev |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 4.14.13 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | Logs of dmesg and "strace -f ipset list" | ||
The command causes the bug (I mean the last command before the bug) in my case is: /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_54 timeout 0 -exist To repeat the bug on my machine it's enough just to copy this into the root terminal:
ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
for i in $(seq 0 100); do
/sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist
done
It seems problems appears when I add the 65th such row into a set. I've tuned some constants in the code and it helped: linux-4.14.26/net/netfilter/ipset/ip_set_core.c: #define IP_SET_INC 2048 linux-4.14.26/net/netfilter/ipset/ip_set_hash_gen.h: #define AHASH_MAX_TUNED 2048 However it works quite strange. It claims that there're 101 entry, however doesn't display any member: # ipset list ACL.IN.ALL_PERMIT Name: ACL.IN.ALL_PERMIT Type: hash:net,iface Revision: 6 Header: family inet hashsize 2097152 maxelem 65536 timeout 0 Size in memory: 10984 References: 0 Number of entries: 101 Members: # Hit same issue as well. Testing / analysis points to https://github.com/torvalds/linux/commit/2b33d6ffa9e38f344418976b06 as the fix. |
Created attachment 274713 [details] Logs of dmesg and "strace -f ipset list" If I massively work with "ipset" utility then I get a NULL pointer dereference and netfilter hangs after that. The logs are attached.