Bug 69341
| Summary: | Kernel BUG/Panic deleting chain used in jump in nftables | ||
|---|---|---|---|
| Product: | Networking | Reporter: | Matthew Ife (deleriux1) |
| Component: | Netfilter/Iptables | Assignee: | networking_netfilter-iptables (networking_netfilter-iptables) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | high | CC: | kaber |
| Priority: | P1 | ||
| Hardware: | x86-64 | ||
| OS: | Linux | ||
| Kernel Version: | 3.13.0 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | Check chain use count before allowing deletion | ||
bugzilla-daemon@bugzilla.kernel.org schrieb: >https://bugzilla.kernel.org/show_bug.cgi?id=69341 > > Bug ID: 69341 > Summary: Kernel BUG/Panic deleting chain used in jump in > nftables > Product: Networking > Version: 2.5 > Kernel Version: 3.13.0 > Hardware: x86-64 > OS: Linux > Tree: Fedora > Status: NEW > Severity: high > Priority: P1 > Component: Netfilter/Iptables > Assignee: networking_netfilter-iptables@kernel-bugs.osdl.org > Reporter: deleriux1@gmail.com > Regression: No > >Creating a rule that jumps to a chain which you subsequently delete >will >result in the kernel throwing a BUG message with the following: > >kernel BUG at net/netfilter/nf_tables_api.c:1014! >invalid opcode: 0000 [#1] SMP >Modules linked in: nft_meta nft_reject_ipv4 nft_hash nft_rbtree >nf_tables_ipv4_ > >The host displays no more console output suggesting a panic however the >console >is no longer responsive and does not respond to ping. > >Here is the interactive session I used. > ># nft -i >nft> add table filter >nft> add chain filter input { type filter hook input priority 0; } >nft> add chain filter test >nft> add rule filter input jump test >nft> delete chain filter test > >-- >You are receiving this mail because: >You are watching the assignee of the bug. Thx, I've queued up a fix. Currently travelling, will send it later today. Created attachment 123291 [details]
Check chain use count before allowing deletion
Here we go. Please test whether this fixes the problem. Thanks.
Looks good. The two mechs that I was able to cause this problem have gone away. Provided the new transcript in case it is reporting anything you dont expect.
nft> add table filter
nft> add chain ip filter input { type filter hook input priority 0; }
nft> add chain ip filter test
nft> add rule ip filter input jump test
nft> delete chain ip filter test
<cli>:1:1-27: Error: Could not delete chain: Device or resource busy
delete chain ip filter test
^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add map filter mymap { type ifindex : verdict ; }
nft> add element filter mymap { lo : jump test }
nft> add element filter mymap { eth0 : jump test }
nft> list table filter
table ip filter {
map mymap {
type ifindex : verdict
elements = { eth0 : jump test, lo : jump test}
}
chain input {
type filter hook input priority 0;
jump test # handle 3
}
chain test {
}
}
nft> delete rule filter input handle 3
nft> delete chain ip filter test
<cli>:1:1-27: Error: Could not delete chain: Device or resource busy
delete chain ip filter test
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Thanks, patch pushed upstream. |
Creating a rule that jumps to a chain which you subsequently delete will result in the kernel throwing a BUG message with the following: kernel BUG at net/netfilter/nf_tables_api.c:1014! invalid opcode: 0000 [#1] SMP Modules linked in: nft_meta nft_reject_ipv4 nft_hash nft_rbtree nf_tables_ipv4_ The host displays no more console output suggesting a panic however the console is no longer responsive and does not respond to ping. Here is the interactive session I used. # nft -i nft> add table filter nft> add chain filter input { type filter hook input priority 0; } nft> add chain filter test nft> add rule filter input jump test nft> delete chain filter test