Created attachment 258711
kernel config used

On attempting to list the nftables ruleset with at least one chain added, I get a fully reproducible oops:

```
root@devuan:~# nft list ruleset
root@devuan:~# nft add table inet filter
root@devuan:~# nft list ruleset
table inet filter {
}
root@devuan:~# nft add chain inet filter input { type filter hook input priority 0 \; }
root@devuan:~# nft list ruleset

Message from syslogd@devuan at Oct 4 16:34:45 ...
 kernel:[ 79.562937] Internal error: Oops: 96000005 [#1] SMP
Segmentation fault

Message from syslogd@devuan at Oct 4 16:34:45 ...
 kernel:[ 79.574887] Process nft (pid: 1540, stack limit = 0xffffff800bae0000)
root@devuan:~#
Message from syslogd@devuan at Oct 4 16:34:45 ...
 kernel:[ 79.597555] Code: 14000009 f860db03 a94887a2 8b0302c4 (f8636ac3)
```

The full oops trace looks like this:

```
[ 60.837572] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
[ 79.558809] Unable to handle kernel paging request at virtual address 4036fa3000
[ 79.559471] Mem abort info:
[ 79.559755] Exception class = DABT (current EL), IL = 32 bits
[ 79.560281] SET = 0, FnV = 0
[ 79.560552] EA = 0, S1PTW = 0
[ 79.560847] Data abort info:
[ 79.561108] ISV = 0, ISS = 0x00000005
[ 79.561447] CM = 0, WnR = 0
[ 79.561729] user pgtable: 4k pages, 39-bit VAs, pgd = ffffffc03d173000
[ 79.562305] [0000004036fa3000] *pgd=0000000000000000, *pud=0000000000000000
[ 79.562937] Internal error: Oops: 96000005 [#1] SMP
[ 79.563370] Modules linked in: nf_tables_inet nf_tables_ipv6 nf_tables_ipv4 nf_tables
[ 79.564077] CPU: 3 PID: 1540 Comm: nft Not tainted 4.14.0-rc3test1 #3
[ 79.564644] Hardware name: Pine64 Rock64 (DT)
[ 79.565030] task: ffffffc03e3b4880 task.stack: ffffff800bae0000
[ 79.565570] PC is at nf_tables_fill_chain_info.isra.20+0x2bc/0x3c8 [nf_tables]
[ 79.566219] LR is at nf_tables_fill_chain_info.isra.20+0x2d8/0x3c8 [nf_tables]
[ 79.566856] pc : [<ffffff8000b85634>] lr : [<ffffff8000b85650>] pstate: 80000145
[ 79.567507] sp : ffffff800bae37a0
[ 79.567802] x29: ffffff800bae37a0 x28: 0000000000000002
[ 79.568274] x27: 0000000000000000 x26: ffffffc03d097068
[ 79.568746] x25: ffffff8008fead04 x24: ffffff8008feb5d0
[ 79.569218] x23: ffffff8008feab58 x22: 0000000000000000
[ 79.569691] x21: ffffff8008feab08 x20: ffffffc03c2d0000
[ 79.570163] x19: ffffffc03d097600 x18: 0000000000040e00
[ 79.570636] x17: 0000007fa70e1cc0 x16: ffffff80088f8ae8
[ 79.571108] x15: 00000000000000be x14: 0000000000000000
[ 79.571581] x13: 0000000000000000 x12: 0000000000000030
[ 79.572053] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f
[ 79.572525] x9 : feff7164736b6865 x8 : ffffffc03c2d005f
[ 79.572998] x7 : 0000000000000000 x6 : ffffffc03c2d005f
[ 79.573470] x5 : 000000000000000f x4 : 0000004036fa3000
[ 79.573942] x3 : 0000004036fa3000 x2 : 0000000000000000
[ 79.574415] x1 : 0000000000000000 x0 : 0000000000000000
[ 79.574887] Process nft (pid: 1540, stack limit = 0xffffff800bae0000)
[ 79.575453] Call trace:
[ 79.575675] Exception stack(0xffffff800bae3660 to 0xffffff800bae37a0)
[ 79.576244] 3660: 0000000000000000 0000000000000000 0000000000000000 0000004036fa3000
[ 79.576933] 3680: 0000004036fa3000 000000000000000f ffffffc03c2d005f 0000000000000000
[ 79.577625] 36a0: ffffffc03c2d005f feff7164736b6865 7f7f7f7f7f7f7f7f 0101010101010101
[ 79.578315] 36c0: 0000000000000030 0000000000000000 0000000000000000 00000000000000be
[ 79.579005] 36e0: ffffff80088f8ae8 0000007fa70e1cc0 0000000000040e00 ffffffc03d097600
[ 79.579697] 3700: ffffffc03c2d0000 ffffff8008feab08 0000000000000000 ffffff8008feab58
[ 79.580386] 3720: ffffff8008feb5d0 ffffff8008fead04 ffffffc03d097068 0000000000000000
[ 79.581078] 3740: 0000000000000002 ffffff800bae37a0 ffffff8000b85650 ffffff800bae37a0
[ 79.581768] 3760: ffffff8000b85634 0000000080000145 ffffff800bae3790 ffffff80084ff918
[ 79.582460] 3780: 0000008000000000 ffffff8008b56b3c ffffff800bae37a0 ffffff8000b85634
[ 79.583165] [<ffffff8000b85634>] nf_tables_fill_chain_info.isra.20+0x2bc/0x3c8 [nf_tables]
[ 79.583907] [<ffffff8000b85bac>] nf_tables_dump_chains+0x18c/0x1d8 [nf_tables]
[ 79.584550] [<ffffff80089600c0>] netlink_dump+0xf8/0x288
[ 79.585022] [<ffffff8008960950>] __netlink_dump_start+0x150/0x1b0
[ 79.585574] [<ffffff8000b859d0>] nf_tables_getchain+0x1a8/0x1f8 [nf_tables]
[ 79.586189] [<ffffff800896854c>] nfnetlink_rcv_msg+0x28c/0x2a0
[ 79.586706] [<ffffff8008962d28>] netlink_rcv_skb+0x100/0x148
[ 79.587207] [<ffffff80089686a0>] nfnetlink_rcv+0xc0/0x608
[ 79.587686] [<ffffff8008962418>] netlink_unicast+0x1b8/0x240
[ 79.588188] [<ffffff8008962850>] netlink_sendmsg+0x288/0x360
[ 79.588692] [<ffffff80088f72a8>] sock_sendmsg+0x60/0x70
[ 79.589154] [<ffffff80088f8bbc>] SyS_sendto+0xd4/0x160
[ 79.589607] Exception stack(0xffffff800bae3ec0 to 0xffffff800bae4000)
[ 79.590174] 3ec0: 0000000000000003 0000007fc957ea70 0000000000000014 0000000000000000
[ 79.590866] 3ee0: 0000007fa72980b0 000000000000000c 0000000000000000 0000000000000020
[ 79.591556] 3f00: 00000000000000ce 00000055728c9820 0101010101010101 0000000000000038
[ 79.592247] 3f20: 0000000000000000 0000000000000000 0000000000000000 00000000000000be
[ 79.592937] 3f40: 0000000000000000 0000007fa70e1cc0 0000000000040e00 0000000000000014
[ 79.593627] 3f60: 0000007fc957ea70 0000000000000001 00000055728c9470 0000000000000000
[ 79.594318] 3f80: 000000555c354008 00000055728c9820 0000007fc9588cd8 000000555c397000
[ 79.595009] 3fa0: 0000007fc9580080 0000007fc957ea10 000000555c353d28 0000007fc957ea10
[ 79.595702] 3fc0: 0000007fa70e1ca8 0000000080000000 0000000000000003 00000000000000ce
[ 79.596391] 3fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 79.597084] [<ffffff8008082fb0>] el0_svc_naked+0x24/0x28
[ 79.597555] Code: 14000009 f860db03 a94887a2 8b0302c4 (f8636ac3)
[ 79.598094] ---[ end trace 9080eb98007bbebf ]---
```

Rebuilding the nft binary did not change or improve the situation (I thought it might've been an ABI breakage). Increasing stack guard protection settings did not yield any new information.

I also saw this on 4.14.0-rc2 which was the first mainline kernel I tried on the Rock64. I'm hoping it's just me having somehow screwed up the kernel config when I went from the Rockchip-specific 4.4 kernel to mainline, but right now I don't see how/where.

Happy to run tests and provide additional information. As I say at the top, this one is trivially reproducible here.

Thanks
/Johny
Could you give a try to this patch? http://patchwork.ozlabs.org/patch/821334/ Thanks.
Thanks Pablo! I can confirm that patch fixes the issue. No more oops:

```
root@devuan:~# nft add chain inet filter input { type filter hook input priority 0 \; }
root@devuan:~# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
}
root@devuan:~#
```
(Do I mark this as resolved now, or will you do it when the patch goes in?)
I've run into the same on my ALIX 2c3 (http://pcengines.ch/alix2c3.htm). The issue is not present in 4.13.5, but it is in 4.14.0-rc1, and -rc3 (and I assume in -rc2 too). The patch mentioned above solves the issue for me too.