From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Taehee Yoo, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.14 59/89] netfilter: nf_tables: deactivate expressions in rule replecement routine
Date: Fri, 14 Dec 2018 13:00:12 +0100
Message-Id: <20181214115732.584176166@linuxfoundation.org>
X-Mailer: git-send-email 2.20.0
In-Reply-To: <20181214115729.658859279@linuxfoundation.org>
References: <20181214115729.658859279@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit ca08987885a147643817d02bf260bc4756ce8cd4 ]

There is no expression deactivation call from the rule replacement path,
hence, chain counter is not decremented. A few steps to reproduce the
problem:

   %nft add table ip filter
   %nft add chain ip filter c1
   %nft add chain ip filter c1
   %nft add rule ip filter c1 jump c2
   %nft replace rule ip filter c1 handle 3 accept
   %nft flush ruleset

expression means immediate NFT_JUMP to chain c2.
Reference count of chain c2 is increased when the rule is added.

When rule is deleted or replaced, the reference counter of c2 should be
decreased via nft_rule_expr_deactivate() which calls
nft_immediate_deactivate().

Splat looks like:
[ 214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
[ 214.398983] Modules linked in: nf_tables nfnetlink
[ 214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44
[ 214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
[ 214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
[ 214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8
[ 214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202
[ 214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0
[ 214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78
[ 214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000
[ 214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba
[ 214.398983] R13: ffff888114446e08 R14: ffff8881152876f0 R15: ffffed1022a50ed6
[ 214.398983] FS: 0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000
[ 214.398983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0
[ 214.398983] Call Trace:
[ 214.398983] ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables]
[ 214.398983] ? __kasan_slab_free+0x145/0x180
[ 214.398983] ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables]
[ 214.398983] ? kfree+0xdb/0x280
[ 214.398983] nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables]
[ ... ]

Fixes: bb7b40aecbf7 ("netfilter: nf_tables: bogus EBUSY in chain deletions")
Reported by: Christoph Anton Mitterer
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505
Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin --- net/netfilter/nf_tables_api.c | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index ea1e57daf50e..623ec29ade26 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2400,21 +2400,14 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, } if (nlh->nlmsg_flags & NLM_F_REPLACE) { - if (!nft_is_active_next(net, old_rule)) { - err = -ENOENT; - goto err2; - } - trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, - old_rule); + trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); if (trans == NULL) { err = -ENOMEM; goto err2; } - nft_deactivate_next(net, old_rule); - chain->use--; - - if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { - err = -ENOMEM; + err = nft_delrule(&ctx, old_rule); + if (err < 0) { + nft_trans_destroy(trans); goto err2; } -- 2.19.1
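
Review bot: In the NLM_F_REPLACE branch of nf_tables_newrule(), the explicit nft_is_active_next(net, old_rule) check with its -ENOENT return, the nft_deactivate_next() call and the chain->use-- are all removed and replaced by a single nft_delrule(&ctx, old_rule) call, but neither the hunk nor the changelog states that nft_delrule() still performs those three steps in addition to the expression deactivation the changelog describes. Please say so in the commit message, or in a short comment above the call, so that a stable reviewer can confirm that replacing an already-deleted rule still fails with -ENOENT. The hunk also reverses the order in which the transactions are queued: NFT_MSG_NEWRULE is now added before the delete of old_rule, where the old code queued NFT_MSG_DELRULE first. It is worth confirming that the commit and abort paths do not depend on that order, and that nft_trans_destroy(trans) on the new error path unlinks the already-queued NEWRULE transaction before goto err2 releases the rule. Separately, the reproduction steps in the changelog create chain c1 twice and never create c2, although the rule jumps to c2.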