• Taehee Yoo's avatar
    netfilter: nf_tables: deactivate expressions in rule replecement routine · ca089878
    Taehee Yoo authored
    There is no expression deactivation call from the rule replacement path,
    hence, chain counter is not decremented. A few steps to reproduce the
    problem:
    
       %nft add table ip filter
       %nft add chain ip filter c1
       %nft add chain ip filter c1
       %nft add rule ip filter c1 jump c2
       %nft replace rule ip filter c1 handle 3 accept
       %nft flush ruleset
    
    <jump c2> expression means immediate NFT_JUMP to chain c2.
    Reference count of chain c2 is increased when the rule is added.
    
    When rule is deleted or replaced, the reference counter of c2 should be
    decreased via nft_rule_expr_deactivate() which calls
    nft_immediate_deactivate().
    
    Splat looks like:
    [  214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
    [  214.398983] Modules linked in: nf_tables nfnetlink
    [  214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44
    [  214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
    [  214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
    [  214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8
    [  214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202
    [  214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0
    [  214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78
    [  214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000
    [  214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba
    [  214.398983] R13: ffff888114446e08 R14: ffff8881152876f0 R15: ffffed1022a50ed6
    [  214.398983] FS:  0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000
    [  214.398983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0
    [  214.398983] Call Trace:
    [  214.398983]  ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables]
    [  214.398983]  ? __kasan_slab_free+0x145/0x180
    [  214.398983]  ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables]
    [  214.398983]  ? kfree+0xdb/0x280
    [  214.398983]  nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables]
    [ ... ]
    
    Fixes: bb7b40ae ("netfilter: nf_tables: bogus EBUSY in chain deletions")
    Reported by: Christoph Anton Mitterer <calestyo@scientia.net>
    Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    ca089878
nf_tables_api.c 178 KB