Kernel oops with netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
From: Matthias Maier
Date: Sun Jun 25 2023 - 13:46:20 EST
Dear all,
commit 1240eb93f0616b21c675416516ff3d74798fdc97
aka bdace3b1a51887211d3e49417a18fdbd315a313b (linux-6.3.y)
netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
causes a kernel oops on my side when booting my machine; see attached.
Reverting this commit fixes the kernel oops.
Tested on 6.3.9 and 6.4.0-rc7
Best,
Matthias
<3>[ 61.206481] list_del corruption. next->prev should be ffff8ceb11b24f60, but was 0000000000000000. (next=ffff8ceb11b27ac8)
<4>[ 61.206494] ------------[ cut here ]------------
<2>[ 61.206495] kernel BUG at lib/list_debug.c:62!
<4>[ 61.207649] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 61.208812] CPU: 10 PID: 2226 Comm: nft Tainted: P O T 6.4.0-rc7-x86_64 #1
<4>[ 61.210059] Hardware name: LENOVO 20SUS2QV00/20SUS2QV00, BIOS N30ET49W (1.32 ) 12/14/2022
<4>[ 61.211327] RIP: 0010:__list_del_entry_valid+0xc6/0xd0
<4>[ 61.212563] Code: 0b 48 89 fe 48 89 c2 48 c7 c7 a0 ed 85 88 e8 57 4e 9c ff 0f 0b 48 89 d1 48 c7 c7 f0 ed 85 88 48 89 f2 48 89 c6 e8 40 4e 9c ff <0f> 0b 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 65 48 c1 3c 25 10
<4>[ 61.214030] RSP: 0018:ffffa4be03647778 EFLAGS: 00010287
<4>[ 61.215488] RAX: 000000000000006d RBX: ffff8ceb11b26800 RCX: 0000000000000000
<4>[ 61.216932] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
<4>[ 61.218382] RBP: ffff8ceb11b24f60 R08: 0000000000000000 R09: 0000000000000000
<4>[ 61.219831] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
<4>[ 61.221286] R13: ffff8ceb2984d4f8 R14: ffff8ceb2984d4e0 R15: ffff8ceb11b24e00
<4>[ 61.222761] FS: 00007fd654220740(0000) GS:ffff8d09bc480000(0000) knlGS:0000000000000000
<4>[ 61.224298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 61.225854] CR2: 00007f27e3a370d8 CR3: 0000000115af0002 CR4: 00000000007706e0
<4>[ 61.227411] PKRU: 55555554
<4>[ 61.227412] Call Trace:
<4>[ 61.227414] <TASK>
<4>[ 61.227416] ? die+0x36/0x90
<4>[ 61.232948] ? do_trap+0xea/0x110
<4>[ 61.234503] ? __list_del_entry_valid+0xc6/0xd0
<4>[ 61.234506] ? do_error_trap+0x6a/0xa0
<4>[ 61.236987] ? __list_del_entry_valid+0xc6/0xd0
<4>[ 61.236990] ? exc_invalid_op+0x50/0x80
<4>[ 61.239396] ? __list_del_entry_valid+0xc6/0xd0
<4>[ 61.240955] ? asm_exc_invalid_op+0x1a/0x20
<4>[ 61.242526] ? __list_del_entry_valid+0xc6/0xd0
<4>[ 61.242528] ? __list_del_entry_valid+0xc6/0xd0
<4>[ 61.244998] nf_tables_deactivate_set+0x39/0x120 [nf_tables]
<4>[ 61.246613] __nf_tables_abort+0x81b/0xce0 [nf_tables]
<4>[ 61.248251] nf_tables_abort+0x39/0x60 [nf_tables]
<4>[ 61.249838] nfnetlink_rcv_batch+0x4f1/0x990 [nfnetlink]
<4>[ 61.251517] nfnetlink_rcv+0x18f/0x1b0 [nfnetlink]
<4>[ 61.253170] netlink_unicast+0x1a9/0x290
<4>[ 61.254816] netlink_sendmsg+0x259/0x4e0
<4>[ 61.256433] sock_sendmsg+0xa8/0xb0
<4>[ 61.258024] ____sys_sendmsg+0x28d/0x320
<4>[ 61.259665] ? copy_msghdr_from_user+0x7d/0xc0
<4>[ 61.261320] ___sys_sendmsg+0x9f/0xf0
<4>[ 61.262974] __sys_sendmsg+0x7f/0xe0
<4>[ 61.264565] do_syscall_64+0x5f/0x90
<4>[ 61.266210] entry_SYSCALL_64_after_hwframe+0x72/0xdc
<4>[ 61.267906] RIP: 0033:0x7fd65445e174
<4>[ 61.269545] Code: 15 a9 3c 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 8d c2 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
<4>[ 61.271387] RSP: 002b:00007ffe8b535ed8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
<4>[ 61.273275] RAX: ffffffffffffffda RBX: 00007ffe8b5470e0 RCX: 00007fd65445e174
<4>[ 61.275117] RDX: 0000000000000000 RSI: 00007ffe8b546f90 RDI: 0000000000000003
<4>[ 61.276968] RBP: 00007ffe8b547090 R08: 00007ffe8b535eb4 R09: 00007ffe8b535ee0
<4>[ 61.278897] R10: 00007fd654662ec0 R11: 0000000000000202 R12: 0000000000000001
<4>[ 61.280774] R13: 0000000000011c00 R14: 0000000000000003 R15: 00007ffe8b535ef0
<4>[ 61.282653] </TASK>
<4>[ 61.284505] Modules linked in: nft_log nft_masq nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 cmac bnep nf_tables nfnetlink vfat fat binfmt_misc snd_sof_pci_intel_cnl snd_sof_intel_hda_common snd_soc_hdac_hda soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda_mlink snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_skl snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core snd_soc_core snd_ctl_led iwlmvm snd_compress snd_hda_codec_realtek snd_pcm_dmaengine x86_pkg_temp_thermal ac97_bus snd_hda_codec_generic snd_hda_codec_hdmi uvcvideo intel_powerclamp snd_hda_intel iTCO_wdt snd_intel_dspcfg uvc rapl mac80211 intel_pmc_bxt videobuf2_vmalloc mei_pxp mei_wdt mei_hdcp intel_rapl_msr intel_cstate ee1004 iTCO_vendor_support libarc4 btusb videobuf2_memops snd_intel_sdw_acpi videobuf2_v4l2 processor_thermal_device_pci_legacy btrtl snd_hda_codec
<4>[ 61.284566] videobuf2_common processor_thermal_device btbcm thinkpad_acpi intel_uncore btintel processor_thermal_rfim videodev iwlwifi snd_hda_core thunderbolt processor_thermal_mbox ledtrig_audio efi_pstore mc intel_wmi_thunderbolt wmi_bmof snd_hwdep processor_thermal_rapl mei_me bluetooth platform_profile i2c_i801 intel_rapl_common e1000e ecdh_generic i2c_smbus cfg80211 snd_pcm mei idma64 intel_soc_dts_iosf intel_pch_thermal int3403_thermal rfkill int340x_thermal_zone int3400_thermal acpi_thermal_rel joydev acpi_pad fuse dm_crypt trusted asn1_encoder nvidia_drm(PO) nvidia_modeset(PO) mmc_block nvidia(PO) i915 i2c_algo_bit drm_buddy drm_display_helper drm_kms_helper syscopyarea rtsx_pci_sdmmc cec sysfillrect mmc_core sysimgblt ttm ucsi_acpi crct10dif_pclmul crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 typec_ucsi nvme roles rtsx_pci drm nvme_core typec video wmi pinctrl_cannonlake serio_raw coretemp vhost_net tun tap vhost vhost_iotlb uinput snd_seq snd_timer snd_seq_device snd
<4>[ 61.296399] soundcore kvm_intel kvm irqbypass f2fs crc32_generic crc32_pclmul lz4hc_compress lz4_compress
<4>[ 61.314164] ---[ end trace 0000000000000000 ]---