[Devel] [PATCH rh7] net: netfilter: clear xt_table on net exit

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jul 6 06:41:23 PDT 2015 

Volodya,

and what about ip6table_nat_net_exit()?
Lost hunk?

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 07/03/2015 02:16 PM, Vladimir Davydov wrote:
> We use net->ipv[46].{ip,ip6,nat_}table* as a mark if the corresponding
> netfilter is enabled for the network namespace - see ipt_do_table ->
> ve_xt_table_forbidden. Therefore we must clear it on module removal,
> when {ipt,ip6t}_unregister_table is called, otherwise if a module gets
> reinserted with a feature disabled, we will still call ipt_do_table for
> it, which will result in a panic, because the table was freed:
> 
>   BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
>   IP: [<ffffffffa032bfae>] ipt_do_table+0xee/0x6f5 [ip_tables]
>   PGD 0
>   Oops: 0000 [#1] SMP
>   CPU: 0 PID: 0 Comm: swapper/0 ve: 0 Tainted: G          I --------------   3.10.0-123.1.2.vz7.5.24 #1 5.24
>   Hardware name: System Manufacturer System Product Name/KFSN4-DRE, BIOS 1008 09/03/2008
>   task: ffffffff818bb620 ti: ffffffff818a8000 task.ti: ffffffff818a8000
>   RIP: 0010:[<ffffffffa032bfae>]  [<ffffffffa032bfae>] ipt_do_table+0xee/0x6f5 [ip_tables]
>   RSP: 0018:ffff88007dc03880  EFLAGS: 00010206
>   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
>   RDX: 0000000000000000 RSI: ffff88007bc60000 RDI: ffff88007c157800
>   RBP: ffff88007dc03998 R08: ffff8800df1d9a80 R09: ffff88007bc60000
>   R10: 0000000000000002 R11: ffff88007c518208 R12: ffff88003691dad0
>   R13: ffff8800df1d9a80 R14: ffff88007bc60000 R15: ffff88007c157800
>   FS:  00007f5e6e4a28c0(0000) GS:ffff88007dc00000(0000) knlGS:00000000f762b6c0
>   CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>   CR2: 0000000000000050 CR3: 0000000036d27000 CR4: 00000000000007f0
>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>   Stack:
>    ffffffff8109a84f ffff88007dc03920 ffffffff81578056 0000000000000046
>    ffff88007cff3e68 ffff88007dc183d8 ffff88007dc183c0 0000000000000000
>    0000000000000003 0000000000000246 ffff88007dc039f8 ffffffffa032c1f7
>   Call Trace:
>    <IRQ>
>    [<ffffffff8109a84f>] ? try_to_wake_up+0x20f/0x360
>    [<ffffffff81578056>] ? ip6_pol_route.isra.46+0x336/0x480
>    [<ffffffffa032c1f7>] ? ipt_do_table+0x337/0x6f5 [ip_tables]
>    [<ffffffffa03771d7>] nf_nat_ipv4_fn+0x1d7/0x320 [iptable_nat]
>    [<ffffffff814fc030>] ? inet_del_offload+0x40/0x40
>    [<ffffffffa037753e>] nf_nat_ipv4_in+0x2e/0x90 [iptable_nat]
>    [<ffffffff814fc030>] ? inet_del_offload+0x40/0x40
>    [<ffffffff814f2fda>] nf_iterate+0xaa/0xc0
>    [<ffffffff814fc030>] ? inet_del_offload+0x40/0x40
>    [<ffffffff814f3074>] nf_hook_slow+0x84/0x140
>    [<ffffffff814fc030>] ? inet_del_offload+0x40/0x40
>    [<ffffffff814fcaa4>] ip_rcv+0x344/0x380
>    [<ffffffff814c2606>] __netif_receive_skb_core+0x676/0x870
>    [<ffffffff814c2818>] __netif_receive_skb+0x18/0x60
>    [<ffffffff814c28a0>] netif_receive_skb+0x40/0xd0
>    [<ffffffffa0013747>] br_handle_frame_finish+0x247/0x400 [bridge]
>    [<ffffffffa0013a75>] br_handle_frame+0x175/0x260 [bridge]
>    [<ffffffff814c2212>] __netif_receive_skb_core+0x282/0x870
>    [<ffffffff81019fc9>] ? read_tsc+0x9/0x20
>    [<ffffffff814c2818>] __netif_receive_skb+0x18/0x60
>    [<ffffffff814c28a0>] netif_receive_skb+0x40/0xd0
>    [<ffffffff814c32f8>] napi_gro_receive+0x58/0x80
>    [<ffffffffa00aab43>] tg3_poll_work+0x943/0xf70 [tg3]
>    [<ffffffffa00aef49>] tg3_poll+0x79/0x3a0 [tg3]
>    [<ffffffff814c2c6a>] net_rx_action+0x15a/0x250
>    [<ffffffff81067777>] __do_softirq+0x117/0x2c0
>    [<ffffffff815dd9dc>] call_softirq+0x1c/0x30
>    [<ffffffff81014ca5>] do_softirq+0x65/0xa0
>    [<ffffffff81067b25>] irq_exit+0x115/0x120
>    [<ffffffff815de158>] do_IRQ+0x58/0xf0
>    [<ffffffff815d352d>] common_interrupt+0x6d/0x6d
>    <EOI>
> 
> https://jira.sw.ru/browse/PSBM-34657
> 
> Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
> ---
>  net/ipv4/netfilter/iptable_filter.c  | 1 +
>  net/ipv4/netfilter/iptable_mangle.c  | 1 +
>  net/ipv4/netfilter/iptable_nat.c     | 1 +
>  net/ipv6/netfilter/ip6table_filter.c | 1 +
>  net/ipv6/netfilter/ip6table_mangle.c | 1 +
>  5 files changed, 5 insertions(+)
> 
> diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
> index 4a9c627d05c9..10c18225c645 100644
> --- a/net/ipv4/netfilter/iptable_filter.c
> +++ b/net/ipv4/netfilter/iptable_filter.c
> @@ -86,6 +86,7 @@ static void __net_exit iptable_filter_net_exit(struct net *net)
>  		return;
>  
>  	ipt_unregister_table(net, net->ipv4.iptable_filter);
> +	net->ipv4.iptable_filter = NULL;
>  
>  	net_ipt_module_clear(net, VE_IP_FILTER);
>  }
> diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
> index be368e23f590..a881a7db2630 100644
> --- a/net/ipv4/netfilter/iptable_mangle.c
> +++ b/net/ipv4/netfilter/iptable_mangle.c
> @@ -123,6 +123,7 @@ static void __net_exit iptable_mangle_net_exit(struct net *net)
>  		return;
>  
>  	ipt_unregister_table(net, net->ipv4.iptable_mangle);
> +	net->ipv4.iptable_mangle = NULL;
>  
>  	net_ipt_module_clear(net, VE_IP_MANGLE);
>  }
> diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
> index f701df6dad50..182c11a1d560 100644
> --- a/net/ipv4/netfilter/iptable_nat.c
> +++ b/net/ipv4/netfilter/iptable_nat.c
> @@ -308,6 +308,7 @@ static void __net_exit iptable_nat_net_exit(struct net *net)
>  		return;
>  
>  	ipt_unregister_table(net, net->ipv4.nat_table);
> +	net->ipv4.nat_table = NULL;
>  
>  	net_ipt_module_clear(net, VE_IP_IPTABLE_NAT);
>  }
> diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
> index ae1198073c48..74afd759d91a 100644
> --- a/net/ipv6/netfilter/ip6table_filter.c
> +++ b/net/ipv6/netfilter/ip6table_filter.c
> @@ -78,6 +78,7 @@ static void __net_exit ip6table_filter_net_exit(struct net *net)
>  		return;
>  
>  	ip6t_unregister_table(net, net->ipv6.ip6table_filter);
> +	net->ipv6.ip6table_filter = NULL;
>  
>  	net_ipt_module_clear(net, VE_IP_FILTER6);
>  }
> diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
> index 631936490897..4bc73b9410ec 100644
> --- a/net/ipv6/netfilter/ip6table_mangle.c
> +++ b/net/ipv6/netfilter/ip6table_mangle.c
> @@ -117,6 +117,7 @@ static void __net_exit ip6table_mangle_net_exit(struct net *net)
>  		return;
>  
>  	ip6t_unregister_table(net, net->ipv6.ip6table_mangle);
> +	net->ipv6.ip6table_mangle = NULL;
>  
>  	net_ipt_module_clear(net, VE_IP_MANGLE6);
>  }
>

More information about the Devel mailing list