Re: nf_conncount_destroy bug in rb_erase()

Shawn Bohrer <sbohrer@xxxxxxxxxxxxxx> wrote:
> Hello,
> 
> I've got an easily reproducible bug that I'm seeing on 4.19.11 in the
> conncount code.
> 
> [   65.167660] CPU: 1 PID: 10375 Comm: iptables Not tainted 4.19.11+ #1
> [   65.167661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
> [   65.167665] RIP: 0010:rb_erase+0xae/0x360
> [   65.167666] Code: 4d 89 50 08 4d 85 c9 74 5b 48 83 c8 01 48 89 0a 49 89 01 c3 48 8b 0f 48 89 ca 48 83 e2 fc 48 85 d2 48 89 d0 0f 84 41 02 00 00 <48> 3b 7a 10 0f 84 3f 02 00 00 4c 89 42 08 4d 85 c0 0f 84 1b 02 00
> [   65.167667] RSP: 0018:ffffb5bec0af7d18 EFLAGS: 00010206
> [   65.167669] RAX: 6e3319b62019e1d4 RBX: ffff8ebe30766630 RCX: 6e3319b62019e1d5
> [   65.167669] RDX: 6e3319b62019e1d4 RSI: ffff8ebe38c8e348 RDI: ffff8ebe38dadde0
> [   65.167670] RBP: ffff8ebe38dade00 R08: 0000000000000000 R09: ffffffffc04ef301
> [   65.167671] R10: ffff8ebe38dadde0 R11: 0000000000000001 R12: ffff8ebe38dadde0
> [   65.167672] R13: ffff8ebe38c8e348 R14: ffff8ebe38c8e808 R15: ffff8ebe38c8e000
> [   65.167673] FS:  00007ff81d373700(0000) GS:ffff8ebe3c440000(0000) knlGS:0000000000000000
> [   65.167674] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   65.167677] CR2: 000055968cc0d008 CR3: 0000000138f52002 CR4: 00000000003606e0
> [   65.167678] Call Trace:
> [   65.167689]  nf_conncount_destroy+0x59/0xc0 [nf_conncount]
> [   65.167691]  cleanup_match+0x45/0x70 [ip_tables]
> [   65.167693]  ? next_arg+0x92/0x110
> [   65.167694]  cleanup_entry+0x3e/0xc0 [ip_tables]
> [   65.167696]  __do_replace+0x1a4/0x240 [ip_tables]
> [   65.167697]  do_ipt_set_ctl+0x150/0x1b0 [ip_tables]
> [   65.167700]  nf_setsockopt+0x44/0x70
> [   65.167702]  __sys_setsockopt+0x82/0xe0
> [   65.167703]  __x64_sys_setsockopt+0x20/0x30
> [   65.167704]  do_syscall_64+0x48/0xf0
> [   65.167706]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> I can reproduce this by running a simple webserver.  Then running:
> 
> while true; do
>   sudo /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
>   sleep 1
>   sudo iptables -D INPUT 1
> done
> 
> Then while that loop is running I hit the webserver:
> 
> for i in $(seq 1 100); do
>   curl --silent http://192.168.122.250 >/dev/null
> done

I've tried multiple netperf -t TCP_CC from host-to-vm and vice versa
plus parallel synflood but nothing shows up (not even with KASAN on).

How soon does this trigger?
Could you send me your .config offlist?

Thanks,
Florian
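
Triage helper for the oops signature reported in this thread, added here as an example; it is not code from either poster or from the kernel tree. It parses dmesg-style oops lines (a constructed excerpt of the trace quoted above is embedded) and reports whether the crash is the rb_erase() fault reached from nf_conncount_destroy() during an ip_tables rule replacement, ignoring frames the unwinder marks as unreliable with "?".

```python
import re

# Constructed excerpt of the oops quoted in the bug report above (dmesg format).
SAMPLE_OOPS = """\
[   65.167665] RIP: 0010:rb_erase+0xae/0x360
[   65.167667] RSP: 0018:ffffb5bec0af7d18 EFLAGS: 00010206
[   65.167678] Call Trace:
[   65.167689]  nf_conncount_destroy+0x59/0xc0 [nf_conncount]
[   65.167691]  cleanup_match+0x45/0x70 [ip_tables]
[   65.167693]  ? next_arg+0x92/0x110
[   65.167694]  cleanup_entry+0x3e/0xc0 [ip_tables]
[   65.167696]  __do_replace+0x1a4/0x240 [ip_tables]
[   65.167706]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
"""

# "RIP: 0010:rb_erase+0xae/0x360" -> faulting symbol
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# "[ts]  ? sym+0xoff/0xlen [module]" -> one call-trace frame; "? " marks an unreliable frame
FRAME_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<mod>\w+)\])?$"
)


def parse_oops(text):
    """Return (rip_symbol, frames); each frame is (symbol, module_or_None, reliable)."""
    rip, frames, in_trace = None, [], False
    for line in text.splitlines():
        m = RIP_RE.search(line)
        if m:
            rip = m.group("sym")
            continue
        if "Call Trace:" in line:
            in_trace = True
            continue
        if in_trace:
            f = FRAME_RE.match(line)
            if f:
                frames.append((f.group("sym"), f.group("mod"), f.group("unreliable") is None))
    return rip, frames


def matches_conncount_destroy_crash(text):
    """True when the oops is rb_erase() faulting under nf_conncount_destroy() on rule replacement."""
    rip, frames = parse_oops(text)
    reliable = [sym for sym, _mod, ok in frames if ok]
    return rip == "rb_erase" and "nf_conncount_destroy" in reliable and "__do_replace" in reliable
```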
