Hello, Starting from Linux 5.0rc5, executing 'iptables-restore' command causes 'refcount_t: increment on 0; use-after-free' warning. Those didn't occur on Linux 5.0rc4 and earlier. Below are two examples: Linux version 5.0.0-rc5 (builduser@chroot) (gcc version 8.2.1 20181127 (GCC)) #1 SMP PREEMPT ... ------------[ cut here ]------------ refcount_t: increment on 0; use-after-free. WARNING: CPU: 3 PID: 685 at lib/refcount.c:153 refcount_inc_checked+0x2e/0x40 Modules linked in: nft_counter arc4 snd_soc_hdac_hda xt_mark snd_hda_ext_core ipt_REJECT nf_reject_ipv4 snd_soc_acpi_intel_match snd_soc_acpi xt_LOG snd_soc_skl_ipc xt_addrtype xt_tcpudp xt_conntrack snd_soc_sst_ipc nf_conntrack nf_defrag_ipv4 libcrc32c nft_compat snd_soc_sst_dsp iwlmvm nf_tables wmi_bmof intel_wmi_thunderbolt snd_soc_core nfnetlink mac80211 snd_hda_codec_hdmi intel_rapl snd_hda_codec_conexant snd_hda_codec_generic nls_iso8859_1 nls_cp437 x86_pkg_temp_thermal vfat fat intel_powerclamp coretemp snd_hda_intel iwlwifi kvm_intel snd_hda_codec snd_hwdep intel_cstate input_leds cfg80211 intel_uncore psmouse snd_hda_core intel_rapl_perf snd_pcm mei_me snd_timer intel_pch_thermal rtsx_pci_ms mei memstick ucsi_acpi typec_ucsi intel_ish_ipc(+) intel_ishtp typec wmi thinkpad_acpi ledtrig_audio nvram snd tpm_crb soundcore rfkill battery ac i2c_hid tpm_tis tpm_tis_core evdev tpm mac_hid rng_core pcc_cpufreq ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel rtsx_pci_sdmmc mmc_core serio_raw atkbd libps2 aesni_intel aes_x86_64 crypto_simd cryptd glue_helper rtsx_pci xhci_pci i8042 serio xhci_hcd i915 intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass CPU: 3 PID: 685 Comm: iptables-restor Tainted: G T 5.0.0-rc5 #1 RIP: 0010:refcount_inc_checked+0x2e/0x40 Code: 48 89 df e8 94 ff ff ff 84 c0 74 02 5b c3 80 3d 8a 82 d2 00 00 75 f5 48 c7 c7 00 d9 e7 bc c6 05 7a 82 d2 00 01 e8 4f 13 ca ff <0f> 0b 5b c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 89 fd 53 RSP: 0000:ffffb57a419ef868 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff97d90a2759d8 RCX: 0000000000000000 RDX: 0000000000000007 RSI: ffffffffbce556d8 RDI: 0000000000000001 RBP: ffffb57a419ef9f0 R08: 0000000000000001 R09: 000000000000033f R10: 0000000000000001 R11: 0000000000000000 R12: ffffb57a419ef8b0 R13: ffff97d91631c440 R14: ffffffffc0ad3140 R15: ffff97d91631c438 FS: 00006e474a014000(0000) GS:ffff97d919580000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000e379fb6000 CR3: 0000000249456002 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __nft_match_init+0x13f/0x1d0 [nft_compat] nf_tables_newrule+0x433/0x840 [nf_tables] nfnetlink_rcv_batch+0x4c6/0x680 [nfnetlink] ? __insert_vmap_area+0x99/0x100 ? _raw_spin_unlock+0x16/0x30 ? __nla_parse+0x37/0x130 ? apparmor_capable+0x48/0xe0 ? nla_parse+0x33/0x40 nfnetlink_rcv+0x108/0x140 [nfnetlink] netlink_unicast+0x17e/0x200 netlink_sendmsg+0x203/0x3c0 sock_sendmsg+0x39/0x50 ___sys_sendmsg+0x2af/0x310 __sys_sendmsg+0x7b/0xd0 do_syscall_64+0x4b/0xd0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x6e474a116fd8 Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 65 0c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55 RSP: 002b:00007e8355822458 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007e8355822470 RCX: 00006e474a116fd8 RDX: 0000000000000000 RSI: 00007e83558234f0 RDI: 0000000000000003 RBP: 00007e8355823b70 R08: 0000000000000004 R09: 0000000000000000 R10: 00007e83558234dc R11: 0000000000000246 R12: 0000025865902150 R13: 00007e8355826440 R14: 00007e8355822460 R15: 00007e8355826478 ---[ end trace 784b04e8ca283d58 ]--- Linux version 5.0.0-rc5 (builduser@chroot) (gcc version 8.2.1 20181127 (GCC)) #1 SMP PREEMPT ... ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 3 PID: 438 at lib/refcount.c:187 refcount_sub_and_test_checked+0x51/0x60 Modules linked in: ccm algif_aead cbc des_generic ecb cmac md4 algif_hash wacom hid_sensor_als hid_sensor_rotation hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger hid_sensor_iio_common industrialio_triggered_buffer kfifo_buf industrialio hid_sensor_hub arc4 intel_ishtp_hid joydev mousedev nf_log_ipv4 nf_log_common nft_counter iwlmvm snd_soc_skl mac80211 snd_soc_hdac_hda snd_hda_ext_core xt_mark ipt_REJECT nf_reject_ipv4 snd_soc_acpi_intel_match xt_LOG xt_addrtype xt_tcpudp snd_soc_acpi xt_conntrack snd_soc_skl_ipc intel_rapl nf_conntrack snd_soc_sst_ipc x86_pkg_temp_thermal snd_soc_sst_dsp nf_defrag_ipv4 iwlwifi intel_powerclamp libcrc32c coretemp wmi_bmof nft_compat snd_soc_core intel_wmi_thunderbolt nf_tables snd_hda_codec_hdmi nfnetlink snd_hda_codec_conexant kvm_intel snd_hda_codec_generic snd_hda_intel nls_iso8859_1 nls_cp437 vfat fat intel_cstate snd_hda_codec intel_uncore snd_hwdep intel_rapl_perf cfg80211 snd_hda_core psmouse input_leds snd_pcm mei_me snd_timer rtsx_pci_ms mei memstick intel_pch_thermal intel_ish_ipc intel_ishtp thinkpad_acpi ucsi_acpi typec_ucsi typec wmi ledtrig_audio nvram snd soundcore tpm_crb rfkill ac battery i2c_hid tpm_tis tpm_tis_core tpm evdev rng_core mac_hid pcc_cpufreq ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel rtsx_pci_sdmmc mmc_core serio_raw atkbd libps2 aesni_intel aes_x86_64 crypto_simd cryptd glue_helper rtsx_pci xhci_pci i8042 serio xhci_hcd i915 intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass CPU: 3 PID: 438 Comm: kworker/3:2 Tainted: G W T 5.0.0-rc5 #1 Workqueue: events nf_tables_trans_destroy_work [nf_tables] RIP: 0010:refcount_sub_and_test_checked+0x51/0x60 Code: 0f 94 c0 c3 83 f8 ff 75 de 31 c0 5b 5d c3 80 3d 26 82 d2 00 00 75 f2 48 c7 c7 30 d9 e7 ba c6 05 16 82 d2 00 01 e8 ec 12 ca ff <0f> 0b 31 c0 eb db 66 0f 1f 84 00 00 00 00 00 53 48 89 fb 48 89 de RSP: 0018:ffffb6f8c1203da8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff949f94ac7848 RCX: 0000000000000000 RDX: 0000000000000007 RSI: ffffffffbae556d8 RDI: 0000000000000001 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000384 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002 R13: ffff949f924b2338 R14: ffffffffbb0e2d40 R15: ffffffffc0e51088 FS: 0000000000000000(0000) GS:ffff949f99580000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00006c539182f990 CR3: 000000003d00c003 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __nft_match_destroy.isra.6+0x75/0xc0 [nft_compat] nf_tables_expr_destroy+0x24/0x40 [nf_tables] nf_tables_rule_destroy+0x54/0x80 [nf_tables] nf_tables_trans_destroy_work+0x1db/0x200 [nf_tables] process_one_work+0x19b/0x3c0 ? process_one_work+0x3c0/0x3c0 worker_thread+0x30/0x380 ? process_one_work+0x3c0/0x3c0 kthread+0x113/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x35/0x40 ---[ end trace 119599d3938fa2c8 ]--- Jordan
