On Thu, Jan 16, 2020 at 12:03:01PM +0100, Florian Westphal wrote:
> syzbot reported the following crash:
>
> list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
> [..]
> Call Trace:
>  __list_del_entry include/linux/list.h:131 [inline]
>  list_del_rcu include/linux/rculist.h:148 [inline]
>  nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
> [..]
>
> The commit transaction list has:
>
> NFT_MSG_NEWTABLE
> NFT_MSG_NEWFLOWTABLE
> NFT_MSG_DELFLOWTABLE
> NFT_MSG_DELTABLE
>
> A missing generation check during DELTABLE processing causes it to queue
> the DELFLOWTABLE operation a second time, so we corrupt the list here:
>
>         case NFT_MSG_DELFLOWTABLE:
>                 list_del_rcu(&nft_trans_flowtable(trans)->list);
>                 nf_tables_flowtable_notify(&trans->ctx,
>
> because we have two different DELFLOWTABLE transactions for the same
> flowtable. We then call list_del_rcu() twice for the same flowtable->list.
>
> The object handling seems to suffer from the same bug so add a generation
> check too and only queue delete transactions for flowtables/objects that
> are still active in the next generation.

Applied, thanks.
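To make the failure mode in the quoted description concrete, here is an added, constructed C model of the NEWFLOWTABLE / DELFLOWTABLE / DELTABLE sequence (not kernel code and not Florian's patch): a boolean `active_next` stands in for the genmask check, and `replay()` returns how many flowtables would get `list_del_rcu()` called on them twice at commit time, with and without the generation check during DELTABLE.

```c
#include <stdbool.h>
/* Constructed model of the transaction sequence in the report, not kernel
 * code: a flowtable stays "active in the next generation" until a queued
 * DELFLOWTABLE deactivates it (this stands in for the genmask check). */
struct flowtable {
    bool active_next;   /* models nft_is_active_next() */
    int  list_dels;     /* how often commit removed it from the list */
};

struct table {
    struct flowtable ft;        /* one flowtable is enough to reproduce */
    struct flowtable *trans[8]; /* queued DELFLOWTABLE transactions */
    int ntrans;
};

/* Queue a DELFLOWTABLE for ft and mark it inactive in the next generation. */
static void queue_delflowtable(struct table *t, struct flowtable *ft)
{
    t->trans[t->ntrans++] = ft;
    ft->active_next = false;
}

/* NFT_MSG_DELTABLE walks the table's flowtables. Without the generation
 * check it re-queues a flowtable that already has a pending delete. */
static void deltable(struct table *t, bool check_generation)
{
    if (check_generation && !t->ft.active_next)
        return;             /* already scheduled for deletion: skip it */
    queue_delflowtable(t, &t->ft);
}

/* Commit: each DELFLOWTABLE transaction does one list_del_rcu(). A second
 * one on the same flowtable is the list_del corruption syzbot reported. */
static int commit_double_deletes(struct table *t)
{
    int doubles = 0;
    for (int i = 0; i < t->ntrans; i++)
        if (++t->trans[i]->list_dels == 2)
            doubles++;
    return doubles;
}

/* Replay NEWFLOWTABLE, DELFLOWTABLE, DELTABLE; return double list_del count. */
int replay(bool check_generation)
{
    struct table t = { .ft.active_next = true }; /* NEWFLOWTABLE: active */
    queue_delflowtable(&t, &t.ft);  /* explicit NFT_MSG_DELFLOWTABLE */
    deltable(&t, check_generation); /* NFT_MSG_DELTABLE */
    return commit_double_deletes(&t);
}
```

`replay(false)` yields one double delete (the crash path), `replay(true)` yields none, which is the effect of the generation check the patch adds.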