This patch fixes a crash while trying to deactivate a table that
contains user chains. You can reproduce it via:
% nft add table table1
% nft add chain table1 chain1
% nft-table-upd ip table1 dormant
[ 253.021026] BUG: unable to handle kernel NULL pointer dereference at
0000000000000030
[ 253.021114] IP: [<
ffffffff8134cebd>] nf_register_hook+0x35/0x6f
[ 253.021167] PGD
30fa5067 PUD
30fa2067 PMD 0
[ 253.021208] Oops: 0000 [#1] SMP
[...]
[ 253.023305] Call Trace:
[ 253.023331] [<
ffffffffa0885020>] nf_tables_newtable+0x11c/0x258 [nf_tables]
[ 253.023385] [<
ffffffffa0878592>] nfnetlink_rcv_msg+0x1f4/0x226 [nfnetlink]
[ 253.023438] [<
ffffffffa0878418>] ? nfnetlink_rcv_msg+0x7a/0x226 [nfnetlink]
[ 253.023491] [<
ffffffffa087839e>] ? nfnetlink_bind+0x45/0x45 [nfnetlink]
[ 253.023542] [<
ffffffff8134b47e>] netlink_rcv_skb+0x3c/0x88
[ 253.023586] [<
ffffffffa0878973>] nfnetlink_rcv+0x3af/0x3e4 [nfnetlink]
[ 253.023638] [<
ffffffff813fb0d4>] ? _raw_read_unlock+0x22/0x34
[ 253.023683] [<
ffffffff8134af17>] netlink_unicast+0xe2/0x161
[ 253.023727] [<
ffffffff8134b29a>] netlink_sendmsg+0x304/0x332
[ 253.023773] [<
ffffffff8130d250>] __sock_sendmsg_nosec+0x25/0x27
[ 253.023820] [<
ffffffff8130fb93>] sock_sendmsg+0x5a/0x7b
[ 253.023861] [<
ffffffff8130d5d5>] ? copy_from_user+0x2a/0x2c
[ 253.023905] [<
ffffffff8131066f>] ? move_addr_to_kernel+0x35/0x60
[ 253.023952] [<
ffffffff813107b3>] SYSC_sendto+0x119/0x15c
[ 253.023995] [<
ffffffff81401107>] ? sysret_check+0x1b/0x56
[ 253.024039] [<
ffffffff8108dc30>] ? trace_hardirqs_on_caller+0x140/0x1db
[ 253.024090] [<
ffffffff8120164e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 253.024141] [<
ffffffff81310caf>] SyS_sendto+0x9/0xb
[ 253.026219] [<
ffffffff814010e2>] system_call_fastpath+0x16/0x1b
Reported-by: Alex Wei <alex.kern.mentor@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
int err, i = 0;
list_for_each_entry(chain, &table->chains, list) {
+ if (!(chain->flags & NFT_BASE_CHAIN))
+ continue;
+
err = nf_register_hook(&nft_base_chain(chain)->ops);
if (err < 0)
goto err;
return 0;
err:
list_for_each_entry(chain, &table->chains, list) {
+ if (!(chain->flags & NFT_BASE_CHAIN))
+ continue;
+
if (i-- <= 0)
break;
{
struct nft_chain *chain;
- list_for_each_entry(chain, &table->chains, list)
- nf_unregister_hook(&nft_base_chain(chain)->ops);
+ list_for_each_entry(chain, &table->chains, list) {
+ if (chain->flags & NFT_BASE_CHAIN)
+ nf_unregister_hook(&nft_base_chain(chain)->ops);
+ }
return 0;
}