Bug 1807811

Summary: iptables-restore Segmentation fault under stress testing
Product: Red Hat Enterprise Linux 8 Reporter: yiche <yiche>
Component: iptablesAssignee: Phil Sutter <psutter>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 8.2CC: anbhat, bbennett, ccoleman, dcbw, iptables-maint-list, jiji, lmiksik, miabbott, psutter, todoleza
Target Milestone: rcKeywords: Regression
Target Release: 8.2Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: iptables-1.8.4-10.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 17:00:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 4 Jianwen Ji 2020-03-02 10:56:56 UTC 
Hi Tomas, please help check with devel if this is worth blocker.
Comment 13 Phil Sutter 2020-03-11 15:09:58 UTC 
Upstream commit to backport:

commit c550c81fd373e5753103d20f7902171f0fa79807
Author: Phil Sutter <phil>
Date:   Fri Feb 28 20:32:13 2020 +0100

    nft: cache: Fix nft_release_cache() under stress
    
    iptables-nft-restore calls nft_action(h, NFT_COMPAT_COMMIT) for each
    COMMIT line in input. When restoring a dump containing multiple large
    tables, chances are nft_rebuild_cache() has to run multiple times.
    
    If the above happens, consecutive table contents are added to __cache[1]
    which nft_rebuild_cache() then frees, so next commit attempt accesses
    invalid memory.
    
    Fix this by making nft_release_cache() (called after each successful
    commit) return things into pre-rebuild state again, but keeping the
    fresh cache copy.
    
    Fixes: f6ad231d698c7 ("nft: keep original cache in case of ERESTART")
    Signed-off-by: Phil Sutter <phil>
Comment 15 Aniket Bhat 2020-03-11 15:18:30 UTC 
@Phil, are the other two stack traces I posted above related?
Comment 22 Phil Sutter 2020-03-11 16:49:58 UTC 
Here's a scratch build including the patch from above, it fixes the segfaults we can reproduce: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=27208911
Does that help? Can you try that one?

As said, the stack traces don't look familiar, but this is also a case of memory corruption.
Comment 23 Dan Williams 2020-03-11 17:10:40 UTC 
*** Bug 1812261 has been marked as a duplicate of this bug. ***
Comment 53 errata-xmlrpc 2020-04-28 17:00:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1889
Comment 54 Red Hat Bugzilla 2023-09-15 00:29:56 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days