[{"id":3673146,"web_url":"http://patchwork.ozlabs.org/comment/3673146/","msgid":"<ac_EY9ciqt5yQ6wr@strlen.de>","list_archive_url":null,"date":"2026-04-03T13:45:07","subject":"Re: nfnetlink_queue crashes kernel","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Florian Westphal <fw@strlen.de> wrote:\n> A probably better fix is to make the rhashtable perqueue, which is\n> much more intrusive at this late stage.\n\nTentative patch to do this, still misses selftest extensions:\n\ndiff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c\nindex 47f7f62906e2..15c6276f6592 100644\n--- a/net/netfilter/nfnetlink_queue.c\n+++ b/net/netfilter/nfnetlink_queue.c\n@@ -60,29 +60,10 @@\n  */\n #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)\n \n-/* Composite key for packet lookup: (net, queue_num, packet_id) */\n-struct nfqnl_packet_key {\n-\tpossible_net_t net;\n-\tu32 packet_id;\n-\tu16 queue_num;\n-} __aligned(sizeof(u32));  /* jhash2 requires 32-bit alignment */\n-\n-/* Global rhashtable - one for entire system, all netns */\n-static struct rhashtable nfqnl_packet_map __read_mostly;\n-\n-/* Helper to initialize composite key */\n-static inline void nfqnl_init_key(struct nfqnl_packet_key *key,\n-\t\t\t\t  struct net *net, u32 packet_id, u16 queue_num)\n-{\n-\tmemset(key, 0, sizeof(*key));\n-\twrite_pnet(&key->net, net);\n-\tkey->packet_id = packet_id;\n-\tkey->queue_num = queue_num;\n-}\n-\n struct nfqnl_instance {\n \tstruct hlist_node hlist;\t\t/* global list of queues */\n-\tstruct rcu_head rcu;\n+\tstruct rhashtable nfqnl_packet_map;\n+\tstruct rcu_work\trwork;\n \n \tu32 peer_portid;\n \tunsigned int queue_maxlen;\n@@ -106,6 +87,7 @@ struct nfqnl_instance {\n \n typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long);\n \n+static struct workqueue_struct *nfq_cleanup_wq __read_mostly;\n static unsigned int nfnl_queue_net_id __read_mostly;\n \n #define 
INSTANCE_BUCKETS\t16\n@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num)\n \treturn ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS;\n }\n \n-/* Extract composite key from nf_queue_entry for hashing */\n-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed)\n-{\n-\tconst struct nf_queue_entry *entry = data;\n-\tstruct nfqnl_packet_key key;\n-\n-\tnfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num);\n-\n-\treturn jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed);\n-}\n-\n-/* Compare stack-allocated key against entry */\n-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg,\n-\t\t\t\t  const void *obj)\n-{\n-\tconst struct nfqnl_packet_key *key = arg->key;\n-\tconst struct nf_queue_entry *entry = obj;\n-\n-\treturn !net_eq(entry->state.net, read_pnet(&key->net)) ||\n-\t       entry->queue_num != key->queue_num ||\n-\t       entry->id != key->packet_id;\n-}\n-\n static const struct rhashtable_params nfqnl_rhashtable_params = {\n \t.head_offset = offsetof(struct nf_queue_entry, hash_node),\n-\t.key_len = sizeof(struct nfqnl_packet_key),\n-\t.obj_hashfn = nfqnl_packet_obj_hashfn,\n-\t.obj_cmpfn = nfqnl_packet_obj_cmpfn,\n+\t.key_offset = offsetof(struct nf_queue_entry, id),\n+\t.key_len = sizeof(u32),\n \t.automatic_shrinking = true,\n \t.min_size = NFQNL_HASH_MIN,\n \t.max_size = NFQNL_HASH_MAX,\n@@ -190,7 +148,11 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n \tspin_lock_init(&inst->lock);\n \tINIT_LIST_HEAD(&inst->queue_list);\n \n-\tspin_lock(&q->instances_lock);\n+\terr = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params);\n+\tif (err < 0)\n+\t\tgoto out_free;\n+\n+\tspin_lock_bh(&q->instances_lock);\n \tif (instance_lookup(q, queue_num)) {\n \t\terr = -EEXIST;\n \t\tgoto out_unlock;\n@@ -204,12 +166,14 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n \th = instance_hashfn(queue_num);\n 
\thlist_add_head_rcu(&inst->hlist, &q->instance_table[h]);\n \n-\tspin_unlock(&q->instances_lock);\n+\tspin_unlock_bh(&q->instances_lock);\n \n \treturn inst;\n \n out_unlock:\n-\tspin_unlock(&q->instances_lock);\n+\tspin_unlock_bh(&q->instances_lock);\n+\trhashtable_destroy(&inst->nfqnl_packet_map);\n+out_free:\n \tkfree(inst);\n \treturn ERR_PTR(err);\n }\n@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,\n \t\t\tunsigned long data);\n \n-static void\n-instance_destroy_rcu(struct rcu_head *head)\n+static void instance_destroy_work(struct work_struct *work)\n {\n-\tstruct nfqnl_instance *inst = container_of(head, struct nfqnl_instance,\n-\t\t\t\t\t\t   rcu);\n+\tstruct nfqnl_instance *inst;\n \n+\tinst = container_of(to_rcu_work(work), struct nfqnl_instance,\n+\t\t\t    rwork);\n \trcu_read_lock();\n \tnfqnl_flush(inst, NULL, 0);\n \trcu_read_unlock();\n+\n+\trhashtable_destroy(&inst->nfqnl_packet_map);\n+\n \tkfree(inst);\n \tmodule_put(THIS_MODULE);\n }\n@@ -234,7 +201,9 @@ static void\n __instance_destroy(struct nfqnl_instance *inst)\n {\n \thlist_del_rcu(&inst->hlist);\n-\tcall_rcu(&inst->rcu, instance_destroy_rcu);\n+\n+\tINIT_RCU_WORK(&inst->rwork, instance_destroy_work);\n+\tqueue_rcu_work(nfq_cleanup_wq, &inst->rwork);\n }\n \n static void\n@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)\n {\n \tint err;\n \n-\tentry->queue_num = queue->queue_num;\n-\n-\terr = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node,\n+\terr = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node,\n \t\t\t\t     nfqnl_rhashtable_params);\n \tif (unlikely(err))\n \t\treturn err;\n@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)\n static void\n __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)\n 
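Review bot: instance_destroy_work() and the switch to queue_rcu_work() in __instance_destroy() have no comment saying why teardown moved from an RCU callback to a workqueue. rhashtable_destroy() takes a mutex and cancels the table's deferred resize work, so it has to run in process context; a one-line comment above the call would keep a later cleanup from folding it back into call_rcu(): `/* rhashtable_destroy() can sleep: run after the grace period, from process context */`. The new `nfqnl_packet_map` member should also say that it is keyed by packet id only and that insert, lookup and remove are expected to run under the instance `lock`. find_dequeue_entry() shows this for lookups, but the callers of __enqueue_entry() and __dequeue_entry() are outside these hunks, so that part needs confirming.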
{\n-\trhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node,\n+\trhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node,\n \t\t\t       nfqnl_rhashtable_params);\n \tlist_del(&entry->list);\n \tqueue->queue_total--;\n }\n \n static struct nf_queue_entry *\n-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id,\n-\t\t   struct net *net)\n+find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)\n {\n-\tstruct nfqnl_packet_key key;\n \tstruct nf_queue_entry *entry;\n \n-\tnfqnl_init_key(&key, net, id, queue->queue_num);\n-\n \tspin_lock_bh(&queue->lock);\n-\tentry = rhashtable_lookup_fast(&nfqnl_packet_map, &key,\n+\tentry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id,\n \t\t\t\t       nfqnl_rhashtable_params);\n \n \tif (entry)\n@@ -1531,7 +1494,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,\n \n \tverdict = ntohl(vhdr->verdict);\n \n-\tentry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net);\n+\tentry = find_dequeue_entry(queue, ntohl(vhdr->id));\n \tif (entry == NULL)\n \t\treturn -ENOENT;\n \n@@ -1880,40 +1843,38 @@ static int __init nfnetlink_queue_init(void)\n {\n \tint status;\n \n-\tstatus = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params);\n-\tif (status < 0)\n-\t\treturn status;\n+\tnfq_cleanup_wq = alloc_ordered_workqueue(\"nfq_workqueue\", 0);\n+\tif (!nfq_cleanup_wq)\n+\t\treturn -ENOMEM;\n \n \tstatus = register_pernet_subsys(&nfnl_queue_net_ops);\n-\tif (status < 0) {\n-\t\tpr_err(\"failed to register pernet ops\\n\");\n-\t\tgoto cleanup_rhashtable;\n-\t}\n+\tif (status < 0)\n+\t\tgoto cleanup_pernet_subsys;\n \n-\tnetlink_register_notifier(&nfqnl_rtnl_notifier);\n-\tstatus = nfnetlink_subsys_register(&nfqnl_subsys);\n-\tif (status < 0) {\n-\t\tpr_err(\"failed to create netlink socket\\n\");\n-\t\tgoto cleanup_netlink_notifier;\n-\t}\n+\tstatus = netlink_register_notifier(&nfqnl_rtnl_notifier);\n+\tif (status < 0)\n+\t       goto 
cleanup_rtnl_notifier;\n \n \tstatus = register_netdevice_notifier(&nfqnl_dev_notifier);\n-\tif (status < 0) {\n-\t\tpr_err(\"failed to register netdevice notifier\\n\");\n-\t\tgoto cleanup_netlink_subsys;\n-\t}\n+\tif (status < 0)\n+\t\tgoto cleanup_dev_notifier;\n+\n+\tstatus = nfnetlink_subsys_register(&nfqnl_subsys);\n+\tif (status < 0)\n+\t\tgoto cleanup_nfqnl_subsys;\n \n \tnf_register_queue_handler(&nfqh);\n \n \treturn status;\n \n-cleanup_netlink_subsys:\n-\tnfnetlink_subsys_unregister(&nfqnl_subsys);\n-cleanup_netlink_notifier:\n+cleanup_nfqnl_subsys:\n+\tnetlink_unregister_notifier(&nfqnl_dev_notifier);\n+cleanup_dev_notifier:\n \tnetlink_unregister_notifier(&nfqnl_rtnl_notifier);\n+cleanup_rtnl_notifier:\n \tunregister_pernet_subsys(&nfnl_queue_net_ops);\n-cleanup_rhashtable:\n-\trhashtable_destroy(&nfqnl_packet_map);\n+cleanup_pernet_subsys:\n+\tdestroy_workqueue(nfq_cleanup_wq);\n \treturn status;\n }\n \n@@ -1924,9 +1885,7 @@ static void __exit nfnetlink_queue_fini(void)\n \tnfnetlink_subsys_unregister(&nfqnl_subsys);\n \tnetlink_unregister_notifier(&nfqnl_rtnl_notifier);\n \tunregister_pernet_subsys(&nfnl_queue_net_ops);\n-\n-\trhashtable_destroy(&nfqnl_packet_map);\n-\n+\tdestroy_workqueue(nfq_cleanup_wq);\n \trcu_barrier(); /* Wait for completion of call_rcu()'s */\n }","headers":{"Return-Path":"\n <netfilter-devel+bounces-11601-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11601-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) 
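Review bot: In nfnetlink_queue_fini() the workqueue is destroyed before rcu_barrier(), but queue_rcu_work() only puts the work on the queue once its grace period has ended, so destroy_workqueue() cannot drain an instance teardown that is still waiting in RCU. The module reference dropped at the end of instance_destroy_work() presumably guarantees that no such teardown is pending when the exit handler runs; either state that in a comment or call rcu_barrier() first, so the order is safe without relying on it. The trailing comment on rcu_barrier() still refers to call_rcu() users, which this patch removes for instances. The reordered form would be `rcu_barrier(); /* pending queue_rcu_work() grace periods */` followed by `destroy_workqueue(nfq_cleanup_wq);`. The start of the function is outside the hunk.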
header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnKky72KNz1yCt\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 00:46:34 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 07E83303FAEC\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  3 Apr 2026 13:45:13 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 9B8F824BD03;\n\tFri,  3 Apr 2026 13:45:12 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4B62B2DF15C\n\tfor <netfilter-devel@vger.kernel.org>; Fri,  3 Apr 2026 13:45:10 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid CF38860913; Fri, 03 Apr 2026 15:45:07 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775223912; cv=none;\n b=RsFnT/Ytz1gakYOnaPDOG+mtzjj894lb+Z0tbaIRZV6C/j/nGLPk3t5Fc9FIUcBVNuTaL4tNyM7pjhMJv7asB4G75lfRbMCJPQNRD9Rrs/K5yeBPfGJtQkSp6jJ58gj7NmIwF8I3UlKRT3Z3LGPK1TO2E5JwpdoodjmBb0EgUZ8=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775223912; c=relaxed/simple;\n\tbh=r+V6B06OouK+MmyMblZGORfna2I0Ld0m5iljWm4QJlI=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n 
b=LBHINWJzOG5hnXHh47FEMNDFGu6WOnKoOFZnUsPir6TJweBPtTtg2bJ57x8QYmWkjxjNEayTFiRFNbj6BG4Z0DhAo3hQggivXVBzb3Hr07LyZmzreqyRkBevONsL/wU5sGMPqZSt+RXyX5kcjEMBIWSBck9eouBrrW7CLrws0TI=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Fri, 3 Apr 2026 15:45:07 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Scott Mitchell <scott.k.mitch1@gmail.com>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: nfnetlink_queue crashes kernel","Message-ID":"<ac_EY9ciqt5yQ6wr@strlen.de>","References":"<ac-w6e33txkgTRJj@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<ac-w6e33txkgTRJj@strlen.de>"}},{"id":3673150,"web_url":"http://patchwork.ozlabs.org/comment/3673150/","msgid":"<ac_HuuPNrGxpW7CL@strlen.de>","list_archive_url":null,"date":"2026-04-03T13:59:22","subject":"Re: nfnetlink_queue crashes kernel","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Florian Westphal <fw@strlen.de> wrote:\n> 2) a4400a5b343d (\"netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> GFP_KERNEL_ACCOUNT allocation\") should have updated the spinlock to use the _bh variant, if the queue exists we risk deadlock via softirq recursion.\n\nNope, this one is fine, the instance lock is only taken from process\ncontext, but 1) still stands.","headers":{"Return-Path":"\n 
<netfilter-devel+bounces-11602-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11602-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnL866qJqz1yCt\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 01:04:54 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 2600730B9762\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  3 Apr 2026 14:00:56 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id DD0C13148CF;\n\tFri,  3 Apr 2026 13:59:28 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 18D063AF65B\n\tfor <netfilter-devel@vger.kernel.org>; Fri,  3 Apr 2026 13:59:24 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 1392160913; Fri, 03 Apr 
2026 15:59:23 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775224767; cv=none;\n b=b+zpdhKrjDrirWkHQfb3sHF6kopWAMQZnViFKNEvgq9KM45G5Kty5yUDbIinoi+LFRD+AanZd5obDqKiJSPUYJ+r79VgPv4N7cIAGe+B9jzQ8uKwGz3X9f60bKNZEqZMIpQIHgETgvcCN2kL4xv5HOQe4pdxcGquJ8FbEJwB7ug=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775224767; c=relaxed/simple;\n\tbh=63z81I2FhXg8ObOmxhSpuo9ppjedyhToTSLkmY9KQKI=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=MeSo90VdumexLulHYDHxwLHjE7uclRhxC+Nq8irojfzZNzRmTsUWRZZaeBdraWmQDmniNW/qBJIhp4IjZgzF/fX536QcFZu9SzpcEQtIsZX0Ah3HENjHBMagSu9vKEdYxmEz8fGGaGIRZK5+Uf6ggUZCbQsOnXUrNutpaXOfAHM=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Fri, 3 Apr 2026 15:59:22 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Scott Mitchell <scott.k.mitch1@gmail.com>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: nfnetlink_queue crashes kernel","Message-ID":"<ac_HuuPNrGxpW7CL@strlen.de>","References":"<ac-w6e33txkgTRJj@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<ac-w6e33txkgTRJj@strlen.de>"}},{"id":3673152,"web_url":"http://patchwork.ozlabs.org/comment/3673152/","msgid":"<ac_IheNLTM2crhl3@lemonverbena>","list_archive_url":null,"date":"2026-04-03T14:02:45","subject":"Re: nfnetlink_queue crashes kernel","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira 
Ayuso","email":"pablo@netfilter.org"},"content":"On Fri, Apr 03, 2026 at 02:22:01PM +0200, Florian Westphal wrote:\n> Hello,\n> \n> nfnetlink_queue is currently broken in at least two ways.\n> 1). kernel will crash under pressure because\n>     struct nf_queue_entry is freed via kfree, but parallel\n>     cpu can still observe this while walking the (global) rhashtable.\n> \n> 2) a4400a5b343d (\"netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> GFP_KERNEL_ACCOUNT allocation\") should have updated the spinlock to use the _bh variant, if the queue exists we risk deadlock via softirq recursion.\n> \n> Minimal fix, that I am not a fan of:\n> \n> diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h\n> --- a/include/net/netfilter/nf_queue.h\n> +++ b/include/net/netfilter/nf_queue.h\n> @@ -24,6 +24,7 @@ struct nf_queue_entry {\n>  \tbool\t\t\tnf_ct_is_unconfirmed;\n>  \tu16\t\t\tsize; /* sizeof(entry) + saved route keys */\n>  \tu16\t\t\tqueue_num;\n> +\tstruct rcu_head\t\thead;\n>  \n>  \t/* extra space to store route keys */\n>  };\n> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c\n> index 7f12e56e6e52..385d1fe704ae 100644\n> --- a/net/netfilter/nf_queue.c\n> +++ b/net/netfilter/nf_queue.c\n> @@ -74,7 +74,7 @@ static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)\n>  void nf_queue_entry_free(struct nf_queue_entry *entry)\n>  {\n>  \tnf_queue_entry_release_refs(entry);\n> -\tkfree(entry);\n> +\tkfree_rcu(entry, head);\n>  }\n>  EXPORT_SYMBOL_GPL(nf_queue_entry_free);\n>  \n> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c\n> index 47f7f62906e2..fc44ea4e5128 100644\n> --- a/net/netfilter/nfnetlink_queue.c\n> +++ b/net/netfilter/nfnetlink_queue.c\n> 
@@ -190,7 +190,7 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n>  \tspin_lock_init(&inst->lock);\n>  \tINIT_LIST_HEAD(&inst->queue_list);\n>  \n> -\tspin_lock(&q->instances_lock);\n> +\tspin_lock_bh(&q->instances_lock);\n>  \tif (instance_lookup(q, queue_num)) {\n>  \t\terr = -EEXIST;\n>  \t\tgoto out_unlock;\n> 
@@ -204,7 +204,7 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n>  \th = instance_hashfn(queue_num);\n>  \thlist_add_head_rcu(&inst->hlist, &q->instance_table[h]);\n>  \n> -\tspin_unlock(&q->instances_lock);\n> +\tspin_unlock_bh(&q->instances_lock);\n>  \n>  \treturn inst;\n>  \n> \n> \n> \n> A probably better fix is to make the rhashtable perqueue, which is\n> much more intrusive at this late stage.\n> \n> I prefer to revert both changes and not accept a reworked hashtable\n> until we have an extension to nft_queue.sh selftest.\n\n+1, then take a bit more time to get this right.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11603-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=cD3RJNFl;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11603-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"cD3RJNFl\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnLBW010Pz1yCs\n\tfor 
<incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 01:06:58 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id F22383019381\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  3 Apr 2026 14:02:53 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D120E390208;\n\tFri,  3 Apr 2026 14:02:52 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4B53F3A16A1\n\tfor <netfilter-devel@vger.kernel.org>; Fri,  3 Apr 2026 14:02:50 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 20D0560253;\n\tFri,  3 Apr 2026 16:02:48 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775224972; cv=none;\n b=p34nGGbimR/E2/a4PaynSTjsG4x/nXW5k6DYl7jiC4wPmuHju5evOaNlLeE9tYErbknQ5NWGVDDF+7NvYpGMIlpBpFLb+TvSmkg2YiSijnjvfW0QaUlIblh0H9poRHxBVGC+79rLxOP5z4NcP/6T+cGdb/8+dnYKg12B91fUBtg=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775224972; c=relaxed/simple;\n\tbh=Vn/Ft5V/Ag9AZC/Vhc+z2Q8am5/l7wN+gS54LfRTZtc=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=nRDFNgyQO7yS2G9tDvkstgfGvOVhadzs3nKLgBEff4FzgDEdVPBn8IOLGudggGtu6x7wem3PR3TzAENhGi8OX9LXGrXiCZkVy2hwtHgbtuPllYj+84dktk7HoN0TKmv9QXjXPa5B4+39K0hXwI+RFxGf6JtF8ZoewKlXZFfYlec=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=cD3RJNFl; arc=none 
smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1775224968;\n\tbh=M40QkbEubt89bq6MU9/OJ7e7aB2WkoaDnEG7eVT5cDk=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=cD3RJNFlyaQBs1M4UIG/vxABNdq8dMtJvkwSgbJfarfpRG+QBq/959gbyKUwvllW7\n\t Nu/unH7YcC/tL+JBl5ifyzBGvB82Yo4M2/jKbnOXaCT7uxHPt1FSYIrHwDGOxwN70h\n\t N/oDHT9xjZj72EVKxUEXSLA1E9Le+k5Uvlxj14wxZm9yBri7JkABuKeDSHmG/Fq4SJ\n\t gsurUjj33upRjkhpYkZY9to1iZcXJYHtGgerCfuHbTsEUXOf3yb7z3IjdTnhsQ+Iah\n\t TzeICtLT9soUcyfISTwQi0IVZ8xO7IamH0uFtEw11LcTbkXY+a52GAMJ79yCGc7WZ0\n\t WDL/Dqa/O2vrg==","Date":"Fri, 3 Apr 2026 16:02:45 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"Scott Mitchell <scott.k.mitch1@gmail.com>,\n\tnetfilter-devel@vger.kernel.org","Subject":"Re: nfnetlink_queue crashes kernel","Message-ID":"<ac_IheNLTM2crhl3@lemonverbena>","References":"<ac-w6e33txkgTRJj@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<ac-w6e33txkgTRJj@strlen.de>"}},{"id":3673190,"web_url":"http://patchwork.ozlabs.org/comment/3673190/","msgid":"<CAFn2buDAPLPjS5fXejDiuY5pV1rduMes2Ho=sSYmFVMVmh5xAw@mail.gmail.com>","list_archive_url":null,"date":"2026-04-03T15:55:27","subject":"Re: nfnetlink_queue crashes kernel","submitter":{"id":92081,"url":"http://patchwork.ozlabs.org/api/people/92081/","name":"Scott Mitchell","email":"scott.k.mitch1@gmail.com"},"content":"> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c\n> index 47f7f62906e2..15c6276f6592 100644\n> --- a/net/netfilter/nfnetlink_queue.c\n> +++ b/net/netfilter/nfnetlink_queue.c\n> 
@@ -60,29 +60,10 @@\n>   */\n>  #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)\n\nNFQNL_HASH_MIN (1024) and NFQNL_HASH_MAX(1048576) were set when the\ntable was global, but if table is moved to per queue it can likely be\nreduced. Suggested values:\n\n#define NFQNL_HASH_MIN 8\n#define NFQNL_HASH_MAX 32768\n\n>\n> -cleanup_netlink_subsys:\n> -       nfnetlink_subsys_unregister(&nfqnl_subsys);\n> -cleanup_netlink_notifier:\n> +cleanup_nfqnl_subsys:\n> +       netlink_unregister_notifier(&nfqnl_dev_notifier);\n\nShould `netlink_unregister_notifier(&nfqnl_dev_notifier);` be\n'unregister_netdevice_notifier(&nfqnl_dev_notifier);' ?\n\n> +cleanup_dev_notifier:\n>         netlink_unregister_notifier(&nfqnl_rtnl_notifier);\n> +cleanup_rtnl_notifier:\n>         unregister_pernet_subsys(&nfnl_queue_net_ops);\n> -cleanup_rhashtable:\n> -       rhashtable_destroy(&nfqnl_packet_map);\n> +cleanup_pernet_subsys:\n> +       destroy_workqueue(nfq_cleanup_wq);\n>         return status;\n>  }","headers":{"Return-Path":"\n <netfilter-devel+bounces-11612-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=F11tEcvP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11612-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"F11tEcvP\"","smtp.subspace.kernel.org;\n arc=pass smtp.client-ip=209.85.222.45","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) 
header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnNfc4mXWz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 02:58:00 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 8378D303F7F1\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  3 Apr 2026 15:55:42 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 53DC33CA4A2;\n\tFri,  3 Apr 2026 15:55:41 +0000 (UTC)","from mail-ua1-f45.google.com (mail-ua1-f45.google.com\n [209.85.222.45])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AD2C3CB2E1\n\tfor <netfilter-devel@vger.kernel.org>; Fri,  3 Apr 2026 15:55:39 +0000 (UTC)","by mail-ua1-f45.google.com with SMTP id\n a1e0cc1a2514c-953b9fd8ebdso1318507241.1\n        for <netfilter-devel@vger.kernel.org>;\n Fri, 03 Apr 2026 08:55:39 -0700 (PDT)"],"ARC-Seal":["i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775231740; cv=pass;\n b=S5Wl3HjQr0ToP5UP3iGJKUMCvNutYrIjkBhdjwCj0VixLZgv+KVfAMw9opXVYLeG5kc3h79pOn5aGjGXS2zh5/3e/a2HIxKnDfSr7fzVBUzgMd+W6UD8bErVgcCKAlgdt3Ys9RIZ1eHHw/gjFE4onl92mmjcvAvgg7g2OiRfWaU=","i=1; a=rsa-sha256; t=1775231738; cv=none;\n        d=google.com; s=arc-20240605;\n        b=FwWXuLy0AGGBIEvtJ68LaiNpx5qgUMqrEvyqYQJbYNOwFliu0jI25PIr9+wb7s61oA\n         OwnOmgGBx24yqc+cPW/yh2pny0WVlEGMs/AJ1XGI6CuqQ26l7JarEL3Uo563Yj20rHgN\n         
AXGiEkt94zTX6xlgzK/k1dvsEstVRa1kap8/19VwDKDkIVzt2tgGg2QoHfXCB5q3yiqU\n         tTmkRC+uccTM3PlXmXNNusUjYrYwvyTvBMaWDrs9unwHbLjPO2P6i07cEjlHwasyrXUQ\n         1obMEZDygxTmKAvROivOshffzQMAPtzOF7qwVJ0o0/prXgY8SrONqY2aqPI9hhZiT6aq\n         D/IA=="],"ARC-Message-Signature":["i=2; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775231740; c=relaxed/simple;\n\tbh=vvWbGlNi6TFlplucfWZOlihteJtMnLTcNCquKtF8bUU=;\n\th=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:\n\t To:Cc:Content-Type;\n b=ngpSK200AfWjiqpKfFvQ+ycCbjHlY5skUtUgBKDbr09frzVZfpjMjmGZOHIx7n0N+FdAR2YxiXn/YS6Mv2FnI/ew4X9XBGqkwH6H3vRwjt6IrZ3Tx0gyQVcxfydo+4qF5Nvly/564yRENLUpoMKVOG+RMVlH+XqLus1/S0a4ZBg=","i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n        h=cc:to:subject:message-id:date:from:in-reply-to:references\n         :mime-version:dkim-signature;\n        bh=bSlULmnrafbTFmkOz05b2qK30GDxC9T/cfATlW/fQBg=;\n        fh=n5dbouMqIJ5MdRme7pWNhtW7d6Cas+P+7EHDjxWUlbg=;\n        b=YTujGcv2KxdCtv6/yvtwyK8O9MgoPcq32ip5aqDT9++dwiGXSuVAMQn8yPkia8K+4D\n         1KkF96ZXBOsQmLsCc5VLedMtu/eGhwjaSU0L34S2kP4cS5UgbI10Gb0qvkNR7v3ARx8Z\n         1kGW2xGwboPZA3WiQ28UzXIbaoYkN5z2pBBr3UY6cvlvkV6nGnYmebzAYDXI95n7XCJV\n         J1RvrW6BF1p2pMNjdhj5JCWNVRBCWstY99JuFaIQ4PQ9eQv9Q/ANRgIgD4+9IrE2elp2\n         bGpajl0gveBaX54jfkxckGkRFBwQEAAq/A2yqEKdHtGDasVU+dp2S5UC2/kmqS++Pm7e\n         beMg==;\n        darn=vger.kernel.org"],"ARC-Authentication-Results":["i=2; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=F11tEcvP; arc=pass smtp.client-ip=209.85.222.45","i=1; mx.google.com; arc=none"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1775231738; x=1775836538;\n darn=vger.kernel.org;\n        h=cc:to:subject:message-id:date:from:in-reply-to:references\n         
:mime-version:from:to:cc:subject:date:message-id:reply-to;\n        bh=bSlULmnrafbTFmkOz05b2qK30GDxC9T/cfATlW/fQBg=;\n        b=F11tEcvPgqKYb4KPaaxtaHz3a+/FG9H+7KF3zMtysUDl+QqDCj8NDdfo7HDVjEQWQD\n         qjWK7b3ASXW4y7mkbFYc2KjDoxGE5JJE8LQz4YMAlTgNdCf741vK8AcMzTlisf+Cq1Ze\n         onMNXEXJTvJP/apFU3SJ4x1CX43iWesyQcXBlJ/oRdqvFtjeMUWjZEuUESQvfQHOYjHc\n         XtHk7425VGN3jbe2a75NNatKsJC2LhrbfybRuz8w2W670txaLoOrlqCTbfRW9++jbFux\n         7rmqCTfR+LzPyVyBp81XLiexTZ3E5aC0oTap28BYYvlIKLDy6KmsXPvpBZTg/yPf9lAd\n         MBDw==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1775231738; x=1775836538;\n        h=cc:to:subject:message-id:date:from:in-reply-to:references\n         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=bSlULmnrafbTFmkOz05b2qK30GDxC9T/cfATlW/fQBg=;\n        b=htcmbxBuIRohSzFpxcbysV52ryugoLZn8LHmVGAdDHEJaBh8JyDaYpQ0T8Flr2aQp/\n         xbo1u7pCAHAHknufd0qrfdcVbEbHLBCBn5Os3xg1lCgr4BSvw9Y+w9bHgY+4pUNAY+EC\n         tfRLr8mrTAcnOse3Am+Dc6fDS1g0LfqZt8Jjbs+MFBDEsIGOEvs90TcDMJ6OmQ+fMdNn\n         KJZ2O0parhzBo1w748pse2PVczEjnr3YAtApLvTWhBH9dLKiDDi/bdBMwW6n6SDenm7w\n         zHICjjpphRQK3l2ou8azvtWN401z9BJe3NGmMBp/ManAC5zrCNbReixgaii7JWvrapaC\n         68yQ==","X-Gm-Message-State":"AOJu0Yzt4uENw6oHP8Wnqbq3X/FzNWUGSXzB/B69alsAyZ226cuWec7B\n\tZ/R4wRYs8GaB2hM2EJys6vcO/ABg3ubdlwGh3t2ZAEdGc0TAJCSYawbbEM82kNN7dHTlKQvHVg8\n\t/kEwk8e6inIRS9aM9c3wYN9e71fRRvQij/XP7","X-Gm-Gg":"AeBDietib4ck44MwfJ7KRwtt72KVhoruvvHRmwTy0kD0nYv+QEAvVbZMnL5FY9dr3dN\n\t1E6SS0NlkK+zS2XpV7NT7NrOLmbBg0CXKkO0jx+sVfM2EC1nDOkvNykzKG/+9tB1gl2SP/LdR0j\n\tUh31S3bOz979eQxLCeoRiZ9GR5uUwznRAWO9gK5WB7BZrdo5wPTpwakiLjOILdDWnWd/dp1R7Yk\n\tlFi5zwlQUz0PZ94rhmt6pzFxb011Vuxjs0/8Gfu0E1MfKPtZ3NLuHlZoUS/vesIyWB9Vy9z3vK2\n\ttPWqHqE=","X-Received":"by 2002:a05:6102:358d:b0:5ff:be25:894a with SMTP id\n ada2fe7eead31-605a5139644mr1403489137.32.1775231738311; Fri, 03 Apr 2026\n 08:55:38 -0700 
(PDT)","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<ac-w6e33txkgTRJj@strlen.de> <ac_EY9ciqt5yQ6wr@strlen.de>","In-Reply-To":"<ac_EY9ciqt5yQ6wr@strlen.de>","From":"Scott Mitchell <scott.k.mitch1@gmail.com>","Date":"Fri, 3 Apr 2026 08:55:27 -0700","X-Gm-Features":"AQROBzDt5ARLDV79X-KOKclhATQ7c5tLSV8mUTRzkTu_Zfk9b8SQmhf-nx8sbrY","Message-ID":"\n <CAFn2buDAPLPjS5fXejDiuY5pV1rduMes2Ho=sSYmFVMVmh5xAw@mail.gmail.com>","Subject":"Re: nfnetlink_queue crashes kernel","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org","Content-Type":"text/plain; charset=\"UTF-8\""}},{"id":3673267,"web_url":"http://patchwork.ozlabs.org/comment/3673267/","msgid":"<adARe9HW3emmdj6q@strlen.de>","list_archive_url":null,"date":"2026-04-03T19:14:03","subject":"Re: nfnetlink_queue crashes kernel","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Scott Mitchell <scott.k.mitch1@gmail.com> wrote:\n> > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c\n> > index 47f7f62906e2..15c6276f6592 100644\n> > --- a/net/netfilter/nfnetlink_queue.c\n> > +++ b/net/netfilter/nfnetlink_queue.c\n> 
> @@ -60,29 +60,10 @@\n> >   */\n> >  #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)\n> \n> NFQNL_HASH_MIN (1024) and NFQNL_HASH_MAX(1048576) were set when the\n> table was global, but if table is moved to per queue it can likely be\n> reduced. Suggested values:\n> \n> #define NFQNL_HASH_MIN 8\n> #define NFQNL_HASH_MAX 32768\n\nChanged, thanks.\n\n> Should `netlink_unregister_notifier(&nfqnl_dev_notifier);` be\n> 'unregister_netdevice_notifier(&nfqnl_dev_notifier);' ?\n\nYes, thanks.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11614-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11614-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnT20587kz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 06:15:04 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 9F7E0301584A\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  3 Apr 2026 19:14:10 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby 
smtp.subspace.kernel.org (Postfix) with ESMTP id 60A2A2EDD62;\n\tFri,  3 Apr 2026 19:14:08 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 197B033E34B\n\tfor <netfilter-devel@vger.kernel.org>; Fri,  3 Apr 2026 19:14:05 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 84E5F60913; Fri, 03 Apr 2026 21:14:03 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775243648; cv=none;\n b=YqJUG91pj2mhjhR1Cww3KKJI4XnUcsU1hARE2LpXQ8tmH+iLGQBxm1R2Qiy+SusfeqLvd5T+b9kx77KgUHALEaV+5e70naKP8bS9ayZ7t8Jfj+2jO1D3kPEQ2ImgPRC3VlAQUem627po/1w/r2EPqBZsCEoQhAIIxx27d8vUh4A=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775243648; c=relaxed/simple;\n\tbh=IXasO1xs/DT2h4F3bBVfO3tOxnJDfDW4U1odhqahIWU=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=TpCkdV9o35rBJisSo6ZziavsAhefNxKA0v3vmi0ed7zoLXJdJvRFoC95w8w3QQhm9uPAzeDKt0yifZY3ZLRSRNS8b8g1ntbk7DPsXOXhaxlHFimg5jLNrUacRqTvbGlQSQO+Rb0IEyzSlmu/aTL1vdNWCX+bzIsXO1ZataFwcis=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Fri, 3 Apr 2026 21:14:03 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Scott Mitchell <scott.k.mitch1@gmail.com>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: nfnetlink_queue crashes kernel","Message-ID":"<adARe9HW3emmdj6q@strlen.de>","References":"<ac-w6e33txkgTRJj@strlen.de>\n <ac_EY9ciqt5yQ6wr@strlen.de>\n 
<CAFn2buDAPLPjS5fXejDiuY5pV1rduMes2Ho=sSYmFVMVmh5xAw@mail.gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"\n <CAFn2buDAPLPjS5fXejDiuY5pV1rduMes2Ho=sSYmFVMVmh5xAw@mail.gmail.com>"}},{"id":3673352,"web_url":"http://patchwork.ozlabs.org/comment/3673352/","msgid":"<b0c495e4-2137-443b-986e-ed0c10251d0c@suse.de>","list_archive_url":null,"date":"2026-04-03T23:57:31","subject":"Re: nfnetlink_queue crashes kernel","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"On 4/3/26 3:45 PM, Florian Westphal wrote:\n> Florian Westphal <fw@strlen.de> wrote:\n>> A probably better fix is to make the rhashtable perqueue, which is\n>> much more intrusive at this late stage.\n> \n> Tentative patch to do this, still misses selftest extensions:\n> \n\nI could help with selftests. I have written a couple already. 
Let me \nprepare some this week and I will send them as proposals on the list.\n\nThanks,\nFernando.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11623-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=DWm/WCfm;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=LyBrtKT4;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=IbilKQbk;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=qKyYdxO6;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11623-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"DWm/WCfm\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"LyBrtKT4\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"IbilKQbk\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"qKyYdxO6\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de","smtp-out2.suse.de;\n\tdkim=pass header.d=suse.de header.s=susede2_rsa header.b=IbilKQbk;\n\tdkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=qKyYdxO6"],"Received":["from sea.lore.kernel.org 
(sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnbJG6nC0z1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 10:57:50 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 9830D303AF2A\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  3 Apr 2026 23:57:45 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id C0CCF3624A7;\n\tFri,  3 Apr 2026 23:57:44 +0000 (UTC)","from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 126751DC198\n\tfor <netfilter-devel@vger.kernel.org>; Fri,  3 Apr 2026 23:57:42 +0000 (UTC)","from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org\n [IPv6:2a07:de40:b281:104:10:150:64:97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out2.suse.de (Postfix) with ESMTPS id 892965BD23;\n\tFri,  3 Apr 2026 23:57:39 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 509B74A0A6;\n\tFri,  3 Apr 2026 23:57:39 +0000 (UTC)","from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid 
Y3SdEPNT0GnObgAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Fri, 03 Apr 2026 23:57:39 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775260664; cv=none;\n b=qDM3hy8JeA9xOPDHUyhxJ5zLPgKHT+OYMxxVJW+TF0KNmelGPLx+6CZHpXgyXDwKeCPw2vw4ijwDUVqZDU9UmEHvcbSDiY4GgqkDh7zju8AKRdFYc/rE1kHHLJpDWv2gHzKJ842ru7PHhj1NTQ/RRm1uZv0vFrWOJJiAHdg+E/Y=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775260664; c=relaxed/simple;\n\tbh=hQZRt6WSgad+U+Pssq0KM4l6zxY4hq+Y/zwvXhp1K4M=;\n\th=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:\n\t In-Reply-To:Content-Type;\n b=k9NbHZVNjfOU1WFYzxTubU+fJ3KvIlZeLIv0PAK4bc6WPVRd4YbMxDxEjzj/Qil4wZsRfTccLbn6njJIr2gOxFF15GuS86VsiCPUM+asie8P5WI5r+SdQcrqDBYhl8bAn64bYgL/KSkE1gVZu7CWjnA1R0YEx2b4I2+08CaxRaE=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=DWm/WCfm;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=LyBrtKT4;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=IbilKQbk;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=qKyYdxO6; arc=none smtp.client-ip=195.135.223.131","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1775260660;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=NnoRqdUzNz0azZfM3b8bxze0ANQ+k8KxBHbyif5QGc4=;\n\tb=DWm/WCfmU2Sl0a8JBoazZ32/EkmZLi1k7GUPtfr2jyK1baB6K6l4xzzm5MUW+ZHuAG3isA\n\twr6VwyJpPTfwSHXJdSbCGGy1UsoUl898nYhGXI54SPJMAWHBHl429KnWjE9MspgkSjuQvm\n\tiWd0O8OTb4h0x5On48iP7rF1OaaAIRw=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; 
t=1775260660;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=NnoRqdUzNz0azZfM3b8bxze0ANQ+k8KxBHbyif5QGc4=;\n\tb=LyBrtKT4Vejik99h7ClA0vh6Livh2N5zDtUP4IrVKLzWbQ0Nghd4AyvKT73kP/sS+kwKcL\n\tv8UkavyTYSIVQ+Dw==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1775260659;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=NnoRqdUzNz0azZfM3b8bxze0ANQ+k8KxBHbyif5QGc4=;\n\tb=IbilKQbkSlGLC5Tv4w909FE7+Ih/LS9E3edJR7kPmHPCwyLAQirUXGXFUrQWydzWKKsLig\n\tPPxsOD/CJRcFf8hXLGIwDdNf8TGRznVJfZCrbvEMUR5y9DELKiOLKKmeH/jh8b0YfrrUJm\n\t0unzGmM93wbaeaAQThrkYIRDOh2+BdA=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1775260659;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=NnoRqdUzNz0azZfM3b8bxze0ANQ+k8KxBHbyif5QGc4=;\n\tb=qKyYdxO6Ej7NYxrF06rEDNc0N5AF8k/Oo0HP+IkOPOnRPvvWADCytrxniUKWRcjXlV1UfM\n\tuMsHML5Oy0ZDPSBg=="],"Message-ID":"<b0c495e4-2137-443b-986e-ed0c10251d0c@suse.de>","Date":"Sat, 4 Apr 2026 01:57:31 +0200","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: nfnetlink_queue crashes kernel","To":"Florian Westphal <fw@strlen.de>, Scott Mitchell 
<scott.k.mitch1@gmail.com>","Cc":"netfilter-devel@vger.kernel.org","References":"<ac-w6e33txkgTRJj@strlen.de> <ac_EY9ciqt5yQ6wr@strlen.de>","Content-Language":"en-US","From":"Fernando Fernandez Mancera <fmancera@suse.de>","In-Reply-To":"<ac_EY9ciqt5yQ6wr@strlen.de>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Spamd-Result":"default: False [-4.51 / 50.00];\n\tBAYES_HAM(-3.00)[99.99%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tR_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tMX_GOOD(-0.01)[];\n\tTAGGED_RCPT(0.00)[];\n\tFREEMAIL_ENVRCPT(0.00)[gmail.com];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tARC_NA(0.00)[];\n\tSPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from];\n\tTO_DN_SOME(0.00)[];\n\tFREEMAIL_TO(0.00)[strlen.de,gmail.com];\n\tMID_RHS_MATCH_FROM(0.00)[];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tFROM_HAS_DN(0.00)[];\n\tRCPT_COUNT_THREE(0.00)[3];\n\tRCVD_TLS_ALL(0.00)[];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:dkim,suse.de:mid,strlen.de:email,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tDKIM_TRACE(0.00)[suse.de:+]","X-Rspamd-Action":"no action","X-Spam-Flag":"NO","X-Spam-Score":"-4.51","X-Spam-Level":"","X-Rspamd-Server":"rspamd1.dmz-prg2.suse.org","X-Rspamd-Queue-Id":"892965BD23"}},{"id":3673414,"web_url":"http://patchwork.ozlabs.org/comment/3673414/","msgid":"<adDccAnxkl4to_ta@strlen.de>","list_archive_url":null,"date":"2026-04-04T09:40:00","subject":"Re: nfnetlink_queue crashes kernel","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Fernando Fernandez Mancera <fmancera@suse.de> wrote:\n> On 4/3/26 3:45 PM, Florian Westphal wrote:\n> > Florian Westphal <fw@strlen.de> 
wrote:\n> > > A probably better fix is to make the rhashtable perqueue, which is\n> > > much more intrusive at this late stage.\n> > \n> > Tentative patch to do this, still misses selftest extensions:\n> > \n> \n> I could help with selftests. I have written a couple already. Let me prepare\n> some this week and I will send them as proposals on the list.\n\nThanks Fernando, much appreciated.\nThis will be hard to trigger, the autoresize means that we'll typically\nnot have two entries per bucket.\n\nWhat might help is to add a mode to nf_queue.c to:\n1. send out-of-order-verdicts\n2. send *bogus* verdicts that are expected to\n   fail w. -ENOENT.\n\nI had a go at adding a stress test but its not\ntriggering for me even if i run it for 10m.\n\nI'm attaching what I had:\n\nselftests: nft_queue.sh: add a parallel stress test\n\nXXX: Not complete, should extend nf_queue.c to allow\nOOO verdicts + bogus verdicts to increase likelyhood of\naccessing already-freed objects in the hash table.\n\nSigned-off-by: Florian Westphal <fw@strlen.de>\n\ndiff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh\nindex ea766bdc5d04..c05f2e5fef0b 100755\n--- a/tools/testing/selftests/net/netfilter/nft_queue.sh\n+++ b/tools/testing/selftests/net/netfilter/nft_queue.sh\n@@ -11,6 +11,7 @@ ret=0\n timeout=5\n \n SCTP_TEST_TIMEOUT=60\n+STRESS_TEST_TIMEOUT=300\n \n cleanup()\n {\n@@ -719,6 +720,64 @@ EOF\n \tfi\n }\n \n+check_tainted()\n+{\n+\tlocal msg=\"$1\"\n+\n+\tif [ \"$tainted_then\" -ne 0 ];then\n+\t\treturn\n+\tfi\n+\n+\tread tainted_now < /proc/sys/kernel/tainted\n+\tif [ \"$tainted_now\" -eq 0 ];then\n+\t\techo \"PASS: $msg\"\n+\telse\n+\t\techo \"TAINT: $msg\"\n+\t\tdmesg\n+\t\tret=1\n+\tfi\n+}\n+\n+test_queue_stress()\n+{\n+\tread tainted_then < /proc/sys/kernel/tainted\n+\tlocal i\n+\n+        ip netns exec \"$nsrouter\" nft -f /dev/stdin <<EOF\n+flush ruleset\n+table inet t {\n+\tchain forward {\n+\t\ttype filter hook 
forward priority 0; policy accept;\n+\n+\t\tqueue flags bypass to numgen random mod 8\n+\t}\n+}\n+EOF\n+\ttimeout \"$STRESS_TEST_TIMEOUT\" ip netns exec \"$ns2\" socat -u UDP-LISTEN:12345,fork,pf=ipv4 STDOUT > /dev/null &\n+\ttimeout \"$STRESS_TEST_TIMEOUT\" ip netns exec \"$ns3\" socat -u UDP-LISTEN:12345,fork,pf=ipv4 STDOUT > /dev/null &\n+\n+\tfor i in $(seq 0 7); do\n+\t\tip netns exec \"$nsrouter\" timeout \"$STRESS_TEST_TIMEOUT\" ./nf_queue -q $i -t 2 > /dev/null &\n+\tdone\n+\n+\tip netns exec \"$ns1\" timeout \"$STRESS_TEST_IMEOUT\" ping -q -f 10.0.2.99 > /dev/null 2>&1 &\n+\tip netns exec \"$ns1\" timeout \"$STRESS_TEST_TIMEOUT\" ping -q -f 10.0.3.99 > /dev/null 2>&1 &\n+\tip netns exec \"$ns1\" timeout \"$STRESS_TEST_TIMEOUT\" ping -q -f \"dead:2::99\" > /dev/null 2>&1 &\n+\tip netns exec \"$ns1\" timeout \"$STRESS_TEST_TIMEOUT\" ping -q -f \"dead:3::99\" > /dev/null 2>&1 &\n+\n+\tbusywait \"$BUSYWAIT_TIMEOUT\" udp_listener_ready \"$ns2\" 12345\n+\tbusywait \"$BUSYWAIT_TIMEOUT\" udp_listener_ready \"$ns3\" 12345\n+\n+\tfor i in $(seq 1 4);do\n+\t\tip netns exec \"$ns1\" timeout \"$STRESS_TEST_TIMEOUT\" socat -u STDIN UDP-DATAGRAM:10.0.2.99:12345 < /dev/zero > /dev/null &\n+\t\tip netns exec \"$ns1\" timeout \"$STRESS_TEST_TIMEOUT\" socat -u STDIN UDP-DATAGRAM:10.0.3.99:12345 < /dev/zero > /dev/null &\n+\tdone\n+\n+\twait\n+\n+\tcheck_tainted \"concurrent queueing\"\n+}\n+\n test_queue_removal()\n {\n \tread tainted_then < /proc/sys/kernel/tainted\n@@ -742,18 +801,7 @@ EOF\n \n \tip netns exec \"$ns1\" nft flush ruleset\n \n-\tif [ \"$tainted_then\" -ne 0 ];then\n-\t\treturn\n-\tfi\n-\n-\tread tainted_now < /proc/sys/kernel/tainted\n-\tif [ \"$tainted_now\" -eq 0 ];then\n-\t\techo \"PASS: queue program exiting while packets queued\"\n-\telse\n-\t\techo \"TAINT: queue program exiting while packets queued\"\n-\t\tdmesg\n-\t\tret=1\n-\tfi\n+\tcheck_tainted \"queue program exiting while packets queued\"\n }\n \n ip netns exec \"$nsrouter\" sysctl 
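Review bot: The first flood ping in test_queue_stress passes `$STRESS_TEST_IMEOUT` to `timeout`, a variable that is never set (the one defined at the top of the script is `STRESS_TEST_TIMEOUT`), so it expands to an empty duration. `timeout` should reject that and exit without starting ping, and because stdout and stderr go to /dev/null the failure is silent: the IPv4 flood towards 10.0.2.99 never runs, and the test still prints PASS as long as the kernel stays untainted. Replace it with `$STRESS_TEST_TIMEOUT` so the load meant to provoke access to already-freed hash-table entries actually covers that path. Separately, check_tainted returns without printing anything when the kernel was already tainted before the run, so a skipped check cannot be told apart from one that never ran; an `echo "SKIP: $msg (kernel already tainted)"` before that `return` would make the result explicit.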
net.ipv6.conf.all.forwarding=1 > /dev/null\n@@ -799,6 +847,7 @@ test_sctp_forward\n test_sctp_output\n test_udp_nat_race\n test_udp_gro_ct\n+test_queue_stress\n \n # should be last, adds vrf device in ns1 and changes routes\n test_icmp_vrf","headers":{"Return-Path":"\n <netfilter-devel+bounces-11626-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11626-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnrDc0Nwvz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 20:40:31 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 03857301451C\n\tfor <incoming@patchwork.ozlabs.org>; Sat,  4 Apr 2026 09:40:14 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 1D06738D003;\n\tSat,  4 Apr 2026 09:40:11 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate 
requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 0B3183537EF\n\tfor <netfilter-devel@vger.kernel.org>; Sat,  4 Apr 2026 09:40:08 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 9548260508; Sat, 04 Apr 2026 11:40:06 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775295610; cv=none;\n b=B1geVS/ynjaaWH8g9EtRFabgnuEe+KZW1p79/BFvmKhkv8SNmH0VcyWPTKVZ/a1hHl+g2IIgDB3bw3FjKhGH8qmydiexL2LWMoRPG3P2QYHkDBubS+DB7xSGkx0aiF1ATGuna9f6Ma9WzvC46bSZrxtwaM3JLxfFIf6JTIcFwpU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775295610; c=relaxed/simple;\n\tbh=w1XitjBBnouKais+OpvibSw5CtCyRfJ6XXTfrCt4kdQ=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=mqCxAljGlaSukzVi9wK7AZDvABOybmZiWODxy2qX+njJrNW35J/KV7zbDY7GLbuA6cSkK/yiXu2xMvB42yXpVXI42R1t9/6EbPkG5pvYXYDbOvGI32fKdj1+U56h/i9s64htq7Ta7ssRFJ96zTKjUqmmxYqAp1RUStu2iqZvClU=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Sat, 4 Apr 2026 11:40:00 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Fernando Fernandez Mancera <fmancera@suse.de>","Cc":"Scott Mitchell <scott.k.mitch1@gmail.com>,\n\tnetfilter-devel@vger.kernel.org","Subject":"Re: nfnetlink_queue crashes kernel","Message-ID":"<adDccAnxkl4to_ta@strlen.de>","References":"<ac-w6e33txkgTRJj@strlen.de>\n <ac_EY9ciqt5yQ6wr@strlen.de>\n <b0c495e4-2137-443b-986e-ed0c10251d0c@suse.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; 
charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<b0c495e4-2137-443b-986e-ed0c10251d0c@suse.de>"}}]