[nf] netfilter: xt_cpu: prefer raw_smp_processor_id

With PREEMPT_RCU we get splat:

BUG: using smp_processor_id() in preemptible [..]
caller is cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
CPU: 1 .. Comm: syz.3.1377 #0 PREEMPT(full)
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
 [..]

Similar to 14d14a5d2957 ("netfilter: nft_meta: use raw_smp_processor_id()").

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: syzbot+690d3e3ffa7335ac10eb@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/xt_cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

On 5/19/26 8:34 PM, Florian Westphal wrote:
> With PREEMPT_RCU we get splat:
> 
> BUG: using smp_processor_id() in preemptible [..]
> caller is cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
> CPU: 1 .. Comm: syz.3.1377 #0 PREEMPT(full)
> Call Trace:
>   <TASK>
>   dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
>   check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
>   cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
>   [..]
> 
> Similar to 14d14a5d2957 ("netfilter: nft_meta: use raw_smp_processor_id()").
> 
> Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
> Reported-by: syzbot+690d3e3ffa7335ac10eb@syzkaller.appspotmail.com
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>   net/netfilter/xt_cpu.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/xt_cpu.c b/net/netfilter/xt_cpu.c
> index 3bdc302a0f91..9cb259902a58 100644
> --- a/net/netfilter/xt_cpu.c
> +++ b/net/netfilter/xt_cpu.c
> @@ -34,7 +34,7 @@ static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par)
>   {
>   	const struct xt_cpu_info *info = par->matchinfo;
>   
> -	return (info->cpu == smp_processor_id()) ^ info->invert;
> +	return (info->cpu == raw_smp_processor_id()) ^ info->invert;
>   }
>   
>   static struct xt_match cpu_mt_reg __read_mostly = {


Hi Florian,

I agree with the fix but the same should be needed for xt_NFQUEUE no?

I see I can use the compat layer to configure NFQUEUE target see:

# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		tcp dport 80 counter packets 0 bytes 0 xt target "NFQUEUE"
	}
}

I would suggest this too:

diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 466da23e36ff..b32d153e3a18 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -91,7 +91,7 @@ nfqueue_tg_v3(struct sk_buff *skb, const struct 
xt_action_param *par)

  	if (info->queues_total > 1) {
  		if (info->flags & NFQ_FLAG_CPU_FANOUT) {
-			int cpu = smp_processor_id();
+			int cpu = raw_smp_processor_id();

  			queue = info->queuenum + cpu % info->queues_total;
  		} else {


Thanks,
Fernando.

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> I see I can use the compat layer to configure NFQUEUE target see:
> 
> # Warning: table ip filter is managed by iptables-nft, do not touch!
> table ip filter {
> 	chain FORWARD {
> 		type filter hook forward priority filter; policy accept;
> 		tcp dport 80 counter packets 0 bytes 0 xt target "NFQUEUE"
> 	}

Please send a patch.

On 5/22/26 12:27 PM, Florian Westphal wrote:
> Fernando Fernandez Mancera <fmancera@suse.de> wrote:
>> I see I can use the compat layer to configure NFQUEUE target see:
>>
>> # Warning: table ip filter is managed by iptables-nft, do not touch!
>> table ip filter {
>> 	chain FORWARD {
>> 		type filter hook forward priority filter; policy accept;
>> 		tcp dport 80 counter packets 0 bytes 0 xt target "NFQUEUE"
>> 	}
> 
> Please send a patch.

Sure!

Thanks Florian!