Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

To: Timo Sigurdsson <public_timo.s@silentcreek.de>
Cc: 1051592@bugs.debian.org
Subject: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 11 Sep 2023 22:52:12 +0200
Message-id: <ZP99/Pz+R9tdtcex@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1051592@bugs.debian.org
In-reply-to: <[🔎] 20230911203156.4CA1E63200C8@dd20004.kasserver.com>
References: <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com> <[🔎] 20230911011518.4A9AA6320354@dd20004.kasserver.com> <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com> <[🔎] ZP8fR0gKpsCTfAaJ@eldamar.lan> <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com> <[🔎] ZP8himWb0eCBfgBG@eldamar.lan> <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com> <[🔎] ZP8kEsjqdWDKSRYv@eldamar.lan> <[🔎] ZP92fkGzD8f3q30a@eldamar.lan> <[🔎] 20230911203156.4CA1E63200C8@dd20004.kasserver.com> <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com>

Hi Timo,

On Mon, Sep 11, 2023 at 10:31:56PM +0200, Timo Sigurdsson wrote:
> Hi Salvatore,
> 
> Salvatore Bonaccorso schrieb am 11.09.2023 22:20 (GMT +02:00):
> 
> > Bisected the issue:
> > 
> > $ git bisect log
> > git bisect start
> > # status: waiting for both good and bad commits
> > # good: [61fd484b2cf6bc8022e8e5ea6f693a9991740ac2] Linux 6.1.38
> > git bisect good 61fd484b2cf6bc8022e8e5ea6f693a9991740ac2
> > # status: waiting for bad commit, 1 good commit known
> > # bad: [1321ab403b38366a4cfb283145bb2c005becb1e5] Linux 6.1.45
> > git bisect bad 1321ab403b38366a4cfb283145bb2c005becb1e5
> > # good: [95d49f79e94d4fa8105c880a266789609f3e791a] ext4: only update
> > i_reserved_data_blocks on successful block allocation
> > git bisect good 95d49f79e94d4fa8105c880a266789609f3e791a
> > # good: [f8b61a2c29fc70f64daad698cf09c1f79a0e39f9] drm/amd/display: Set minimum
> > requirement for using PSR-SU on Rembrandt
> > git bisect good f8b61a2c29fc70f64daad698cf09c1f79a0e39f9
> > # bad: [bd2decac7345134ea0bd3f4b978478ef53367cd8] mptcp: ensure subflow is
> > unhashed before cleaning the backlog
> > git bisect bad bd2decac7345134ea0bd3f4b978478ef53367cd8
> > # bad: [fe3409cd013cfd10d3e6787b49f33a5dda39cffd] RDMA/irdma: Fix op_type
> > reporting in CQEs
> > git bisect bad fe3409cd013cfd10d3e6787b49f33a5dda39cffd
> > # good: [85c38ac62c1372cc1ab05426315aad61025d33ef] atheros: fix return value
> > check in atl1_tso()
> > git bisect good 85c38ac62c1372cc1ab05426315aad61025d33ef
> > # bad: [539cf23cb48835c69cc3d22edff28b92bd82bb18] tipc: stop tipc crypto on
> > failure in tipc_node_create
> > git bisect bad 539cf23cb48835c69cc3d22edff28b92bd82bb18
> > # good: [1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1] x86/traps: Fix
> > load_unaligned_zeropad() handling for shared TDX memory
> > git bisect good 1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1
> > # bad: [7218974aba07ff60c646d5a512b02b871402b03e] mm: suppress mm fault logging
> > if fatal signal already pending
> > git bisect bad 7218974aba07ff60c646d5a512b02b871402b03e
> > # good: [89a4d1a89751a0fbd520e64091873e19cc0979e8] netfilter: nft_set_rbtree:
> > fix overlap expiration walk
> > git bisect good 89a4d1a89751a0fbd520e64091873e19cc0979e8
> > # bad: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables:
> > disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > git bisect bad 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> > # good: [4237462a073e24f71c700f3e5929f07b6ee1bcaa] netfilter: nf_tables: skip
> > immediate deactivate in _PREPARE_ERROR
> > git bisect good 4237462a073e24f71c700f3e5929f07b6ee1bcaa
> > # first bad commit: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter:
> > nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > 
> > $ git bisect visualize
> > commit 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> > Author: Pablo Neira Ayuso <pablo@netfilter.org>
> > Date:   Sun Jul 23 16:41:48 2023 +0200
> > 
> >     netfilter: nf_tables: disallow rule addition to bound chain via
> >     NFTA_RULE_CHAIN_ID
> >     
> >     [ Upstream commit 0ebc1064e4874d5987722a2ddbc18f94aa53b211 ]
> >     
> >     Bail out with EOPNOTSUPP when adding rule to bound chain via
> >     NFTA_RULE_CHAIN_ID. The following warning splat is shown when
> >     adding a rule to a deleted bound chain:
> >     
> >      WARNING: CPU: 2 PID: 13692 at net/netfilter/nf_tables_api.c:2013
> >      nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
> >      CPU: 2 PID: 13692 Comm: chain-bound-rul Not tainted 6.1.39 #1
> >      RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
> >     
> >     Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
> >     Reported-by: Kevin Rich <kevinrich1337@gmail.com>
> >     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> >     Signed-off-by: Florian Westphal <fw@strlen.de>
> >     Signed-off-by: Sasha Levin <sashal@kernel.org>
> 
> Hehe, yes, I was just about to write you the same. My test build
> with this one reverted lets me load the ruleset again.
> 
> Would you like to take this upstream? I was just about to file a
> report in netfilter's bugzilla, but since you also worked on it as
> well, I don't mean to interfere...
> 
> I'll try to further reduce my test ruleset to see what actually
> triggers this.

I'm fine if you report it upstream, as you have the best position for
making further tests further stripped down rulesets. But instread of
bugzilla I think it's best to directly mail Pablo Neira Ayuso
<pablo@netfilter.org>, the people in the Signed-off-by, additionally
the stable list (stable@vger.kernel.org) and the regressions
mailinglist (regressions@lists.linux.dev, cf.
https://www.kernel.org/doc/html/latest/process/handling-regressions.html).

It should be noted:

0ebc1064e487 ("netfilter: nf_tables: disallow rule addition to bound
chain via NFTA_RULE_CHAIN_ID") in 6.5-rc4 was backported to several
stable series, namely in 5.10.190, 5.15.124, 6.1.43, 6.4.8.

While I can reproduce the issue in 5.10.191-1 and 6.1.52-1, I cannot
in 6.4.13-1 or 6.5.2-1 (not yet released in Debian).

Possibly for the older series there is a prerequisite commit missing
which is present in the series where the issue is not triggered.

Can you report it upstream, but keep this bug as well in the loop (or
me directly as well)?

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: "Timo Sigurdsson" <public_timo.s@silentcreek.de>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: "Timo Sigurdsson" <public_timo.s@silentcreek.de>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: "Timo Sigurdsson" <public_timo.s@silentcreek.de>

Prev by Date: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
Next by Date: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
Previous by thread: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
Next by thread: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
Index(es):
- Date
- Thread