
Bug#1059891: linux-image-6.1.0-17-amd64: netfilter (nftables) breaks since bookworm



Hi,

thank you for your answer.

On 1/5/24 20:18, Salvatore Bonaccorso wrote:
Control: tags -1 + moreinfo

On Wed, Jan 03, 2024 at 07:35:23AM +0100, Daniel Haryo Sugondo wrote:
Package: src:linux
Version: 6.1.69-1
Severity: normal

Dear Maintainer,

since Debian 12 (Bookworm), nft with a named set ends with a kernel trace and
nft is stalled (D):
# ps aux
root       82373  0.0  0.0      0     0 ?        D    Jan02   0:00 [nft]

The message looks like:
[ 3566.525419] ------------[ cut here ]------------
[ 3566.525424] kernel BUG at mm/slub.c:419!
[ 3566.529834] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 3566.535474] CPU: 19 PID: 8146 Comm: kworker/19:0 Not tainted 6.1.0-17-amd64 #1  Debian 6.1.69-1
[ 3566.545182] Hardware name:  /0X3D66, BIOS 2.2.2 01/16/2014
[ 3566.551304] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
[ 3566.558609] RIP: 0010:__slab_free+0x118/0x2d0
[ 3566.563474] Code: 74 35 49 8b 06 48 89 4c 24 20 48 c1 e8 36 4c 8b a4 c3 d8 00 00 00 4c 89 e7 e8 74 6a 71 00 48 8b 4c 24 20 48 89 44 24 18 eb 8f <0f> 0b f7 43 08 00 0d 21 00 75 cd eb c6 80 4c 24 53 80 e9 75 ff ff
[ 3566.584431] RSP: 0018:ffffa76066effdb0 EFLAGS: 00010246
[ 3566.590262] RAX: ffff95430ba21930 RBX: ffff952b80043300 RCX: 00000000802a001a
[ 3566.598223] RDX: ffffa76066effdd8 RSI: ffffeed9a22e8840 RDI: ffffa76066effe18
[ 3566.606189] RBP: ffff95430ba21900 R08: 0000000000000001 R09: ffffffffc0d89ecc
[ 3566.614152] R10: 0000000000000013 R11: 0000000000000001 R12: ffffa76066effe50
[ 3566.622114] R13: ffff95430ba21900 R14: ffffeed9a22e8840 R15: ffff95430ba21900
[ 3566.630079] FS:  0000000000000000(0000) GS:ffff955a9fa40000(0000) knlGS:0000000000000000
[ 3566.639107] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3566.645518] CR2: 00007f255e9eb3d8 CR3: 0000002a6d410006 CR4: 00000000001706e0
[ 3566.653479] Call Trace:
[ 3566.656210]  <TASK>
[ 3566.658552]  ? __die_body.cold+0x1a/0x1f
[ 3566.662928]  ? die+0x2a/0x50
[ 3566.666144]  ? do_trap+0xc5/0x110
[ 3566.669848]  ? __slab_free+0x118/0x2d0
[ 3566.674029]  ? do_error_trap+0x6a/0x90
[ 3566.678211]  ? __slab_free+0x118/0x2d0
[ 3566.682393]  ? exc_invalid_op+0x4c/0x60
[ 3566.686676]  ? __slab_free+0x118/0x2d0
[ 3566.690857]  ? asm_exc_invalid_op+0x16/0x20
[ 3566.695529]  ? nf_tables_trans_destroy_work+0x1cc/0x250 [nf_tables]
[ 3566.702532]  ? __slab_free+0x118/0x2d0
[ 3566.706714]  ? obj_cgroup_uncharge_pages+0xd0/0xd0
[ 3566.712066]  nf_tables_trans_destroy_work+0x1cc/0x250 [nf_tables]
[ 3566.718874]  process_one_work+0x1c7/0x380
[ 3566.723351]  worker_thread+0x4d/0x380
[ 3566.727436]  ? rescuer_thread+0x3a0/0x3a0
[ 3566.731908]  kthread+0xda/0x100
[ 3566.735417]  ? kthread_complete_and_exit+0x20/0x20
[ 3566.740763]  ret_from_fork+0x22/0x30
[ 3566.744759]  </TASK>
[ 3566.747195] Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter bridge 8021q garp stp mrp llc overlay bonding tls nft_nat nft_chain_nat nf_nat nft_log qrtr nft_limit nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink_log nfnetlink binfmt_misc intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp nls_ascii nls_cp437 coretemp kvm_intel vfat fat kvm ipmi_ssif irqbypass ghash_clmulni_intel sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel crypto_simd cryptd ipmi_si iTCO_wdt rapl intel_pmc_bxt ipmi_devintf joydev intel_cstate iTCO_vendor_support ipmi_msghandler sg acpi_power_meter watchdog intel_uncore mei_me mei pcspkr evdev parport_pc ppdev lp parport efi_pstore dm_mod fuse loop configfs efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid sr_mod cdrom sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif
[ 3566.747268]  crct10dif_generic mgag200 i2c_algo_bit drm_shmem_helper ahci drm_kms_helper libahci ehci_pci ehci_hcd libata crct10dif_pclmul megaraid_sas drm crct10dif_common crc32_pclmul crc32c_intel usbcore tg3 scsi_mod lpc_ich libphy usb_common scsi_common wmi button
[ 3566.870202] ---[ end trace 0000000000000000 ]---
[ 3566.878075] RIP: 0010:__slab_free+0x118/0x2d0
[ 3566.882954] Code: 74 35 49 8b 06 48 89 4c 24 20 48 c1 e8 36 4c 8b a4 c3 d8 00 00 00 4c 89 e7 e8 74 6a 71 00 48 8b 4c 24 20 48 89 44 24 18 eb 8f <0f> 0b f7 43 08 00 0d 21 00 75 cd eb c6 80 4c 24 53 80 e9 75 ff ff
[ 3566.903925] RSP: 0018:ffffa76066effdb0 EFLAGS: 00010246
[ 3566.909772] RAX: ffff95430ba21930 RBX: ffff952b80043300 RCX: 00000000802a001a
[ 3566.917752] RDX: ffffa76066effdd8 RSI: ffffeed9a22e8840 RDI: ffffa76066effe18
[ 3566.925747] RBP: ffff95430ba21900 R08: 0000000000000001 R09: ffffffffc0d89ecc
[ 3566.933714] R10: 0000000000000013 R11: 0000000000000001 R12: ffffa76066effe50
[ 3566.941694] R13: ffff95430ba21900 R14: ffffeed9a22e8840 R15: ffff95430ba21900
[ 3566.949670] FS:  0000000000000000(0000) GS:ffff955a9fa40000(0000) knlGS:0000000000000000
[ 3566.958717] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3566.965144] CR2: 00007f255e9eb3d8 CR3: 0000002a6d410006 CR4: 00000000001706e0

After this, the host is still running, but without nft, and if I call or
edit nft, then it hangs, so I have to reboot the host.

Please refer to Bug#1053564 too.

Would you be able to bisect the kernel upstream between the last known
which does not trigger the problem and 6.1.69 please? If you
additionally can trim down your ruleset to a minimal reproducer I guess
this would be helpful as well.

The last known version where the nft named set works without problems is Debian 11. It has kernel 5.10.205.
With git bisect, I got:
$ git bisect start v6.1.69 v5.10.205
Bisecting: a merge base must be tested
[2c85ebc57b3e1817b6ce1a6b703928e113a90442] Linux 5.10

Sorry that I can't give you more information, since I do not have any experience with programming. But I hope I can answer your next question better.


About the nftables: the main intent was to get my nftables working with some FQDNs, as the IP address of the host changes dynamically. So I created a shell script that uses "while true" and "dig" as tools to keep the relation between FQDN and IP address up to date. This script pushes the information about that relation to nftables (the nft section and the script for the FQDN are attached). After at most about 5 minutes, the following named set is refreshed and rewritten:

        set fq4-acc-o {
                type ipv4_addr . inet_proto . inet_service
                flags interval,timeout
                timeout 5m15s
                elements = { 143.204.98.3 . tcp . 443 timeout 1m3s expires 58s676ms,
                             194.147.139.20 . tcp . 443 expires 5m10s676ms }
        }
        set fq6-acc-o {
                type ipv6_addr . inet_proto . inet_service
                flags interval,timeout
                timeout 5m15s
                elements = { 2600:9000:2156:2200:e:f4d2:20c0:93a1 . tcp . 443 timeout 1m3s expires 58s676ms,
                             2a07:e480:2::1106 . tcp . 443 expires 5m10s676ms }
        }

Example to fqdn:
$ cat /etc/nftables.d/fqdn/isloc/ao/tcp443
download.docker.com

Regards,
Salvatore

--

Regards,

Daniel

table inet filter {
	set fq4-acc-o {
		type ipv4_addr . inet_proto . inet_service
		flags interval,timeout
		timeout 5m15s
		elements = { 143.204.98.3 . tcp . 443 timeout 1m3s expires 58s676ms,
			     194.147.139.20 . tcp . 443 expires 5m10s676ms }
	}
	set fq6-acc-o {
		type ipv6_addr . inet_proto . inet_service
		flags interval,timeout
		timeout 5m15s
		elements = { 2600:9000:2156:2200:e:f4d2:20c0:93a1 . tcp . 443 timeout 1m3s expires 58s676ms,
			     2a07:e480:2::1106 . tcp . 443 expires 5m10s676ms }
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		ip protocol icmp icmp type { 1-2, source-quench, 6-7, 9-10, 12-13, 15-255 } counter packets 0 bytes 0 drop
		ip6 nexthdr ipv6-icmp icmpv6 type { 0, 5-127, router-renumbering, 144-147, 150, 154-199, 202-255 } counter packets 0 bytes 0 drop
		ct state established,related accept
		ip saddr 0.0.0.0/0 accept
		ip6 saddr ::/0 accept
		drop
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oifname "lo" accept
		ct state established,related accept
		ip protocol icmp counter packets 0 bytes 0 accept
		ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept
		udp dport { 53, 123 } ct state new counter packets 0 bytes 0 accept
		tcp dport 53 ct state new counter packets 0 bytes 0 accept
		jump fq-acc-o
		drop
	}

	chain fq-acc-o {
		ip daddr . meta l4proto . th dport @fq4-acc-o ct state new counter packets 0 bytes 0 accept
		ip6 daddr . meta l4proto . th dport @fq6-acc-o ct state new counter packets 0 bytes 0 accept
	}

}

Attachment: nftfqdn.sh
Description: application/shellscript

Attachment: OpenPGP_0x2EA5BDE197A21C82.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
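As an added example, not the reporter's attached nftfqdn.sh (which is not shown in this thread), here is a POSIX shell sketch of the refresh loop the report describes: resolve an FQDN with dig, validate the answers, and rewrite the two named sets as one atomic nft batch. The table name, the set names and types, and the 5m15s timeout come from the quoted ruleset; the 60 s interval, the RESOLVE_CMD and NFT_CMD override hooks, the download.docker.com example name from the report, and the sample answers used for offline testing are assumptions of this example.

```shell
#!/bin/sh
# Added example: refresh the named nftables sets from DNS answers.
# Not the reporter's script. Table/set names and the 5m15s element
# timeout follow the ruleset quoted in the bug; INTERVAL is assumed.

TABLE="inet filter"
ELEM_TIMEOUT="5m15s"
INTERVAL=60

# resolve_fqdn NAME RRTYPE -> one address per line.
# Uses dig(1) unless RESOLVE_CMD names a substitute (lets an offline
# test inject constructed answers). `dig +short` also prints CNAME
# targets, which end with a dot; those lines are dropped.
resolve_fqdn() {
    if [ -n "${RESOLVE_CMD:-}" ]; then
        $RESOLVE_CMD "$1" "$2"
    else
        dig +short "$1" "$2"
    fi | sed '/\.$/d'
}

# is_ipv4 ADDR: syntactic check (four decimal octets, each 0-255) so a
# malformed or unexpected answer never reaches nft as an element.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # bad chars, leading/trailing/double dot
        *.*.*.*.*) return 1 ;;              # four or more dots
        *.*.*.*) ;;                         # exactly three dots
        *) return 1 ;;
    esac
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        case "$octet" in
            [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# is_ipv6 ADDR: hex digits and colons only, at least two colons.
is_ipv6() {
    case "$1" in
        *[!0-9a-fA-F:]*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_batch SET4 SET6 PROTO PORT ADDR... -> nft batch on stdout.
# Flush and re-add happen in the same transaction when fed to `nft -f -`,
# so the output chain never sees an empty set between the two steps.
build_batch() {
    set4=$1 set6=$2 proto=$3 port=$4
    shift 4
    printf 'flush set %s %s\n' "$TABLE" "$set4"
    printf 'flush set %s %s\n' "$TABLE" "$set6"
    for a in "$@"; do
        if is_ipv4 "$a"; then
            printf 'add element %s %s { %s . %s . %s timeout %s }\n' \
                "$TABLE" "$set4" "$a" "$proto" "$port" "$ELEM_TIMEOUT"
        elif is_ipv6 "$a"; then
            printf 'add element %s %s { %s . %s . %s timeout %s }\n' \
                "$TABLE" "$set6" "$a" "$proto" "$port" "$ELEM_TIMEOUT"
        else
            printf 'skipping unparsable answer: %s\n' "$a" >&2
        fi
    done
}

# refresh_once FQDN PROTO PORT: resolve A and AAAA, hand the batch to nft.
# An empty answer (DNS down, timeout) leaves the sets untouched; the
# element timeout then acts as a grace period instead of an instant cut-off.
refresh_once() {
    addrs=$(resolve_fqdn "$1" A; resolve_fqdn "$1" AAAA)
    if [ -z "$addrs" ]; then
        printf 'no answer for %s, keeping current set contents\n' "$1" >&2
        return 1
    fi
    build_batch fq4-acc-o fq6-acc-o "$2" "$3" $addrs | ${NFT_CMD:-nft -f -}
}

# Main loop, as in the report: re-resolve every INTERVAL seconds, with the
# element timeout deliberately longer than the interval.
if [ "${1:-}" = "run" ]; then
    while true; do
        refresh_once download.docker.com tcp 443 || printf 'refresh failed\n' >&2
        sleep "$INTERVAL"
    done
fi
```

Run it as `sh nftfqdn-example.sh run` to start the loop, or set `NFT_CMD=cat` to print the batch instead of applying it. Two design points matter for a ruleset whose output chain has `policy drop`: the flush and the re-add travel in one `nft -f -` transaction, so there is no moment where the allow set is empty, and a DNS failure keeps the previous elements rather than wiping them, so connectivity degrades only after the element timeout expires.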

