CPU load on queued_spin_lock_slowpath

Hi All, My server had a locking problem with the logs located below. I can not reproduce this erroneous situation again but I think that there is an active vulnerability at my server because of this error. My server's kernel version is v4.6.4. What can be the cause of this error or do you have

[nf:flow-offload-hw-v2 6/6] net/netfilter/nf_flow_table_inet.o:undefined reference to `nf_flow_table_init'

tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git flow-offload-hw-v2 head: d2a66b6aae8b1294d8cb550520485eeb03fa1619 commit: d2a66b6aae8b1294d8cb550520485eeb03fa1619 [6/6] netfilter: nf_flow_table: add hardware offload support config: sparc64-allyesconfig (attached as

[nf:flow-offload-hw-v2 6/6] net/netfilter/nf_flow_table_inet.o:undefined reference to `nf_flow_table_init'

tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git flow-offload-hw-v2 head: d2a66b6aae8b1294d8cb550520485eeb03fa1619 commit: d2a66b6aae8b1294d8cb550520485eeb03fa1619 [6/6] netfilter: nf_flow_table: add hardware offload support config: alpha-allyesconfig (attached as .config)

[PATCH nf 3/3] netfilter: nf_tables: fix flowtable free

Every flow_offload entry is added into the table twice. Because of this, rhashtable_free_and_destroy can't be used, since it would call kfree for each flow_offload object twice. This patch adds a call to nf_flow_table_iterate_cleanup() to schedule removal of entries, then there is an explicitly

[PATCH nf 2/3] netfilter: nft_flow_offload: move flowtable cleanup routines to nf_flow_table

Move the flowtable cleanup routines to nf_flow_table and expose the nf_flow_table_cleanup() helper function. Signed-off-by: Pablo Neira Ayuso --- This is another dependency for the fix in patch 3/3. include/net/netfilter/nf_flow_table.h | 3 +++

[PATCH nf 1/3] netfilter: nft_flow_offload: no need to flush entries on module removal

nft_flow_offload module removal does not require to flush existing flowtables, it is valid to remove this module while keeping flowtables around. Signed-off-by: Pablo Neira Ayuso --- This patch is a dependency for bugfix in patch 3/3. PATCH 2/3 moves flowtable cleanup to the

Re: IPv6 Parameter problem with no ICMPv6 response ?

Pablo Neira Ayuso wrote the following: > On Mon, Feb 05, 2018 at 01:16:08PM +0100, Pablo Neira Ayuso wrote: > > On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote: > > > > > > Hi devel, > > > > > > I am looking for some feedback on IPv6 behaviour with/without netfilter in > > >

Re: [Patch net v2] xt_RATEEST: acquire xt_rateest_mutex for hash insert

On Mon, 2018-02-05 at 14:41 -0800, Cong Wang wrote: > rateest_hash is supposed to be protected by xt_rateest_mutex, > and, as suggested by Eric, lookup and insert should be atomic, > so we should acquire the xt_rateest_mutex once for both. > > So introduce a non-locking helper for internal use

Re: [Patch net v2] xt_RATEEST: acquire xt_rateest_mutex for hash insert

Cong Wang wrote: > rateest_hash is supposed to be protected by xt_rateest_mutex, > and, as suggested by Eric, lookup and insert should be atomic, > so we should acquire the xt_rateest_mutex once for both. > > So introduce a non-locking helper for internal use and keep

[Patch net v2] xt_RATEEST: acquire xt_rateest_mutex for hash insert

rateest_hash is supposed to be protected by xt_rateest_mutex, and, as suggested by Eric, lookup and insert should be atomic, so we should acquire the xt_rateest_mutex once for both. So introduce a non-locking helper for internal use and keep the locking one for external. Reported-by:

[PATCH 2/2] netfilter: nf_tables: fix flowtable resource leak

When cleaning up flowtable entries, associated dst and ct entries need to be released as well Signed-off-by: Felix Fietkau --- net/netfilter/nf_flow_table.c | 19 +-- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/net/netfilter/nf_flow_table.c

[PATCH 1/2] netfilter: nf_tables: fix flowtable free

Every flow_offload entry is added into the table twice. Because of this, rhashtable_free_and_destroy can't be used, since it would call kfree for each flow_offload object twice. Signed-off-by: Felix Fietkau --- include/net/netfilter/nf_flow_table.h | 2 ++

Re: KASAN: slab-out-of-bounds Read in clusterip_tg_check

syzbot wrote: #syz-fix: netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More

Re: IPv6 Parameter problem with no ICMPv6 response ?

On Mon, Feb 05, 2018 at 01:16:08PM +0100, Pablo Neira Ayuso wrote: > On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote: > > > > Hi devel, > > > > I am looking for some feedback on IPv6 behaviour with/without netfilter in > > the path. We are in process of some IPv6 certification

Re: IPv6 Parameter problem with no ICMPv6 response ?

On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote: > > Hi devel, > > I am looking for some feedback on IPv6 behaviour with/without netfilter in > the path. We are in process of some IPv6 certification at a lab. > > RFC2460 has a bunch of conditions under which certain ICMPv6