From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Scott Mitchell <scott.k.mitch1@gmail.com>,
netfilter-devel@vger.kernel.org
Subject: Re: nfnetlink_queue crashes kernel
Date: Sat, 4 Apr 2026 11:40:00 +0200 [thread overview]
Message-ID: <adDccAnxkl4to_ta@strlen.de> (raw)
In-Reply-To: <b0c495e4-2137-443b-986e-ed0c10251d0c@suse.de>
Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> On 4/3/26 3:45 PM, Florian Westphal wrote:
> > Florian Westphal <fw@strlen.de> wrote:
> > > A probably better fix is to make the rhashtable perqueue, which is
> > > much more intrusive at this late stage.
> >
> > Tentative patch to do this, still misses selftest extensions:
> >
>
> I could help with selftests. I have written a couple already. Let me prepare
> some this week and I will send them as proposals on the list.
Thanks Fernando, much appreciated.
This will be hard to trigger, the autoresize means that we'll typically
not have two entries per bucket.
What might help is to add a mode to nf_queue.c to:
1. send out-of-order-verdicts
2. send *bogus* verdicts that are expected to
fail w. -ENOENT.
I had a go at adding a stress test but it's not
triggering for me even if I run it for 10m.
I'm attaching what I had:
selftests: nft_queue.sh: add a parallel stress test
XXX: Not complete, should extend nf_queue.c to allow
OOO verdicts + bogus verdicts to increase likelihood of
accessing already-freed objects in the hash table.
Signed-off-by: Florian Westphal <fw@strlen.de>
diff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh
index ea766bdc5d04..c05f2e5fef0b 100755
--- a/tools/testing/selftests/net/netfilter/nft_queue.sh
+++ b/tools/testing/selftests/net/netfilter/nft_queue.sh
@@ -11,6 +11,7 @@ ret=0
timeout=5
SCTP_TEST_TIMEOUT=60
+STRESS_TEST_TIMEOUT=300
cleanup()
{
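Review bot: `STRESS_TEST_TIMEOUT=300` is a fixed value, and every background job in test_queue_stress (second hunk) is wrapped in `timeout "$STRESS_TEST_TIMEOUT"` ahead of a bare `wait`, so each run of nft_queue.sh grows by about five minutes with no way to shorten it. Taking the value from the environment, `STRESS_TEST_TIMEOUT=${STRESS_TEST_TIMEOUT:-300}`, would let an automated run keep it short and let someone chasing the freed-object access run it for longer. A one-line comment such as `# seconds each flood and nf_queue process runs in test_queue_stress` would document the unit and the consumer.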
@@ -719,6 +720,64 @@ EOF
fi
}
+check_tainted()
+{
+ local msg="$1"
+
+ if [ "$tainted_then" -ne 0 ];then
+ return
+ fi
+
+ read tainted_now < /proc/sys/kernel/tainted
+ if [ "$tainted_now" -eq 0 ];then
+ echo "PASS: $msg"
+ else
+ echo "TAINT: $msg"
+ dmesg
+ ret=1
+ fi
+}
+
+test_queue_stress()
+{
+ read tainted_then < /proc/sys/kernel/tainted
+ local i
+
+ ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
+flush ruleset
+table inet t {
+ chain forward {
+ type filter hook forward priority 0; policy accept;
+
+ queue flags bypass to numgen random mod 8
+ }
+}
+EOF
+ timeout "$STRESS_TEST_TIMEOUT" ip netns exec "$ns2" socat -u UDP-LISTEN:12345,fork,pf=ipv4 STDOUT > /dev/null &
+ timeout "$STRESS_TEST_TIMEOUT" ip netns exec "$ns3" socat -u UDP-LISTEN:12345,fork,pf=ipv4 STDOUT > /dev/null &
+
+ for i in $(seq 0 7); do
+ ip netns exec "$nsrouter" timeout "$STRESS_TEST_TIMEOUT" ./nf_queue -q $i -t 2 > /dev/null &
+ done
+
+ ip netns exec "$ns1" timeout "$STRESS_TEST_IMEOUT" ping -q -f 10.0.2.99 > /dev/null 2>&1 &
+ ip netns exec "$ns1" timeout "$STRESS_TEST_TIMEOUT" ping -q -f 10.0.3.99 > /dev/null 2>&1 &
+ ip netns exec "$ns1" timeout "$STRESS_TEST_TIMEOUT" ping -q -f "dead:2::99" > /dev/null 2>&1 &
+ ip netns exec "$ns1" timeout "$STRESS_TEST_TIMEOUT" ping -q -f "dead:3::99" > /dev/null 2>&1 &
+
+ busywait "$BUSYWAIT_TIMEOUT" udp_listener_ready "$ns2" 12345
+ busywait "$BUSYWAIT_TIMEOUT" udp_listener_ready "$ns3" 12345
+
+ for i in $(seq 1 4);do
+ ip netns exec "$ns1" timeout "$STRESS_TEST_TIMEOUT" socat -u STDIN UDP-DATAGRAM:10.0.2.99:12345 < /dev/zero > /dev/null &
+ ip netns exec "$ns1" timeout "$STRESS_TEST_TIMEOUT" socat -u STDIN UDP-DATAGRAM:10.0.3.99:12345 < /dev/zero > /dev/null &
+ done
+
+ wait
+
+ check_tainted "concurrent queueing"
+}
+
test_queue_removal()
{
read tainted_then < /proc/sys/kernel/tainted
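Review bot: The first flood ping in test_queue_stress is started with `timeout "$STRESS_TEST_IMEOUT"`, a misspelling of STRESS_TEST_TIMEOUT, so timeout is handed an empty duration. It should refuse that, in which case the ping to 10.0.2.99 never starts, and the `> /dev/null 2>&1` on that line hides the error, leaving the test with a quarter less ICMP load than intended. The line should read `ip netns exec "$ns1" timeout "$STRESS_TEST_TIMEOUT" ping -q -f 10.0.2.99 > /dev/null 2>&1 &`. The top of the script is outside this hunk, so it is not visible whether `set -u` is in effect, which would have caught the unset name. check_tainted also relies on the caller having set the global tainted_then and returns silently when the kernel was already tainted, which deserves a short header comment such as `# needs tainted_then set by the caller; reports nothing if the kernel was tainted before the test`.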
@@ -742,18 +801,7 @@ EOF
ip netns exec "$ns1" nft flush ruleset
- if [ "$tainted_then" -ne 0 ];then
- return
- fi
-
- read tainted_now < /proc/sys/kernel/tainted
- if [ "$tainted_now" -eq 0 ];then
- echo "PASS: queue program exiting while packets queued"
- else
- echo "TAINT: queue program exiting while packets queued"
- dmesg
- ret=1
- fi
+ check_tainted "queue program exiting while packets queued"
}
ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
@@ -799,6 +847,7 @@ test_sctp_forward
test_sctp_output
test_udp_nat_race
test_udp_gro_ct
+test_queue_stress
# should be last, adds vrf device in ns1 and changes routes
test_icmp_vrf