Hi folks, today I joined to testing Kernel 5.10 and see that every boot happens this warning: [ 22.180180] ------------[ cut here ]------------ [ 22.180193] WARNING: CPU: 28 PID: 1205 at net/netfilter/nf_tables_api.c:622 nft_chain_parse_hook+0x224/0x330 [nf_tables] [ 22.180194] Modules linked in: nf_tables nfnetlink ip6table_filter ip6_tables iptable_filter cmac bnep sunrpc vfat fat snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi mt76x2u mt76x2_common mt76x02_usb iwlmvm mt76_usb uvcvideo snd_hda_intel mt76x02_lib gspca_zc3xx snd_intel_dspcfg btusb gspca_main videobuf2_vmalloc btrtl mt76 edac_mce_amd snd_hda_codec btbcm videobuf2_memops btintel kvm_amd snd_usb_audio videobuf2_v4l2 snd_hda_core mac80211 kvm bluetooth snd_usbmidi_lib joydev videobuf2_common iwlwifi snd_seq xpad snd_hwdep ff_memless videodev snd_rawmidi snd_seq_device libarc4 eeepc_wmi snd_pcm ecdh_generic irqbypass asus_wmi mc rapl sparse_keymap ecc snd_timer sp5100_tco video cfg80211 wmi_bmof pcspkr snd k10temp i2c_piix4 soundcore rfkill acpi_cpufreq binfmt_misc zram ip_tables hid_logitech_hidpp hid_logitech_dj amdgpu iommu_v2 gpu_sched ttm drm_kms_helper crct10dif_pclmul crc32_pclmul crc32c_intel cec drm ccp ghash_clmulni_intel igb nvme dca nvme_core [ 22.180273] i2c_algo_bit wmi pinctrl_amd fuse [ 22.180279] CPU: 28 PID: 1205 Comm: ebtables Not tainted 5.10.0-0.rc0.20201014gitb5fc7a89e58b.41.fc34.x86_64 #1 [ 22.180281] Hardware name: System manufacturer System Product Name/ROG STRIX X570-I GAMING, BIOS 2606 08/13/2020 [ 22.180289] RIP: 0010:nft_chain_parse_hook+0x224/0x330 [nf_tables] [ 22.180292] Code: a0 14 00 00 be ff ff ff ff e8 68 82 e1 e4 85 c0 0f 85 21 fe ff ff 0f 0b bf 0a 00 00 00 e8 14 60 97 ff 84 c0 0f 84 1f fe ff ff <0f> 0b e9 18 fe ff ff 48 85 f6 74 61 4c 89 ef e8 78 d0 ff ff 48 89 [ 22.180294] RSP: 0018:ffffa9850214f780 EFLAGS: 00010202 [ 22.180296] RAX: 0000000000000001 RBX: ffffa9850214f810 RCX: 0000000000000000 [ 22.180297] RDX: ffffa9850214f810 RSI: 00000000ffffffff RDI: ffffffffc0851c20 [ 22.180299] RBP: 0000000000000007 R08: 0000000000000001 R09: ffffa9850214f847 [ 22.180300] R10: 0000000000000000 R11: 0000000000000007 R12: ffffa9850214fa88 [ 22.180301] R13: ffffffffa6fdfcc0 R14: ffffa9850214fa88 R15: ffff993c5c12c800 [ 22.180304] FS: 00007ff92ed99540(0000) GS:ffff993c8a200000(0000) knlGS:0000000000000000 [ 22.180305] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.180307] CR2: 00007ff92ed1e000 CR3: 00000007d3714000 CR4: 0000000000350ee0 [ 22.180308] Call Trace: [ 22.180319] ? __rhashtable_lookup+0x11d/0x210 [nf_tables] [ 22.180329] nf_tables_addchain.constprop.0+0xab/0x5e0 [nf_tables] [ 22.180337] ? nft_chain_lookup.part.0+0x12c/0x1e0 [nf_tables] [ 22.180344] ? get_order+0x20/0x20 [nf_tables] [ 22.180350] ? nft_chain_hash+0x30/0x30 [nf_tables] [ 22.180356] ? nft_dump_register+0x40/0x40 [nf_tables] [ 22.180368] nf_tables_newchain+0x54d/0x730 [nf_tables] [ 22.180376] nfnetlink_rcv_batch+0x2a4/0x950 [nfnetlink] [ 22.180385] ? lock_acquire+0x175/0x400 [ 22.180387] ? lock_release+0x1e7/0x400 [ 22.180391] ? cred_has_capability.isra.0+0x68/0x100 [ 22.180395] ? __nla_validate_parse+0x4f/0x8d0 [ 22.180401] nfnetlink_rcv+0x115/0x130 [nfnetlink] [ 22.180407] netlink_unicast+0x16d/0x230 [ 22.180426] netlink_sendmsg+0x23f/0x460 [ 22.180431] sock_sendmsg+0x5e/0x60 [ 22.180434] ____sys_sendmsg+0x231/0x270 [ 22.180438] ? import_iovec+0x17/0x20 [ 22.180440] ? sendmsg_copy_msghdr+0x5c/0x80 [ 22.180444] ___sys_sendmsg+0x75/0xb0 [ 22.180450] ? cred_has_capability.isra.0+0x68/0x100 [ 22.180452] ? lock_acquire+0x175/0x400 [ 22.180454] ? lock_acquire+0x93/0x400 [ 22.180457] ? lock_release+0x1e7/0x400 [ 22.180459] ? lock_release+0x1e7/0x400 [ 22.180462] ? trace_hardirqs_on+0x1b/0xe0 [ 22.180465] ? sock_setsockopt+0xdf/0x1010 [ 22.180467] ? __local_bh_enable_ip+0x82/0xd0 [ 22.180470] ? sock_setsockopt+0xdf/0x1010 [ 22.180473] __sys_sendmsg+0x49/0x80 [ 22.180480] do_syscall_64+0x33/0x40 [ 22.180483] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.180486] RIP: 0033:0x7ff92efdb087 [ 22.180488] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 [ 22.180490] RSP: 002b:00007fff54436b38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 22.180492] RAX: ffffffffffffffda RBX: 00007fff54436b40 RCX: 00007ff92efdb087 [ 22.180494] RDX: 0000000000000000 RSI: 00007fff54437be0 RDI: 0000000000000003 [ 22.180495] RBP: 00007fff544381e0 R08: 0000000000000004 R09: 000055b281bcf1d0 [ 22.180496] R10: 00007fff54437bcc R11: 0000000000000246 R12: 0000000000007000 [ 22.180497] R13: 0000000000000001 R14: 00007fff54436b50 R15: 00007fff54438200 [ 22.180503] irq event stamp: 0 [ 22.180505] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [ 22.180507] hardirqs last disabled at (0): [<ffffffffa50d7683>] copy_process+0x723/0x1c80 [ 22.180509] softirqs last enabled at (0): [<ffffffffa50d7683>] copy_process+0x723/0x1c80 [ 22.180511] softirqs last disabled at (0): [<0000000000000000>] 0x0 [ 22.180512] ---[ end trace 6a0904ace1916b5d ]--- reproductivity 100% reliable on my system $ /usr/src/kernels/`uname -r`/scripts/faddr2line /lib/debug/lib/modules/`uname -r`/kernel/net/netfilter/nf_tables.ko.debug nft_chain_parse_hook+0x224 nft_chain_parse_hook+0x224/0x330: lockdep_nfnl_nft_mutex_not_held at /usr/src/debug/kernel-20201014gitb5fc7a89e58b/linux-5.10.0-0.rc0.20201014gitb5fc7a89e58b.41.fc34.x86_64/net/netfilter/nf_tables_api.c:622 (inlined by) lockdep_nfnl_nft_mutex_not_held at /usr/src/debug/kernel-20201014gitb5fc7a89e58b/linux-5.10.0-0.rc0.20201014gitb5fc7a89e58b.41.fc34.x86_64/net/netfilter/nf_tables_api.c:619 (inlined by) nft_chain_parse_hook at /usr/src/debug/kernel-20201014gitb5fc7a89e58b/linux-5.10.0-0.rc0.20201014gitb5fc7a89e58b.41.fc34.x86_64/net/netfilter/nf_tables_api.c:1816 $ git blame -L 617,627 net/netfilter/nf_tables_api.c 452238e8d5ffd (Florian Westphal 2018-07-11 13:45:10 +0200 617) #endif 452238e8d5ffd (Florian Westphal 2018-07-11 13:45:10 +0200 618) f102d66b335a4 (Florian Westphal 2018-07-11 13:45:14 +0200 619) static void lockdep_nfnl_nft_mutex_not_held(void) f102d66b335a4 (Florian Westphal 2018-07-11 13:45:14 +0200 620) { f102d66b335a4 (Florian Westphal 2018-07-11 13:45:14 +0200 621) #ifdef CONFIG_PROVE_LOCKING f102d66b335a4 (Florian Westphal 2018-07-11 13:45:14 +0200 622) WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); f102d66b335a4 (Florian Westphal 2018-07-11 13:45:14 +0200 623) #endif f102d66b335a4 (Florian Westphal 2018-07-11 13:45:14 +0200 624) } f102d66b335a4 (Florian Westphal 2018-07-11 13:45:14 +0200 625) 32537e91847a5 (Pablo Neira Ayuso 2018-03-27 11:53:05 +0200 626) static const struct nft_chain_type * 452238e8d5ffd (Florian Westphal 2018-07-11 13:45:10 +0200 627) nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, $ git show f102d66b335a4 commit f102d66b335a417d4848da9441f585695a838934 Author: Florian Westphal <fw@xxxxxxxxx> Date: Wed Jul 11 13:45:14 2018 +0200 netfilter: nf_tables: use dedicated mutex to guard transactions Continue to use nftnl subsys mutex to protect (un)registration of hook types, expressions and so on, but force batch operations to do their own locking. This allows distinct net namespaces to perform transactions in parallel. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h index 94767ea3a490..286fd960896f 100644 --- a/include/net/netns/nftables.h +++ b/include/net/netns/nftables.h @@ -7,6 +7,7 @@ struct netns_nftables { struct list_head tables; struct list_head commit_list; + struct mutex commit_mutex; unsigned int base_seq; u8 gencursor; u8 validate_state; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 68436edd9cdf..c0fb2bcd30fe 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -480,12 +480,19 @@ static void nft_request_module(struct net *net, const char *fmt, ...) if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret)) return; - nfnl_unlock(NFNL_SUBSYS_NFTABLES); + mutex_unlock(&net->nft.commit_mutex); request_module("%s", module_name); - nfnl_lock(NFNL_SUBSYS_NFTABLES); + mutex_lock(&net->nft.commit_mutex); } #endif +static void lockdep_nfnl_nft_mutex_not_held(void) +{ +#ifdef CONFIG_PROVE_LOCKING + WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); +#endif +} + static const struct nft_chain_type * nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, The last changes were made by Florian. That is why I invited you here, can you clarify the situation. Full dmesg output: https://pastebin.com/tZY3npHG -- Best Regards, Mike Gavrilov.