Hi Florian,
On Tue, May 14, 2024 at 12:31:30PM +0200, Florian Westphal wrote:
> If userspace program exits while the queue its subscribed to has packets
> available we get following (harmless) RCU splat:
>
> net/netfilter/nfnetlink_queue.c:261 suspicious rcu_dereference_check() usage!
> other info that might help us debug this:
> rcu_scheduler_active = 2, debug_locks = 1
> 2 locks held by swapper/0/0:
> #0: (rcu_callback){....}-{0:0}, at: rcu_core
> #1: (&inst->lock){+.-.}-{3:3}, at: instance_destroy_rcu
> [..] Call Trace:
> lockdep_rcu_suspicious+0x1ab/0x250
> nfqnl_reinject+0x5d3/0xfb0
> instance_destroy_rcu+0x1b5/0x220
> rcu_core+0xe32 [..]
>
> This is harmless because the incorrectly-obtained pointer will not be
> dereferenced in case nfqnl_reinject is called with NF_DROP verdict.
>
> Fix this by open-coding skb+entry release without going through
> nfqnl_reinject(). kfree_skb+release_ref is exactly what nfql_reinject
> ends up doing when called with NF_DROP, except that it also does a
> truckload of other things that are irrelevant for DROP.
>
> A similar warning can be triggered by flushing the ruleset while
> packets are being reinjected.
>
> This is harmless as well, the WARN_ON_ONCE() should be removed.
>
> Reported-by: Yi Chen <yiche@xxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> Due to MR cloed this patch is actually vs nf-next tree.
> It will also conflict with the pending sctp checksum patch
> from Antonio Ojea (nft_queue.sh), I can resend if needed once
> Antonios patch is applied (conflict resulution is simple: use
> both changes).
I can route this through nf.git and deal with conflict resolution if
you prefer it that way.
Thanks.
