Re: BUG: soft lockup on kernel 5.19.9 when attempting FTP connections

[Reindl Harald <h.reindl@xxxxxxxxxxxxx>]

ah that was the reason why after update our Fedora 36 based firewall 
from 5.18.8 to 5.19.7 and everything looked fine from 1:00 AM to 4:40 AM 
and started to crash at 5:00 AM several times until VMware HA gave up to 
reset the VM

i didn't wish to see my boss the first time since 2019 in front of my 
apartment because of this and Google broke Anrdoid's "repeated callers 
are allowed" to ring...

----------------

and no i didn't have anything useful in the serial console file on the 
host except tons of "CPU#1 stuck for MANYs!"

obiosuly the webcams of some customers are starting to upload images at 
that time every few minutes.....

Am 20.09.22 um 16:12 schrieb Bruno de Paula Larini:
> While testing my iptables ruleset on a Fedora 36, I've encountered an 
> unexpected behaviour regarding FTP connection forwarding.
> I've reduced the ruleset to look like below.
> I've tried to "modprobe nf_conntrack_ftp" alone, but external clients 
> still won't get data connections.
> Then I "modprobe nf_nat_ftp". It loads normally but after the first 
> attempt to establish an FTP connection, the system freezes and sometimes 
> prints the following message:
>
> Message from syslogd@fw1-test at Sep 20 09:33:28 ...
>   kernel:watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [swapper/1:0]
>
> This problem happens on the newest Fedora 36 stock kernel as of 
> 20/09/2022, version 5.19.9-200.fc36.x86_64 (and at least on the previous 
> 5.19.8-200.fc36.x86_64), but (apparently) works normally on version 
> 5.17.5-300.fc36.x86_64, which was the default kernel from ISO install.
>
> Is it a bug, maybe?
> Just wanted to report this, maybe someone on this list can do something 
> about it.
>
>
> ### My eclipsed ruleset in which this problem happens
> # eth0: LAN
> # eth1: Public
> # 192.168.22.5: internal FTP server
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
>
> modprobe nf_conntrack_ftp
> modprobe nf_nat_ftp
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -s 192.168.22.0/24 -j ACCEPT
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -s 192.168.22.0/24 -j ACCEPT
> iptables -A FORWARD -i eth1 -d 192.168.22.5 -p tcp --dport 21 -j ACCEPT
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT 
> --to-destination 192.168.22.5
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE