On Sun, Oct 25, 2015 at 10:30:36AM +0100, Gerhard Wiesinger wrote:
> On 25.10.2015 10:03, Willy Tarreau wrote:
> >On Sun, Oct 25, 2015 at 01:25:47AM -0700, Greg KH wrote:
> >>On Sun, Oct 25, 2015 at 08:25:49AM +0100, Gerhard Wiesinger wrote:
> >>>On 23.10.2015 02:33, Greg KH wrote:
> >>>>I'm announcing the release of the 4.2.4 kernel.
> >>>>
> >>>>All users of the 4.2 kernel series must upgrade.
> >>>>
> >>>>The updated 4.2.y git tree can be found at:
> >>>> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.2.y
> >>>>and can be browsed at the normal kernel.org git web browser:
> >>>> http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
> >>>>
> >>>>thanks,
> >>>>
> >>>>greg k-h
> >>>>
> >>>Hello Greg,
> >>>
> >>>Kernel 4.2.4 is still broken regarding iptables/ipset:
> >>>https://bugzilla.redhat.com/show_bug.cgi?id=1272645
> >>>
> >>>Kernel 4.1.10 works well.
> >>>
> >>>Please fix it ASAP.
> >>Fix it with what patch?
> >It's not even sure there's a patch for this. There were numerous changes
> >to ipset between 4.1 and 4.2 and very few in 4.3-rc, and you backported
> >them all. Also, Gerhard's trace in the bugzilla report above is very
> >poor, there's just one line of the panic, nothing exploitable at all,
> >nothing even indicates that it is related to ipset at all.
>
> Sorry, don't have any more information. From the bugzilla report:
> Message from syslogd@arm at Oct 24 20:05:09 ...
> kernel:Process ipset (pid: 2055, stack limit = 0xe8404220)
>
> So ipset has a problem ...

ipset *triggered* the problem. The whole stack dump would tell more.

> >Gerhard, it would be easier if you could bisect between 4.1 and 4.2 to
> >find what patch introduced the regression if you can easily reproduce
> >the issue. That would make it more obvious what to look at and the
> >patch author might have some ideas about the real problem.
> >
> >
>
> The device is in production so I can't play around here. Nevertheless I
> can try a patch. But should be easy to reproduce in developers testing
> environment with shorewall/netfilter and ipset. As shorewall6 is
> activated it might also be an IPv6 issue.

The problem is that without providing the rules that allow the issue to be
reliably reproduced, it's unlikely that a developer will trigger the same
issue, or the problem would have been fixed before the patch got merged.

> Kernel 4.2 seems to me not well tested in the netfilter parts at all
> (Bug with already known bugfix
> https://lists.debian.org/debian-kernel/2015/10/msg00034.html was
> triggered on 2 of 3 of my machines, the new bug on 1 of 1 tested machine).

There's a reason why Greg maintains stable and LTS kernels :-)

Willy