This issue only impacts linux-bluefield/focal because it uniquely included a backport of upstream commit 339706bc21c1 ("netfilter: nft_lookup: update element stateful expression") from v5.7-rc1 without these follow up fixes that also landed in upstream before v5.7 final:
24791b9aa1ab0 netfilter: nft_set_bitmap: initialize set element extension in lookups a26c1e49c8e97 netfilter: nf_tables: do not update stateful expressions if lookup is inverted It impacts all linux-bluefield/focal kernels since the initial version, 5.4.0-1001.2 and is resolved in 5.4.0-1058.64. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-bluefield in Ubuntu. https://bugs.launchpad.net/bugs/2006397 Title: nft_lookup crash when running DDOS attack Status in linux-bluefield package in Ubuntu: Invalid Status in linux-bluefield source package in Focal: Fix Committed Bug description: * Explain the bug Running DDOS test on tcp port 22 will trigger kernel crash. * Brief explanation of fixes Do not update stateful expressions if lookup is inverted * How to test Configuration nftables with config file below: flush ruleset table inet filter { chain input { type filter hook input priority 0 jump filter_ssh } chain filter_ssh { tcp dport { 22 } ct state new accept } } * {22}: {} is mandatory to repro If we don’t add {}, nft_lookup_eval function is never called and kernel crush isn’t reproduced. Then apply nft by doing: # nft -f temp_nftables.conf Start hping3 from peer: # hping3 -I {Host Device} -p 22 -d 52 {SmartNIC IP Address} --flood DPU side will crash with kernel call trace without this fix. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2006397/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp