Summary
nft_bandwidth.ko (from netfilter-match-modules/nftables/bandwidth/) corrupts the ext4 rootfs at runtime when loaded on kernel 6.12.94 (the kernel this branch builds against). This blocks booting any x86 ext4-combined image built from this branch with the module enabled — confirmed with the vnet-wifi profile, likely affects any profile that loads it.
nft_webmon.ko and nft_weburl.ko are confirmed not affected — isolated individually, both boot clean.
Evidence
Built x86.vnet-wifi from this branch (commit c817dfd), kernel 6.12.94. First boot corrupts within ~7 seconds:
EXT4-fs error (device vda2): ext4_lookup:1821: inode #91: comm find: deleted inode referenced: 2400
EXT4-fs (vda2): Remounting filesystem read-only
Failed to execute /usr/libexec/login.sh
(A repeat run against a different inode showed __ext4_new_inode:1282: comm ln: failed to insert inode 2395: doubly allocated? — same bug class, different inode, confirming it's not a one-off.)
Bisection: the same profile/package set built against the pre-bump kernel (6.6.143) boots perfectly clean. Kernel-version-specific.
Module isolation (loop-mounted the built image, moved .ko files + /etc/modules.d/45-nft-* entries aside one at a time, re-booted each combination — no rebuild needed):
| Module active alone |
Result |
nft_bandwidth |
Corrupts (same signature) |
nft_webmon |
Boots clean |
nft_weburl |
Boots clean |
Static filesystem inspection (e2fsck -fy, repeated passes) found nothing wrong at rest — the corruption happens live, during first-boot write activity, not baked into the built image.
That commit (mine, same day) fixes GCC implicit-declaration warnings so these modules compile cleanly on the newer toolchain this branch uses. It does not touch runtime logic and is unrelated to this bug — this corruption is a pre-existing issue in nft_bandwidth.c that simply never had a kernel 6.12 build to run on until now.
Suspected area (not confirmed)
nft_bandwidth.c's init() calls nf_register_sockopt() with hardcoded constants (BANDWIDTH_SET=2048/BANDWIDTH_GET=2049) — an old-style setsockopt/getsockopt registration mechanism. It's the only one of the three modules using this pattern, which lines up with the isolation result, but no collision or root cause has been confirmed yet. The packet-eval path and netlink attribute parsing haven't been fully audited against 6.6→6.12 kernel API changes.
Recommendation
Treat nft_bandwidth as unsafe on kernel 6.12 until root-caused. nft_webmon/nft_weburl can ship/be tested independently.
Summary
nft_bandwidth.ko(fromnetfilter-match-modules/nftables/bandwidth/) corrupts the ext4 rootfs at runtime when loaded on kernel 6.12.94 (the kernel this branch builds against). This blocks booting any x86 ext4-combined image built from this branch with the module enabled — confirmed with thevnet-wifiprofile, likely affects any profile that loads it.nft_webmon.koandnft_weburl.koare confirmed not affected — isolated individually, both boot clean.Evidence
Built
x86.vnet-wififrom this branch (commit c817dfd), kernel 6.12.94. First boot corrupts within ~7 seconds:(A repeat run against a different inode showed
__ext4_new_inode:1282: comm ln: failed to insert inode 2395: doubly allocated?— same bug class, different inode, confirming it's not a one-off.)Bisection: the same profile/package set built against the pre-bump kernel (6.6.143) boots perfectly clean. Kernel-version-specific.
Module isolation (loop-mounted the built image, moved
.kofiles +/etc/modules.d/45-nft-*entries aside one at a time, re-booted each combination — no rebuild needed):nft_bandwidthnft_webmonnft_weburlStatic filesystem inspection (
e2fsck -fy, repeated passes) found nothing wrong at rest — the corruption happens live, during first-boot write activity, not baked into the built image.Note on c817dfd
That commit (mine, same day) fixes GCC implicit-declaration warnings so these modules compile cleanly on the newer toolchain this branch uses. It does not touch runtime logic and is unrelated to this bug — this corruption is a pre-existing issue in
nft_bandwidth.cthat simply never had a kernel 6.12 build to run on until now.Suspected area (not confirmed)
nft_bandwidth.c'sinit()callsnf_register_sockopt()with hardcoded constants (BANDWIDTH_SET=2048/BANDWIDTH_GET=2049) — an old-style setsockopt/getsockopt registration mechanism. It's the only one of the three modules using this pattern, which lines up with the isolation result, but no collision or root cause has been confirmed yet. The packet-eval path and netlink attribute parsing haven't been fully audited against 6.6→6.12 kernel API changes.Recommendation
Treat
nft_bandwidthas unsafe on kernel 6.12 until root-caused.nft_webmon/nft_weburlcan ship/be tested independently.