Comment # 9 on bug 989176 from Michal Kube��ek

So far I haven't been able to reproduce a hang (soft lockup?). I'm testing
4.1.28-2.gae3ccbc-default but that should only differ in the ecryptfs fix.

However, I still can see some problems: SuSEfirewall does create only small
part of netfilter rules compared to a 3.12.61 kernel and when I dump the
rules with iptables-save on 3.12.61 and try to pass them to iptables-restore
on 4.1.28-2, I get an error (on "COMMIT" line).

I checked the source and it seems that current openSUSE-42.1 differs from my
original backport of bsc#986362 fixes in a few details. Apparently 4.1.28
also adds a backport of commit d7591f0c41 which I didn't include. But a more
important difference is IMHO that the stable-4.1 backport ignores the fact
that 4.1 doesn't have the simplification done in

  482cfc318559  netfilter: xtables: avoid percpu ruleset duplication

so that 4.1.28 is missing this part of check_compat_entry_size_and_hooks():

       /* And one copy for every other CPU */
       for_each_possible_cpu(i)
               if (newinfo->entries[i] && newinfo->entries[i] != entry1)
                       memcpy(newinfo->entries[i], entry1, newinfo->size);

This might explain why the rule set is incomplete. Worse, the 4.1.28 backport
doesn't handle entries being a per-cpu array in find_jump_target(), neither
in the way I did nor in the way it was done in other stable backports. I'll
try to fix these two problems on top of current openSUSE-42.1 so that we can
check if this is the cause.