ACK: [SRU][F/J][PATCH 0/1] netfilter: nf_tables: Fix EBUSY on deleting unreferenced chain
Jacob Martin
jacob.martin at canonical.com
Tue Dec 10 15:04:39 UTC 2024
On Fri, Dec 06, 2024 at 01:29:51PM -0800, Ian Whitfield wrote:
> BugLink: https://bugs.launchpad.net/bugs/2089699
>
> SRU Justification
>
> [Impact]
> Our backport of upstream commit e79b47a8615d introduced a bug in the
> reference counting of chains in nf_tables that resulted in some valid
> chain deletion transactions failing with the error "Error: Could not
> process rule: Device or resource busy". This bug is not present in
> the upstream stable backport to linux-6.6.y, commit 164936b2fc88.
>
> [Fix]
> This patch modifies our backport to match commit
> 164936b2fc88883341fe7a2d9c42b69020e5cafd in linux-6.6.y, or, in the
> case of Focal, to match it as closely as possible.
>
> [Test Case]
> Execute the customer-provided reproducer at least 3 times. The
> reproducer is a series of nft commands derived from the Kubernetes
> project's test suite which could reproduce this bug reliably.
> Completing an end-to-end Kubernetes conformance test would also
> effectively test this fix.
>
> [Regression Potential]
> Because this retroactively changes the contents of a backport, it could
> introduce unexpected regressions in netfilter, although the change is
> minor and fairly contained to specific nft set operations. This patch
> additionally brings us closer to upstream stable, which generally
> indicates improved reliability.
>
> [Other]
> Later kernels (v6.8+) were able to cleanly cherry-pick the CVE patch
> and are therefore not affected by this bug.
>
> Ian Whitfield (1):
> UBUNTU: SAUCE: netfilter: nf_tables: Fix EBUSY on deleting
> unreferenced chain
>
> net/netfilter/nf_tables_api.c | 10 +++++-----
> net/netfilter/nft_set_pipapo.c | 1 -
> 2 files changed, 5 insertions(+), 6 deletions(-)
>
> --
> 2.43.0
>
Acked-by: Jacob Martin <jacob.martin at canonical.com>