Ubuntu
linux package

Memory leak while using NFQUEUE to delegate the decision on TCP packets to userspace processes

Bug #1991774 reported by Chengen Du on 2022-10-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Committed	Undecided	Chengen Du
	Bionic	Fix Released	Undecided	Chengen Du

Bug Description

[Impact]

Environment: v4.15.0-177-generic Xenial ESM

Using NFQUEUE to delegate the decision on TCP packets to userspace processes will cause memory leak.
The symptom is that TCP slab objects will accumulate and eventually cause OOM.

[Fix]

There is a discrepancy between backport and upstream commit.

[Upstream Commit c3873070247d9e3c7a6b0cf9bf9b45e8018427b1]
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index 9eed51e920e8..980daa6e1e3a 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -37,7 +37,7 @@ void nf_register_queue_handler(const struct nf_queue_handler *qh);
void nf_unregister_queue_handler(void);
void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);

-void nf_queue_entry_get_refs(struct nf_queue_entry *entry);
+bool nf_queue_entry_get_refs(struct nf_queue_entry *entry);
void nf_queue_entry_free(struct nf_queue_entry *entry);

static inline void init_hashrandom(u32 *jhash_initval)
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 5ab0680db445..e39549c55945 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -96,19 +96,21 @@ static void __nf_queue_entry_init_physdevs(struct nf_queue_entry *entry)
}

/* Bump dev refs so they don't vanish while packet is out */
-void nf_queue_entry_get_refs(struct nf_queue_entry *entry)
+bool nf_queue_entry_get_refs(struct nf_queue_entry *entry)
{
struct nf_hook_state *state = &entry->state;

+ if (state->sk && !refcount_inc_not_zero(&state->sk->sk_refcnt))
+ return false;
+
dev_hold(state->in);
dev_hold(state->out);
- if (state->sk)
- sock_hold(state->sk);

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
dev_hold(entry->physin);
dev_hold(entry->physout);
#endif
+ return true;
}
EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs);

@@ -196,7 +198,10 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,

__nf_queue_entry_init_physdevs(entry);

- nf_queue_entry_get_refs(entry);
+ if (!nf_queue_entry_get_refs(entry)) {
+ kfree(entry);
+ return -ENOTCONN;
+ }

  switch (entry->state.pf) {
  case AF_INET:
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index ea2d9c2a44cf..64a6acb6aeae 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -710,9 +710,15 @@ static struct nf_queue_entry *
nf_queue_entry_dup(struct nf_queue_entry *e)
{
  struct nf_queue_entry *entry = kmemdup(e, e->size, GFP_ATOMIC);
- if (entry)
- nf_queue_entry_get_refs(entry);
- return entry;
+
+ if (!entry)
+ return NULL;
+
+ if (nf_queue_entry_get_refs(entry))
+ return entry;
+
+ kfree(entry);
+ return NULL;
}

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

[Backport Commit 4d032d60432327f068f03b516f5b6c51ceb17d15]
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index 814058d0f167..f38cc6092c5a 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -32,7 +32,7 @@ void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *q
void nf_unregister_queue_handler(struct net *net);
void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);

-void nf_queue_entry_get_refs(struct nf_queue_entry *entry);
+bool nf_queue_entry_get_refs(struct nf_queue_entry *entry);
void nf_queue_entry_release_refs(struct nf_queue_entry *entry);

static inline void init_hashrandom(u32 *jhash_initval)
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 59340b3ef7ef..dbc45165c533 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -80,10 +80,13 @@ void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
EXPORT_SYMBOL_GPL(nf_queue_entry_release_refs);

+ if (state->sk && !refcount_inc_not_zero(&state->sk->sk_refcnt))
+ return false;
+
  if (state->in)
   dev_hold(state->in);
  if (state->out)
@@ -102,6 +105,7 @@ void nf_queue_entry_get_refs(struct nf_queue_entry *entry)
    dev_hold(physdev);
  }
#endif
+ return true;
}
EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs);

@@ -159,7 +163,11 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
.size = sizeof(*entry) + afinfo->route_key_size,
};

- nf_queue_entry_get_refs(entry);
+ if (!nf_queue_entry_get_refs(entry)) {
+ kfree(entry);
+ return -ENOTCONN;
+ }
+
afinfo->saveroute(skb, entry);
status = qh->outfn(entry, queuenum);

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 48ed30e1b405..abad8bf6fa38 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -693,9 +693,15 @@ static struct nf_queue_entry *
nf_queue_entry_dup(struct nf_queue_entry *e)
{
struct nf_queue_entry *entry = kmemdup(e, e->size, GFP_ATOMIC);
- if (entry)
- nf_queue_entry_get_refs(entry);
- return entry;
+
+ if (!entry)
+ return NULL;
+
+ if (nf_queue_entry_get_refs(entry))
+ return entry;
+
+ kfree(entry);
+ return NULL;
}

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

[Difference between Commits]
50,57c57,62
< dev_hold(state->in);
< dev_hold(state->out);
< - if (state->sk)
< - sock_hold(state->sk);
<
< #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
< dev_hold(entry->physin);
< dev_hold(entry->physout);
---
> if (state->in)
> dev_hold(state->in);
> if (state->out)
> @@ -102,6 +105,7 @@ void nf_queue_entry_get_refs(struct nf_queue_entry *entry)
> dev_hold(physdev);
> }

The sock_hold() logic still remains in the backport commit, which will affect the reference count and result in memory leak.
The fix aligns the logic with the upstream commit.

[Test Plan]

1. Prepare a VM and run a TCP server on host.
2. Enter into the VM and set up a iptables rule.
iptables -I OUTPUT -p tcp --dst <-TCP_SERVER_IP-> -j NFQUEUE --queue-num=1 --queue-bypass
3. Run a nfnetlink client (should listen on NF queue 1) on VM.
4. Keep connecting the TCP server from VM.
while true; do netcat <-TCP_SERVER_IP-> 8080; done
5. The VM's TCP slab objects will accumulate and eventually encounter OOM situation.
cat /proc/slabinfo | grep TCP

[Where problems could occur]

The fix just aligns the logic with the upstream commit, so the regression can be considered as low.

See original description

Tags:

CVE References

Chengen Du (chengendu) on 2022-10-05

description:

updated

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-10-05: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1991774

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Chengen Du (chengendu) on 2022-10-06

Changed in linux (Ubuntu Bionic):
assignee:	nobody → ChengEn, Du (chengendu)
Changed in linux (Ubuntu):
assignee:	nobody → ChengEn, Du (chengendu)
status:	Incomplete → In Progress
Changed in linux (Ubuntu Bionic):
status:	New → In Progress
tags:	added: bionic sts

Luke Nowakowski-Krijger (lukenow) on 2022-10-06

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Chengen Du (chengendu) on 2022-10-07

Changed in linux (Ubuntu):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-10-20:

This bug is awaiting verification that the linux/4.15.0-195.206 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message

Chengen Du (chengendu) wrote on 2022-10-20:

I have used the linux/4.15.0-195.206 kernel in -proposed for testing.
The issue no longer exists by testing with the same test plan.

tags:

added: verification-done-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-11-15:

Download full text (19.8 KiB)

This bug was fixed in the package linux - 4.15.0-197.208

---------------
linux (4.15.0-197.208) bionic; urgency=medium

* bionic/linux: 4.15.0-197.208 -proposed tracker (LP: #1994998)

  * Memory leak while using NFQUEUE to delegate the decision on TCP packets to
    userspace processes (LP: #1991774)
    - SAUCE: netfilter: nf_queue: Fix memory leak in nf_queue_entry_get_refs

This bug was fixed in the package linux - 4.15.0-197.208

---------------
linux (4.15.0-197.208) bionic; urgency=medium

* bionic/linux: 4.15.0-197.208 -proposed tracker (LP: #1994998)

* Memory leak while using NFQUEUE to delegate the decision on TCP packets to
    userspace processes (LP: #1991774)
    - SAUCE: netfilter: nf_queue: Fix memory leak in nf_queue_entry_get_refs

* Bionic update: upstream stable patchset 2022-09-23 (LP: #1990698)
    - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
    - ntfs: fix use-after-free in ntfs_ucsncmp()
    - ARM: crypto: comment out gcc warning that breaks clang builds
    - mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle.
    - ACPI: video: Force backlight native for some TongFang devices
    - macintosh/adb: fix oob read in do_adb_query() function
    - Makefile: link with -z noexecstack --no-warn-rwx-segments
    - x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
    - ALSA: bcd2000: Fix a UAF bug on the error path of probing
    - add barriers to buffer_uptodate and set_buffer_uptodate
    - HID: wacom: Don't register pad_input for touch switch
    - KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
    - KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
    - KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP
    - ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model
    - ALSA: hda/cirrus - support for iMac 12,1 model
    - vfs: Check the truncate maximum size in inode_newsize_ok()
    - fs: Add missing umask strip in vfs_tmpfile
    - usbnet: Fix linkwatch use-after-free on disconnect
    - parisc: Fix device names in /proc/iomem
    - drm/nouveau: fix another off-by-one in nvbios_addr
    - drm/amdgpu: Check BO's requested pinning domains against its
      preferred_domains
    - iio: light: isl29028: Fix the warning in isl29028_remove()
    - fuse: limit nsec
    - md-raid10: fix KASAN warning
    - ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
    - PCI: Add defines for normal and subtractive PCI bridges
    - powerpc/fsl-pci: Fix Class Code of PCIe Root Port
    - powerpc/powernv: Avoid crashing if rng is NULL
    - MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
    - USB: HCD: Fix URB giveback issue in tasklet function
    - netfilter: nf_tables: fix null deref due to zeroed list head
    - arm64: Do not forget syscall when starting a new thread.
    - arm64: fix oops in concurrently setting insn_emulation sysctls
    - ext2: Add more validity checks for inode counts
    - ARM: dts: imx6ul: add missing properties for sram
    - ARM: dts: imx6ul: fix qspi node compatible
    - ARM: OMAP2+: display: Fix refcount leak bug
    - ACPI: PM: save NVS memory for Lenovo G40-45
    - ACPI: LPSS: Fix missing check in register_device_clock()
    - PM: hibernate: defer device probing when resuming from hibernation
    - selinux: Add boundary check in put_entry()
    - ARM: findbit: fix overflowing offset
    - ARM: bcm: Fix refcount leak in bcm_kona_smc_init
    - x86/pmem: Fix platform-device leak in error path
    - ARM: dts: ast2500-evb: fix board compatible
    - soc: fsl: guts: machine variable might be unset
    - cpufreq: zynq: Fix refcount leak in zynq_get_revision
    - ARM: dts: qcom: pm8841: add required thermal-sensor-cells
    - arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node
    - regulator: of: Fix refcount leak bug in of_get_regulation_constraints()
    - thermal/tools/tmon: Include pthread and time headers in tmon.h
    - dm: return early from dm_pr_call() if DM device is suspended
    - drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()
    - drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function
    - i2c: Fix a potential use after free
    - wifi: iwlegacy: 4965: fix potential off-by-one overflow in
      il4965_rs_fill_link_cmd()
    - drm: bridge: adv7511: Add check for mipi_dsi_driver_register
    - media: hdpvr: fix error value returns in hdpvr_read
    - drm/vc4: dsi: Correct DSI divider calculations
    - drm/rockchip: vop: Don't crash for invalid duplicate_state()
    - drm/mediatek: dpi: Remove output format of YUV
    - drm: bridge: sii8620: fix possible off-by-one
    - media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment
    - tcp: make retransmitted SKB fit into the send window
    - selftests: timers: valid-adjtimex: build fix for newer toolchains
    - selftests: timers: clocksource-switch: fix passing errors from child
    - fs: check FMODE_LSEEK to control internal pipe splicing
    - wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()
    - wifi: p54: Fix an error handling path in p54spi_probe()
    - wifi: p54: add missing parentheses in p54_flush()
    - can: pch_can: do not report txerr and rxerr during bus-off
    - can: rcar_can: do not report txerr and rxerr during bus-off
    - can: sja1000: do not report txerr and rxerr during bus-off
    - can: hi311x: do not report txerr and rxerr during bus-off
    - can: sun4i_can: do not report txerr and rxerr during bus-off
    - can: usb_8dev: do not report txerr and rxerr during bus-off
    - can: error: specify the values of data[5..7] of CAN error frames
    - can: pch_can: pch_can_error(): initialize errc before using it
    - Bluetooth: hci_intel: Add check for platform_driver_register
    - i2c: cadence: Support PEC for SMBus block read
    - i2c: mux-gpmux: Add of_node_put() when breaking out of loop
    - wifi: wil6210: debugfs: fix uninitialized variable use in
      `wil_write_file_wmi()`
    - wifi: libertas: Fix possible refcount leak in if_usb_probe()
    - net: rose: fix netdev reference changes
    - dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
    - mtd: maps: Fix refcount leak in of_flash_probe_versatile
    - mtd: maps: Fix refcount leak in ap_flash_init
    - mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release
    - mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path
    - fpga: altera-pr-ip: fix unsigned comparison with less than zero
    - usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe
    - usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe
    - misc: rtsx: Fix an error handling path in rtsx_pci_probe()
    - mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch
    - memstick/ms_block: Fix some incorrect memory allocation
    - memstick/ms_block: Fix a memory leak
    - mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R
    - scsi: smartpqi: Fix DMA direction for RAID requests
    - usb: gadget: udc: amd5536 depends on HAS_DMA
    - RDMA/hfi1: fix potential memory leak in setup_base_ctxt()
    - gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data()
    - mmc: cavium-octeon: Add of_node_put() when breaking out of loop
    - mmc: cavium-thunderx: Add of_node_put() when breaking out of loop
    - USB: serial: fix tty-port initialized comments
    - platform/olpc: Fix uninitialized data in debugfs write
    - mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region
    - RDMA/rxe: Fix error unwind in rxe_create_qp()
    - ext4: recover csum seed of tmp_inode after migrating to extents
    - jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted
    - ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe
    - ASoC: codecs: da7210: add check for i2c_add_driver
    - ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe
    - profiling: fix shift too large makes kernel panic
    - tty: n_gsm: fix non flow control frames during mux flow off
    - tty: n_gsm: fix packet re-transmission without open control channel
    - tty: n_gsm: fix race condition in gsmld_write()
    - remoteproc: qcom: wcnss: Fix handling of IRQs
    - vfio/ccw: Do not change FSM state in subchannel event
    - tty: n_gsm: fix wrong T1 retry count handling
    - tty: n_gsm: fix DM command
    - iommu/exynos: Handle failed IOMMU device registration properly
    - kfifo: fix kfifo_to_user() return type
    - mfd: t7l66xb: Drop platform disable callback
    - iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop
    - s390/zcore: fix race when reading from hardware system area
    - video: fbdev: amba-clcd: Fix refcount leak bugs
    - video: fbdev: sis: fix typos in SiS_GetModeID()
    - powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and
      alias
    - powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader
    - powerpc/xive: Fix refcount leak in xive_get_max_prio
    - powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address
    - kprobes: Forbid probing on trampoline and BPF code areas
    - powerpc/pci: Fix PHB numbering when using opal-phbid
    - genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO
    - x86/numa: Use cpumask_available instead of hardcoded NULL check
    - video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
    - tools/thermal: Fix possible path truncations
    - video: fbdev: vt8623fb: Check the size of screen before memset_io()
    - video: fbdev: arkfb: Check the size of screen before memset_io()
    - video: fbdev: s3fb: Check the size of screen before memset_io()
    - scsi: zfcp: Fix missing auto port scan and thus missing target ports
    - x86/olpc: fix 'logical not is only applied to the left hand side'
    - spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
    - ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
    - ext4: make sure ext4_append() always allocates new block
    - ext4: fix use-after-free in ext4_xattr_set_entry
    - ext4: update s_overhead_clusters in the superblock during an on-line resize
    - ext4: fix extent status tree race in writeback error recovery path
    - ext4: correct max_inline_xattr_value_size computing
    - ext4: correct the misjudgment in ext4_iget_extra_inode
    - intel_th: pci: Add Raptor Lake-S CPU support
    - intel_th: pci: Add Raptor Lake-S PCH support
    - intel_th: pci: Add Meteor Lake-P support
    - dm raid: fix address sanitizer warning in raid_resume
    - dm raid: fix address sanitizer warning in raid_status
    - btrfs: reject log replay if there is unsupported RO compat flag
    - KVM: Add infrastructure and macro to mark VM as bugged
    - KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
    - KVM: x86: Avoid theoretical NULL pointer dereference in
      kvm_irq_delivery_to_apic_fast()
    - tcp: fix over estimation in sk_forced_mem_schedule()
    - scsi: sg: Allow waiting for commands to complete on removed device
    - Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
    - net/9p: Initialize the iounit field during fid creation
    - net_sched: cls_route: disallow handle of 0
    - powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E
    - ALSA: info: Fix llseek return value when using callback
    - rds: add missing barrier to release_refill
    - ata: libata-eh: Add missing command name
    - btrfs: fix lost error handling when looking up extended ref on log replay
    - can: ems_usb: fix clang's -Wunaligned-access warning
    - apparmor: fix quiet_denied for file rules
    - apparmor: Fix failed mount permission check error message
    - apparmor: fix aa_label_asxprint return check
    - apparmor: fix reference count leak in aa_pivotroot()
    - NFSv4: Fix races in the legacy idmapper upcall
    - NFSv4.1: RECLAIM_COMPLETE must handle EACCES
    - SUNRPC: Reinitialise the backchannel request buffers before reuse
    - pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
    - pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
    - ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
    - geneve: do not use RT_TOS for IPv6 flowlabel
    - vsock: Fix memory leak in vsock_connect()
    - vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
    - tools build: Switch to new openssl API for test-libcrypto
    - xen/xenbus: fix return type in xenbus_file_read()
    - atm: idt77252: fix use-after-free bugs caused by tst_timer
    - nios2: page fault et.al. are *not* restartable syscalls...
    - nios2: don't leave NULLs in sys_call_table[]
    - nios2: traced syscall does need to check the syscall number
    - nios2: fix syscall restart checks
    - nios2: restarts apply only to the first sigframe we build...
    - nios2: add force_successful_syscall_return()
    - netfilter: nf_tables: really skip inactive sets when allocating name
    - powerpc/pci: Fix get_phb_number() locking
    - i40e: Fix to stop tx_timeout recovery if GLOBR fails
    - fec: Fix timer capture timing in `fec_ptp_enable_pps()`
    - igb: Add lock to avoid data race
    - kbuild: clear LDFLAGS in the top Makefile
    - btrfs: only write the sectors in the vertical stripe which has data stripes
    - btrfs: raid56: don't trust any cached sector in __raid56_parity_recover()
    - drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()
    - PCI: Add ACS quirk for Broadcom BCM5750x NICs
    - irqchip/tegra: Fix overflow implicit truncation warnings
    - usb: host: ohci-ppc-of: Fix refcount leak bug
    - clk: qcom: ipq8074: dont disable gcc_sleep_clk_src
    - gadgetfs: ep_io - wait until IRQ finishes
    - cxl: Fix a memory leak in an error handling path
    - drivers:md:fix a potential use-after-free bug
    - ext4: avoid remove directory when directory is corrupted
    - ext4: avoid resizing to a partial cluster size
    - tty: serial: Fix refcount leak bug in ucc_uart.c
    - vfio: Clear the caps->buf to NULL after free
    - mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start
    - ALSA: core: Add async signal helpers
    - ALSA: timer: Use deferred fasync helper
    - smb3: check xattr value length earlier
    - powerpc/64: Init jump labels before parse_early_param()
    - video: fbdev: i740fb: Check the argument of i740_calc_vclk()
    - MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0
    - meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init
    - ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init
    - nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt()
    - media: tw686x: Register the irq at the end of probe
    - HID: cp2112: prevent a buffer overflow in cp2112_xfer()
    - staging: rtl8192u: Fix sleep in atomic context bug in
      dm_fsync_timer_callback
    - HID: alps: Declare U1_UNICORN_LEGACY support
    - tty: n_gsm: fix missing corner cases in gsmld_poll()
    - rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge
    - gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file

* Bionic update: upstream stable patchset 2022-09-21 (LP: #1990434)
    - xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE
    - xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in
      xfrm_bundle_lookup()
    - power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe
    - perf/core: Fix data race between perf_event_set_output() and
      perf_mmap_close()
    - ip: Fix a data-race around sysctl_fwmark_reflect.
    - tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.
    - tcp: Fix a data-race around sysctl_tcp_probe_threshold.
    - tcp: Fix a data-race around sysctl_tcp_probe_interval.
    - i2c: cadence: Change large transfer count reset logic to be unconditional
    - net: stmmac: fix dma queue left shift overflow issue
    - igmp: Fix data-races around sysctl_igmp_llm_reports.
    - igmp: Fix a data-race around sysctl_igmp_max_memberships.
    - tcp: Fix a data-race around sysctl_tcp_notsent_lowat.
    - be2net: Fix buffer overflow in be_get_module_eeprom
    - Revert "Revert "char/random: silence a lockdep splat with printk()""
    - mm/mempolicy: fix uninit-value in mpol_rebind_policy()
    - bpf: Make sure mac_header was set before using it
    - drm/tilcdc: Remove obsolete crtc_mode_valid() hack
    - tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator
    - ALSA: memalloc: Align buffer allocations in page size
    - Bluetooth: Add bt_skb_sendmsg helper
    - Bluetooth: Add bt_skb_sendmmsg helper
    - Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg
    - Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg
    - Bluetooth: Fix passing NULL to PTR_ERR
    - Bluetooth: SCO: Fix sco_send_frame returning skb->len
    - Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks
    - tty: drivers/tty/, stop using tty_schedule_flip()
    - tty: the rest, stop using tty_schedule_flip()
    - tty: drop tty_schedule_flip()
    - tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()
    - tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()
    - PCI: hv: Fix multi-MSI to allow more than one MSI vector
    - PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI
    - PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()
    - PCI: hv: Fix interrupt mapping for multi-MSI
    - ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
    - ip: Fix data-races around sysctl_ip_nonlocal_bind.
    - tcp: Fix data-races around sysctl_tcp_mtu_probing.
    - tcp: Fix data-races around sysctl_tcp_reordering.
    - tcp: Fix data-races around some timeout sysctl knobs.
    - tcp: Fix a data-race around sysctl_tcp_tw_reuse.
    - tcp: Fix data-races around sysctl_tcp_fastopen.
    - tcp: Fix a data-race around sysctl_tcp_early_retrans.
    - tcp: Fix data-races around sysctl_tcp_recovery.
    - tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.
    - tcp: Fix data-races around sysctl_tcp_slow_start_after_idle.
    - tcp: Fix a data-race around sysctl_tcp_retrans_collapse.
    - tcp: Fix a data-race around sysctl_tcp_stdurg.
    - tcp: Fix a data-race around sysctl_tcp_rfc1337.
    - tcp: Fix data-races around sysctl_tcp_max_reordering.
    - ima: remove the IMA_TEMPLATE Kconfig option
    - [Config] updateconfigs for IMA_TEMPLATE
    - tcp: Fix data-races around sysctl_tcp_dsack.
    - tcp: Fix a data-race around sysctl_tcp_app_win.
    - tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
    - tcp: Fix a data-race around sysctl_tcp_frto.
    - tcp: Fix a data-race around sysctl_tcp_nometrics_save.
    - scsi: ufs: host: Hold reference returned by of_parse_phandle()
    - tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
    - net: ping6: Fix memleak in ipv6_renew_options().
    - igmp: Fix data-races around sysctl_igmp_qrv.
    - net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
    - tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
    - tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
    - tcp: Fix a data-race around sysctl_tcp_autocorking.
    - tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
    - Documentation: fix sctp_wmem in ip-sysctl.rst
    - i40e: Fix interface init with MSI interrupts (no MSI-X)
    - sctp: fix sleep in atomic context bug in timer handlers
    - perf symbol: Correct address for bss symbols
    - scsi: core: Fix race between handling STS_RESOURCE and completion
    - ACPI: video: Shortening quirk list by identifying Clevo by board_name only

* unprivileged users may trigger page cache invalidation WARN (LP: #1989144)
    - iomap: fix WARN_ON_ONCE() from unprivileged users

* Users belonging to video group may trigger a deadlock WARN (LP: #1990690)
    - SAUCE: fbdev: remove redundant lock_fb_info

* ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel
    systems (LP: #1990985)
    - ACPI: processor_idle: Skip dummy wait if kernel is in guest
    - ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel
      systems

* CVE-2022-3028
    - af_key: Do not call xfrm_probe_algs in parallel

* CVE-2022-2978
    - fs: fix UAF/GPF bug in nilfs_mdt_destroy

* CVE-2022-40768
    - scsi: stex: Properly zero out the passthrough command structure

-- Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>  Tue, 01 Nov 2022 17:52:05 +0100

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-12-07:

This bug is awaiting verification that the linux-azure-4.15/4.15.0-1157.172 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-bionic-linux-azure-4.15 verification-needed-bionic
removed: verification-done-bionic

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Memory leak while using NFQUEUE to delegate the decision on TCP packets to userspace processes

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package