kernel-packages team mailing list archive

[Bug 1466135] Re: nf_conntrack releases a conntrack with non-zero refcnt

 

This bug was fixed in the package linux - 3.13.0-58.97

---------------
linux (3.13.0-58.97) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1472453

  [ Upstream Kernel Changes ]

  * vm: Fix incomplete backport of VM_FAULT_SIGSEGV handling support
    - LP: #1471892

linux (3.13.0-58.96) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1471991

  [ Iyappan Subramanian ]

  * SAUCE: (no-up): drivers: net: xgene: fix: Out of order descriptor bytes
    read
    - LP: #1425576

  [ Upstream Kernel Changes ]

  * NVMe: Add shutdown timeout as module parameter.
    - LP: #1465136
  * Drivers: hv: vmbus: Add support for VMBus panic notifier handler
    - LP: #1463584
  * Drivers: hv: vmbus: Correcting truncation error for constant
    HV_CRASH_CTL_CRASH_NOTIFY
    - LP: #1463584
  * netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt
    - LP: #1466135
  * lpfc: Add iotag memory barrier
    - LP: #1468416
  * mm/slab_common: support the slub_debug boot option on specific object
    size
    - LP: #1456952
  * pipe: iovec: Fix memory corruption when retrying atomic copy as
    non-atomic
    - CVE-2015-1805
  * kvm: x86: fix kvm_apic_has_events to check for NULL pointer
  * staging, rtl8192e, LLVMLinux: Change extern inline to static inline
    - LP: #1471233
  * kernel: use the gnu89 standard explicitly
    - LP: #1471233
  * staging, rtl8192e, LLVMLinux: Remove unused inline prototype
    - LP: #1471233
  * staging: rtl8712, rtl8712: avoid lots of build warnings
    - LP: #1471233
  * qla2xxx: remove redundant declaration in 'qla_gbl.h'
    - LP: #1471233
  * staging: wlags49_h2: fix extern inline functions
    - LP: #1471233
  * ARM: 8307/1: psci: move psci firmware calls out of line
    - LP: #1471233
  * kconfig: Fix warning "‘jump’ may be used uninitialized"
    - LP: #1471233
  * scripts/sortextable: suppress warning: `relocs_size' may be used
    uninitialized
    - LP: #1471233
  * ASoC: dapm: Enable autodisable on SOC_DAPM_SINGLE_TLV_AUTODISABLE
    - LP: #1471233
  * ALSA: hda - Fix mute-LED fixed mode
    - LP: #1471233
  * ALSA: emu10k1: Fix card shortname string buffer overflow
    - LP: #1471233
  * ALSA: emux: Fix mutex deadlock at unloading
    - LP: #1471233
  * drm/radeon: add SI DPM quirk for Sapphire R9 270 Dual-X 2G GDDR5
    - LP: #1471233
  * SCSI: add 1024 max sectors black list flag
    - LP: #1471233
  * 3w-sas: fix command completion race
    - LP: #1471233
  * 3w-xxxx: fix command completion race
    - LP: #1471233
  * 3w-9xxx: fix command completion race
    - LP: #1471233
  * serial: xilinx: Use platform_get_irq to get irq description structure
    - LP: #1471233
  * serial: of-serial: Remove device_type = "serial" registration
    - LP: #1471233
  * tty/serial: at91: maxburst was missing for dma transfers
    - LP: #1471233
  * ALSA: emux: Fix mutex deadlock in OSS emulation
    - LP: #1471233
  * ALSA: emu10k1: Emu10k2 32 bit DMA mode
    - LP: #1471233
  * rbd: end I/O the entire obj_request on error
    - LP: #1471233
  * powerpc/pseries: Correct cpu affinity for dlpar added cpus
    - LP: #1471233
  * bridge/mdb: remove wrong use of NLM_F_MULTI
    - LP: #1471233
  * efivarfs: Ensure VariableName is NUL-terminated
    - LP: #1471233
  * x86/efi: Store upper bits of command line buffer address in
    ext_cmd_line_ptr
    - LP: #1471233
  * writeback: use |1 instead of +1 to protect against div by zero
    - LP: #1471233
  * ARM: mvebu: armada-xp-openblocks-ax3-4: Disable internal RTC
    - LP: #1471233
  * ARM: dts: imx23-olinuxino: Fix polarity of LED GPIO
    - LP: #1471233
  * ARM: dts: imx23-olinuxino: Fix dr_mode of usb0
    - LP: #1471233
  * ARM: dts: imx25: Add #pwm-cells to pwm4
    - LP: #1471233
  * ARM: dts: imx28: Fix AUART4 TX-DMA interrupt name
    - LP: #1471233
  * gpio: sysfs: fix memory leaks and device hotplug
    - LP: #1471233
  * drm/radeon: disable semaphores for UVD V1 (v2)
    - LP: #1471233
  * RDMA/CMA: Canonize IPv4 on IPV6 sockets properly
    - LP: #1471233
  * drm/i915: Assume dual channel LVDS if pixel clock necessitates it
    - LP: #1471233
  * drm/i915: Add missing MacBook Pro models with dual channel LVDS
    - LP: #1471233
  * xen/console: Update console event channel on resume
    - LP: #1471233
  * xen/events: Set irq_info->evtchn before binding the channel to CPU in
    __startup_pirq()
    - LP: #1471233
  * mm/memory-failure: call shake_page() when error hits thp tail page
    - LP: #1471233
  * nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()
    - LP: #1471233
  * ocfs2: dlm: fix race between purge and get lock resource
    - LP: #1471233
  * drm/radeon: make UVD handle checking more strict
    - LP: #1471233
  * drm/radeon: more strictly validate the UVD codec
    - LP: #1471233
  * path_openat(): fix double fput()
    - LP: #1471233
  * mnt: Fix fs_fully_visible to verify the root directory is visible
    - LP: #1471233
  * pinctrl: Don't just pretend to protect pinctrl_maps, do it for real
    - LP: #1471233
  * mmc: sh_mmcif: Fix timeout value for command request
    - LP: #1471233
  * xen-pciback: Add name prefix to global 'permissive' variable
    - LP: #1471233
  * mmc: core: add missing pm event in mmc_pm_notify to fix hib restore
    - LP: #1471233
  * thermal: step_wise: Revert optimization
    - LP: #1471233
  * libata: Add helper to determine when PHY events should be ignored
    - LP: #1471233
  * libata: Ignore spurious PHY event on LPM policy change
    - LP: #1471233
  * usb: gadget: configfs: Fix interfaces array NULL-termination
    - LP: #1471233
  * rtlwifi: rtl8192cu: Fix kernel deadlock
    - LP: #1471233
  * USB: cp210x: add ID for KCF Technologies PRN device
    - LP: #1471233
  * USB: pl2303: Remove support for Samsung I330
    - LP: #1471233
  * USB: visor: Match I330 phone more precisely
    - LP: #1471233
  * nfsd: fix the check for confirmed openowner in
    nfs4_preprocess_stateid_op
    - LP: #1471233
  * svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures
    - LP: #1471233
  * ACPI / init: Fix the ordering of acpi_reserve_resources()
    - LP: #1471233
  * md/raid5: don't record new size if resize_stripes fails.
    - LP: #1471233
  * xhci: fix isoc endpoint dequeue from advancing too far on transaction
    error
    - LP: #1471233
  * xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256
    - LP: #1471233
  * xhci: gracefully handle xhci_irq dead device
    - LP: #1471233
  * usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices
    - LP: #1471233
  * ARM: net fix emit_udiv() for BPF_ALU | BPF_DIV | BPF_K intruction.
    - LP: #1471233
  * drm/radeon: fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling
    - LP: #1471233
  * drm/radeon: add new bonaire pci id
    - LP: #1471233
  * firmware: dmi_scan: Fix ordering of product_uuid
    - LP: #1471233
  * ext4: fix NULL pointer dereference when journal restart fails
    - LP: #1471233
  * ext4: check for zero length extent explicitly
    - LP: #1471233
  * jbd2: fix r_count overflows leading to buffer overflow in journal
    recovery
    - LP: #1471233
  * mm, numa: really disable NUMA balancing by default on single node
    machines
    - LP: #1471233
  * spi: bitbang: Make setup_transfer() callback optional
    - LP: #1471233
  * igb: Fix NULL assignment to incorrect variable in igb_reset_q_vector
    - LP: #1471233
  * ARM: net: delegate filter to kernel interpreter when imm_offset()
    return value can't fit into 12bits.
    - LP: #1471233
  * ALSA: hda - Add headphone quirk for Lifebook E752
    - LP: #1471233
  * ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls
    - LP: #1471233
  * ASoC: uda1380: Avoid accessing i2c bus when codec is disabled
    - LP: #1471233
  * mac80211: move WEP tailroom size check
    - LP: #1471233
  * KVM: MMU: fix smap permission check
    - LP: #1471233
  * KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages
    - LP: #1471233
  * KVM: MMU: fix SMAP virtualization
    - LP: #1471233
  * storvsc: Set the SRB flags correctly when no data transfer is needed
    - LP: #1471233
  * ASoC: wm8960: fix "RINPUT3" audio route error
    - LP: #1471233
  * ASoC: wm8994: correct BCLK DIV 348 to 384
    - LP: #1471233
  * Input: elantech - fix semi-mt protocol for v3 HW
    - LP: #1471233
  * powerpc: Align TOC to 256 bytes
    - LP: #1471233
  * ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724
    - LP: #1454656, #1471233
  * mmc: atmel-mci: fix bad variable type for clkdiv
    - LP: #1471233
  * sd: Disable support for 256 byte/sector disks
    - LP: #1471233
  * libceph: request a new osdmap if lingering request maps to no osd
    - LP: #1471233
  * crypto: s390/ghash - Fix incorrect ghash icv buffer handling.
    - LP: #1471233
  * ipvs: fix memory leak in ip_vs_ctl.c
    - LP: #1471233
  * net: phy: Allow EEE for all RGMII variants
    - LP: #1471233
  * bridge: fix parsing of MLDv2 reports
    - LP: #1471233
  * ipv4: Avoid crashing in ip_error
    - LP: #1471233
  * ipv6: do not delete previously existing ECMP routes if add fails
    - LP: #1471233
  * ipv6: fix ECMP route replacement
    - LP: #1471233
  * net: core: Correct an over-stringent device loop detection.
    - LP: #1471233
  * x86: bpf_jit: fix compilation of large bpf programs
    - LP: #1471233
  * net: dp83640: fix broken calibration routine.
    - LP: #1471233
  * unix/caif: sk_socket can disappear when state is unlocked
    - LP: #1471233
  * net_sched: invoke ->attach() after setting dev->qdisc
    - LP: #1471233
  * udp: fix behavior of wrong checksums
    - LP: #1471233
  * xen: netback: read hotplug script once at start of day.
    - LP: #1471233
  * ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()
    - LP: #1471233
  * drm/radeon: partially revert "fix VM_CONTEXT*_PAGE_TABLE_END_ADDR
    handling"
    - LP: #1471233
  * Linux 3.13.11-ckt22
    - LP: #1471233

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Tue, 07 Jul 2015 18:48:51 -0700

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1805

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1466135

Title:
  nf_conntrack releases a conntrack with non-zero refcnt

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released

Bug description:
  [Impact]
  Occasionally starting new containers or creating new net namespaces may soft lockup because of improper refcounting of conntrack entries.

  In the issue that I face, I can find a kworker thread using up an
  entire core, and when I cat /proc/$pid/stack I see this:

  [<ffffffffbe01e9b6>] ___preempt_schedule+0x56/0xb0
  [<ffffffffc02223e4>] nf_ct_iterate_cleanup+0x134/0x160 [nf_conntrack]
  [<ffffffffc0223dae>] nf_conntrack_cleanup_net_list+0x4e/0x170 [nf_conntrack]
  [<ffffffffc022436d>] nf_conntrack_pernet_exit+0x4d/0x60 [nf_conntrack]
  [<ffffffffbe6040d3>] ops_exit_list.isra.1+0x53/0x60
  [<ffffffffbe6048d0>] cleanup_net+0x100/0x1d0
  [<ffffffffbe084991>] process_one_work+0x171/0x470
  [<ffffffffbe08563b>] worker_thread+0x11b/0x3a0
  [<ffffffffbe08bb82>] kthread+0xd2/0xf0
  [<ffffffffbe71757c>] ret_from_fork+0x7c/0xb0
  [<ffffffffffffffff>] 0xffffffffffffffff

  The kworker is looping forever and failing to clean up conntrack state.
  All the while, it holds the global netns lock. Given that I've bisected
  to commit e53376bef2cd97d3e3f61fdc677fb8da7d03d0da which is to do with refcounting, I suspect that borked refcounting on conntrack entries makes them impossible to properly free/destroy, which prevents this worker from cleaning up the namespace, which then goes on to prevent anything else from interacting with namespaces (add/delete/etc).

  [Test Case]
  bug 1403152 has a testcase which can occasionally hit this issue

  [Fix]
  $ git describe --contains e53376bef2cd97d3e3f61fdc677fb8da7d03d0da
  v3.14-rc3~36^2~28^2~12

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1466135/+subscriptions
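
A triage sketch for the symptom in the bug description above, as an added example that is not part of the original report or of the Ubuntu kernel package: it parses /proc/<pid>/stack text and flags a worker that is inside nf_ct_iterate_cleanup beneath cleanup_net. The function names frames, is_conntrack_cleanup_stack and scan_kworkers are hypothetical, and the sample trace is abbreviated from the one in the report.

```shell
#!/bin/sh
# Added example: recognise the stuck netns-cleanup worker from /proc/<pid>/stack text.

# Print one symbol per line, innermost frame first. Addresses, offsets and
# [module] tags are dropped; wrapped or symbol-less lines are skipped.
frames() {
    sed -n 's/^[[:space:]]*\[\{0,1\}<[0-9a-f]*>] \([A-Za-z0-9_.]*\)+0x.*/\1/p'
}

# Succeed when nf_ct_iterate_cleanup appears as a callee below cleanup_net.
is_conntrack_cleanup_stack() {
    frames | awk '
        $1 == "nf_ct_iterate_cleanup" && !inner { inner = NR }
        $1 == "cleanup_net" && inner            { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Live check (assumption: run as root so /proc/<pid>/stack is readable).
# One sample cannot show a loop, so a worker is reported only when it is
# still in the same place after $1 seconds (default 5).
scan_kworkers() {
    interval=${1:-5}
    for d in /proc/[0-9]*; do
        case "$(cat "$d/comm" 2>/dev/null)" in kworker*) ;; *) continue ;; esac
        cat "$d/stack" 2>/dev/null | is_conntrack_cleanup_stack || continue
        sleep "$interval"
        if cat "$d/stack" 2>/dev/null | is_conntrack_cleanup_stack; then
            echo "pid ${d#/proc/}: kworker still in conntrack netns cleanup"
        fi
    done
}

# Sample input: abbreviated from the trace in the report, including its
# missing leading bracket, a wrapped module tag and the terminator frame.
SAMPLE_STACK='<ffffffffbe01e9b6>] ___preempt_schedule+0x56/0xb0
[<ffffffffc02223e4>] nf_ct_iterate_cleanup+0x134/0x160 [nf_conntrack]
[<ffffffffc0223dae>] nf_conntrack_cleanup_net_list+0x4e/0x170
[nf_conntrack]
[<ffffffffbe6048d0>] cleanup_net+0x100/0x1d0
[<ffffffffbe084991>] process_one_work+0x171/0x470
[<ffffffffffffffff>] 0xffffffffffffffff'

if printf '%s\n' "$SAMPLE_STACK" | is_conntrack_cleanup_stack; then
    echo "sample trace matches the conntrack cleanup signature"
fi
```
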
