Bug#1070685: linux-image-6.1.0-21-amd64: Found Trace in the logs about br_netfilter and nf_conntrack

XXX XXX Sat, 07 Sep 2024 15:09:24 -0700

On Sat, 7 Sep 2024 09:13:09 +0200
Salvatore Bonaccorso <car...@debian.org> wrote:

> Hi,
> 
> On Fri, Sep 06, 2024 at 10:47:04PM +0200, XXX XXX wrote:
> > On Fri, 6 Sep 2024 22:04:27 +0200
> > Salvatore Bonaccorso <car...@debian.org> wrote:
> > 
> > > Control: tags -1 + moreinfo
> > > 
> > > Hi,
> > > 
> > > On Mon, Sep 02, 2024 at 11:09:42PM +0200, XXX XXX wrote:
> > > > Hi,
> > > > this bug seems to be fixed in linux kernel 6.1.107,
> > > > I suspect the commit that fixed it is:
> > > > 
> > > > commit 6dcc8ba8a6074bb79040f502dc66ad23a58a1c86
> > > > Author: Florian Westphal <f...@strlen.de>
> > > > Date:   Wed Aug 7 21:28:41 2024 +0200
> > > > 
> > > >     netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
> > > >     
> > > >     [ Upstream commit 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb ]
> > > >     
> > > >     Conntrack assumes an unconfirmed entry (not yet committed to global 
> > > > hash
> > > >     table) has a refcount of 1 and is not visible to other cores.
> > > >     
> > > >     With multicast forwarding this assumption breaks down because such
> > > >     skbs get cloned after being picked up, i.e.  ct->use refcount is > 
> > > > 1.
> > > >     
> > > >     Likewise, bridge netfilter will clone broad/mutlicast frames and
> > > >     all frames in case they need to be flood-forwarded during learning
> > > >     phase.
> > > >     
> > > >     For ip multicast forwarding or plain bridge flood-forward this will
> > > >     "work" because packets don't leave softirq and are implicitly
> > > >     serialized.
> > > >     
> > > >     With nfqueue this no longer holds true, the packets get queued
> > > >     and can be reinjected in arbitrary ways.
> > > >     
> > > >     Disable this feature, I see no other solution.
> > > >     
> > > >     After this patch, nfqueue cannot queue packets except the last
> > > >     multicast/broadcast packet.
> > > >     
> > > >     Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > >     Signed-off-by: Florian Westphal <f...@strlen.de>
> > > >     Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
> > > >     Signed-off-by: Sasha Levin <sas...@kernel.org>
> > > 
> > > Would you be able to confirm this? In case this is true, then this
> > > would imply that the issue should be visible as well current testing
> > > until <= 6.10.7-1.
> > > 
> > > Regards,
> > > Salvatore
> > 
> > Hi,
> > 
> > for sure it was visible in linux-image-6.10.6+bpo-amd64 that I tried from 
> > stable backports after the trace popped up again after upgrading to 
> > linux-image-6.1.0-25-amd64.
> > So  by checking the changelog for the source file and line shown in the 
> > traces on kernel.org 
> > I've spotted this patch that was interesting because  I use suricata in 
> > nfqueue
> > mode and because the trace happened always at boot (during the learning 
> > phase).
> > So I first erroneously I tried 6.1.106 and the trace was still there
> > and then 6.1.107 and it was gone.
> > Hope this helps.
> 
> Yes thanks. One option to get a final confirmation and proper closure
> tracking, would be if you can cherry-pick the commit on top of the
> 6.1.106-3 version and see if it resolved the issue.
> 
> You could proceed as described in
> 
> https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#id-1.6.6.4
> 
> Regards,
> Salvatore

Did so:

# apt-get install build-essential
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
build-essential is already the newest version (12.9).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
# apt install kernel-wedge -t daedalus-backports 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  kernel-wedge
1 upgraded, 0 newly installed, 0 to remove and 166 not upgraded.
Need to get 21.0 kB of archives.
After this operation, 24.6 kB disk space will be freed.
Get:1 http://deb.devuan.org/merged daedalus-backports/main amd64 kernel-wedge 
all 2.105~bpo12+1 [21.0 kB]
Fetched 21.0 kB in 0s (43.3 kB/s) 
Reading changelogs... Done
(Reading database ... 563865 files and directories currently installed.)
Preparing to unpack .../kernel-wedge_2.105~bpo12+1_all.deb ...
Unpacking kernel-wedge (2.105~bpo12+1) over (2.104) ...
Setting up kernel-wedge (2.105~bpo12+1) ...
Processing triggers for man-db (2.11.2-2) ...
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 179 files, found 146
#  apt-get build-dep linux
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  asciidoctor docutils-common dvipng ed libaudit-dev libbabeltrace-dev 
libcap-dev libdebuginfod-dev libdw-dev libfontbox-java libnewt-dev libnuma-dev 
libopencsd-dev libopencsd1 libpdfbox-java libperl-dev libtraceevent-dev
  libtraceevent1 libtracefs-dev libtracefs1 libunwind-dev pahole 
preview-latex-style python-babel-localedata python3-alabaster python3-babel 
python3-dacite python3-docutils python3-imagesize python3-jinja2 
python3-markupsafe
  python3-roman python3-setuptools python3-snowballstemmer python3-sphinx 
python3-sphinx-rtd-theme python3-tz quilt ruby-asciidoctor sphinx-common 
texlive-latex-base texlive-latex-extra texlive-latex-recommended 
texlive-pictures
0 upgraded, 44 newly installed, 0 to remove and 0 not upgraded.
Need to get 63.3 MB of archives.
After this operation, 270 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://deb.devuan.org/merged daedalus/main amd64 ruby-asciidoctor all 
2.0.18-2 [211 kB]
Get:2 http://deb.devuan.org/merged daedalus/main amd64 asciidoctor all 2.0.18-2 
[86.6 kB]
Get:3 http://deb.devuan.org/merged daedalus/main amd64 docutils-common all 
0.19+dfsg-6 [127 kB]
Get:4 http://deb.devuan.org/merged daedalus/main amd64 dvipng amd64 1.15-1.1+b1 
[88.1 kB]
Get:5 http://deb.devuan.org/merged daedalus/main amd64 ed amd64 1.19-1 [58.1 kB]
Get:6 http://deb.devuan.org/merged daedalus/main amd64 libaudit-dev amd64 
1:3.0.9-1 [81.2 kB]
Get:7 http://deb.devuan.org/merged daedalus/main amd64 libbabeltrace-dev amd64 
1.5.11-1+b2 [204 kB]
Get:8 http://deb.devuan.org/merged daedalus/main amd64 libcap-dev amd64 
1:2.66-4 [522 kB]
Get:9 http://deb.devuan.org/merged daedalus/main amd64 libdebuginfod-dev amd64 
0.188-2.1 [22.0 kB]
Get:10 http://deb.devuan.org/merged daedalus/main amd64 libdw-dev amd64 
0.188-2.1 [311 kB]
Get:11 http://deb.devuan.org/merged daedalus/main amd64 libfontbox-java all 
1:1.8.16-2 [211 kB]
Get:12 http://deb.devuan.org/merged daedalus/main amd64 libnewt-dev amd64 
0.52.23-1+b1 [73.3 kB]
Get:13 http://deb.devuan.org/merged daedalus/main amd64 libnuma-dev amd64 
2.0.16-1 [35.0 kB]
Get:14 http://deb.devuan.org/merged daedalus/main amd64 libopencsd1 amd64 
1.3.3-1 [187 kB]
Get:15 http://deb.devuan.org/merged daedalus/main amd64 libopencsd-dev amd64 
1.3.3-1 [253 kB]
Get:16 http://deb.devuan.org/merged daedalus/main amd64 libpdfbox-java all 
1:1.8.16-2 [5,205 kB]
Get:17 http://deb.devuan.org/merged daedalus/main amd64 libperl-dev amd64 
5.36.0-7+deb12u1 [1,046 kB]
Get:18 http://deb.devuan.org/merged daedalus/main amd64 libtraceevent1 amd64 
1:1.7.1-1 [49.7 kB]
Get:19 http://deb.devuan.org/merged daedalus/main amd64 libtraceevent-dev amd64 
1:1.7.1-1 [58.7 kB]
Get:20 http://deb.devuan.org/merged daedalus/main amd64 libtracefs1 amd64 
1.6.4-1 [55.1 kB]
Get:21 http://deb.devuan.org/merged daedalus/main amd64 libtracefs-dev amd64 
1.6.4-1 [62.0 kB]
Get:22 http://deb.devuan.org/merged daedalus/main amd64 libunwind-dev amd64 
1.6.2-3 [441 kB]
Get:23 http://deb.devuan.org/merged daedalus/main amd64 pahole amd64 1.24-4.1 
[229 kB]
Get:24 http://deb.devuan.org/merged daedalus/main amd64 preview-latex-style all 
12.2-1 [201 kB]
Get:25 http://deb.devuan.org/merged daedalus/main amd64 python-babel-localedata 
all 2.10.3-1 [5,615 kB]
Get:26 http://deb.devuan.org/merged daedalus/main amd64 python3-alabaster all 
0.7.12-1 [20.8 kB]
Get:27 http://deb.devuan.org/merged daedalus/main amd64 python3-tz all 
2022.7.1-4 [30.1 kB]
Get:28 http://deb.devuan.org/merged daedalus/main amd64 python3-babel all 
2.10.3-1 [103 kB]
Get:29 http://deb.devuan.org/merged daedalus/main amd64 python3-dacite all 
1.8.0-1 [20.5 kB]
Get:30 http://deb.devuan.org/merged daedalus/main amd64 python3-roman all 3.3-3 
[9,880 B]
Get:31 http://deb.devuan.org/merged daedalus/main amd64 python3-docutils all 
0.19+dfsg-6 [382 kB]
Get:32 http://deb.devuan.org/merged daedalus/main amd64 python3-imagesize all 
1.4.1-1 [6,688 B]
Get:33 http://deb.devuan.org/merged daedalus/main amd64 python3-markupsafe 
amd64 2.1.2-1+b1 [13.2 kB]
Get:34 http://deb.devuan.org/merged daedalus/main amd64 python3-jinja2 all 
3.1.2-1 [119 kB]
Get:35 http://deb.devuan.org/merged daedalus/main amd64 python3-setuptools all 
66.1.1-1 [521 kB]
Get:36 http://deb.devuan.org/merged daedalus/main amd64 python3-snowballstemmer 
all 2.2.0-2 [57.8 kB]
Get:37 http://deb.devuan.org/merged daedalus/main amd64 sphinx-common all 
5.3.0-4 [653 kB]
Get:38 http://deb.devuan.org/merged daedalus/main amd64 python3-sphinx all 
5.3.0-4 [549 kB]
Get:39 http://deb.devuan.org/merged daedalus/main amd64 
python3-sphinx-rtd-theme all 1.2.0+dfsg-1 [27.7 kB]
Get:40 http://deb.devuan.org/merged daedalus/main amd64 quilt all 
0.67+really0.66-1 [303 kB]
Get:41 http://deb.devuan.org/merged daedalus/main amd64 texlive-latex-base all 
2022.20230122-3 [1,182 kB]
Get:42 http://deb.devuan.org/merged daedalus/main amd64 
texlive-latex-recommended all 2022.20230122-3 [8,880 kB]
Get:43 http://deb.devuan.org/merged daedalus/main amd64 texlive-pictures all 
2022.20230122-3 [15.8 MB]
Get:44 http://deb.devuan.org/merged daedalus/main amd64 texlive-latex-extra all 
2022.20230122-4 [19.2 MB]                                                       

Fetched 63.3 MB in 14s (4,627 kB/s)                                             

Extracting templates from packages: 100%
Selecting previously unselected package ruby-asciidoctor.
(Reading database ... 563865 files and directories currently installed.)
Preparing to unpack .../00-ruby-asciidoctor_2.0.18-2_all.deb ...
Unpacking ruby-asciidoctor (2.0.18-2) ...
Selecting previously unselected package asciidoctor.
Preparing to unpack .../01-asciidoctor_2.0.18-2_all.deb ...
Unpacking asciidoctor (2.0.18-2) ...
Selecting previously unselected package docutils-common.
Preparing to unpack .../02-docutils-common_0.19+dfsg-6_all.deb ...
Unpacking docutils-common (0.19+dfsg-6) ...
Selecting previously unselected package dvipng.
Preparing to unpack .../03-dvipng_1.15-1.1+b1_amd64.deb ...
Unpacking dvipng (1.15-1.1+b1) ...
Selecting previously unselected package ed.
Preparing to unpack .../04-ed_1.19-1_amd64.deb ...
Unpacking ed (1.19-1) ...
Selecting previously unselected package libaudit-dev:amd64.
Preparing to unpack .../05-libaudit-dev_1%3a3.0.9-1_amd64.deb ...
Unpacking libaudit-dev:amd64 (1:3.0.9-1) ...
Selecting previously unselected package libbabeltrace-dev:amd64.
Preparing to unpack .../06-libbabeltrace-dev_1.5.11-1+b2_amd64.deb ...
Unpacking libbabeltrace-dev:amd64 (1.5.11-1+b2) ...
Selecting previously unselected package libcap-dev:amd64.
Preparing to unpack .../07-libcap-dev_1%3a2.66-4_amd64.deb ...
Unpacking libcap-dev:amd64 (1:2.66-4) ...
Selecting previously unselected package libdebuginfod-dev:amd64.
Preparing to unpack .../08-libdebuginfod-dev_0.188-2.1_amd64.deb ...
Unpacking libdebuginfod-dev:amd64 (0.188-2.1) ...
Selecting previously unselected package libdw-dev:amd64.
Preparing to unpack .../09-libdw-dev_0.188-2.1_amd64.deb ...
Unpacking libdw-dev:amd64 (0.188-2.1) ...
Selecting previously unselected package libfontbox-java.
Preparing to unpack .../10-libfontbox-java_1%3a1.8.16-2_all.deb ...
Unpacking libfontbox-java (1:1.8.16-2) ...
Selecting previously unselected package libnewt-dev:amd64.
Preparing to unpack .../11-libnewt-dev_0.52.23-1+b1_amd64.deb ...
Unpacking libnewt-dev:amd64 (0.52.23-1+b1) ...
Selecting previously unselected package libnuma-dev:amd64.
Preparing to unpack .../12-libnuma-dev_2.0.16-1_amd64.deb ...
Unpacking libnuma-dev:amd64 (2.0.16-1) ...
Selecting previously unselected package libopencsd1:amd64.
Preparing to unpack .../13-libopencsd1_1.3.3-1_amd64.deb ...
Unpacking libopencsd1:amd64 (1.3.3-1) ...
Selecting previously unselected package libopencsd-dev:amd64.
Preparing to unpack .../14-libopencsd-dev_1.3.3-1_amd64.deb ...
Unpacking libopencsd-dev:amd64 (1.3.3-1) ...
Selecting previously unselected package libpdfbox-java.
Preparing to unpack .../15-libpdfbox-java_1%3a1.8.16-2_all.deb ...
Unpacking libpdfbox-java (1:1.8.16-2) ...
Selecting previously unselected package libperl-dev:amd64.
Preparing to unpack .../16-libperl-dev_5.36.0-7+deb12u1_amd64.deb ...
Unpacking libperl-dev:amd64 (5.36.0-7+deb12u1) ...
Selecting previously unselected package libtraceevent1:amd64.
Preparing to unpack .../17-libtraceevent1_1%3a1.7.1-1_amd64.deb ...
Unpacking libtraceevent1:amd64 (1:1.7.1-1) ...
Selecting previously unselected package libtraceevent-dev:amd64.
Preparing to unpack .../18-libtraceevent-dev_1%3a1.7.1-1_amd64.deb ...
Unpacking libtraceevent-dev:amd64 (1:1.7.1-1) ...
Selecting previously unselected package libtracefs1:amd64.
Preparing to unpack .../19-libtracefs1_1.6.4-1_amd64.deb ...
Unpacking libtracefs1:amd64 (1.6.4-1) ...
Selecting previously unselected package libtracefs-dev:amd64.
Preparing to unpack .../20-libtracefs-dev_1.6.4-1_amd64.deb ...
Unpacking libtracefs-dev:amd64 (1.6.4-1) ...
Selecting previously unselected package libunwind-dev:amd64.
Preparing to unpack .../21-libunwind-dev_1.6.2-3_amd64.deb ...
Unpacking libunwind-dev:amd64 (1.6.2-3) ...
Selecting previously unselected package pahole.
Preparing to unpack .../22-pahole_1.24-4.1_amd64.deb ...
Unpacking pahole (1.24-4.1) ...
Selecting previously unselected package preview-latex-style.
Preparing to unpack .../23-preview-latex-style_12.2-1_all.deb ...
Unpacking preview-latex-style (12.2-1) ...
Selecting previously unselected package python-babel-localedata.
Preparing to unpack .../24-python-babel-localedata_2.10.3-1_all.deb ...
Unpacking python-babel-localedata (2.10.3-1) ...
Selecting previously unselected package python3-alabaster.
Preparing to unpack .../25-python3-alabaster_0.7.12-1_all.deb ...
Unpacking python3-alabaster (0.7.12-1) ...
Selecting previously unselected package python3-tz.
Preparing to unpack .../26-python3-tz_2022.7.1-4_all.deb ...
Unpacking python3-tz (2022.7.1-4) ...
Selecting previously unselected package python3-babel.
Preparing to unpack .../27-python3-babel_2.10.3-1_all.deb ...
Unpacking python3-babel (2.10.3-1) ...
Selecting previously unselected package python3-dacite.
Preparing to unpack .../28-python3-dacite_1.8.0-1_all.deb ...
Unpacking python3-dacite (1.8.0-1) ...
Selecting previously unselected package python3-roman.
Preparing to unpack .../29-python3-roman_3.3-3_all.deb ...
Unpacking python3-roman (3.3-3) ...
Selecting previously unselected package python3-docutils.
Preparing to unpack .../30-python3-docutils_0.19+dfsg-6_all.deb ...
Unpacking python3-docutils (0.19+dfsg-6) ...
Selecting previously unselected package python3-imagesize.
Preparing to unpack .../31-python3-imagesize_1.4.1-1_all.deb ...
Unpacking python3-imagesize (1.4.1-1) ...
Selecting previously unselected package python3-markupsafe.
Preparing to unpack .../32-python3-markupsafe_2.1.2-1+b1_amd64.deb ...
Unpacking python3-markupsafe (2.1.2-1+b1) ...
Selecting previously unselected package python3-jinja2.
Preparing to unpack .../33-python3-jinja2_3.1.2-1_all.deb ...
Unpacking python3-jinja2 (3.1.2-1) ...
Selecting previously unselected package python3-setuptools.
Preparing to unpack .../34-python3-setuptools_66.1.1-1_all.deb ...
Unpacking python3-setuptools (66.1.1-1) ...
Selecting previously unselected package python3-snowballstemmer.
Preparing to unpack .../35-python3-snowballstemmer_2.2.0-2_all.deb ...
Unpacking python3-snowballstemmer (2.2.0-2) ...
Selecting previously unselected package sphinx-common.
Preparing to unpack .../36-sphinx-common_5.3.0-4_all.deb ...
Unpacking sphinx-common (5.3.0-4) ...
Selecting previously unselected package python3-sphinx.
Preparing to unpack .../37-python3-sphinx_5.3.0-4_all.deb ...
Unpacking python3-sphinx (5.3.0-4) ...
Selecting previously unselected package python3-sphinx-rtd-theme.
Preparing to unpack .../38-python3-sphinx-rtd-theme_1.2.0+dfsg-1_all.deb ...
Unpacking python3-sphinx-rtd-theme (1.2.0+dfsg-1) ...
Selecting previously unselected package quilt.
Preparing to unpack .../39-quilt_0.67+really0.66-1_all.deb ...
Unpacking quilt (0.67+really0.66-1) ...
Selecting previously unselected package texlive-latex-base.
Preparing to unpack .../40-texlive-latex-base_2022.20230122-3_all.deb ...
Unpacking texlive-latex-base (2022.20230122-3) ...
Selecting previously unselected package texlive-latex-recommended.
Preparing to unpack .../41-texlive-latex-recommended_2022.20230122-3_all.deb ...
Unpacking texlive-latex-recommended (2022.20230122-3) ...
Selecting previously unselected package texlive-pictures.
Preparing to unpack .../42-texlive-pictures_2022.20230122-3_all.deb ...
Unpacking texlive-pictures (2022.20230122-3) ...
Selecting previously unselected package texlive-latex-extra.
Preparing to unpack .../43-texlive-latex-extra_2022.20230122-4_all.deb ...
Unpacking texlive-latex-extra (2022.20230122-4) ...
Setting up python3-dacite (1.8.0-1) ...
Setting up libdebuginfod-dev:amd64 (0.188-2.1) ...
Setting up python3-setuptools (66.1.1-1) ...
Setting up libunwind-dev:amd64 (1.6.2-3) ...
Setting up python3-alabaster (0.7.12-1) ...
Setting up libbabeltrace-dev:amd64 (1.5.11-1+b2) ...
Setting up libaudit-dev:amd64 (1:3.0.9-1) ...
Setting up preview-latex-style (12.2-1) ...
Setting up dvipng (1.15-1.1+b1) ...
Setting up libfontbox-java (1:1.8.16-2) ...
Setting up libperl-dev:amd64 (5.36.0-7+deb12u1) ...
Setting up python3-markupsafe (2.1.2-1+b1) ...
Setting up libdw-dev:amd64 (0.188-2.1) ...
Setting up python3-tz (2022.7.1-4) ...
Setting up python-babel-localedata (2.10.3-1) ...
Setting up libnuma-dev:amd64 (2.0.16-1) ...
Setting up python3-roman (3.3-3) ...
Setting up python3-jinja2 (3.1.2-1) ...
Setting up libopencsd1:amd64 (1.3.3-1) ...
Setting up texlive-latex-base (2022.20230122-3) ...
Setting up ed (1.19-1) ...
Setting up python3-snowballstemmer (2.2.0-2) ...
Setting up sphinx-common (5.3.0-4) ...
Setting up texlive-latex-recommended (2022.20230122-3) ...
Setting up ruby-asciidoctor (2.0.18-2) ...
Setting up libnewt-dev:amd64 (0.52.23-1+b1) ...
Setting up pahole (1.24-4.1) ...
Setting up texlive-pictures (2022.20230122-3) ...
Setting up asciidoctor (2.0.18-2) ...
Setting up libtraceevent1:amd64 (1:1.7.1-1) ...
Setting up docutils-common (0.19+dfsg-6) ...
Setting up libopencsd-dev:amd64 (1.3.3-1) ...
Setting up libcap-dev:amd64 (1:2.66-4) ...
Setting up python3-imagesize (1.4.1-1) ...
Setting up libtraceevent-dev:amd64 (1:1.7.1-1) ...
Setting up libpdfbox-java (1:1.8.16-2) ...
Setting up python3-babel (2.10.3-1) ...
update-alternatives: using /usr/bin/pybabel-python3 to provide /usr/bin/pybabel 
(pybabel) in auto mode
Setting up texlive-latex-extra (2022.20230122-4) ...
Setting up quilt (0.67+really0.66-1) ...
Setting up libtracefs1:amd64 (1.6.4-1) ...
Setting up libtracefs-dev:amd64 (1.6.4-1) ...
Processing triggers for install-info (6.8-6+b1) ...
Processing triggers for libc-bin (2.36-9+deb12u8) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for tex-common (6.18) ...
Running mktexlsr. This may take some time... done.
Running updmap-sys. This may take some time... done.
Running mktexlsr /var/lib/texmf ... done.
Building format(s) --all.
        This may take some time... done.
Processing triggers for sgml-base (1.31) ...
Setting up python3-docutils (0.19+dfsg-6) ...
Setting up python3-sphinx (5.3.0-4) ...
Setting up python3-sphinx-rtd-theme (1.2.0+dfsg-1) ...
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 179 files, found 147
# apt-get source linux -t stable
Reading package lists... Done
Selected version '6.1.106-3' (stable) for linux
NOTICE: 'linux' packaging is maintained in the 'Git' version control system at:
https://salsa.debian.org/kernel-team/linux.git
Please use:
git clone https://salsa.debian.org/kernel-team/linux.git
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 140 MB of source archives.
Get:1 http://deb.devuan.org/merged daedalus/main linux 6.1.106-3 (dsc) [291 kB]
Get:2 http://deb.devuan.org/merged daedalus/main linux 6.1.106-3 (tar) [138 MB]
Get:3 http://deb.devuan.org/merged daedalus/main linux 6.1.106-3 (diff) [1,669 
kB]                                                                             

Fetched 140 MB in 31s (4,529 kB/s)                                              

dpkg-source: info: extracting linux in linux-6.1.106
dpkg-source: info: unpacking linux_6.1.106.orig.tar.xz
dpkg-source: info: unpacking linux_6.1.106-3.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying debian/gitignore.patch
dpkg-source: info: applying 
debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
dpkg-source: info: applying 
debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
dpkg-source: info: applying debian/dfsg/vs6624-disable.patch
dpkg-source: info: applying debian/dfsg/drivers-net-appletalk-cops.patch
dpkg-source: info: applying debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
dpkg-source: info: applying 
debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
dpkg-source: info: applying debian/version.patch
dpkg-source: info: applying debian/uname-version-timestamp.patch
dpkg-source: info: applying debian/kernelvariables.patch
dpkg-source: info: applying debian/ia64-hardcode-arch-script-output.patch
dpkg-source: info: applying debian/mips-disable-werror.patch
dpkg-source: info: applying debian/mips-boston-disable-its.patch
dpkg-source: info: applying debian/mips-ieee754-relaxed.patch
dpkg-source: info: applying debian/arch-sh4-fix-uimage-build.patch
dpkg-source: info: applying debian/tools-perf-perf-read-vdso-in-libexec.patch
dpkg-source: info: applying debian/tools-perf-install-python-bindings.patch
dpkg-source: info: applying 
debian/wireless-add-debian-wireless-regdb-certificates.patch
dpkg-source: info: applying 
debian/export-symbols-needed-by-android-drivers.patch
dpkg-source: info: applying 
debian/android-enable-building-ashmem-and-binder-as-modules.patch
dpkg-source: info: applying debian/documentation-drop-sphinx-version-check.patch
dpkg-source: info: applying 
debian/perf-traceevent-support-asciidoctor-for-documentatio.patch
dpkg-source: info: applying 
debian/kbuild-look-for-module.lds-under-arch-directory-too.patch
dpkg-source: info: applying debian/kbuild-abort-build-if-subdirs-used.patch
dpkg-source: info: applying 
debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch
dpkg-source: info: applying 
debian/makefile-make-compiler-version-comparison-optional.patch
dpkg-source: info: applying 
features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
dpkg-source: info: applying 
debian/iwlwifi-do-not-request-unreleased-firmware.patch
dpkg-source: info: applying 
bugfix/all/firmware_class-log-every-success-and-failure.patch
dpkg-source: info: applying 
bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
dpkg-source: info: applying 
bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
dpkg-source: info: applying 
debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
dpkg-source: info: applying 
bugfix/all/wifi-mt76-do-not-run-mt76_unregister_device-on-unregistered-hw.patch
dpkg-source: info: applying 
features/arm/arm-dts-bcm-Enable-device-tree-overlay-support-for-R.patch
dpkg-source: info: applying 
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
dpkg-source: info: applying 
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
dpkg-source: info: applying 
debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
dpkg-source: info: applying 
debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
dpkg-source: info: applying 
debian/fs-enable-link-security-restrictions-by-default.patch
dpkg-source: info: applying debian/sched-autogroup-disabled.patch
dpkg-source: info: applying debian/yama-disable-by-default.patch
dpkg-source: info: applying 
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
dpkg-source: info: applying 
features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
dpkg-source: info: applying 
features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
dpkg-source: info: applying 
features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
dpkg-source: info: applying debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
dpkg-source: info: applying debian/snd-pcsp-disable-autoload.patch
dpkg-source: info: applying bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
dpkg-source: info: applying debian/fjes-disable-autoload.patch
dpkg-source: info: applying 
debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
dpkg-source: info: applying 
debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
dpkg-source: info: applying 
bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
dpkg-source: info: applying bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
dpkg-source: info: applying 
bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
dpkg-source: info: applying 
bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
dpkg-source: info: applying 
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
dpkg-source: info: applying 
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
dpkg-source: info: applying 
bugfix/alpha/alpha-fix-missing-symbol-versions-for-str-n-cat-cpy.patch
dpkg-source: info: applying 
features/arm64/dt-bindings-rockchip-Add-Hardkernel-ODROID-M1-board.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Add-Hardkernel-ODROID-M1-board.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-add-thermal-support-to-ODROID-M1.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Add-NOR-flash-to-ODROID-M1.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Add-analog-audio-on-ODROID-M1.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Enable-vop2-and-hdmi-tx-on-ODROID.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Enable-HDMI-audio-on-ODROID-M1.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Enable-the-GPU-on-ODROID-M1.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Enable-the-USB-2.0-ports-on-ODROI.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Enable-the-USB-3.0-ports-on-ODROI.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Add-SATA-support-to-ODROID-M1.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Add-PCIEe-v3-nodes-to-ODROID-M1.patch
dpkg-source: info: applying 
features/arm64/arm64-dts-rockchip-Add-IR-receiver-node-to-ODROID-M1.patch
dpkg-source: info: applying features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
dpkg-source: info: applying 
features/x86/x86-make-x32-syscall-support-conditional.patch
dpkg-source: info: applying 
bugfix/arm64/arm64-dts-rockchip-fix-spdif-fe460000-ordering-on-rk.patch
dpkg-source: info: applying 
features/arm64/quartz64/arm64-dts-rockchip-RK356x-Add-I2S2-device-node.patch
dpkg-source: info: applying 
features/arm64/quartz64/arm64-dts-rockchip-Enable-video-output-and-HDMI-on-S.patch
dpkg-source: info: applying 
features/arm64/quartz64/arm64-dts-rockchip-Enable-HDMI-sound-on-SOQuartz.patch
dpkg-source: info: applying 
features/arm64/quartz64/arm64-dts-rockchip-Enable-PCIe-2-on-SOQuartz-CM4IO.patch
dpkg-source: info: applying 
features/arm64/quartz64/dt-bindings-arm-rockchip-Add-SOQuartz-Blade.patch
dpkg-source: info: applying 
features/arm64/quartz64/arm64-dts-rockchip-Add-SOQuartz-blade-board.patch
dpkg-source: info: applying 
features/arm64/quartz64/dt-bindings-arm-rockchip-Add-SOQuartz-Model-A.patch
dpkg-source: info: applying 
features/arm64/quartz64/arm64-dts-rockchip-Add-SOQuartz-Model-A-baseboard.patch
dpkg-source: info: applying bugfix/all/disable-some-marvell-phys.patch
dpkg-source: info: applying 
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
dpkg-source: info: applying 
bugfix/all/media-solo6x10-replace-max-a-min-b-c-by-clamp-b-a-c.patch
dpkg-source: info: applying 
bugfix/all/udp-allow-header-check-for-dodgy-GSO_UDP_L4-packets.patch
dpkg-source: info: applying 
bugfix/all/gso-fix-dodgy-bit-handling-for-GSO_UDP_L4.patch
dpkg-source: info: applying 
bugfix/all/net-more-strict-VIRTIO_NET_HDR_GSO_UDP_L4-validation.patch
dpkg-source: info: applying 
bugfix/all/net-drop-bad-gso-csum_start-and-offset-in-virtio_net.patch
dpkg-source: info: applying 
features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
dpkg-source: info: applying 
features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
dpkg-source: info: applying 
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
dpkg-source: info: applying 
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
dpkg-source: info: applying 
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
dpkg-source: info: applying 
features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
dpkg-source: info: applying 
features/all/db-mok-keyring/trust-machine-keyring-by-default.patch
dpkg-source: info: applying 
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
dpkg-source: info: applying debian/ntfs-mark-it-as-broken.patch
dpkg-source: info: applying 
bugfix/all/module-disable-matching-missing-version-crc.patch
dpkg-source: info: applying bugfix/all/usbip-document-tcp-wrappers.patch
dpkg-source: info: applying bugfix/all/kbuild-fix-recordmcount-dependency.patch
dpkg-source: info: applying bugfix/all/tools-perf-man-date.patch
dpkg-source: info: applying bugfix/all/tools-perf-remove-shebangs.patch
dpkg-source: info: applying 
bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
dpkg-source: info: applying 
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
dpkg-source: info: applying bugfix/all/cpupower-bump-soname-version.patch
dpkg-source: info: applying 
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
dpkg-source: info: applying 
bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
dpkg-source: info: applying 
bugfix/all/libapi-define-_fortify_source-as-2-not-empty.patch
dpkg-source: info: applying 
bugfix/all/tools-perf-fix-missing-ldflags-for-some-programs.patch
dpkg-source: info: applying 
bugfix/powerpc/fbdev-offb-Update-expected-device-name.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0001-net-Remove-the-obsolte-u64_stats_fetch_-_irq-users-d.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0002-net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0003-net-mana-Add-support-for-auxiliary-device.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0004-net-mana-Record-the-physical-address-for-doorbell-pa.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0005-net-mana-Handle-vport-sharing-between-devices.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0006-net-mana-Set-the-DMA-device-max-segment-size.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0007-net-mana-Export-Work-Queue-functions-for-use-by-RDMA.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0008-net-mana-Record-port-number-in-netdev.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0009-net-mana-Move-header-files-to-a-common-location.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0010-net-mana-Define-max-values-for-SGL-entries.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0011-net-mana-Define-and-process-GDMA-response-code-GDMA_.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0012-net-mana-Define-data-structures-for-protection-domai.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0013-net-mana-Fix-return-type-of-mana_start_xmit.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0014-net-mana-Fix-accessing-freed-irq-affinity_hint.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0015-net-mana-Add-new-MANA-VF-performance-counters-for-ea.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0016-net-mana-Remove-redundant-pci_clear_master.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0017-net-mana-Use-napi_build_skb-in-RX-path.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0018-net-mana-Refactor-RX-buffer-allocation-code-to-prepa.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0019-net-mana-Enable-RX-path-to-handle-various-MTU-sizes.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0020-net-mana-Add-support-for-jumbo-frame.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0021-net-mana-Check-if-netdev-napi_alloc_frag-returns-sin.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0022-net-mana-Fix-perf-regression-remove-rx_cqes-tx_cqes-.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0023-net-mana-Add-support-for-vlan-tagging.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0024-RDMA-mana_ib-Use-v2-version-of-cfg_rx_steer_req-to-e.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0025-net-mana-use-vmalloc_array-and-vcalloc.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0026-net-mana-Batch-ringing-RX-queue-doorbell-on-receivin.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0027-net-mana-Use-the-correct-WQE-count-for-ringing-RQ-do.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0028-net-mana-Configure-hwc-timeout-from-hardware.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0029-net-mana-Rename-mana_refill_rxoob-and-remove-some-em.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0030-net-mana-Add-gdma-stats-to-ethtool-output-for-mana.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0031-net-mana-Add-remaining-GDMA-stats-for-MANA-to-ethtoo.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0032-net-mana-Fix-Rx-DMA-datasize-and-skb_over_panic.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0033-net-mana-Enable-MANA-driver-on-ARM64-with-4K-page-si.patch
dpkg-source: info: applying 
features/all/ethernet-microsoft/0034-net-mana-Fix-the-extra-HZ-in-mana_hwc_send_request.patch
W: Download is performed unsandboxed as root as file 'linux_6.1.106-3.dsc' 
couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
# cd linux-6.1.106
# export MAKEFLAGS=-j$(nproc)
# export DEB_BUILD_PROFILES='pkg.linux.nokerneldbg pkg.linux.nokerneldbginfo'
# apt-get install devscripts
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
devscripts is already the newest version (2.23.4+deb12u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
# apt install dh-exec
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  dh-exec
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.8 kB of archives.
After this operation, 145 kB of additional disk space will be used.
Get:1 http://deb.devuan.org/merged daedalus/main amd64 dh-exec amd64 0.27 [27.8 
kB]
Fetched 27.8 kB in 0s (108 kB/s) 
Selecting previously unselected package dh-exec.
(Reading database ... 581705 files and directories currently installed.)
Preparing to unpack .../dh-exec_0.27_amd64.deb ...
Unpacking dh-exec (0.27) ...
Setting up dh-exec (0.27) ...
Processing triggers for man-db (2.11.2-2) ...
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 179 files, found 147
# export EMAIL=tauromen...@gmail.com
# ./debian/bin/test-patches -f amd64 ../fix-bug1070685.patch

snip

Importing patch /usr/src/fix-bug1070685.patch (stored as 
debian/patches/test/fix-bug1070685.patch)
Applying patch debian/patches/test/fix-bug1070685.patch
patching file net/bridge/br_netfilter_hooks.c
Hunk #1 succeeded at 618 (offset -1 lines).
patching file net/netfilter/nfnetlink_queue.c
Hunk #1 succeeded at 647 (offset -173 lines).

snip

and at the end

dpkg-genbuildinfo --build=binary -O../linux_6.1.106-3a~test_amd64.buildinfo
dpkg-genchanges --build=binary -O../linux_6.1.106-3a~test_amd64.changes
dpkg-genchanges: info: binary-only upload (no source code included)
dpkg-source --after-build .
dpkg-buildpackage: info: binary-only upload (no source included)
dpkg-buildpackage: warning: not signing UNRELEASED build; use --force-sign to 
override

The result was:

ls -la *.deb
-rw-r--r-- 1 root root   876884 Sep  7 13:36 
linux-compiler-gcc-12-x86_6.1.106-3a~test_amd64.deb
-rw-r--r-- 1 root root  1407436 Sep  7 13:35 
linux-headers-6.1.0-0.a.test-amd64_6.1.106-3a~test_amd64.deb
-rw-r--r-- 1 root root 10064304 Sep  7 12:39 
linux-headers-6.1.0-0.a.test-common_6.1.106-3a~test_all.deb
-rw-r--r-- 1 root root  8413384 Sep  7 12:39 
linux-headers-6.1.0-0.a.test-common-rt_6.1.106-3a~test_all.deb
-rw-r--r-- 1 root root 58660416 Sep  7 13:36 
linux-image-6.1.0-0.a.test-amd64-unsigned_6.1.106-3a~test_amd64.deb
-rw-r--r-- 1 root root  1560744 Sep  7 13:36 
linux-image-amd64-signed-template_6.1.106-3a~test_amd64.deb
-rw-r--r-- 1 root root  1134012 Sep  7 13:36 
linux-kbuild-6.1_6.1.106-3a~test_amd64.deb
-rw-r--r-- 1 root root  1027600 Sep  7 13:36 
linux-kbuild-6.1-dbgsym_6.1.106-3a~test_amd64.deb
-rw-r--r-- 1 root root  2024548 Sep  7 13:36 
linux-libc-dev_6.1.106-3a~test_amd64.deb
-rw-r--r-- 1 root root   924808 Sep  7 12:39 
linux-support-6.1.0-0.a.test_6.1.106-3a~test_all.deb

and

-rw-r--r--  1 root root      9618 Sep  7 13:36 
linux_6.1.106-3a~test_amd64.buildinfo
-rw-r--r--  1 root root      5269 Sep  7 13:36 
linux_6.1.106-3a~test_amd64.changes

Then I installed the new kernel packages in the router box:

apt install linux-image-6.1.0-0.a.test-amd64-unsigned 
linux-headers-6.1.0-0.a.test-amd64 linux-headers-6.1.0-0.a.test-common 
linux-kbuild-6.1=6.1.106-3a*

and grub-reboot it to test if there was any trace at boot:

# uname -a
Linux devuan-router 6.1.0-0.a.test-amd64 #1 SMP PREEMPT_DYNAMIC Devuan 
6.1.106-3a~test (2024-09-07) x86_64 GNU/Linux

and in /var/log/syslog no trace is to be found!!!! Eureka!

So the attached patch does fix this bug for me.

BTW.: the patch in the  previous mail  was incomplete which I found out the 
hard way.

Ciao,
Tito

>From 025b3326c5c409b372d0103ad30f174e55adbd1b Mon Sep 17 00:00:00 2001
From: Florian Westphal <f...@strlen.de>
Date: Wed, 7 Aug 2024 21:28:41 +0200
Subject: netfilter: nf_queue: drop packets with cloned unconfirmed conntracks

[ Upstream commit 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb ]

Conntrack assumes an unconfirmed entry (not yet committed to global hash
table) has a refcount of 1 and is not visible to other cores.

With multicast forwarding this assumption breaks down because such
skbs get cloned after being picked up, i.e.  ct->use refcount is > 1.

Likewise, bridge netfilter will clone broad/mutlicast frames and
all frames in case they need to be flood-forwarded during learning
phase.

For ip multicast forwarding or plain bridge flood-forward this will
"work" because packets don't leave softirq and are implicitly
serialized.

With nfqueue this no longer holds true, the packets get queued
and can be reinjected in arbitrary ways.

Disable this feature, I see no other solution.

After this patch, nfqueue cannot queue packets except the last
multicast/broadcast packet.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 net/bridge/br_netfilter_hooks.c |  6 +++++-
 net/netfilter/nfnetlink_queue.c | 35 +++++++++++++++++++++++++++++++++--
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index bf30c50b568956..a9e1b56f854d48 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -619,8 +619,12 @@ static unsigned int br_nf_local_in(void *priv,
 	if (likely(nf_ct_is_confirmed(ct)))
 		return NF_ACCEPT;
 
+	if (WARN_ON_ONCE(refcount_read(&nfct->use) != 1)) {
+		nf_reset_ct(skb);
+		return NF_ACCEPT;
+	}
+
 	WARN_ON_ONCE(skb_shared(skb));
-	WARN_ON_ONCE(refcount_read(&nfct->use) != 1);
 
 	/* We can't call nf_confirm here, it would create a dependency
 	 * on nf_conntrack module.
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 55e28e1da66ec6..e0716da256bf55 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -820,10 +820,41 @@ static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry)
 {
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
 	static const unsigned long flags = IPS_CONFIRMED | IPS_DYING;
-	const struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+	struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+	unsigned long status;
+	unsigned int use;
 
-	if (ct && ((ct->status & flags) == IPS_DYING))
+	if (!ct)
+		return false;
+
+	status = READ_ONCE(ct->status);
+	if ((status & flags) == IPS_DYING)
 		return true;
+
+	if (status & IPS_CONFIRMED)
+		return false;
+
+	/* in some cases skb_clone() can occur after initial conntrack
+	 * pickup, but conntrack assumes exclusive skb->_nfct ownership for
+	 * unconfirmed entries.
+	 *
+	 * This happens for br_netfilter and with ip multicast routing.
+	 * We can't be solved with serialization here because one clone could
+	 * have been queued for local delivery.
+	 */
+	use = refcount_read(&ct->ct_general.use);
+	if (likely(use == 1))
+		return false;
+
+	/* Can't decrement further? Exclusive ownership. */
+	if (!refcount_dec_not_one(&ct->ct_general.use))
+		return false;
+
+	skb_set_nfct(entry->skb, 0);
+	/* No nf_ct_put(): we already decremented .use and it cannot
+	 * drop down to 0.
+	 */
+	return true;
 #endif
 	return false;
 }
-- 
cgit 1.2.3-korg

Bug#1070685: linux-image-6.1.0-21-amd64: Found Trace in the logs about br_netfilter and nf_conntrack

Reply via email to