kernel:nft "Could not process rule: Device or resource busy" on unreferenced chain

Bug #2089699 reported by Nadia Pinaeva
Affects               Status         Importance   Assigned to     Milestone
linux (Ubuntu)        New            Undecided    Unassigned
  Focal               Fix Released   Undecided    Unassigned
  Jammy               Fix Released   Undecided    Unassigned
linux-gke (Ubuntu)    New            Undecided    Unassigned
  Jammy               Fix Released   Undecided    Ian Whitfield

Bug Description

We see some nftables/netfilter problems after a kernel upgrade from 5.15.0-1061-gke to 5.15.0-1067-gke.
A correct transaction with nft fails with "Error: Could not process rule: Device or resource busy",
which usually means a deleted chain is referenced, but you can see it's not.
The full nft table dump + transaction + error is in the attached file.
These are logs from Kubernetes CI, which started failing immediately after the mentioned kernel update.
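
To check a dump for the legitimate cause of this error (a jump or goto that still targets the chain being deleted), the references can be enumerated from `nft -j list ruleset` output. This is an added example, not part of the bug report or its attachment; the sample ruleset and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `nft -j list ruleset` output (not the dump
# attached to the bug). "svc-a" is reached by a plain jump, "svc-b" only via a
# verdict map, and nothing refers to "stale".
SAMPLE_RULESET = json.loads("""
{"nftables": [
  {"metainfo": {"json_schema_version": 1}},
  {"table": {"family": "inet", "name": "t", "handle": 1}},
  {"chain": {"family": "inet", "table": "t", "name": "input", "handle": 1}},
  {"chain": {"family": "inet", "table": "t", "name": "svc-a", "handle": 2}},
  {"chain": {"family": "inet", "table": "t", "name": "svc-b", "handle": 3}},
  {"chain": {"family": "inet", "table": "t", "name": "stale", "handle": 4}},
  {"rule": {"family": "inet", "table": "t", "chain": "input", "handle": 5,
            "expr": [{"jump": {"target": "svc-a"}}]}},
  {"rule": {"family": "inet", "table": "t", "chain": "input", "handle": 6,
            "expr": [{"vmap": {
              "key": {"payload": {"protocol": "tcp", "field": "dport"}},
              "data": {"set": [[80, {"jump": {"target": "svc-b"}}]]}}}]}}
]}
""")


def verdict_targets(node):
    """Yield every jump/goto target nested anywhere under a JSON node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("jump", "goto") and isinstance(value, dict) and "target" in value:
                yield value["target"]
            else:
                yield from verdict_targets(value)
    elif isinstance(node, list):
        for item in node:
            yield from verdict_targets(item)


def chain_references(ruleset, family, table, chain):
    """List (kind, name, handle) of rules, maps and sets in the same table
    whose expressions or elements jump/goto to `chain`."""
    refs = []
    for obj in ruleset.get("nftables", []):
        for kind in ("rule", "map", "set"):
            body = obj.get(kind)
            if not body or (body.get("family"), body.get("table")) != (family, table):
                continue
            payload = body.get("expr") if kind == "rule" else body.get("elem")
            if chain in verdict_targets(payload):
                name = body.get("chain") if kind == "rule" else body.get("name")
                refs.append((kind, name, body.get("handle")))
    return refs


if __name__ == "__main__":
    for name in ("svc-a", "svc-b", "stale"):
        refs = chain_references(SAMPLE_RULESET, "inet", "t", name)
        print(name, "->", refs or "no references in committed ruleset")
```

A dump shows only the committed ruleset, so rules added or deleted earlier in the same failing transaction have to be checked against the batch itself.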

Nadia Pinaeva (npinaeva) wrote :
Paul White (paulw2u)
affects: ubuntu → linux-gke (Ubuntu)
tags: added: jammy
Manuel Diewald (diewald) wrote :

Is this still an issue with the latest kernel version in -updates 5.15.0-1069-gke? Can you provide more information, most importantly a kernel log? You can collect logs with apport-collect: https://github.com/canonical/apport.

Changed in linux-gke (Ubuntu Jammy):
status: New → Triaged
Jürg Häfliger (juergh)
Changed in linux-gke (Ubuntu Jammy):
status: Triaged → Incomplete
Ian Whitfield (ijwhitfield) wrote :

We were able to reproduce this in the generic kernels, working on a potential fix now.

Changed in linux-gke (Ubuntu Jammy):
assignee: nobody → Ian Whitfield (ijwhitfield)
status: Incomplete → In Progress
Ian Whitfield (ijwhitfield) wrote :

I've submitted a patchset for review on the kernel-team mailing list. https://lists.ubuntu.com/archives/kernel-team/2024-December/155790.html

no longer affects: linux-gke (Ubuntu Focal)
Changed in linux (Ubuntu Focal):
status: New → Confirmed
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Jammy):
status: New → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-206.226 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux' to 'verification-done-focal-linux'. If the problem still exists, change the tag 'verification-needed-focal-linux' to 'verification-failed-focal-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-v2 verification-needed-focal-linux
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-132.143 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux
Ian Whitfield (ijwhitfield) wrote :

Verified that this is fixed in the proposed kernels 5.15.0-132.143 (Jammy) and 5.4.0-207.227 (Focal) using the reproducer.

tags: added: verification-done-focal verification-done-jammy
removed: verification-needed-focal-linux verification-needed-jammy-linux
tags: added: verification-done-focal-linux verification-done-jammy-linux
removed: verification-done-focal verification-done-jammy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-133.144

---------------
linux (5.15.0-133.144) jammy; urgency=medium

  * CVE-2025-0927
    - SAUCE: fs: hfs/hfsplus: add key_len boundary check to hfs_bnode_read_key

linux (5.15.0-132.143) jammy; urgency=medium

  * jammy/linux: 5.15.0-132.143 -proposed tracker (LP: #2093735)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/2025.01.13)

  * KVM: Cache CPUID at KVM.ko module init to reduce latency of VM-Enter and VM-
    Exit (LP: #2093146)
    - kvm: x86: Fix xstate_required_size() to follow XSTATE alignment rule
    - KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init

  * Jammy update: v5.15.173 upstream stable release (LP: #2089541)
    - 9p: Avoid creating multiple slab caches with the same name
    - irqchip/ocelot: Fix trigger register address
    - block: Fix elevator_get_default() checking for NULL q->tag_set
    - HID: multitouch: Add support for B2402FVA track point
    - HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
    - bpf: use kvzmalloc to allocate BPF verifier environment
    - crypto: marvell/cesa - Disable hash algorithms
    - sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
    - drm/vmwgfx: Limit display layout ioctl array size to
      VMWGFX_NUM_DISPLAY_UNITS
    - powerpc/powernv: Free name on error in opal_event_init()
    - vDPA/ifcvf: Fix pci_read_config_byte() return code handling
    - fs: Fix uninitialized value issue in from_kuid and from_kgid
    - HID: multitouch: Add quirk for Logitech Bolt receiver w/ Casa touchpad
    - HID: lenovo: Add support for Thinkpad X1 Tablet Gen 3 keyboard
    - net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
    - md/raid10: improve code of mrdev in raid10_sync_request
    - mm/memory: add non-anonymous page check in the copy_present_page()
    - udf: Allocate name buffer in directory iterator on heap
    - udf: Avoid directory type conversion failure due to ENOMEM
    - 9p: fix slab cache name creation for real
    - Linux 5.15.173

  * Jammy update: v5.15.173 upstream stable release (LP: #2089541) //
    CVE-2024-41080
    - io_uring: fix possible deadlock in io_register_iowq_max_workers()

  * Jammy update: v5.15.172 upstream stable release (LP: #2089533)
    - arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-
      excavator
    - arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
    - arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
    - arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
    - arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc
    - arm64: dts: imx8mp: correct sdhc ipg clk
    - ARM: dts: rockchip: fix rk3036 acodec node
    - ARM: dts: rockchip: drop grf reference from rk3036 hdmi
    - ARM: dts: rockchip: Fix the spi controller on rk3036
    - ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
    - NFSv3: only use NFS timeout for MOUNT when protocols are compatible
    - NFS: Add a tracepoint to show the results of nfs_set_cache_invalid()
    - NFSv3: handle out-of-order write replies.
    - ...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote : Update Released

The verification of the Stable Release Update for linux has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-gke - 5.15.0-1075.81

---------------
linux-gke (5.15.0-1075.81) jammy; urgency=medium

  * jammy/linux-gke: 5.15.0-1075.81 -proposed tracker (LP: #2097141)

  * IDPF: TX timeout and crash (LP: #2093622)
    - Revert "idpf: trigger SW interrupt when exiting wb_on_itr mode"
    - Revert "idpf: add support for SW triggered interrupts"
    - Revert "idpf: fix idpf_vc_core_init error path"
    - Revert "idpf: avoid vport access in idpf_get_link_ksettings"
    - Revert "idpf: enable WB_ON_ITR"

linux-gke (5.15.0-1074.80) jammy; urgency=medium

  * jammy/linux-gke: 5.15.0-1074.80 -proposed tracker (LP: #2093699)

  * Add list of source files to linux-buildinfo (LP: #2086606)
    - [Packaging] Add dwarfdump to build dependencies

  * IDPF: TX timeout and crash (LP: #2093622)
    - idpf: enable WB_ON_ITR
    - idpf: avoid vport access in idpf_get_link_ksettings
    - idpf: fix idpf_vc_core_init error path
    - idpf: add support for SW triggered interrupts
    - idpf: trigger SW interrupt when exiting wb_on_itr mode

  [ Ubuntu: 5.15.0-132.143 ]

  * jammy/linux: 5.15.0-132.143 -proposed tracker (LP: #2093735)
  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/2025.01.13)
  * KVM: Cache CPUID at KVM.ko module init to reduce latency of VM-Enter and VM-
    Exit (LP: #2093146)
    - kvm: x86: Fix xstate_required_size() to follow XSTATE alignment rule
    - KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init
  * Jammy update: v5.15.173 upstream stable release (LP: #2089541)
    - 9p: Avoid creating multiple slab caches with the same name
    - irqchip/ocelot: Fix trigger register address
    - block: Fix elevator_get_default() checking for NULL q->tag_set
    - HID: multitouch: Add support for B2402FVA track point
    - HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
    - bpf: use kvzmalloc to allocate BPF verifier environment
    - crypto: marvell/cesa - Disable hash algorithms
    - sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
    - drm/vmwgfx: Limit display layout ioctl array size to
      VMWGFX_NUM_DISPLAY_UNITS
    - powerpc/powernv: Free name on error in opal_event_init()
    - vDPA/ifcvf: Fix pci_read_config_byte() return code handling
    - fs: Fix uninitialized value issue in from_kuid and from_kgid
    - HID: multitouch: Add quirk for Logitech Bolt receiver w/ Casa touchpad
    - HID: lenovo: Add support for Thinkpad X1 Tablet Gen 3 keyboard
    - net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
    - md/raid10: improve code of mrdev in raid10_sync_request
    - mm/memory: add non-anonymous page check in the copy_present_page()
    - udf: Allocate name buffer in directory iterator on heap
    - udf: Avoid directory type conversion failure due to ENOMEM
    - 9p: fix slab cache name creation for real
    - Linux 5.15.173
  * Jammy update: v5.15.173 upstream stable release (LP: #2089541) //
    CVE-2024-41080
    - io_uring: fix possible deadlock in io_register_iowq_max_workers()
  * Jammy update: v5.15.172 upstream stable release (LP: #2089533)
    - arm64: dts: rockchip: Fix ...

Changed in linux-gke (Ubuntu Jammy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-208.228

---------------
linux (5.4.0-208.228) focal; urgency=medium

  * CVE-2025-0927
    - SAUCE: fs: hfs/hfsplus: add key_len boundary check to hfs_bnode_read_key

linux (5.4.0-207.227) focal; urgency=medium

  * focal/linux: 5.4.0-207.227 -proposed tracker (LP: #2095347)

  * Remove "ftrace: Fix possible use-after-free issue in ftrace_location()" bad
    commit from focal (LP: #2095348)
    - Revert "ftrace: Fix possible use-after-free issue in ftrace_location()"

linux (5.4.0-206.226) focal; urgency=medium

  * focal/linux: 5.4.0-206.226 -proposed tracker (LP: #2093785)

  * nouveau keeps showing `disp: ctrl 00000080` and crippling the system
    (LP: #2078011)
    - drm/nouveau/disp/gv100-: halt NV_PDISP_FE_RM_INTR_STAT_CTRL_DISP_ERROR
      storms
    - drm/nouveau/kms/gv100-: move window ownership setup into modesetting path
    - drm/nouveau/kms/gv100-: avoid sending a core update until the first modeset

  * CVE-2024-43863
    - drm/vmwgfx: Fix a deadlock in dma buf fence polling

  * CVE-2024-40911
    - wifi: cfg80211: Lock wiphy in cfg80211_get_station

  * CVE-2024-35896
    - netfilter: validate user input for expected length
    - netfilter: complete validation of user input

  * CVE-2023-52458
    - block: add check that partition length needs to be aligned with block size

  * kernel:nft "Could not process rule: Device or resource busy" on unreferenced
    chain (LP: #2089699)
    - SAUCE: netfilter: nf_tables: Fix EBUSY on deleting unreferenced chain

  * CVE-2024-35887
    - lockdep: Add preemption enabled/disabled assertion APIs
    - timers: Don't block on ->expiry_lock for TIMER_IRQSAFE timers
    - Documentation: Remove bogus claim about del_timer_sync()
    - ARM: spear: Do not use timer namespace for timer_shutdown() function
    - clocksource/drivers/arm_arch_timer: Do not use timer namespace for
      timer_shutdown() function
    - clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown()
      function
    - timers: Get rid of del_singleshot_timer_sync()
    - timers: Replace BUG_ON()s
    - timers: Rename del_timer() to timer_delete()
    - Documentation: Replace del_timer/del_timer_sync()
    - timers: Silently ignore timers with a NULL function
    - timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
    - timers: Add shutdown mechanism to the internal functions
    - timers: Provide timer_shutdown[_sync]()
    - timers: Update the documentation to reflect on the new timer_shutdown() API
    - ax25: fix use-after-free bugs caused by ax25_ds_del_timer

  * CVE-2024-40965
    - clk: Add a devm variant of clk_rate_exclusive_get()
    - clk: Provide !COMMON_CLK dummy for devm_clk_rate_exclusive_get()
    - i2c: lpi2c: Avoid calling clk_get_rate during transfer

  * CVE-2024-40982
    - ssb: Fix potential NULL pointer dereference in ssb_device_uevent()

  * CVE-2024-41066
    - ibmvnic: Add tx check to prevent skb leak

  * CVE-2024-42252
    - closures: Change BUG_ON() to WARN_ON()

  * CVE-2024-46731
    - drm/amd/pm: fix the Out-of-bounds read warning

  * Focal update: v5.4.286 upstream stable release (LP: #2089558)
    - arm6...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-5.4/5.4.0-1141.151~18.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic-linux-aws-5.4' to 'verification-done-bionic-linux-aws-5.4'. If the problem still exists, change the tag 'verification-needed-bionic-linux-aws-5.4' to 'verification-failed-bionic-linux-aws-5.4'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-bionic-linux-aws-5.4-v2 verification-needed-bionic-linux-aws-5.4
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra/5.15.0-1033.33 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-done-jammy-linux-nvidia-tegra'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-failed-jammy-linux-nvidia-tegra'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra-v2 verification-needed-jammy-linux-nvidia-tegra
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra-igx/5.15.0-1021.21 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-done-jammy-linux-nvidia-tegra-igx'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-failed-jammy-linux-nvidia-tegra-igx'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra-igx-v2 verification-needed-jammy-linux-nvidia-tegra-igx
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-iot/5.4.0-1048.51 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-iot' to 'verification-done-focal-linux-iot'. If the problem still exists, change the tag 'verification-needed-focal-linux-iot' to 'verification-failed-focal-linux-iot'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-iot-v2 verification-needed-focal-linux-iot
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-raspi/5.4.0-1125.138 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-raspi' to 'verification-done-focal-linux-raspi'. If the problem still exists, change the tag 'verification-needed-focal-linux-raspi' to 'verification-failed-focal-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-raspi-v2 verification-needed-focal-linux-raspi
Jürg Häfliger (juergh)
tags: added: kernel-daily-bug
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-raspi-5.4/5.4.0-1129.142~18.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic-linux-raspi-5.4' to 'verification-done-bionic-linux-raspi-5.4'. If the problem still exists, change the tag 'verification-needed-bionic-linux-raspi-5.4' to 'verification-failed-bionic-linux-raspi-5.4'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-bionic-linux-raspi-5.4-v2 verification-needed-bionic-linux-raspi-5.4