Hi and thanks for working on this SRU. I have some comments on the
debdiff:

- Please specify the patch Author in the DEP-3 headers. See [1] for more
info on the header format.

- The patch description should not be "apply upstream patch", because
the patch is just the patch, it contains no information on where/how
it's applied. It is fine (actually: good) to use the original commit
message as the patch description. A multi-line description is OK, again
see [1].

- I see you dropped a test which was present in the original patch. If
the test works fine on Jammy, let's keep it. If the test doesn't work on
Jammy, please explain why in the patch Description header.

- Please call the patch file something like
0002-nft-cache-avoid-double-free-of-unrecognized-base-chains.patch to
follow the naming style used by other patches.

If the added upstream test (0004extra-base_0) allows the easy
verification that this fix works, it would be nice to have that in the
SRU test plan.

[1] https://dep-team.pages.debian.net/deps/dep3/

https://bugs.launchpad.net/bugs/2049318

Title:
  [SRU] free(): double free detected in tcache 2

Status in iptables package in Ubuntu:
  Fix Released
Status in iptables source package in Jammy:
  Confirmed

Bug description:
  [ Impact ]

  iptables is unable to list the iptables rules or save the iptables
  rules if a nftables ruleset is defined which iptables does not
  recognize.

  [ Test Plan ]

  * Add an iptables rule.
    - sudo iptables -A OUTPUT -p tcp --dport 9999  -j REJECT

  * save the rules in a file
    - sudo iptables-save > rules.txt

  * Convert the rule to nftables ruleset
    - sudo iptables-nft-restore < rules.txt

  * List the nftables ruleset
    - sudo nft list ruleset

  * Also confirm that iptables can list the old rule
    - sudo iptables -L

  * Now add another nftables rule (this rule is taken from upstream test
  case)

  sudo nft -f - <<EOF
  table ip filter {
          chain INPUT {
                  type filter hook input priority filter
                  counter packets 218 bytes 91375 accept
          }

          chain x {
                  type filter hook input priority filter
          }
  }
  EOF

  * List the nftables ruleset, which will print the old rule and the new rule
    - sudo nft list ruleset

  * Try printing the old iptables rule
    - sudo iptables -L

  Without the fixed packages it will now abort with a double free.
  $ sudo iptables -L
  free(): double free detected in tcache 2
  Aborted

  [ Where problems could occur ]

   * This is an upstream patch which is only removing an error path when
  nft_cache_add_chain() errors. nft_cache_add_chain() will free the
  chain on error, and it was then again freed in the error path. By
  removing the error path it's now fixing the double free. Since the only
  change is in the error path, the chances of regression are very low.

  [ Other Info ]

  * The regression was introduced in v1.8.7 and has been fixed via
  v1.8.8 so only Jammy is affected.

  [ Original Bug Description ]

  nftables is being used successfully with no difficulty.

  Running iptables on my node receives a crash:

  $ sudo iptables -nL
  free(): double free detected in tcache 2
  Aborted (core dumped)

  without sudo

  # iptables -nL
  free(): double free detected in tcache 2
  Aborted (core dumped)

  This bug is known and was fixed in version 1.8.8 of iptables
  https://git.netfilter.org/iptables/commit/?id=4318961230bce82958df82b57f1796143bf2f421

  1) The release of Ubuntu

  $ lsb_release -rd
  Description:  Ubuntu 22.04.3 LTS
  Release:      22.04

  2) The version of the package

  $ apt info iptables
  Package: iptables
  Version: 1.8.7-1ubuntu5.1

  3) What you expected to happen

  not to crash with valid, working nftables rules

  4) What happened instead

  crash

  A plausible workaround could be a backport of iptables 1.8.9 from
  mantic

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: iptables 1.8.7-1ubuntu5.1
  ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131
  Uname: Linux 5.15.0-91-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  Date: Sun Jan 14 20:36:59 2024
  InstallationDate: Installed on 2021-11-23 (782 days ago)
  InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 (20210824)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: iptables
  UpgradeStatus: Upgraded to jammy on 2023-04-30 (259 days ago)
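
The ownership mistake described under "Where problems could occur", modelled in C as an added example; it is not the iptables source and not part of the bug report. Every name here is hypothetical (cache_add_chain() stands in for nft_cache_add_chain()), and the rejection rule and the static pool that counts releases are assumptions made so the double release can be observed without aborting.

```c
#include <string.h>

struct chain { int id; int hook; };

/* Static pool, so a repeated release is counted instead of corrupting the
 * heap; with malloc()/free() the second release is what glibc aborts on. */
static struct chain pool[4];
static int releases[4];
static struct chain *base_chain[5];   /* cache: one base chain per hook */

static struct chain *chain_new(int id, int hook)
{
    pool[id] = (struct chain){ .id = id, .hook = hook };
    return &pool[id];
}

static void chain_free(struct chain *c) { releases[c->id]++; }

/* Takes ownership of c: caches it, or releases it itself on rejection.
 * The rejection rule (hook slot already taken) is an assumption. */
static int cache_add_chain(struct chain *c)
{
    if (base_chain[c->hook]) { chain_free(c); return -1; }
    base_chain[c->hook] = c;
    return 0;
}

/* Pre-fix shape: the caller's error path releases the chain a second time. */
static int list_cb_buggy(struct chain *c)
{
    if (cache_add_chain(c) < 0) { chain_free(c); return -1; }
    return 0;
}

/* Post-fix shape: no caller-side release, the callee owned the chain. */
static int list_cb_fixed(struct chain *c) { return cache_add_chain(c); }

/* Two base chains on one hook; returns releases of the rejected one. */
int releases_of_rejected(int use_fixed)
{
    int (*cb)(struct chain *) = use_fixed ? list_cb_fixed : list_cb_buggy;
    memset(releases, 0, sizeof(releases));
    memset(base_chain, 0, sizeof(base_chain));
    cb(chain_new(0, 1));
    cb(chain_new(1, 1));
    return releases[1];
}

int main(void) { return releases_of_rejected(0) == 2 && releases_of_rejected(1) == 1 ? 0 : 1; }
```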
