CVE-2022-49110

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: revisit gc autotuning

As of commit 4608fdfc07e1 ("netfilter: conntrack: collect all entries in one cycle"), conntrack gc was changed to run every 2 minutes.

On systems where the conntrack hash table is set to a large value, most evictions happen from the gc worker rather than the packet path due to hash table distribution.

This causes netlink event overflows when events are collected.

This change collects the average expiry of scanned entries and reschedules to the average remaining value, within a 1 to 60 second interval.

To avoid event overflows, reschedule after each bucket and add a limit for both run time and number of evictions per run.

If more entries have to be evicted, reschedule and restart 1 jiffy into the future.

Vulnerable products and versions

CPE                                               | From               | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | -                  | 5.15.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 5.16 (including)   | 5.16.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 5.17 (including)   | 5.17.3 (excluding)