This bug was fixed in the package linux - 4.19.0-12.13

linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped 
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: venus: core: Set dma maximum segment size
    - staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
    - net: call sk_dst_reset when set SO_DONTROUTE
    - scsi: target: use consistent left-aligned ASCII INQUIRY data
    - scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
    - selftests: do not macro-expand failed assertion expressions
    - arm64: kasan: Increase stack size for KASAN_EXTRA
    - clk: imx6q: reset exclusive gates on init
    - arm64: Fix minor issues with the dcache_by_line_op macro
    - bpf: relax verifier restriction on BPF_MOV | BPF_ALU
    - kconfig: fix file name and line number of warn_ignored_character()
    - kconfig: fix memory leak when EOF is encountered in quotation
    - mmc: atmel-mci: do not assume idle after atmci_request_end
    - btrfs: volumes: Make sure there is no overlap of dev extents at mount time
    - btrfs: alloc_chunk: fix more DUP stripe size handling
    - btrfs: fix use-after-free due to race between replace start and cancel
    - btrfs: improve error handling of btrfs_add_link
    - tty/serial: do not free transmit buffer page under port lock
    - perf intel-pt: Fix error with config term "pt=0"
    - perf tests ARM: Disable breakpoint tests 32-bit
    - perf svghelper: Fix unchecked usage of strncpy()
    - perf parse-events: Fix unchecked usage of strncpy()
    - perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
    - netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
    - netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
    - netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
    - x86/topology: Use total_cpus for max logical packages calculation
    - dm crypt: use u64 instead of sector_t to store iv_offset
    - dm kcopyd: Fix bug causing workqueue stalls
    - perf stat: Avoid segfaults caused by negated options
    - tools lib subcmd: Don't add the kernel sources to the include path
    - dm snapshot: Fix excessive memory usage and workqueue stalls
    - perf cs-etm: Correct packets swapping in cs_etm__flush()
    - perf tools: Add missing sigqueue() prototype for systems lacking it
    - perf tools: Add missing open_memstream() prototype for systems lacking it
    - quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} quotactls.
    - clocksource/drivers/integrator-ap: Add missing of_node_put()
    - dm: Check for device sector overflow if CONFIG_LBDAF is not set
    - Bluetooth: btusb: Add support for Intel bluetooth device 8087:0029
    - ALSA: bebob: fix model-id of unit for Apogee Ensemble
    - sysfs: Disable lockdep for driver bind/unbind files
    - IB/usnic: Fix potential deadlock
    - scsi: mpt3sas: fix memory ordering on 64bit writes
    - scsi: smartpqi: correct lun reset issues
    - ath10k: fix peer stats null pointer dereference
    - scsi: smartpqi: call pqi_free_interrupts() in pqi_shutdown()
    - scsi: megaraid: fix out-of-bound array accesses
    - iomap: don't search past page end in iomap_is_partially_uptodate
    - ocfs2: fix panic due to unrecovered local alloc
    - mm/page-writeback.c: don't break integrity writeback on ->writepage() 
    - mm/swap: use nr_node_ids for avail_lists in swap_info_struct
    - userfaultfd: clear flag if remap event not enabled
    - mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps
    - iwlwifi: mvm: Send LQ command as async when necessary
    - Bluetooth: Fix unnecessary error message for HCI request completion
    - ipmi: fix use-after-free of user->release_barrier.rda
    - ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
    - ipmi: Prevent use-after-free in deliver_response
    - ipmi:ssif: Fix handling of multi-part return messages
    - ipmi: Don't initialize anything in the core until something uses it
    - Linux 4.19.18

  * tls selftest failures/hangs on i386 (LP: #1813607)
    - [Config] CONFIG_TLS=n for i386

  * Intel XL710 - i40e driver does not work with kernel 4.15 (Ubuntu 18.04)
    (LP: #1779756)
    - i40e: prevent overlapping tx_timeout recover

  * Disco update: 4.19.17 upstream stable release (LP: #1813016)
    - tty/ldsem: Wake up readers after timed out down_write()
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present
    - can: gw: ensure DLC boundaries after CAN frame modification
    - netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
    - netfilter: nf_conncount: split gc in two phases
    - netfilter: nf_conncount: restart search when nodes have been erased
    - netfilter: nf_conncount: merge lookup and add functions
    - netfilter: nf_conncount: move all list iterations under spinlock
    - netfilter: nf_conncount: speculative garbage collection on empty lists
    - netfilter: nf_conncount: fix argument order to find_next_bit
    - mmc: sdhci-msm: Disable CDR function on TX
    - Revert "scsi: target: iscsi: cxgbit: fix csk leak"
    - scsi: target: iscsi: cxgbit: fix csk leak
    - scsi: target: iscsi: cxgbit: fix csk leak
    - arm64/kvm: consistently handle host HCR_EL2 flags
    - arm64: Don't trap host pointer auth use to EL2
    - ipv6: fix kernel-infoleak in ipv6_local_error()
    - net: bridge: fix a bug on using a neighbour cache entry without checking 
    - packet: Do not leak dev refcounts on error exit
    - tcp: change txhash on SYN-data timeout
    - tun: publish tfile after it's fully initialized
    - lan743x: Remove phy_read from link status change function
    - smc: move unhash as early as possible in smc_release()
    - r8169: don't try to read counters if chip is in a PCI power-save state
    - bonding: update nest level on unlink
    - ip: on queued skb use skb_header_pointer instead of pskb_may_pull
    - r8169: load Realtek PHY driver module before r8169
    - crypto: sm3 - fix undefined shift by >= width of value
    - crypto: caam - fix zero-length buffer DMA mapping
    - crypto: authencesn - Avoid twice completion call in decrypt path
    - crypto: ccree - convert to use crypto_authenc_extractkeys()
    - crypto: bcm - convert to use crypto_authenc_extractkeys()
    - crypto: authenc - fix parsing key with misaligned rta_len
    - crypto: talitos - reorder code in talitos_edesc_alloc()
    - crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK
    - xen: Fix x86 sched_clock() interface for xen
    - Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
    - btrfs: wait on ordered extents on abort cleanup
    - Yama: Check for pid death before checking ancestry
    - scsi: core: Synchronize request queue PM status only on successful resume
    - scsi: sd: Fix cache_type_store()
    - mips: fix n32 compat_ipc_parse_version
    - MIPS: BCM47XX: Setup struct device for the SoC
    - MIPS: lantiq: Fix IPI interrupt handling
    - drm/i915/gvt: Fix mmap range check
    - OF: properties: add missing of_node_put
    - mfd: tps6586x: Handle interrupts on suspend
    - media: v4l: ioctl: Validate num_planes for debug messages
    - RDMA/nldev: Don't expose unsafe global rkey to regular user
    - RDMA/vmw_pvrdma: Return the correct opcode when creating WR
    - kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7
    - net: dsa: realtek-smi: fix OF child-node lookup
    - pstore/ram: Avoid allocation and leak of platform data
    - arm64: kaslr: ensure randomized quantities are clean to the PoC
    - arm64: dts: marvell: armada-ap806: reserve PSCI area
    - Disable MSI also when pcie-octeon.pcie_disable on
    - fix int_sqrt64() for very large numbers
    - omap2fb: Fix stack memory disclosure
    - media: vivid: fix error handling of kthread_run
    - media: vivid: set min width/height to a value > 0
    - bpf: in __bpf_redirect_no_mac pull mac only if present
    - ipv6: make icmp6_send() robust against null skb->dev
    - LSM: Check for NULL cred-security on free
    - media: vb2: vb2_mmap: move lock up
    - sunrpc: handle ENOMEM in rpcb_getport_async
    - netfilter: ebtables: account ebt_table_info to kmemcg
    - block: use rcu_work instead of call_rcu to avoid sleep in softirq
    - selinux: fix GPF on invalid policy
    - blockdev: Fix livelocks on loop device
    - sctp: allocate sctp_sockaddr_entry with kzalloc
    - tipc: fix uninit-value in in tipc_conn_rcv_sub
    - tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
    - tipc: fix uninit-value in tipc_nl_compat_bearer_enable
    - tipc: fix uninit-value in tipc_nl_compat_link_set
    - tipc: fix uninit-value in tipc_nl_compat_name_table_dump
    - tipc: fix uninit-value in tipc_nl_compat_doit
    - block/loop: Don't grab "struct file" for vfs_getattr() operation.
    - block/loop: Use global lock for ioctl() operation.
    - loop: Fold __loop_release into loop_release
    - loop: Get rid of loop_index_mutex
    - loop: Push lo_ctl_mutex down into individual ioctls
    - loop: Split setting of lo_state from loop_clr_fd
    - loop: Push loop_ctl_mutex down into loop_clr_fd()
    - loop: Push loop_ctl_mutex down to loop_get_status()
    - loop: Push loop_ctl_mutex down to loop_set_status()
    - loop: Push loop_ctl_mutex down to loop_set_fd()
    - loop: Push loop_ctl_mutex down to loop_change_fd()
    - loop: Move special partition reread handling in loop_clr_fd()
    - loop: Move loop_reread_partitions() out of loop_ctl_mutex
    - loop: Fix deadlock when calling blkdev_reread_part()
    - loop: Avoid circular locking dependency between loop_ctl_mutex and 
    - loop: Get rid of 'nested' acquisition of loop_ctl_mutex
    - loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
    - loop: drop caches if offset or block_size are changed
    - drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
    - selftests: Fix test errors related to khdr target
    - media: vb2: be sure to unlock mutex on errors
    - nbd: Use set_blocksize() to set device blocksize
    - Linux 4.19.17

  * Enable sound card power saving by default (LP: #1804265)

  * Fix non-working QCA Rome Bluetooth after S3 (LP: #1812812)
    - USB: Add new USB LPM helpers
    - USB: Consolidate LPM checks to avoid enabling LPM twice

  * [SRU] Fix Xorg crash with nomodeset when BIOS enable 64-bit fb addr
    (LP: #1812797)
    - vgaarb: Add support for 64-bit frame buffer address
    - vgaarb: Keep adding VGA device in queue

  * bluetooth controller not detected with 4.15 kernel (LP: #1810797)
    - SAUCE: btqcomsmd: introduce BT_QCOMSMD_HACK
    - [Config] arm64: snapdragon: BT_QCOMSMD_HACK=y

  * [19.04 FEAT] Enable virtio-gpu for s390x (LP: #1799467)
    - [Config] enable virtio-gpu for s390x

  * Miscellaneous Ubuntu changes
    - Revert "UBUNTU: SAUCE: selftests: disable some failing networking tests"
    - SAUCE: selftests: net: replace AF_MAX with INT_MAX in socket.c
    - SAUCE: selftests/ftrace: Fix tab expansion in trace_marker snapshot 
    - update dkms package versions

  * Miscellaneous upstream changes
    - selftests/ftrace: Fix checkbashisms errors
    - selftests/powerpc/pmu: Link ebb tests with -no-pie

 -- Seth Forshee <>  Mon, 28 Jan 2019 15:38:30

  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP

   * The fix is a backport of the upstream commit that resolves the
     race condition, plus its dependencies so the backport applies
     cleanly:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side (the kernel under test runs here):
     (limit TCP port 7777 to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb      # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb <server ip> <port> <target # connections> <# threads>
     <test output>

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 7777 6000 3
     Target reached. Thread finishing
     Target reached. Thread finishing
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 7777 6000 3
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for "" port 7777
     failed to create connection: Connection timed out - connect(2) for "" port 7777
     failed to create connection: Connection timed out - connect(2) for "" port 7777
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.
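   * The server.rb and client.rb scripts used above are not on this page.
     The following is an added stand-in, not the original author's code:
     a server that accepts and holds connections open (so each one keeps
     its conntrack entry alive), and a multithreaded client that races to
     open a target number of connections, as client.rb does. The host,
     port, thread count and the 5 second connect timeout are assumptions.
     Run it against a server host carrying the connlimit rule above: on
     an affected kernel the returned count exceeds the limit, on a fixed
     kernel it stops at the limit and the remaining connects time out.

```ruby
require 'socket'

# Added example, not the bug report's own scripts. Assumed values below.
CONNECT_TIMEOUT = 5 # seconds; a SYN dropped by connlimit is never answered

# The server-side rule from the test case, parameterised on port and limit.
# --connlimit-mask 0 aggregates every source address into one counter.
def connlimit_rule(port, limit)
  "iptables -A INPUT -p tcp -m tcp --syn --dport #{port} " \
  "-m connlimit --connlimit-above #{limit} --connlimit-mask 0 -j DROP"
end

# Server: accept forever and keep every socket referenced, so the kernel
# keeps the connection (and its conntrack entry) for the life of the test.
def start_holding_server(host = '127.0.0.1', port = 0)
  server = TCPServer.new(host, port)
  held = []
  thread = Thread.new do
    loop do
      begin
        held << server.accept
      rescue IOError, Errno::EBADF
        break # listening socket closed by stop_server
      end
    end
  end
  [server, thread, held]
end

def stop_server(server, thread, held)
  server.close
  thread.join
  held.each { |s| s.close rescue nil }
end

# Client: nthreads threads race to open `target` connections in total.
# Each connect carries a timeout so a dropped SYN fails instead of hanging
# the thread; a thread stops at its first failure, matching the behaviour
# seen in the bug output (one timeout message per thread, then done).
# Returns [established_sockets, failures]; the caller closes the sockets.
def open_connections(host, port, target, nthreads)
  mutex = Mutex.new
  opened = []
  failures = 0
  counter = 0
  threads = Array.new(nthreads) do
    Thread.new do
      loop do
        mine = mutex.synchronize { counter < target ? (counter += 1) : nil }
        break unless mine # target reached, thread finishing
        begin
          sock = Socket.tcp(host, port, connect_timeout: CONNECT_TIMEOUT)
          mutex.synchronize { opened << sock }
        rescue SystemCallError, IOError => e
          mutex.synchronize { failures += 1 }
          warn "failed to create connection: #{e.message}"
          break
        end
      end
    end
  end
  threads.each(&:join)
  [opened, failures]
end

# Usage mirrors client.rb: <server ip> <port> <target # connections> <# threads>
if __FILE__ == $PROGRAM_NAME && ARGV.size == 4
  host, port, target, nthreads = ARGV[0], ARGV[1].to_i, ARGV[2].to_i, ARGV[3].to_i
  opened, failures = open_connections(host, port, target, nthreads)
  puts "Threads done. #{opened.size} connections (#{failures} failures)"
  puts 'press enter to exit'
  $stdin.gets # keep the connections open while you inspect the server side
  opened.each(&:close)
end
```

     While the client is blocked at "press enter", `conntrack -L | grep
     7777 | wc -l` on the server host shows how many flows the kernel
     is actually counting, which is the number connlimit compares
     against the limit.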

  [Regression Potential]

   * The patchset was reviewed by a netfilter maintainer [1] on the
     stable mailing list and considered OK for 4.14; the 4.15 and 4.4
     backports are essentially the same set of patches.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.
