[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-24 Thread Dan Streetman
** Changed in: linux (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1486670 Title: using ipsec, many connections result in no buffer

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-24 Thread Dan Streetman
** Tags removed: verification-needed-wily ** Tags added: verification-done-wily

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-24 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/trusty/linux-lts-wily/trusty-proposed

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-24 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-vivid

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-79.123
---
linux (3.13.0-79.123) trusty; urgency=low
  [ Seth Forshee ]
  * SAUCE: cred: Add clone_cred() interface
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.19.0-51.57
---
linux (3.19.0-51.57) vivid; urgency=low
  [ Seth Forshee ]
  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-79.123
---
linux (3.13.0-79.123) trusty; urgency=low
  [ Seth Forshee ]
  * SAUCE: cred: Add clone_cred() interface
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.2.0-30.35
---
linux (4.2.0-30.35) wily; urgency=low
  [ Seth Forshee ]
  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-22 Thread Dan Streetman
and on wily, this patch is required on top of the patch from comment 14: probe kernel.function("xfrm_resolve_and_create_bundle") { if ($family == 2) { -dst_count[$pols[0]->xp_net->loopback_dev] = $pols[0]->xp_net->xfrm->xfrm4_dst_ops->pcpuc_entries->count +

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-17 Thread Dan Streetman
** Tags removed: verification-needed-vivid ** Tags added: verification-done-vivid

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-10 Thread Dan Streetman
** Tags removed: verification-needed-trusty ** Tags added: verification-done-trusty

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-10 Thread Dan Streetman
the systemtap script below can be used to monitor the dst count for all net namespaces. When any of the counts goes significantly negative (more than 32 * CPUS negative) it indicates this bug is reproduced - meaning, the count from one net namespace was incorrectly shifted to another net

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-10 Thread Dan Streetman
> To test this fix, multiple containers must be started (just 2 is fine).
note - it can be reproduced with just 2, but it happens exponentially faster with a higher number of containers.

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-10 Thread Dan Streetman
correction on the script above, to only show each netns count once (script above duplicates netns counts) probe kernel.function("xfrm_resolve_and_create_bundle") { if ($family == 2) { -dst_count[&$pols[0]->xp_net] = $pols[0]->xp_net->xfrm->xfrm4_dst_ops->pcpuc_entries->count +

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-08 Thread Dan Streetman
** Changed in: linux (Ubuntu Vivid) Assignee: (unassigned) => Dan Streetman (ddstreet)

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-08 Thread Dan Streetman
and a reminder - the /proc/sys/net/ipv4/xfrm4_gc_thresh param is a per-netns value, so it should be changed in each container.

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-08 Thread Dan Streetman
> To speed up reproduction of this bug, lower the xfrm4_gc_thresh to a value
> ABOVE (2 * 4096 * CPUS), but close to it -
> e.g. something like 10k * CPUS
sorry got the math wrong on the verification - the xfrm4_gc_thresh should be set to above ((4096 * CPUS) / 2), so something like 4K * CPUS,

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-08 Thread David Clarke
I'm still able to duplicate this bug using:
linux-image-3.13.0-78-generic (from trusty-backports)
linux-image-3.19.0-50-generic (from linux-image-generic-lts-vivid)
The LXC images failed to start under linux-image-4.2.0-28-generic, with a kernel oops. I also tried, in Xenial,

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-08 Thread Dan Streetman
> The LXC images failed to start under linux-image-4.2.0-28-generic, with a kernel oops.
this bug isn't about kernel oopses.
> Setting /proc/sys/net/ipv4/xfrm4_gc_thresh to 5 causes the failure almost
> immediately.
>
> I would like to confirm my procedure however. I've been changing
>

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-05 Thread Dan Streetman
** Changed in: linux (Ubuntu Precise) Status: In Progress => Invalid

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-05 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'. If verification is not done by 5 working days from

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-05 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'. If verification is not done by 5 working days from

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-05 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If verification is not done by 5 working days from

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-01 Thread Brad Figg
** Also affects: linux (Ubuntu Vivid) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Vivid) Status: New => Fix Committed

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-01 Thread Brad Figg
** Changed in: linux (Ubuntu Trusty) Status: In Progress => Fix Committed

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-02-01 Thread Brad Figg
** Changed in: linux (Ubuntu Wily) Status: In Progress => Fix Committed

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-01-26 Thread Joseph Salisbury
** Tags added: kernel-da-key

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2016-01-05 Thread Dan Streetman
Patch is now in mainline; I'll request it gets added to net stable.

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2015-12-01 Thread Dan Streetman
This is in the ipsec (git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git) tree, but not yet in net-next (git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git). Once it hits net-next, I'll request it for the net stable queue (if needed).

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2015-10-30 Thread Dan Streetman
Short summary: ipsec uses a struct dst_ops object per net-namespace (e.g. per container), but does not correctly initialize each dst_ops object's percpu counter. This results in incorrect values for each net namespace's dst_ops counter. Full details: ipsec uses xfrm objects, which contain dst

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2015-10-30 Thread Louis Bouchard
** Also affects: linux (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Wily) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Trusty) Importance: Undecided Status: New

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2015-10-30 Thread Dan Streetman
** Changed in: linux (Ubuntu Precise) Assignee: (unassigned) => Dan Streetman (ddstreet) ** Changed in: linux (Ubuntu Trusty) Assignee: (unassigned) => Dan Streetman (ddstreet) ** Changed in: linux (Ubuntu Wily) Assignee: (unassigned) => Dan Streetman (ddstreet) ** Changed in:

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2015-10-27 Thread Dan Streetman
This is caused by a bug that appears to have been present since ~2008. Proposed upstream patch: http://marc.info/?l=linux-netdev&m=144596262420164&w=2

[Kernel-packages] [Bug 1486670] Re: using ipsec, many connections result in no buffer space error

2015-08-28 Thread Dan Streetman
** Tags added: sts