[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug was fixed in the package linux - 3.13.0-166.216

---------------
linux (3.13.0-166.216) trusty; urgency=medium

  * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)

  * linux-buildinfo: pull out ABI information into its own package (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version
    - [Packaging] autoreconstruct -- base tag is always primary mainline version

  * signing: only install a signed kernel (LP: #1764794)
    - [Debian] usbip tools packaging
    - [Debian] Don't fail if a symlink already exists
    - [Debian] perf -- build in the context of the full generated local headers
    - [Debian] basic hook support
    - [Debian] follow rename of DEB_BUILD_PROFILES
    - [Debian] standardise on stage1 for the bootstrap stage in line with debian
    - [Debian] set do_*_tools after stage1 or bootstrap is determined
    - [Debian] initscripts need installing when making the package
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Debian] add feature interlock with mainline builds
    - [Debian] Remove generated intermediate files on clean
    - [Packaging] prevent linux-*-tools-common from being produced from non linux packages
    - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
    - [Debian] Update to new signing key type and location
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
    - [Packaging] reconstruct -- update when inserting final changes
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] skip cloud tools packaging when not building package
    - [debian] prep linux-libc-dev only if do_libc_dev_package=true

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * iptables connlimit allows more connections than the limit when using multiple CPUs (LP: #1811094)
    - netfilter: connlimit: improve packet-to-closed-connection logic
    - netfilter: nf_conncount: fix garbage collection confirm race
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2019-6133
    - fork: record start_time late

  * test_095_kernel_symbols_missing_proc_self_stack failed on P-LTS (LP: #1813001)
    - procfs: make /proc/*/{stack, syscall, personality} 0400

 -- Kleber Sacilotto de Souza  Thu, 07 Feb 2019 11:31:21 +

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached with
     multithreaded network driver/server/client (common) due to a race
     in the conncount/connlimit code.

   * For example:
     # iptables -A INPUT -p tcp -m tcp --syn --dport \
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
Verification successful on trusty-proposed.

Updates kernel (goes above 2000 connections)
---

root@petilil:~# uname -a
Linux petilil 3.13.0-165-generic #215-Ubuntu SMP Wed Jan 16 11:46:47 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@petilil:~# iptables -F
root@petilil:~# iptables -A INPUT -p tcp -m tcp --syn --dport -m connlimit --connlimit-above 2000 --connlimit-mask 0 -j DROP
root@petilil:~# ulimit -SHn 65000
root@petilil:~# ruby ~ubuntu/server.rb

root@rotom:~# ulimit -SHn 65000
root@rotom:~# ruby client.rb 10.230.56.100 6000 3
1
2
3
...
6000
Target reached. Thread finishing
6001
Target reached. Thread finishing
6002
Target reached. Thread finishing
Threads done.
6002 connections
press enter to exit

Proposed kernel (stops at 2000 connections)
---

root@petilil:~# uname -a
Linux petilil 3.13.0-166-generic #216-Ubuntu SMP Thu Feb 7 14:07:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@petilil:~# iptables -F
root@petilil:~# iptables -A INPUT -p tcp -m tcp --syn --dport -m connlimit --connlimit-above 2000 --connlimit-mask 0 -j DROP
root@petilil:~# ulimit -SHn 65000
root@petilil:~# ruby ~ubuntu/server.rb

root@rotom:~# ulimit -SHn 65000
root@rotom:~# ruby client.rb 10.230.56.100 6000 3
ruby: No such file or directory -- client.rb (LoadError)
root@rotom:~# cd /home/mfo/sf192750/
root@rotom:/home/mfo/sf192750# ruby client.rb 10.230.56.100 6000 3
Connecting to ["10.230.56.100"]: 6000 times with 3
1
2
3
...
2000
failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
Threads done.
2000 connections
press enter to exit

** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

Title:
  iptables connlimit allows more connections than the limit when using multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: verification-needed-trusty

Title:
  iptables connlimit allows more connections than the limit when using multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached with
     multithreaded network driver/server/client (common) due to a race
     in the conncount/connlimit code.

   * For example:
     # iptables -A INPUT -p tcp -m tcp --syn --dport \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP

   * The fix is a backport from an upstream commit that resolves the problem
     (plus dependencies for a cleaner backport) that addresses the race condition:
     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port to only 2000 connections)
     # iptables -A INPUT -p tcp -m tcp --syn --dport \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP
     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb      # multi-threaded server

   * Client-side:
     # ulimit -SHn 65000
     # ruby client.rb<# threads>

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)
     # ruby client.rb 10.230.56.100 6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done.
     6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)
     # ruby client.rb 10.230.56.100 6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
     failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
     failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
     Threads done.
     2000 connections
     press enter to exit

   * Test cases possibly available upon request, depending on the original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] on the stable mailing list
     and was considered OK for 4.14, and that's essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount
     (names change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
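The test case above refers to a multi-threaded server.rb and client.rb that are not published on this page. The Ruby below is an added example of that harness, written for this digest; it is not the reporter's scripts and reproduces only their observable behaviour. Two details matter for the test and are easy to get wrong: connlimit counts the connections currently tracked by conntrack per --connlimit-mask group (with mask 0, every source address lands in one group, so the limit is global for that port), so the client must hold its sockets open rather than close them after connect; and because the rule DROPs the SYN rather than rejecting it, an over-limit connect shows up as a timeout (Errno::ETIMEDOUT), exactly as in the transcript, so each connect needs a bounded timeout. The "6002 connections" in the transcript most likely comes from each of the three threads checking the counter only after its own connect succeeded; this version claims a slot before connecting, so it stops exactly at the target. Everything here runs against 127.0.0.1 on an ephemeral port (an assumption for offline use; in the real test the server binds on the host carrying the iptables rule and the client runs on another machine), and the 2-second connect timeout is also an assumption. Remember the `ulimit -SHn` step from the report before asking for thousands of sockets.

```ruby
require "socket"

# Added example, not the server.rb/client.rb from the bug report (those were
# not published). A server that accepts and *holds* connections open, plus a
# multi-threaded client that opens connections until a shared target is
# reached. The sockets stay open on purpose: connlimit counts tracked
# connections per --connlimit-mask group, so a client that closes each socket
# right after connect never exceeds the limit. Host/port and the per-connect
# timeout below are assumptions for an offline, single-host run.
class HoldingServer
  attr_reader :port

  def initialize(host = "127.0.0.1", port = 0)
    @server = TCPServer.new(host, port)   # port 0: kernel picks an ephemeral port
    @port = @server.addr[1]
    @clients = []
    @lock = Mutex.new
    @thread = Thread.new { accept_loop }
  end

  # Number of connections accepted and still held open by the server.
  def accepted
    @lock.synchronize { @clients.size }
  end

  def stop
    @server.close                        # makes the blocked accept raise and end the loop
    @thread.join
    @lock.synchronize { @clients.each(&:close); @clients.clear }
  end

  private

  def accept_loop
    loop do
      sock = @server.accept
      @lock.synchronize { @clients << sock }
    end
  rescue IOError, Errno::EBADF
    nil                                  # listening socket closed by #stop
  end
end

# +threads+ workers race to open +target+ connections to host:port and keep
# them open. Returns [held sockets, failure count]. Each connect is bounded by
# +timeout+ seconds so that a DROP rule on the server shows up as
# Errno::ETIMEDOUT (as in the transcript) instead of hanging forever. A worker
# stops after its first failure, like the client in the report.
def flood_connect(host, port, target, threads, timeout: 2)
  claimed = 0
  failures = 0
  socks = []
  lock = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      loop do
        # Claim a slot before connecting so the client never overshoots target.
        break unless lock.synchronize { claimed < target && (claimed += 1) }
        begin
          sock = Socket.tcp(host, port, connect_timeout: timeout)
          lock.synchronize { socks << sock }
        rescue SystemCallError, IOError
          lock.synchronize { failures += 1 }
          break
        end
      end
    end
  end
  workers.each(&:join)
  [socks, failures]
end

# Run the whole test against a local server and return the numbers a tester
# would compare against the connlimit threshold.
def run_test(target, threads)
  server = HoldingServer.new
  socks, failures = flood_connect("127.0.0.1", server.port, target, threads)
  # Loopback connects complete from the listen backlog, so give the accept
  # loop a moment to drain before reading its count.
  50.times { break if server.accepted >= socks.size; sleep 0.01 }
  result = { held: socks.size, accepted: server.accepted, failures: failures }
  socks.each(&:close)
  server.stop
  result
end

if __FILE__ == $PROGRAM_NAME
  target, threads = (ARGV[0] || 100).to_i, (ARGV[1] || 3).to_i
  p run_test(target, threads)
end
```

On a kernel with the fix and the rule from the report installed on the server host, `held` stops at the connlimit threshold and `failures` equals the number of threads, each having timed out once; on an unfixed multi-CPU kernel `held` reaches the full target, which is the breach the bug describes.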
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: venus: core: Set dma maximum segment size
    - staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
    - net: call sk_dst_reset when set SO_DONTROUTE
    - scsi: target: use consistent left-aligned ASCII INQUIRY data
    - scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long enough
    - selftests: do not macro-expand failed assertion expressions
    - arm64: kasan: Increase stack size for KASAN_EXTRA
    - clk: imx6q: reset exclusive gates on init
    - arm64: Fix minor issues with the dcache_by_line_op macro
    - bpf: relax verifier restriction on BPF_MOV | BPF_ALU
    - kconfig: fix file name and line number of warn_ignored_character()
    - kconfig: fix memory leak when EOF is encountered in quotation
    - mmc: atmel-mci: do not assume idle after atmci_request_end
    - btrfs: volumes: Make sure there is no overlap of dev extents at mount time
    - btrfs: alloc_chunk: fix more DUP stripe size handling
    - btrfs: fix use-after-free due to race between replace start and cancel
    - btrfs: improve error handling of btrfs_add_link
    - tty/serial: do not free trasnmit buffer page under port lock
    - perf intel-pt: Fix error with config term "pt=0"
    - perf tests ARM: Disable breakpoint tests 32-bit
    - perf svghelper: Fix unchecked usage of strncpy()
    - perf parse-events: Fix unchecked usage of strncpy()
    - perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
    - netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
    - netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
    - netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
    - x86/topology: Use total_cpus for max logical packages calculation
    - dm crypt: use u64 instead of sector_t t
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug was fixed in the package linux - 4.18.0-14.15

---------------
linux (4.18.0-14.15) cosmic; urgency=medium

  * linux: 4.18.0-14.15 -proposed tracker (LP: #1811406)

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
    - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
    - blk-wbt: move disable check into get_limit()
    - blk-wbt: use wq_has_sleeper() for wq active check
    - blk-wbt: fix has-sleeper queueing check
    - blk-wbt: abstract out end IO completion handler
    - blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
    - mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
    - mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
    - mmc: rtsx_usb_sdmmc: Re-work runtime PM support
    - mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
    - memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
    - misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection
    - memstick: Prevent memstick host from getting runtime suspended during card detection
    - memstick: rtsx_usb_ms: Use ms_dev() helper
    - memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
    - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
    - iommu/arm-smmu-v3: Implement flush_iotlb_all hook
    - iommu/dma: Add support for non-strict mode
    - iommu: Add "iommu.strict" command line option
    - iommu/io-pgtable-arm: Add support for non-strict mode
    - iommu/arm-smmu-v3: Add support for non-strict mode
    - iommu/io-pgtable-arm-v7s: Add support for non-strict mode
    - iommu/arm-smmu: Support non-strict mode

  * [Regression] crashkernel fails on HiSilicon D05 (LP: #1806766)
    - efi: honour memory reservations passed via a linux specific config table
    - efi/arm: libstub: add a root memreserve config table
    - efi: add API to reserve memory persistently across kexec reboot
    - irqchip/gic-v3-its: Change initialization ordering for LPIs
    - irqchip/gic-v3-its: Simplify LPI_PENDBASE_SZ usage
    - irqchip/gic-v3-its: Split property table clearing from allocation
    - irqchip/gic-v3-its: Move pending table allocation to init time
    - irqchip/gic-v3-its: Keep track of property table's PA and VA
    - irqchip/gic-v3-its: Allow use of pre-programmed LPI tables
    - irqchip/gic-v3-its: Use pre-programmed redistributor tables with kdump kernels
    - irqchip/gic-v3-its: Check that all RDs have the same property table
    - irqchip/gic-v3-its: Register LPI tables with EFI config table
    - irqchip/gic-v3-its: Allow use of LPI tables in reserved memory
    - arm64: memblock: don't permit memblock resizing until linear mapping is up
    - efi/arm: Defer persistent reservations until after paging_init()
    - efi: Permit calling efi_mem_reserve_persistent() from atomic context
    - efi: Prevent GICv3 WARN() by mapping the memreserve table before first use

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
    - pinctrl: cannonlake: Fix community ordering for H variant
    - pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant

  * Add Cavium ThunderX2 SoC UNCORE PMU driver (LP: #1811200)
    - Documentation: perf: Add documentation for ThunderX2 PMU uncore driver
    - drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver
    - [Config] New config CONFIG_THUNDERX2_PMU=m

  * iptables connlimit allows more connections than the limit when using multiple CPUs (LP: #1811094)
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2018-16882
    - KVM: Fix UAF in nested posted interrupt processing

  * Cannot initialize ATA disk if IDENTIFY command fails (LP: #1809046)
    - scsi: libsas: check the ata device status by ata_dev_enabled()

  * scsi: libsas: fix a race condition when smp task timeout (LP: #1808912)
    - scsi: libsas: fix a race condition when smp task timeout

  * CVE-2018-14625
    - vhost/vsock: fix use-after-free in network stack callers

  * Fix and issue that LG I2C touchscreen stops working after reboot (LP: #1805085)
    - HID: i2c-hid: Disable runtime PM for LG touchscreen

  * Drivers: hv: vmbus: Offload the handling of channels to two workqueues (LP: #1807757)
    - Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
    - Drivers: hv: vmbus: Offload the handling of channels to two workqueues

  * Disable LPM for Raydium Touchscreens (LP: #1802248)
    - USB: quirks: Add no-lpm quirk for Raydium touchscreens

  * Power leakage at S5 with Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (LP: #1805607)
    - SAUCE: ath10k: provide reset function for QCA9377 chip

  * CVE-2018-19407
    - KVM: X86: Fix scan ioapic use-before-initialization

  * Fix USB2 device wrongly detected as USB1 (LP: #1806534)
    - xhci: Add quirk to workaround the errata
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug was fixed in the package linux - 4.4.0-142.168

---------------
linux (4.4.0-142.168) xenial; urgency=medium

  * linux: 4.4.0-142.168 -proposed tracker (LP: #1811846)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * iptables connlimit allows more connections than the limit when using multiple CPUs (LP: #1811094)
    - netfilter: xt_connlimit: don't store address in the conn nodes
    - SAUCE: netfilter: xt_connlimit: remove the 'addr' parameter in add_hlist()
    - netfilter: nf_conncount: expose connection list interface
    - netfilter: nf_conncount: Fix garbage collection with zones
    - netfilter: nf_conncount: fix garbage collection confirm race
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2017-5715
    - SAUCE: x86/speculation: Cleanup IBPB runtime control handling
    - SAUCE: x86/speculation: Cleanup IBRS runtime control handling
    - SAUCE: x86/speculation: Use x86_spec_ctrl_base in entry/exit code
    - SAUCE: x86/speculation: Move RSB_CTXSW hunk

  * Xenial update: 4.4.167 upstream stable release (LP: #1811077)
    - media: em28xx: Fix use-after-free when disconnecting
    - Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()"
    - rapidio/rionet: do not free skb before reading its length
    - s390/qeth: fix length check in SNMP processing
    - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
    - kvm: mmu: Fix race in emulated page table writes
    - xtensa: enable coprocessors that are being flushed
    - xtensa: fix coprocessor context offset definitions
    - Btrfs: ensure path name is null terminated at btrfs_control_ioctl
    - ALSA: wss: Fix invalid snd_free_pages() at error path
    - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
    - ALSA: control: Fix race between adding and removing a user element
    - ALSA: sparc: Fix invalid snd_free_pages() at error path
    - ext2: fix potential use after free
    - dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
    - dmaengine: at_hdmac: fix module unloading
    - btrfs: release metadata before running delayed refs
    - USB: usb-storage: Add new IDs to ums-realtek
    - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
    - misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
    - Kbuild: suppress packed-not-aligned warning for default setting only
    - exec: avoid gcc-8 warning for get_task_comm
    - disable stringop truncation warnings for now
    - kobject: Replace strncpy with memcpy
    - unifdef: use memcpy instead of strncpy
    - kernfs: Replace strncpy with memcpy
    - ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
    - drm: gma500: fix logic error
    - scsi: bfa: convert to strlcpy/strlcat
    - staging: rts5208: fix gcc-8 logic error warning
    - kdb: use memmove instead of overlapping memcpy
    - iser: set sector for ambiguous mr status errors
    - uprobes: Fix handle_swbp() vs. unregister() + register() race once more
    - MIPS: ralink: Fix mt7620 nd_sd pinmux
    - mips: fix mips_get_syscall_arg o32 check
    - drm/ast: Fix incorrect free on ioregs
    - scsi: scsi_devinfo: cleanly zero-pad devinfo strings
    - ALSA: trident: Suppress gcc string warning
    - scsi: csiostor: Avoid content leaks and casts
    - kgdboc: Fix restrict error
    - kgdboc: Fix warning with module build
    - leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF
    - leds: turn off the LED and wait for completion on unregistering LED class device
    - leds: leds-gpio: Fix return value check in create_gpio_led()
    - Input: xpad - quirk all PDP Xbox One gamepads
    - Input: matrix_keypad - check for errors from of_get_named_gpio()
    - Input: elan_i2c - add ELAN0620 to the ACPI table
    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
    - Input: elan_i2c - add support for ELAN0621 touchpad
    - btrfs: Always try all copies when reading extent buffers
    - Btrfs: fix use-after-free when dumping free space
    - ARC: change defconfig defaults to ARCv2
    - arc: [devboards] Add support of NFSv3 ACL
    - mm: cleancache: fix corruption on missed inode invalidation
    - usb: gadget: dummy: fix nonsensical comparisons
    - iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
    - iommu/ipmmu-vmsa: Fix crash on early domain free
    - can: rcar_can: Fix erroneous registration
    - batman-adv: Expand merged fragment buffer for full packet
    - bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
    - qed: Fix PTT leak in qed_drain()
    - qed: Fix reading wrong value in loop condition
    - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
    - net/mlx4_core: Fix uninitialized variable compilation warning
    - net/mlx4: Fix UBSAN warning of signed integer overflow
    - net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Trusty)
       Status: New => Fix Committed

Title:
  iptables connlimit allows more connections than the limit when using multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Committed
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug was fixed in the package linux - 4.15.0-44.47

---
linux (4.15.0-44.47) bionic; urgency=medium

  * linux: 4.15.0-44.47 -proposed tracker (LP: #1811419)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
    - blk-wbt: pass in enum wbt_flags to get_rq_wait()
    - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
    - blk-wbt: move disable check into get_limit()
    - blk-wbt: use wq_has_sleeper() for wq active check
    - blk-wbt: fix has-sleeper queueing check
    - blk-wbt: abstract out end IO completion handler
    - blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
    - mmc: sdhci: Disable 1.8v modes (HS200/HS400/UHS) if controller can't support 1.8v
    - mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
    - mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
    - mmc: rtsx_usb: Use MMC_CAP2_NO_SDIO
    - mmc: rtsx_usb: Enable MMC_CAP_ERASE to allow erase/discard/trim requests
    - mmc: rtsx_usb_sdmmc: Re-work runtime PM support
    - mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
    - memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
    - misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection
    - memstick: Prevent memstick host from getting runtime suspended during card detection
    - memstick: rtsx_usb_ms: Use ms_dev() helper
    - memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
    - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
    - iommu/arm-smmu-v3: Implement flush_iotlb_all hook
    - iommu/dma: Add support for non-strict mode
    - iommu: Add "iommu.strict" command line option
    - iommu/io-pgtable-arm: Add support for non-strict mode
    - iommu/arm-smmu-v3: Add support for non-strict mode
    - iommu/io-pgtable-arm-v7s: Add support for non-strict mode
    - iommu/arm-smmu: Support non-strict mode

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
    - pinctrl: cannonlake: Fix community ordering for H variant
    - pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant

  * Add Cavium ThunderX2 SoC UNCORE PMU driver (LP: #1811200)
    - perf: Export perf_event_update_userpage
    - Documentation: perf: Add documentation for ThunderX2 PMU uncore driver
    - drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver
    - [Config] New config CONFIG_THUNDERX2_PMU=m

  * Update hisilicon SoC-specific drivers (LP: #1810457)
    - SAUCE: Revert "net: hns3: Updates RX packet info fetch in case of multi BD"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: separate roce from nic when resetting"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Use roce handle when calling roce callback function"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Add calling roce callback function when link status change"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: optimize the process of notifying roce client"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Add pf reset for hip08 RoCE"
    - scsi: hisi_sas: Remove depends on HAS_DMA in case of platform dependency
    - ethernet: hisilicon: hns: hns_dsaf_mac: Use generic eth_broadcast_addr
    - scsi: hisi_sas: consolidate command check in hisi_sas_get_ata_protocol()
    - scsi: hisi_sas: remove some unneeded structure members
    - scsi: hisi_sas: Introduce hisi_sas_phy_set_linkrate()
    - net: hns: Fix the process of adding broadcast addresses to tcam
    - net: hns3: remove redundant variable 'protocol'
    - scsi: hisi_sas: Drop hisi_sas_slot_abort()
    - net: hns: Make many functions static
    - net: hns: make hns_dsaf_roce_reset non static
    - net: hisilicon: hns: Replace mdelay() with msleep()
    - net: hns3: fix return value error while hclge_cmd_csq_clean failed
    - net: hns: remove redundant variables 'max_frm' and 'tmp_mac_key'
    - net: hns: Mark expected switch fall-through
    - net: hns3: Mark expected switch fall-through
    - net: hns3: Remove tx ring BD len register in hns3_enet
    - net: hns: modify variable type in hns_nic_reuse_page
    - net: hns: use eth_get_headlen interface instead of hns_nic_get_headlen
    - net: hns3: modify variable type in hns3_nic_reuse_page
    - net: hns3: Fix for vf vlan delete failed problem
    - net: hns3: Fix for multicast failure
    - net: hns3: Fix error of checking used vlan id
    - net: hns3: Implement shutdown ops in hns3 pci driver
    - net: hns3: Fix for loopback selftest failed problem
    - net: hns3: Fix ping exited problem when doing lp selftest
    - net: hns3: Preserve vlan 0 in hardware table
    - net: hns3: Only update mac configuation when necessary
    - net: hns3: Change the dst mac addr of loopback packet
    - net: hns3: Remove redundant codes of query ad
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
Verification done on Xenial.

- server:

root@shuckle:~# uname -a
Linux shuckle 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@shuckle:~# iptables -F
root@shuckle:~# iptables -A INPUT -p tcp -m tcp --syn --dport -m connlimit --connlimit-above 2000 --connlimit-mask 0 -j DROP
root@shuckle:~# ulimit -SHn 65000
root@shuckle:~# ruby server.rb

- client:

root@dixie:~# ruby client.rb 10.230.56.116 6000 3
Connecting to ["10.230.56.116"]: 6000 times with 3
1
2
3
...
2000

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

  * The iptables connection count/limit rules can be breached by a multithreaded network driver/server/client (a common setup) because of a race in the conncount/connlimit code.

  * For example:

    # iptables -A INPUT -p tcp -m tcp --syn --dport \
      -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
      -j DROP

  * The fix is a backport of the upstream commit that resolves the problem (plus dependencies for a cleaner backport) and addresses the race condition: commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race").

  [Test Case]

  * Server-side: (relevant kernel side)
    (limit TCP port to only 2000 connections)

    # iptables -A INPUT -p tcp -m tcp --syn --dport \
      -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
      -j DROP
    # ulimit -SHn 65000    # increase number of open files
    # ruby server.rb       # multi-threaded server

  * Client-side:

    # ulimit -SHn 65000
    # ruby client.rb <# threads>

  * Results with Original kernel:
    (client achieves target of 6000 connections > limit of 2000 connections)

    # ruby client.rb 10.230.56.100 6000 3
    1
    2
    3
    <...>
    6000
    Target reached. Thread finishing
    6001
    Target reached. Thread finishing
    6002
    Target reached. Thread finishing
    Threads done. 6002 connections
    press enter to exit

  * Results with Modified kernel:
    (client is limited to 2000 connections, and times out afterward)

    # ruby client.rb 10.230.56.100 6000 3
    1
    2
    3
    <...>
    2000
    <... blocks for a few minutes ...>
    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port
    Threads done. 2000 connections
    press enter to exit

  * Test cases possibly available upon request, depending on the original author's permission.

  [Regression Potential]

  * The patchset has been reviewed by a netfilter maintainer [1] on the stable mailing list and was considered OK for 4.14; the 4.15 and 4.4 backports are essentially the same.

  * The changes are limited to netfilter connlimit/conncount (the names change between older/newer kernel versions).

  [Other Info]

  * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
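A loopback harness with the same shape as the test case above (a server that holds every accepted connection open, a multi-threaded client that opens a target number of connections and reports how many were established) is added here as an example; it is not the reporter's server.rb/client.rb, and the class and function names are assumptions. On a host with the connlimit rule in place, the established count is what gets compared against the rule's limit.

```ruby
require 'socket'

# Added example, not the reporter's server.rb/client.rb. Names are assumptions.

# Accepts connections and keeps every socket open, so that on a real host an
# iptables connlimit rule counts them as concurrent (as the page's server does).
class HoldingServer
  attr_reader :port

  def initialize(host = '127.0.0.1', port = 0)   # port 0: let the kernel pick
    @server   = TCPServer.new(host, port)
    @port     = @server.addr[1]
    @accepted = []
    @lock     = Mutex.new
    @thread   = Thread.new { accept_loop }
  end

  def accepted_count
    @lock.synchronize { @accepted.size }
  end

  # Wait until at least `n` connections were accepted or the deadline passes;
  # returns the count seen, so a caller can compare it with what the client claims.
  def wait_for(n, timeout: 5)
    deadline = Time.now + timeout
    sleep 0.01 while accepted_count < n && Time.now < deadline
    accepted_count
  end

  def close
    @server.close                 # wakes the accept thread with IOError
    @thread.join(2)
    @lock.synchronize { @accepted.each(&:close); @accepted.clear }
  end

  private

  def accept_loop
    loop do
      sock = @server.accept
      @lock.synchronize { @accepted << sock }
    end
  rescue IOError, SystemCallError
    nil   # listening socket closed: stop accepting
  end
end

# Opens `target` connections to host:port with `threads` workers, holding each
# socket open like the page's client, and returns a summary. The connect timeout
# keeps a worker from hanging forever once a DROP rule applies, which is the
# "Connection timed out" the test case shows on the fixed kernel.
def connection_burst(host, port, target, threads, connect_timeout: 2)
  lock    = Mutex.new
  claimed = 0
  sockets = []
  failed  = 0
  workers = Array.new(threads) do
    Thread.new do
      loop do
        index = lock.synchronize { claimed += 1 }   # each index is attempted once
        break if index > target
        begin
          sock = Socket.tcp(host, port, connect_timeout: connect_timeout)
          lock.synchronize { sockets << sock }
        rescue SystemCallError, IOError => e
          lock.synchronize { failed += 1 }
          warn "failed to create connection: #{e.message}"
        end
      end
    end
  end
  workers.each(&:join)
  { requested: target, established: sockets.size, failed: failed, sockets: sockets }
end

# True when the burst established more concurrent connections than the rule
# allows; on the page's original kernel this was 6002 > 2000.
def breaches_limit?(result, limit)
  result[:established] > limit
end

if __FILE__ == $PROGRAM_NAME
  # Constructed run over loopback: no iptables rule, so every connection succeeds.
  server = HoldingServer.new
  result = connection_burst('127.0.0.1', server.port, 30, 3)
  puts "established #{result[:established]}/#{result[:requested]}, failed #{result[:failed]}"
  puts "server saw #{server.wait_for(30)} connections"
  puts "breaches --connlimit-above 20? #{breaches_limit?(result, 20)}"
  result[:sockets].each(&:close)
  server.close
end
```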
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-xenial
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
Verification done for Bionic.

bionic-proposed:
---

- server:

root@shuckle:~# uname -a
Linux shuckle 4.15.0-44-generic #47-Ubuntu SMP Mon Jan 14 11:26:59 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- client:

root@dixie:~# ruby client.rb 10.230.56.116 6000 3
Connecting to ["10.230.56.116"]: 6000 times with 3
1
2
3
...
1998
1999
2000

** Tags removed: verification-needed-bionic verification-needed-cosmic
** Tags added: verification-done-bionic verification-done-cosmic
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
Verification done for Cosmic.

cosmic-proposed:
---

- server:

root@shuckle:~# uname -a
Linux shuckle 4.18.0-14-generic #15-Ubuntu SMP Mon Jan 14 09:01:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- client:

root@dixie:~# ruby client.rb 10.230.56.116 6000 3
Connecting to ["10.230.56.116"]: 6000 times with 3
1
2
3
...
1998
1999
2000
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-cosmic
** Tags added: verification-needed-bionic
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
[SRU T][PATCH 0/3] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097878.html

[SRU X][PATCH 0/6] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097698.html

[SRU B][PATCH 0/5] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097705.html

[SRU C, D/Unstable][PATCH 0/1] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097711.html
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Committed
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
** Changed in: linux (Ubuntu Xenial)
       Status: New => Fix Committed

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
** Changed in: linux (Ubuntu Cosmic)
       Status: New => Fix Committed

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
** Changed in: linux (Ubuntu Bionic)
       Status: New => Fix Committed

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  New
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
** Also affects: linux (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Cosmic)
   Importance: Undecided => Medium

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => Medium

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  New
Status in linux source package in Cosmic:
  New
[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs
** Description changed: - The following iptables connlimit rule can be breached - with a multithreaded client and network device driver, - due to a race in the conncount/connlimit code: + [Impact] - # iptables -A INPUT -p tcp -m tcp --syn --dport \ - -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ - -j DROP + * The iptables connection count/limit rules can be breached +with multithreaded network driver/server/client (common) +due to a race in the conncount/connlimit code. - NOTE: Patches will be sent to the kernel-team mailing list - and more details/testing will be provided later today. + * For example: + +# iptables -A INPUT -p tcp -m tcp --syn --dport \ + -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ + -j DROP + + * The fix is a backport from an upstream commit that resolves +the problem (plus dependencies for a cleaner backport) that +address the race condition: + +commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage +collection confirm race"). + + [Test Case] + + * Server-side: (relevant kernel side) +(limit TCP port to only 2000 connections) + +# iptables -A INPUT -p tcp -m tcp --syn --dport \ + -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ + -j DROP + +# ulimit -SHn 65000 # increase number of open files +# ruby server.rb # multi-threaded server + + * Client-side: + +# ulimit -SHn 65000 +# ruby client.rb<# threads> + + + * Results with Original kernel: +(client achieves target of 6000 connections > limit of 2000 connections) + +# ruby client.rb 10.230.56.100 6000 3 +1 +2 +3 +<...> +6000 +Target reached. Thread finishing +6001 +Target reached. Thread finishing +6002 +Target reached. Thread finishing +Threads done. 6002 connections +press enter to exit + + * Results with Modified kernel: +(client is limited to 2000 connections, and times out afterward) + +# ruby client.rb 10.230.56.100 6000 3 +1 +2 +3 +<...> +2000 +<... 
blocks for a few minutes ...> +failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port +failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port +failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port +Threads done. 2000 connections +press enter to exit + + * Test cases possibly available upon request, +depending on original author's permission. + + [Regression Potential] + + * The patchset has been reviewed by a netfilter maintainer [1] in +stable mailing list, and was considered OK for 4.14, and that's +essentially the same backport for 4.15 and 4.4. + + * The changes are limited to netfilter conncount/connlimit (names +change between older/newer kernel versions). + + [Other Info] + + * The backport for 4.14 [2] is applied as of 4.14.92. + + [1] https://www.spinics.net/lists/stable/msg276883.html + [2] https://www.spinics.net/lists/stable/msg276910.html ** Description changed: [Impact] - * The iptables connection count/limit rules can be breached -with multithreaded network driver/server/client (common) -due to a race in the conncount/connlimit code. + * The iptables connection count/limit rules can be breached + with multithreaded network driver/server/client (common) + due to a race in the conncount/connlimit code. 
- * For example: + * For example: -# iptables -A INPUT -p tcp -m tcp --syn --dport \ - -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ - -j DROP + # iptables -A INPUT -p tcp -m tcp --syn --dport \ + -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ + -j DROP - * The fix is a backport from an upstream commit that resolves -the problem (plus dependencies for a cleaner backport) that -address the race condition: + * The fix is a backport from an upstream commit that resolves + the problem (plus dependencies for a cleaner backport) that + address the race condition: -commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage -collection confirm race"). + commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage + collection confirm race"). [Test Case] - * Server-side: (relevant kernel side) -(limit TCP port to only 2000 connections) + * Server-side: (relevant kernel side) + (limit TCP port to only 2000 connections) -# iptables -A INPUT -p tcp -m tcp --syn --dport \ - -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ - -j DROP + # iptables -A INPUT -p tcp -m tcp --syn --dport \ + -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ + -j DROP -# ulimit -SHn 65000 # increase number of open files -# ruby server.rb # multi-threaded serv