[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 3.13.0-166.216

---
linux (3.13.0-166.216) trusty; urgency=medium

  * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)

  * linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version
- [Packaging] autoreconstruct -- base tag is always primary mainline version

  * signing: only install a signed kernel (LP: #1764794)
- [Debian] usbip tools packaging
- [Debian] Don't fail if a symlink already exists
- [Debian] perf -- build in the context of the full generated local headers
- [Debian] basic hook support
- [Debian] follow rename of DEB_BUILD_PROFILES
- [Debian] standardise on stage1 for the bootstrap stage in line with debian
- [Debian] set do_*_tools after stage1 or bootstrap is determined
- [Debian] initscripts need installing when making the package
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Debian] add feature interlock with mainline builds
- [Debian] Remove generated intermediate files on clean
- [Packaging] prevent linux-*-tools-common from being produced from non 
linux
  packages
- SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
- [Debian] Update to new signing key type and location
- [Packaging] autoreconstruct -- generate extend-diff-ignore for links
- [Packaging] reconstruct -- update when inserting final changes
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_package=false
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] skip cloud tools packaging when not building package
- [debian] prep linux-libc-dev only if do_libc_dev_package=true

  * Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

  * kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation

  * iptables connlimit allows more connections than the limit when using
multiple CPUs (LP: #1811094)
- netfilter: connlimit: improve packet-to-closed-connection logic
- netfilter: nf_conncount: fix garbage collection confirm race
- netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2019-6133
- fork: record start_time late

  * test_095_kernel_symbols_missing_proc_self_stack failed on P-LTS
(LP: #1813001)
- procfs: make /proc/*/{stack, syscall, personality} 0400

 -- Kleber Sacilotto de Souza   Thu, 07 Feb
2019 11:31:21 +

** Changed in: linux (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Mauricio Faria de Oliveira]

Verification successful on trusty-proposed.

Updates kernel (goes above 2000 connections)
---

root@petilil:~# uname -a
Linux petilil 3.13.0-165-generic #215-Ubuntu SMP Wed Jan 16 11:46:47 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux
root@petilil:~# iptables -F
root@petilil:~# iptables -A INPUT -p tcp -m tcp --syn --dport  -m connlimit 
--connlimit-above 2000 --connlimit-mask 0 -j DROP
root@petilil:~# ulimit -SHn 65000
root@petilil:~# ruby ~ubuntu/server.rb 

root@rotom:~# ulimit -SHn 65000
root@rotom:~# ruby client.rb 10.230.56.100  6000 3
1
2
3
...
6000
Target reached. Thread finishing
6001
Target reached. Thread finishing
6002
Target reached. Thread finishing
Threads done. 6002 connections
press enter to exit


Proposed kernel (stops at 2000 connections)
---

root@petilil:~# uname -a
Linux petilil 3.13.0-166-generic #216-Ubuntu SMP Thu Feb 7 14:07:53 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux
root@petilil:~# iptables -F
root@petilil:~# iptables -A INPUT -p tcp -m tcp --syn --dport  -m connlimit 
--connlimit-above 2000 --connlimit-mask 0 -j DROP 
root@petilil:~# ulimit -SHn 65000
root@petilil:~# ruby ~ubuntu/server.rb 

root@rotom:~# ulimit -SHn 65000 

root@rotom:~# ruby client.rb 10.230.56.100  6000 3
ruby: No such file or directory -- client.rb (LoadError)
root@rotom:~# cd /home/mfo/sf192750/
root@rotom:/home/mfo/sf192750# ruby client.rb 10.230.56.100  6000 3
Connecting to ["10.230.56.100"]: 6000 times with 3
1
2
3
...
2000

failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
Threads done. 2000 connections
press enter to exit


** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
    

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Brad Figg]

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
trusty' to 'verification-done-trusty'. If the problem still exists,
change the tag 'verification-needed-trusty' to 'verification-failed-
trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.19.0-12.13

---
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
- ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped 
address
- mlxsw: spectrum: Disable lag port TX before removing it
- mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
- net: dsa: mv88x6xxx: mv88e6390 errata
- net, skbuff: do not prefer skb allocation fails early
- qmi_wwan: add MTU default to qmap network interface
- ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
- net: clear skb->tstamp in bridge forwarding path
- netfilter: ipset: Allow matching on destination MAC address for mac and
  ipmac sets
- gpio: pl061: Move irq_chip definition inside struct pl061
- drm/amd/display: Guard against null stream_state in set_crc_source
- drm/amdkfd: fix interrupt spin lock
- ixgbe: allow IPsec Tx offload in VEPA mode
- platform/x86: asus-wmi: Tell the EC the OS will handle the display off
  hotkey
- e1000e: allow non-monotonic SYSTIM readings
- usb: typec: tcpm: Do not disconnect link for self powered devices
- selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
- of: overlay: add missing of_node_put() after add new node to changeset
- writeback: don't decrement wb->refcnt if !wb->bdi
- serial: set suppress_bind_attrs flag only if builtin
- bpf: Allow narrow loads with offset > 0
- ALSA: oxfw: add support for APOGEE duet FireWire
- x86/mce: Fix -Wmissing-prototypes warnings
- MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
- crypto: ecc - regularize scalar for scalar multiplication
- arm64: perf: set suppress_bind_attrs flag to true
- drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
- clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
- samples: bpf: fix: error handling regarding kprobe_events
- usb: gadget: udc: renesas_usb3: add a safety connection way for
  forced_b_device
- fpga: altera-cvp: fix probing for multiple FPGAs on the bus
- selinux: always allow mounting submounts
- ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
- scsi: qedi: Check for session online before getting iSCSI TLV data.
- drm/amdgpu: Reorder uvd ring init before uvd resume
- rxe: IB_WR_REG_MR does not capture MR's iova field
- efi/libstub: Disable some warnings for x86{,_64}
- jffs2: Fix use of uninitialized delayed_work, lockdep breakage
- clk: imx: make mux parent strings const
- pstore/ram: Do not treat empty buffers as valid
- media: uvcvideo: Refactor teardown of uvc on USB disconnect
- powerpc/xmon: Fix invocation inside lock region
- powerpc/pseries/cpuidle: Fix preempt warning
- media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
- ASoC: use dma_ops of parent device for acp_audio_dma
- media: venus: core: Set dma maximum segment size
- staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
- net: call sk_dst_reset when set SO_DONTROUTE
- scsi: target: use consistent left-aligned ASCII INQUIRY data
- scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
  enough
- selftests: do not macro-expand failed assertion expressions
- arm64: kasan: Increase stack size for KASAN_EXTRA
- clk: imx6q: reset exclusive gates on init
- arm64: Fix minor issues with the dcache_by_line_op macro
- bpf: relax verifier restriction on BPF_MOV | BPF_ALU
- kconfig: fix file name and line number of warn_ignored_character()
- kconfig: fix memory leak when EOF is encountered in quotation
- mmc: atmel-mci: do not assume idle after atmci_request_end
- btrfs: volumes: Make sure there is no overlap of dev extents at mount time
- btrfs: alloc_chunk: fix more DUP stripe size handling
- btrfs: fix use-after-free due to race between replace start and cancel
- btrfs: improve error handling of btrfs_add_link
- tty/serial: do not free trasnmit buffer page under port lock
- perf intel-pt: Fix error with config term "pt=0"
- perf tests ARM: Disable breakpoint tests 32-bit
- perf svghelper: Fix unchecked usage of strncpy()
- perf parse-events: Fix unchecked usage of strncpy()
- perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
- netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
- netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
- netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
- x86/topology: Use total_cpus for max logical packages calculation
- dm crypt: use u64 instead of sector_t t

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.18.0-14.15

---
linux (4.18.0-14.15) cosmic; urgency=medium

  * linux: 4.18.0-14.15 -proposed tracker (LP: #1811406)

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
- blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
- blk-wbt: move disable check into get_limit()
- blk-wbt: use wq_has_sleeper() for wq active check
- blk-wbt: fix has-sleeper queueing check
- blk-wbt: abstract out end IO completion handler
- blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
- mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
- mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
- mmc: rtsx_usb_sdmmc: Re-work runtime PM support
- mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
- memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
- misc: rtsx_usb: Use USB remote wakeup signaling for card insertion 
detection
- memstick: Prevent memstick host from getting runtime suspended during card
  detection
- memstick: rtsx_usb_ms: Use ms_dev() helper
- memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
- iommu/arm-smmu-v3: Implement flush_iotlb_all hook
- iommu/dma: Add support for non-strict mode
- iommu: Add "iommu.strict" command line option
- iommu/io-pgtable-arm: Add support for non-strict mode
- iommu/arm-smmu-v3: Add support for non-strict mode
- iommu/io-pgtable-arm-v7s: Add support for non-strict mode
- iommu/arm-smmu: Support non-strict mode

  * [Regression] crashkernel fails on HiSilicon D05 (LP: #1806766)
- efi: honour memory reservations passed via a linux specific config table
- efi/arm: libstub: add a root memreserve config table
- efi: add API to reserve memory persistently across kexec reboot
- irqchip/gic-v3-its: Change initialization ordering for LPIs
- irqchip/gic-v3-its: Simplify LPI_PENDBASE_SZ usage
- irqchip/gic-v3-its: Split property table clearing from allocation
- irqchip/gic-v3-its: Move pending table allocation to init time
- irqchip/gic-v3-its: Keep track of property table's PA and VA
- irqchip/gic-v3-its: Allow use of pre-programmed LPI tables
- irqchip/gic-v3-its: Use pre-programmed redistributor tables with kdump
  kernels
- irqchip/gic-v3-its: Check that all RDs have the same property table
- irqchip/gic-v3-its: Register LPI tables with EFI config table
- irqchip/gic-v3-its: Allow use of LPI tables in reserved memory
- arm64: memblock: don't permit memblock resizing until linear mapping is up
- efi/arm: Defer persistent reservations until after paging_init()
- efi: Permit calling efi_mem_reserve_persistent() from atomic context
- efi: Prevent GICv3 WARN() by mapping the memreserve table before first use

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
- pinctrl: cannonlake: Fix community ordering for H variant
- pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant

  * Add Cavium ThunderX2 SoC UNCORE PMU driver (LP: #1811200)
- Documentation: perf: Add documentation for ThunderX2 PMU uncore driver
- drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver
- [Config] New config CONFIG_THUNDERX2_PMU=m

  * iptables connlimit allows more connections than the limit when using
multiple CPUs (LP: #1811094)
- netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2018-16882
- KVM: Fix UAF in nested posted interrupt processing

  * Cannot initialize ATA disk if IDENTIFY command fails (LP: #1809046)
- scsi: libsas: check the ata device status by ata_dev_enabled()

  * scsi: libsas: fix a race condition when smp task timeout (LP: #1808912)
- scsi: libsas: fix a race condition when smp task timeout

  * CVE-2018-14625
- vhost/vsock: fix use-after-free in network stack callers

  * Fix and issue that LG I2C touchscreen stops working after reboot
(LP: #1805085)
- HID: i2c-hid: Disable runtime PM for LG touchscreen

  * Drivers: hv: vmbus: Offload the handling of channels to two workqueues
(LP: #1807757)
- Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
- Drivers: hv: vmbus: Offload the handling of channels to two workqueues

  * Disable LPM for Raydium Touchscreens (LP: #1802248)
- USB: quirks: Add no-lpm quirk for Raydium touchscreens

  * Power leakage at S5 with Qualcomm Atheros QCA9377 802.11ac Wireless Network
Adapter (LP: #1805607)
- SAUCE: ath10k: provide reset function for QCA9377 chip

  * CVE-2018-19407
- KVM: X86: Fix scan ioapic use-before-initialization

  * Fix USB2 device wrongly detected as USB1 (LP: #1806534)
- xhci: Add quirk to workaround the errata

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.4.0-142.168

---
linux (4.4.0-142.168) xenial; urgency=medium

  * linux: 4.4.0-142.168 -proposed tracker (LP: #1811846)

  * Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

  * iptables connlimit allows more connections than the limit when using
multiple CPUs (LP: #1811094)
- netfilter: xt_connlimit: don't store address in the conn nodes
- SAUCE: netfilter: xt_connlimit: remove the 'addr' parameter in add_hlist()
- netfilter: nf_conncount: expose connection list interface
- netfilter: nf_conncount: Fix garbage collection with zones
- netfilter: nf_conncount: fix garbage collection confirm race
- netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2017-5715
- SAUCE: x86/speculation: Cleanup IBPB runtime control handling
- SAUCE: x86/speculation: Cleanup IBRS runtime control handling
- SAUCE: x86/speculation: Use x86_spec_ctrl_base in entry/exit code
- SAUCE: x86/speculation: Move RSB_CTXSW hunk

  * Xenial update: 4.4.167 upstream stable release (LP: #1811077)
- media: em28xx: Fix use-after-free when disconnecting
- Revert "wlcore: Add missing PM call for
  wlcore_cmd_wait_for_event_or_timeout()"
- rapidio/rionet: do not free skb before reading its length
- s390/qeth: fix length check in SNMP processing
- usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
- kvm: mmu: Fix race in emulated page table writes
- xtensa: enable coprocessors that are being flushed
- xtensa: fix coprocessor context offset definitions
- Btrfs: ensure path name is null terminated at btrfs_control_ioctl
- ALSA: wss: Fix invalid snd_free_pages() at error path
- ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
- ALSA: control: Fix race between adding and removing a user element
- ALSA: sparc: Fix invalid snd_free_pages() at error path
- ext2: fix potential use after free
- dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
- dmaengine: at_hdmac: fix module unloading
- btrfs: release metadata before running delayed refs
- USB: usb-storage: Add new IDs to ums-realtek
- usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
- misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
- Kbuild: suppress packed-not-aligned warning for default setting only
- exec: avoid gcc-8 warning for get_task_comm
- disable stringop truncation warnings for now
- kobject: Replace strncpy with memcpy
- unifdef: use memcpy instead of strncpy
- kernfs: Replace strncpy with memcpy
- ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
- drm: gma500: fix logic error
- scsi: bfa: convert to strlcpy/strlcat
- staging: rts5208: fix gcc-8 logic error warning
- kdb: use memmove instead of overlapping memcpy
- iser: set sector for ambiguous mr status errors
- uprobes: Fix handle_swbp() vs. unregister() + register() race once more
- MIPS: ralink: Fix mt7620 nd_sd pinmux
- mips: fix mips_get_syscall_arg o32 check
- drm/ast: Fix incorrect free on ioregs
- scsi: scsi_devinfo: cleanly zero-pad devinfo strings
- ALSA: trident: Suppress gcc string warning
- scsi: csiostor: Avoid content leaks and casts
- kgdboc: Fix restrict error
- kgdboc: Fix warning with module build
- leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF
- leds: turn off the LED and wait for completion on unregistering LED class
  device
- leds: leds-gpio: Fix return value check in create_gpio_led()
- Input: xpad - quirk all PDP Xbox One gamepads
- Input: matrix_keypad - check for errors from of_get_named_gpio()
- Input: elan_i2c - add ELAN0620 to the ACPI table
- Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
- Input: elan_i2c - add support for ELAN0621 touchpad
- btrfs: Always try all copies when reading extent buffers
- Btrfs: fix use-after-free when dumping free space
- ARC: change defconfig defaults to ARCv2
- arc: [devboards] Add support of NFSv3 ACL
- mm: cleancache: fix corruption on missed inode invalidation
- usb: gadget: dummy: fix nonsensical comparisons
- iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
- iommu/ipmmu-vmsa: Fix crash on early domain free
- can: rcar_can: Fix erroneous registration
- batman-adv: Expand merged fragment buffer for full packet
- bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
- qed: Fix PTT leak in qed_drain()
- qed: Fix reading wrong value in loop condition
- net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
- net/mlx4_core: Fix uninitialized variable compilation warning
- net/mlx4: Fix UBSAN warning of signed integer overflow
- net: faraday: ftmac100: remove netif_running(netdev) check before 
disabling
  interrupts

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Stefan Bader]

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Trusty)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.15.0-44.47

---
linux (4.15.0-44.47) bionic; urgency=medium

  * linux: 4.15.0-44.47 -proposed tracker (LP: #1811419)

  * Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
- blk-wbt: pass in enum wbt_flags to get_rq_wait()
- blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
- blk-wbt: move disable check into get_limit()
- blk-wbt: use wq_has_sleeper() for wq active check
- blk-wbt: fix has-sleeper queueing check
- blk-wbt: abstract out end IO completion handler
- blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
- mmc: sdhci: Disable 1.8v modes (HS200/HS400/UHS) if controller can't 
support
  1.8v
- mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
- mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
- mmc: rtsx_usb: Use MMC_CAP2_NO_SDIO
- mmc: rtsx_usb: Enable MMC_CAP_ERASE to allow erase/discard/trim requests
- mmc: rtsx_usb_sdmmc: Re-work runtime PM support
- mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
- memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
- misc: rtsx_usb: Use USB remote wakeup signaling for card insertion 
detection
- memstick: Prevent memstick host from getting runtime suspended during card
  detection
- memstick: rtsx_usb_ms: Use ms_dev() helper
- memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
- iommu/arm-smmu-v3: Implement flush_iotlb_all hook
- iommu/dma: Add support for non-strict mode
- iommu: Add "iommu.strict" command line option
- iommu/io-pgtable-arm: Add support for non-strict mode
- iommu/arm-smmu-v3: Add support for non-strict mode
- iommu/io-pgtable-arm-v7s: Add support for non-strict mode
- iommu/arm-smmu: Support non-strict mode

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
- pinctrl: cannonlake: Fix community ordering for H variant
- pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant

  * Add Cavium ThunderX2 SoC UNCORE PMU driver (LP: #1811200)
- perf: Export perf_event_update_userpage
- Documentation: perf: Add documentation for ThunderX2 PMU uncore driver
- drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver
- [Config] New config CONFIG_THUNDERX2_PMU=m

  * Update hisilicon SoC-specific drivers (LP: #1810457)
- SAUCE: Revert "net: hns3: Updates RX packet info fetch in case of multi 
BD"
- Revert "UBUNTU: SAUCE: {topost} net: hns3: separate roce from nic when
  resetting"
- Revert "UBUNTU: SAUCE: {topost} net: hns3: Use roce handle when calling 
roce
  callback function"
- Revert "UBUNTU: SAUCE: {topost} net: hns3: Add calling roce callback
  function when link status change"
- Revert "UBUNTU: SAUCE: {topost} net: hns3: optimize the process of 
notifying
  roce client"
- Revert "UBUNTU: SAUCE: {topost} net: hns3: Add pf reset for hip08 RoCE"
- scsi: hisi_sas: Remove depends on HAS_DMA in case of platform dependency
- ethernet: hisilicon: hns: hns_dsaf_mac: Use generic eth_broadcast_addr
- scsi: hisi_sas: consolidate command check in hisi_sas_get_ata_protocol()
- scsi: hisi_sas: remove some unneeded structure members
- scsi: hisi_sas: Introduce hisi_sas_phy_set_linkrate()
- net: hns: Fix the process of adding broadcast addresses to tcam
- net: hns3: remove redundant variable 'protocol'
- scsi: hisi_sas: Drop hisi_sas_slot_abort()
- net: hns: Make many functions static
- net: hns: make hns_dsaf_roce_reset non static
- net: hisilicon: hns: Replace mdelay() with msleep()
- net: hns3: fix return value error while hclge_cmd_csq_clean failed
- net: hns: remove redundant variables 'max_frm' and 'tmp_mac_key'
- net: hns: Mark expected switch fall-through
- net: hns3: Mark expected switch fall-through
- net: hns3: Remove tx ring BD len register in hns3_enet
- net: hns: modify variable type in hns_nic_reuse_page
- net: hns: use eth_get_headlen interface instead of hns_nic_get_headlen
- net: hns3: modify variable type in hns3_nic_reuse_page
- net: hns3: Fix for vf vlan delete failed problem
- net: hns3: Fix for multicast failure
- net: hns3: Fix error of checking used vlan id
- net: hns3: Implement shutdown ops in hns3 pci driver
- net: hns3: Fix for loopback selftest failed problem
- net: hns3: Fix ping exited problem when doing lp selftest
- net: hns3: Preserve vlan 0 in hardware table
- net: hns3: Only update mac configuation when necessary
- net: hns3: Change the dst mac addr of loopback packet
- net: hns3: Remove redundant codes of query ad

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Mauricio Faria de Oliveira]

Verification done on Xenial.

- server:

root@shuckle:~# uname -a
Linux shuckle 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux
root@shuckle:~# iptables -F
root@shuckle:~# iptables -A INPUT -p tcp -m tcp --syn --dport  -m connlimit 
--connlimit-above 2000 --connlimit-mask 0 -j DROP 
root@shuckle:~# ulimit -SHn 65000
root@shuckle:~# ruby server.rb 

- client:

root@dixie:~# ruby client.rb 10.230.56.116  6000 3
Connecting to ["10.230.56.116"]: 6000 times with 3
1
2
3
...
2000


** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Brad Figg]

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
xenial' to 'verification-done-xenial'. If the problem still exists,
change the tag 'verification-needed-xenial' to 'verification-failed-
xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Mauricio Faria de Oliveira]

Verification done for Bionic.

bionic-proposed:
---

- server:

root@shuckle:~# uname -a
Linux shuckle 4.15.0-44-generic #47-Ubuntu SMP Mon Jan 14 11:26:59 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux

- client:

root@dixie:~# ruby client.rb 10.230.56.116  6000 3
Connecting to ["10.230.56.116"]: 6000 times with 3
1
2
3
...
1998
1999
2000


** Tags removed: verification-needed-bionic verification-needed-cosmic
** Tags added: verification-done-bionic verification-done-cosmic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Mauricio Faria de Oliveira]

Verification done for Cosmic.


cosmic-proposed:
---

- server:

root@shuckle:~# uname -a
Linux shuckle 4.18.0-14-generic #15-Ubuntu SMP Mon Jan 14 09:01:02 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux

- client:

root@dixie:~# ruby client.rb 10.230.56.116  6000 3
Connecting to ["10.230.56.116"]: 6000 times with 3
1
2
3
...
1998
1999
2000


-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Brad Figg]

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
cosmic' to 'verification-done-cosmic'. If the problem still exists,
change the tag 'verification-needed-cosmic' to 'verification-failed-
cosmic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-cosmic

** Tags added: verification-needed-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Brad Figg]

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
bionic' to 'verification-done-bionic'. If the problem still exists,
change the tag 'verification-needed-bionic' to 'verification-failed-
bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Mauricio Faria de Oliveira]

[SRU T][PATCH 0/3] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097878.html

[SRU X][PATCH 0/6] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097698.html

[SRU B][PATCH 0/5] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097705.html

[SRU C, D/Unstable][PATCH 0/1] netfilter: nf_conncount: fix for LP#1811094
https://lists.ubuntu.com/archives/kernel-team/2019-January/097711.html

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Seth Forshee]

** Changed in: linux (Ubuntu)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Kleber Sacilotto de Souza]

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Kleber Sacilotto de Souza]

** Changed in: linux (Ubuntu Cosmic)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Kleber Sacilotto de Souza]

** Changed in: linux (Ubuntu Bionic)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  New

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Stefan Bader]

** Also affects: linux (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Cosmic)
   Importance: Undecided => Medium

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  New
Status in linux source package in Cosmic:
  New

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port  to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport  \
   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
   -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb  # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb<# threads>
     

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100  6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

[Mauricio Faria de Oliveira]

** Description changed:

- The following iptables connlimit rule can be breached
- with a multithreaded client and network device driver,
- due to a race in the conncount/connlimit code:
+ [Impact]
  
- # iptables -A INPUT -p tcp -m tcp --syn --dport  \
-   -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
-   -j DROP
+  * The iptables connection count/limit rules can be breached 
+with multithreaded network driver/server/client (common)
+due to a race in the conncount/connlimit code.
  
- NOTE: Patches will be sent to the kernel-team mailing list
- and more details/testing will be provided later today.
+  * For example:
+ 
+# iptables -A INPUT -p tcp -m tcp --syn --dport  \
+  -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
+  -j DROP
+ 
+  * The fix is a backport from an upstream commit that resolves
+the problem (plus dependencies for a cleaner backport) that
+address the race condition:
+ 
+commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
+collection confirm race").
+ 
+ [Test Case]
+ 
+  * Server-side: (relevant kernel side)
+(limit TCP port  to only 2000 connections)
+ 
+# iptables -A INPUT -p tcp -m tcp --syn --dport  \
+  -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
+  -j DROP
+ 
+# ulimit -SHn 65000   # increase number of open files
+# ruby server.rb  # multi-threaded server
+ 
+  * Client-side:
+ 
+# ulimit -SHn 65000
+# ruby client.rb<# threads> 
+
+ 
+  * Results with Original kernel:
+(client achieves target of 6000 connections > limit of 2000 connections)
+ 
+# ruby client.rb 10.230.56.100  6000 3 
+1
+2
+3
+<...>
+6000
+Target reached. Thread finishing
+6001
+Target reached. Thread finishing
+6002
+Target reached. Thread finishing
+Threads done. 6002 connections
+press enter to exit
+ 
+  * Results with Modified kernel:
+(client is limited to 2000 connections, and times out afterward)
+ 
+# ruby client.rb 10.230.56.100  6000 3
+1
+2
+3
+<...>
+2000
+<... blocks for a few minutes ...>
+failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
+failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
+failed to create connection: Connection timed out - connect(2) for 
"10.230.56.100" port 
+Threads done. 2000 connections
+press enter to exit
+ 
+  * Test cases possibly available upon request,
+depending on original author's permission.
+ 
+ [Regression Potential]
+ 
+  * The patchset has been reviewed by a netfilter maintainer [1] in
+stable mailing list, and was considered OK for 4.14, and that's
+essentially the same backport for 4.15 and 4.4. 
+ 
+  * The changes are limited to netfilter conncount/connlimit (names
+change between older/newer kernel versions).
+ 
+ [Other Info]
+  
+  * The backport for 4.14 [2] is applied as of 4.14.92.
+ 
+ [1] https://www.spinics.net/lists/stable/msg276883.html
+ [2] https://www.spinics.net/lists/stable/msg276910.html

** Description changed:

  [Impact]
  
-  * The iptables connection count/limit rules can be breached 
-with multithreaded network driver/server/client (common)
-due to a race in the conncount/connlimit code.
+  * The iptables connection count/limit rules can be breached
+    with multithreaded network driver/server/client (common)
+    due to a race in the conncount/connlimit code.
  
-  * For example:
+  * For example:
  
-# iptables -A INPUT -p tcp -m tcp --syn --dport  \
-  -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
-  -j DROP
+    # iptables -A INPUT -p tcp -m tcp --syn --dport  \
+  -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
+  -j DROP
  
-  * The fix is a backport from an upstream commit that resolves
-the problem (plus dependencies for a cleaner backport) that
-address the race condition:
+  * The fix is a backport from an upstream commit that resolves
+    the problem (plus dependencies for a cleaner backport) that
+    address the race condition:
  
-commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
-collection confirm race").
+    commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
+    collection confirm race").
  
  [Test Case]
  
-  * Server-side: (relevant kernel side)
-(limit TCP port  to only 2000 connections)
+  * Server-side: (relevant kernel side)
+    (limit TCP port  to only 2000 connections)
  
-# iptables -A INPUT -p tcp -m tcp --syn --dport  \
-  -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
-  -j DROP
+    # iptables -A INPUT -p tcp -m tcp --syn --dport  \
+  -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
+  -j DROP
  
-# ulimit -SHn 65000   # increase number of open files
-# ruby server.rb  # multi-threaded serv