Title: Regression: connect() returns EACCES (Permission denied) due to internal route cache / fnhe corruption in 6.8.0-100
Package: linux (Ubuntu 24.04 LTS)

Description:
There is a routing regression introduced in the Ubuntu 24.04 kernel between versions 6.8.0-90 and 6.8.0-100. Under certain outbound traffic bursts (such as Kodi generating concurrent API requests to CloudFront/TMDB), the kernel internally corrupts the routing cache / FIB Next Hop Exception (fnhe) for the destination IP. Once corrupted, any subsequent attempt to open a socket to that IP results in an immediate EACCES (Permission denied) error locally. This is strictly a local kernel issue; packet captures confirm no external ICMP unreachables or redirects are being received to trigger this.

System Information:
OS: Ubuntu 24.04 LTS (Noble Numbat)
Good Kernel: 6.8.0-90-generic
Bad Kernel: 6.8.0-100-generic

Steps to Reproduce:
1. Boot into kernel 6.8.0-100.
2. Generate a high volume of concurrent outbound requests to a specific external IP (e.g., running the Kodi scraper against api.themoviedb.org).
3. Wait for the application to lose connectivity to the destination IP.
4. Attempt to trace or ping the IP using mtr -t4 <destination_ip>.

Expected Behavior:
The traffic routes normally via the default gateway, as it does flawlessly on kernel 6.8.0-90.

Actual Behavior:
The connect() syscall fails instantly at the local level with a permission error.
mtr outputs:
  mtr: udp socket connect failed: Permission denied
ping misinterprets the EACCES error on the socket and outputs:
  Do you want to ping broadcast? Then -b

Diagnostic Evidence:
Proof of fnhe presence: Running ip -d route get <destination_ip> during the failure state appends the cache keyword, confirming an exception exists in the routing table.
Proof of internal origin: Running tcpdump -i eth0 -n "icmp" during the traffic burst captures absolutely zero inbound ICMP unreachable, reject, or redirect packets. The kernel is generating this exception locally.

The Workaround:
Running sudo ip route flush cache immediately clears the corrupted exception, and mtr / ping / Kodi instantly resume working until the workload triggers the bug again.

Conclusion:
A patch backported into the 6.8.0-100 kernel tree has introduced a race condition or logic error in how local route exceptions are generated or flagged, causing standard unicast IPs to be locally treated as broadcast/prohibited. Pinning the system to 6.8.0-90 completely and permanently resolves the issue.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141531

Title:
  Network unstable on 6.8.0-100.100

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2141531/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
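The "udp socket connect failed: Permission denied" line from mtr is the result of the connect() call mtr makes on an unconnected UDP socket before it sends any probe. The following C program, added here as an example and not part of the bug report or of the kernel tree, repeats that probe directly, once as mtr does it and once with SO_BROADCAST set on the socket. In the IPv4 output path connect() returns EACCES in two situations: the chosen route carries the broadcast flag and the socket does not have SO_BROADCAST (the case ping hints at with "Then -b"), or the FIB lookup hit a prohibit-type route, which returns EACCES regardless of socket options. Comparing the two probes tells the two apart. The probe port 33434 and the diagnosis strings are assumptions; no packet leaves the host, because connect() on a datagram socket only performs the route lookup and binds the result to the socket.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Default UDP destination port: an assumption, chosen because it is the
 * traditional traceroute/mtr probe port. */
#define PROBE_PORT 33434

/* connect() an unconnected IPv4 UDP socket to ip:port and return 0 on
 * success or the errno connect() produced. No datagram is sent: for a
 * datagram socket connect() only runs the route lookup and attaches the
 * chosen route to the socket, which is the step at which mtr prints
 * "udp socket connect failed". */
int probe_udp_connect(const char *ip, int port, int allow_broadcast)
{
    struct sockaddr_in dst;
    int fd, err = 0;

    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &dst.sin_addr) != 1)
        return EINVAL;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    if (allow_broadcast) {
        /* SO_BROADCAST lifts the EACCES the kernel returns when the route
         * is flagged as broadcast; it does nothing for a prohibit route. */
        int one = 1;
        if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0) {
            err = errno;
            close(fd);
            return err;
        }
    }

    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0)
        err = errno;
    close(fd);
    return err;
}

/* Interpret the pair of results from probing without and with
 * SO_BROADCAST. The diagnosis strings are this example's own wording. */
const char *diagnose(int err_plain, int err_bcast)
{
    if (err_plain == 0)
        return "ok: route lookup succeeded";
    if (err_plain == EACCES && err_bcast == 0)
        return "EACCES only without SO_BROADCAST: kernel treats the destination as broadcast";
    if (err_plain == EACCES)
        return "EACCES with and without SO_BROADCAST: route is prohibit-type";
    if (err_plain == ENETUNREACH)
        return "ENETUNREACH: no route to destination";
    if (err_plain == EHOSTUNREACH)
        return "EHOSTUNREACH: unreachable-type route";
    return "other error";
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    int port = argc > 2 ? atoi(argv[2]) : PROBE_PORT;
    int plain = probe_udp_connect(ip, port, 0);
    int bcast = probe_udp_connect(ip, port, 1);

    printf("%s:%d  plain=%s  SO_BROADCAST=%s\n", ip, port,
           plain ? strerror(plain) : "ok", bcast ? strerror(bcast) : "ok");
    printf("%s\n", diagnose(plain, bcast));
    return plain ? 1 : 0;
}
```

Run it against the affected destination while ip -d route get still prints the cache line, then again after ip route flush cache; only the first run should report EACCES. Because the probe performs a fresh route lookup each time and needs no privileges, it can also be run in a loop alongside the traffic burst to record the moment the exception appears.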
