lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAB9dFds7KQxihReHhW9CXJeY9+=4BPema3ZawVA89U45QL5uBw@mail.gmail.com>
Date:	Mon, 4 Jul 2016 09:35:28 -0300
From:	Marc Dionne <marc.c.dionne@...il.com>
To:	Florian Westphal <fw@...len.de>
Cc:	Pablo Neira Ayuso <pablo@...filter.org>,
	netdev <netdev@...r.kernel.org>, regressions@...mhuis.info
Subject: Re: Multi-thread udp 4.7 regression, bisected to 71d8c47fc653

On Mon, Jun 27, 2016 at 2:21 PM, Marc Dionne <marc.c.dionne@...il.com> wrote:
> On Mon, Jun 27, 2016 at 12:38 PM, Florian Westphal <fw@...len.de> wrote:
>> Marc Dionne <marc.c.dionne@...il.com> wrote:
>>> On Mon, Jun 27, 2016 at 11:22 AM, Florian Westphal <fw@...len.de> wrote:
>>> > Marc Dionne <marc.c.dionne@...il.com> wrote:
>>> >> Hi,
>>
>>> >         hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[hash], hnnode)
>>> >                 if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
>>> > -                                   zone, net))
>>> > -                       goto out;
>>> > +                                   zone, net)) {
>>> > +                       nf_ct_add_to_dying_list(ct);
>>> > +                       ret = nf_ct_resolve_clash(net, skb, ctinfo, h);
>>> > +                       goto dying;
>>> > +               }
>>
>> This is bogus as h can be a reply too (key compare does not deal
>> with it).
>>
>> Below is what I actually intended; I can't come up with a reason why
>> you experience this issue other than that we're getting confused over
>> reply/original direction.
>>
>> If the patch doesn't help either, can you tell us what kind of iptables
>> rules are installed on the affected system or perhaps report perf drop
>> monitor stat when things go wrong?
>>
>> Thanks!
>
> The additional patch didn't help either.
>
> I had a lot of iptables bloat, but I reverted to old simple iptables
> and ip6tables configs (attached), and still see the problem.  Note
> that the test normally uses ipv6, but the behaviour is the same with
> ipv4.
>
> Marc

Hi,

Any other ideas for this issue?  I would hate to see the 4.7 release
go out without a fix or revert, and have a kernel that we have to tell
our clients not to use.

If there is no quick fix, seems like a revert should be considered:
- Looks to me like the commit attempts to fix a long standing bug
(exists at least as far back as 3.5,
https://bugzilla.kernel.org/show_bug.cgi?id=52991)
- The above bug has a simple workaround (at least for us) that we
implemented more than 3 years ago
- The commit reverts cleanly, restoring the original behaviour
- From that bug report, bind was one of the affected applications; I
would suspect that this regression is likely to affect bind as well

I'd be more than happy to test suggested fixes or give feedback with
debugging patches, etc.

Thanks,
Marc

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ