[LTCTest] SR-IOV VF hotplug failing: cannot limit locked memory of process

Bug #1625319 reported by bugproxy
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
apparmor (Ubuntu)  Fix Released   Undecided    Unassigned

Bug Description

---Problem Description---
Unable to hotplug SRIOV CX4 VF to Ubuntu 16.10 or 16.04.1 guests.

---uname output---
Linux c158f2u09os 4.7.0unofficial #5 SMP Mon Sep 5 08:53:38 EDT 2016 ppc64le ppc64le ppc64le GNU/Linux

---Additional Hardware Info---
Mellanox CX4

Machine Type = 8247-22L

---Steps to Reproduce---
 Unable to hotplug SRIOV CX4 VF to Ubuntu 16.10 guest.

1. Boot the guests with/without VFs
2. Try hotplugging of VF to guests, you will notice error as shown below:

root@c158f2u09os:/var/lib/libvirt/images/srikanth# cat hot_vf.xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address domain='0x0005' bus='0x01' slot='0x00' function='0x4'/>
  </source>
</hostdev>
root@c158f2u09os:/var/lib/libvirt/images/srikanth# virsh attach-device ubuntu1610_srik ./hot_vf.xml --live
error: Failed to attach device from ./hot_vf.xml
error: cannot limit locked memory of process 80265 to 9663676416: Permission denied

root@c158f2u09os:/var/lib/libvirt/images/srikanth# virsh attach-device ubuntu160401_srik ./hot_vf.xml --live
error: Failed to attach device from ./hot_vf.xml
error: cannot limit locked memory of process 80960 to 9663676416: Permission denied

=====================
Environment details:
=====================

Host :
 9.47.68.198, root/sriov4321
 Ubuntu 16.10
 kernel version:
 Linux c158f2u09os 4.7.0unofficial #5 SMP Mon Sep 5 08:53:38 EDT 2016 ppc64le ppc64le ppc64le GNU/Linux
Guest:
1. ubuntu1610_srik
 kernel version: 4.7.0unofficial
 creds: root/123456
2. ubuntu160401_srik
 kernel version: 4.4.0-38-generic
 creds: root/123456

MOFED versions:
 MOFED version in Host as well as Guest: 3.4-OFED.3.4.0.1.0.1
 CX4 Firmware version: 12.17.0222

Development took a look at this and believes this is an apparmor related issue and requested the defect be mirrored to Canonical for their assistance.

bugproxy (bugproxy) wrote : sosreport

Default Comment by Bridge

tags: added: architecture-ppc64le bugnameltc-146192 severity-critical targetmilestone-inin1610
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → apparmor (Ubuntu)
Seth Arnold (seth-arnold) wrote :

Shivaprasad reported this last week in the #apparmor irc channel. What I think we figured out at the time:

- The 4.7.0-based kernel may or may not be missing fixes from Ubuntu kernels
- 9663676416 is suspiciously larger than 32 bit integer
- the profile didn't mention rlimits, so they should not have been 'enforced'

I had a wild-guess that "set rlimit memlock 1," might provide useful debugging information. John thought otherwise.

John asked for the security/apparmor/rlim_names.h file that's created during the build.

Thanks
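
A triage helper for the error discussed above, added here as an example (it is not from the bug report, libvirt or AppArmor): it parses the libvirt message and a `/proc/<pid>/limits` listing to show the requested value in GiB, whether it exceeds an unsigned 32-bit integer, and whether it would raise the process's hard limit. The function names and the sample limits text are constructed for illustration.

```python
import re

# Constructed sample of /proc/<pid>/limits for a QEMU process (not from the bug report).
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max locked memory         65536                65536                bytes
Max open files            1024                 4096                 files
"""

ERR_RE = re.compile(r"cannot limit locked memory of process (\d+) to (\d+): (.+)")


def parse_libvirt_error(line):
    """Return (pid, requested_bytes, reason) from the memlock error, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).strip()


def parse_memlock(limits_text):
    """Return (soft, hard) for 'Max locked memory'; None means unlimited."""
    label = "Max locked memory"
    for row in limits_text.splitlines():
        if row.startswith(label):
            soft, hard = row[len(label):].split()[:2]
            return tuple(None if v == "unlimited" else int(v) for v in (soft, hard))
    raise ValueError("no 'Max locked memory' row found")


def triage(error_line, limits_text):
    """Summarise what the failed request asked for relative to current limits."""
    parsed = parse_libvirt_error(error_line)
    if parsed is None:
        raise ValueError("not a libvirt memlock error line")
    pid, want, reason = parsed
    soft, hard = parse_memlock(limits_text)
    return {
        "pid": pid,
        "reason": reason,
        "requested_gib": want / 2**30,
        # A value above 0xFFFFFFFF cannot be represented in a 32-bit field.
        "exceeds_u32": want > 0xFFFFFFFF,
        # Raising a hard limit needs CAP_SYS_RESOURCE, so the request is
        # subject to permission checks rather than being a plain lowering.
        "raises_hard_limit": hard is not None and want > hard,
    }
```

On a live host, pass the contents of `/proc/<pid>/limits` for the QEMU process named in the error instead of the sample text.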

Tyler Hicks (tyhicks) wrote :

As Seth mentioned, this unofficial kernel may be missing some AppArmor fixes that are included in the official Ubuntu kernels. Can you please try 4.8.0-11.12 from yakkety-proposed and let us know if this bug is still present?

  https://launchpad.net/ubuntu/+source/linux/4.8.0-11.12

Thanks!

Changed in apparmor (Ubuntu):
status: New → Incomplete
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-09-30 11:11 EDT-------
*** Bug 147131 has been marked as a duplicate of this bug. ***

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-10-12 00:50 EDT-------
Tested with latest Ubuntu 16.10 build having kernel '4.8.0-21-generic'. The issue reported in this bug is fixed.

Andrew Cloke (andrew-cloke) wrote :

As per comment #5, marking as "Fix Released".

Changed in apparmor (Ubuntu):
status: Incomplete → Fix Released
assignee: Taco Screen team (taco-screen-team) → nobody