rtnetlink: enable namespace identifying properties in rtnetlink requests

Bug #1748232 reported by Christian Brauner on 2018-02-08
Affects: linux (Ubuntu), importance Medium, assigned to Seth Forshee
Affects: Bionic, importance Medium, assigned to Seth Forshee

Bug Description

Hey,

I've recently pushed a couple of patches to enable IFLA_IF_NETNSID to be passed in rtnetlink requests to avoid having to take the hit of setns() to a network namespace and its owning user namespace when performing operations on a target network namespace. This makes a lot of costly operations for LXD through liblxc way cheaper. Juju is one candidate that recently suffered from costs caused by lxc list on a LXD instance with a lot of containers. If it's not too much trouble in the current meltdown/spectre and pre-LTS release craziness it would be really great if we could ensure that these patches make it into the Bionic kernel and possibly be backported to the 16.04 kernel. The 16.04 kernel might be a little annoying though since it misses a few pre-requisite patches but if you think that we can do it I can give you the patches that you need to make it easier for you! Here are the patches that are required for 4.15 in Bionic:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c4f63ba824302492985553018881455982241d6

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c310bfcb6e1be993629c5747accf8e1c65fbb255

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b61ad68a9fe85d29d5363eb36860164a049723cf

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5bb8ed075428b71492734af66230aa0c07fcc515

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7973bfd8758d05c85ee32052a3d7d5d0549e91b4

There's one additional (security/hardening) patch which has been acked and will very likely make it into 4.16 as well once Dave picks it up and sends it to Linus. So I'm listing it here right away but if you want to wait until it is fully upstream, I understand:

https://patchwork.ozlabs.org/patch/870363/

Thanks!
Christian
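An added example, not code from the bug report, LXD or liblxc: it builds and sends the RTM_GETLINK request that the patches above make possible, carrying IFLA_IF_NETNSID so the kernel answers for a link in a target network namespace without the caller ever calling setns(). It assumes a 4.15 kernel with these patches and that the caller has already obtained a netns id for the target (RTM_GETNSID / `ip netns set NAME ID`); `struct getlink_req`, `build_getlink_req` and `query_link` are names chosen for this example.

```c
#include <linux/rtnetlink.h>   /* also brings in linux/netlink.h and linux/if_link.h */
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

#ifndef IFLA_IF_NETNSID
#define IFLA_IF_NETNSID 46  /* assumed: the value in the 4.15 uapi header, for older headers */
#endif
/* One RTM_GETLINK request with room for a single IFLA_IF_NETNSID (s32) attribute. */
struct getlink_req {
    struct nlmsghdr  nlh;
    struct ifinfomsg ifm;
    char             attrs[RTA_SPACE(sizeof(__s32))];
};

/* Build a GETLINK for ifindex in the netns that the caller's netns knows as nsid. */
size_t build_getlink_req(struct getlink_req *req, int ifindex, __s32 nsid, __u32 seq)
{
    struct rtattr *rta;
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->ifm));
    req->nlh.nlmsg_type = RTM_GETLINK;
    req->nlh.nlmsg_flags = NLM_F_REQUEST;
    req->nlh.nlmsg_seq = seq;
    req->ifm.ifi_index = ifindex;  /* index as numbered inside the target netns */
    /* Without this attribute the kernel resolves ifindex in the caller's own netns. */
    rta = (struct rtattr *)((char *)req + NLMSG_ALIGN(req->nlh.nlmsg_len));
    rta->rta_type = IFLA_IF_NETNSID;
    rta->rta_len = RTA_LENGTH(sizeof(nsid));
    memcpy(RTA_DATA(rta), &nsid, sizeof(nsid));
    req->nlh.nlmsg_len = NLMSG_ALIGN(req->nlh.nlmsg_len) + RTA_ALIGN(rta->rta_len);
    return req->nlh.nlmsg_len;   /* total length to hand to send() */
}

/* Send over NETLINK_ROUTE with no setns(). Returns 0 for a link reply, the kernel's -errno
 * from NLMSG_ERROR (-EINVAL unknown nsid, -EACCES no CAP_NET_ADMIN over the target netns's
 * owning user namespace, -ENODEV bad index), or -1 on a local socket failure. */
int query_link(int ifindex, __s32 nsid)
{
    struct getlink_req req;
    char buf[8192];
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), rc = -1;
    ssize_t n;
    build_getlink_req(&req, ifindex, nsid, 1);
    if (fd >= 0 && send(fd, &req, req.nlh.nlmsg_len, 0) >= 0 &&
        (n = recv(fd, buf, sizeof(buf), 0)) >= 0 && NLMSG_OK(nlh, (int)n))
        rc = nlh->nlmsg_type == NLMSG_ERROR ? ((struct nlmsgerr *)NLMSG_DATA(nlh))->error : 0;
    if (fd >= 0) close(fd);
    return rc;
}
```

A kernel without these patches does not recognise the attribute and simply resolves ifindex in the caller's own namespace, so a reply from an older kernel describes the caller's link of that index, not the target's.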


This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1748232

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: bionic kernel-da-key
Changed in linux (Ubuntu Bionic):
status: Confirmed → Triaged
Christian Brauner (cbrauner) wrote :

FYI, the last hardening patch I mentioned made it into Dave's net tree and will be included in 4.16:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=4ff66cae7f10b65b028dc3bdaaad9cc2989ef6ae

Seth Forshee (sforshee) on 2018-02-27
Changed in linux (Ubuntu Bionic):
assignee: nobody → Seth Forshee (sforshee)
status: Triaged → In Progress
Seth Forshee (sforshee) wrote :

Committed for bionic.

Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-12.13

---------------
linux (4.15.0-12.13) bionic; urgency=medium

  * linux: 4.15.0-12.13 -proposed tracker (LP: #1754059)

  * CONFIG_EFI=y on armhf (LP: #1726362)
    - [Config] CONFIG_EFI=y on armhf, reconcile secureboot EFI settings

  * ppc64el: Support firmware disable of RFI flush (LP: #1751994)
    - powerpc/pseries: Support firmware disable of RFI flush
    - powerpc/powernv: Support firmware disable of RFI flush

  * [Feature] CFL/CNL (PCH:CNP-H): New GPIO Commit added (GPIO Driver needed)
    (LP: #1751714)
    - gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation
    - pinctrl: intel: Allow custom GPIO base for pad groups
    - pinctrl: cannonlake: Align GPIO number space with Windows

  * [Feature] Add xHCI debug device support in the driver (LP: #1730832)
    - usb: xhci: Make some static functions global
    - usb: xhci: Add DbC support in xHCI driver
    - [Config] USB_XHCI_DBGCAP=y for commit mainline dfba2174dc42.

  * [SRU] Lenovo E41 Mic mute hotkey is not responding (LP: #1753347)
    - platform/x86: ideapad-laptop: Increase timeout to wait for EC answer

  * headset mic can't be detected on two Dell machines (LP: #1748807)
    - ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines

  * hisi_sas: Add disk LED support (LP: #1752695)
    - scsi: hisi_sas: directly attached disk LED feature for v2 hw

  * [Feature] [Graphics]Whiskey Lake (Coffelake-U 4+2) new PCI Device ID adds
    (LP: #1742561)
    - drm/i915/cfl: Adding more Coffee Lake PCI IDs.

  * [Bug] [USB Function][CFL-CNL PCH]Stall Error and USB Transaction Error in
    trace, Disable of device-initiated U1/U2 failed and rebind failed: -517
    during suspend/resume with usb storage. (LP: #1730599)
    - usb: Don't print a warning if interface driver rebind is deferred at resume

  * retpoline: ignore %cs:0xNNN constant indirections (LP: #1752655)
    - [Packaging] retpoline -- elide %cs:0xNNNN constants on i386
    - [Config] retpoline -- clean up i386 retpoline files

  * hisilicon hibmc regression due to ea642c3216cb ("drm/ttm: add io_mem_pfn
    callback") (LP: #1738334)
    - drm/ttm: add ttm_bo_io_mem_pfn to check io_mem_pfn

  * [Asus UX360UA] battery status in unity-panel is not changing when battery is
    being charged (LP: #1661876) // AC adapter status not detected on Asus
    ZenBook UX410UAK (LP: #1745032)
    - ACPI / battery: Add quirk for Asus UX360UA and UX410UAK

  * ASUS UX305LA - Battery state not detected correctly (LP: #1482390)
    - ACPI / battery: Add quirk for Asus GL502VSK and UX305LA

  * [18.04 FEAT] Automatically detect layer2 setting in the qeth device driver
    (LP: #1747639)
    - s390/diag: add diag26c support for VNIC info
    - s390/qeth: support early setup for z/VM NICs

  * Bionic update to v4.15.7 stable release (LP: #1752317)
    - netfilter: drop outermost socket lock in getsockopt()
    - arm64: mm: don't write garbage into TTBR1_EL1 register
    - kconfig.h: Include compiler types to avoid missed struct attributes
    - MIPS: boot: Define __ASSEMBLY__ for its.S build
    - xtensa: fix high memory/reserved memory collision
    - scsi: ibmvfc: fix misde...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Christian Brauner (cbrauner) wrote :

Thanks!

Christian
