FDB table grows out of control

Status changed to 'Confirmed' because the bug affects multiple users.

Did this issue start happening after an update/upgrade? Was there a prior kernel version where you were not having this particular problem?

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.6 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.6-rc4-wily/

@Joseph It was fixed in the upstream kernel. I have added tags and changed the status.

This problem affects us. I have identified that the change 9063e21fb026c4966fc93261c18322214f9835eb is able to resolve it after merging it to v3.13 kernel. Can we add the patch to new ubuntu v3.13 patch? Any suggestion? Thanks.

git describe --contains 9063e21fb026c4966fc93261c18322214f9835eb
v3.15-rc1~113^2~198

Hi Tim,

Can we add the patch into new v3.13 maintenance patch? It affects many people and we really needs this. Please suggest. Otherwise we have to build custom kernel and we don't prefer custom kernel. Thanks.

btw, I checked out Ubuntu-3.13.0-87.133 which has the problem. And after cherry-picking 9063e21fb026c4966fc93261c18322214f9835eb, the problem is gone.

Perry

Perry - this patch has been proposed for review on the kernel team mailing list: https://lists.ubuntu.com/archives/kernel-team/2016-May/077818.html

I see that the patch has gotten two ACKs. Looks the coming cycle is from 03-Jun through 25-Jun, and it is 03-Jun as last day for kernel commits. Please let me know if you need my support. Thanks.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

The defect has been fixed in kernel3.13.0-89-generic with the test approach in https://github.com/dlevy-ibm/fdb_bug.

------
Adding FDB entry for IP: 123.123.123.1
...
Adding FDB entry for IP: 123.123.123.74
79
Linux vmtotest 3.13.0-89-generic #136-Ubuntu SMP Fri Jun 10 19:19:24 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

This bug was fixed in the package linux - 3.13.0-91.138

---------------
linux (3.13.0-91.138) trusty; urgency=medium

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595991

  [ Upstream Kernel Changes ]

  * netfilter: x_tables: validate e->target_offset early
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: make sure e->next_offset covers remaining blob
    size
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: fix unconditional helper
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: don't move to non-existent next rule
    - LP: #1595350
  * netfilter: x_tables: validate targets of jumps
    - LP: #1595350
  * netfilter: x_tables: add and use xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: kill check_entry helper
    - LP: #1595350
  * netfilter: x_tables: assert minimum target size
    - LP: #1595350
  * netfilter: x_tables: add compat version of xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: check standard target size too
    - LP: #1595350
  * netfilter: x_tables: check for bogus target offset
    - LP: #1595350
  * netfilter: x_tables: validate all offsets and sizes in a rule
    - LP: #1595350
  * netfilter: x_tables: don't reject valid target size on some
    architectures
    - LP: #1595350
  * netfilter: arp_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip6_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - LP: #1595350
  * netfilter: x_tables: do compat validation via translate_table
    - LP: #1595350
  * netfilter: x_tables: introduce and use xt_copy_counters_from_user
    - LP: #1595350

linux (3.13.0-90.137) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595693

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing
    - LP: #1555338, #1595350

linux (3.13.0-89.136) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591315

  [ Kamal Mostafa ]

  * [debian] getabis: Only git add $abidir if running in local repo
    - LP: #1584890
  * [debian] getabis: Fix inconsistent compiler versions check
    - LP: #1584890

  [ Stefan Bader ]

  * SAUCE: powerpc/powernv: Fix incomplete backport of 8117ac6
    - LP: #1589910

  [ Tim Gardner ]

  * [Config] Remove arc4 from nic-modules
    - LP: #1582991

  [ Upstream Kernel Changes ]

  * KVM: x86: move steal time initialization to vcpu entry time
    - LP: #1494350
  * lpfc: Fix premature release of rpi bit in bitmask
    - LP: #1580560
  * lpfc: Correct loss of target discovery after cable swap.
    - LP: #1580560
  * mm/balloon_compaction: redesign ballooned pages management
    - LP: #1572562
  * mm/balloon_compaction: fix deflation when compaction is disabled
    - LP: #1572562
  * bridge: Fix the way to find old local fdb entries in br_fdb_changeaddr
    - LP: #1581585
  * bridge: notify user space after fdb update
    - LP: #1581585
  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
   ...