
Bug 570491

Summary: vmalloc ENOMEM caused by iptables
Product: Red Hat Enterprise Linux 5
Component: kernel
Version: 5.4
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Jon Thomas <jthomas>
Assignee: Jiri Olsa <jolsa>
QA Contact: Eryu Guan <eguan>
CC: eguan, oguzyilmaz, qcai, tao
Doc Type: Bug Fix
Last Closed: 2011-01-13 20:37:41 UTC
Attachments: reproducer (flags: none), proposed patch (flags: none)

Description Jon Thomas 2010-03-04 14:31:29 UTC
Created attachment 397820: reproducer

The client is stress-testing iptables for their requirement on an SMP system. They have provided a program (attached) which adds thousands of rules to iptables. In RHEL 5.x, once the limit reaches ~50000, the program exits on getting an error code, with the error "iptables: Unknown error 18446744073709551615". The iptables version is iptables-1.3.5-5.3.el5_4.1.

How reproducible:
Always

Steps to Reproduce:
I'll attach the reproducer.

Run the program:
# ./a.out

Actual result:
iptables: Unknown error 18446744073709551615 

This is really an ENOMEM that doesn't get propagated to iptables. The iptables code sets errno to the return value (-1) of setsockopt. There is a simple fix for this, and it is not the focus of this bug report.

setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 6127868) = -1 ENOMEM (Cannot allocate memory)
munmap(0xb728c000, 512000)              = 0
munmap(0xb7309000, 512000)              = 0
munmap(0xb7386000, 6131712)             = 0
write(2, "iptables: Unknown error 42949672"..., 35iptables: Unknown error 4294967295
) = 35
exit_group(1)


Expected result:
Should run successfully.

Should not be an ENOMEM, as was fixed in RHEL 4.7.


Additional info:
Once this limit is reached, one cannot insert even a single rule. These rules persist across an iptables service restart. They are destroyed when you remove all iptables kernel modules (mostly x_tables). The 'VmallocUsed' field changes drastically after the program runs; the difference is more than 125MB. When the program is straced, setsockopt() returns -ENOMEM in the end and the program stops. On RHEL 4, it gave the error "iptables: Memory allocation problem". After upgrading to RHEL 4.7, the issue is resolved.


Appears to be a duplicate of a rhel4 bug

https://bugzilla.redhat.com/show_bug.cgi?id=179098

that was a dup of 

https://bugzilla.redhat.com/show_bug.cgi?id=173193

It looks like the RHEL 4 patch was applied to the RHEL 5 kernel, but then some other updates have been applied since.
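
The errno mix-up described in the report above, as an added example (not iptables or libiptc source, and not part of the original report). The names `fake_setsockopt`, `commit_buggy`, `commit_fixed` and `format_unknown` are hypothetical, and the failing call is simulated rather than issued against a kernel; the example also shows that the two large numbers quoted in the report are -1 read as an unsigned 64-bit and 32-bit integer.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the failing setsockopt(): -1 with errno = ENOMEM. */
static int fake_setsockopt(void)
{
    errno = ENOMEM;
    return -1;
}

/* Pattern the report describes: the return value (-1) is copied into
 * errno, so the real cause is lost before the caller can report it. */
int commit_buggy(void)
{
    int ret = fake_setsockopt();
    if (ret < 0)
        errno = ret;
    return ret < 0 ? 0 : 1;
}

/* Corrected pattern: errno is left exactly as the failing call set it. */
int commit_fixed(void)
{
    return fake_setsockopt() < 0 ? 0 : 1;
}

/* Print an error number as an unsigned integer of the given width,
 * which is how -1 turns into the two large numbers quoted above. */
int format_unknown(char *buf, size_t len, int err, int bits)
{
    if (bits == 32)
        return snprintf(buf, len, "Unknown error %" PRIu32, (uint32_t)err);
    return snprintf(buf, len, "Unknown error %" PRIu64, (uint64_t)err);
}

int main(void)
{
    char msg[64];
    commit_buggy();
    format_unknown(msg, sizeof msg, errno, 64);
    printf("buggy: iptables: %s\n", msg);
    commit_fixed();
    printf("fixed: iptables: %s\n", strerror(errno));
    return 0;
}
```

With the corrected pattern the caller sees ENOMEM and can report the memory allocation failure instead of an unknown error number.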

Comment 1 Jiri Olsa 2010-03-15 22:50:39 UTC
hi,

I've found/backported the following change, which seems to cause the issue:

commit 9e67d5a739327c44885adebb4f3a538050be73e4
Author: Patrick McHardy <kaber>
[NETFILTER]: x_tables: remove obsolete overflow check
    
The change is based on the following commit as well:

commit 259d4e41f3ec25f22169daece42729f597b89f9a
Author: Eric Dumazet <dada1>
[NETFILTER]: x_tables: struct xt_table_info diet


I'll send this for review; meanwhile you can try the patched kernel:
http://people.redhat.com/jolsa/kernel-2.6.18-192.el5jolsa_iptables_fix1.x86_64.rpm

wbr,
jirka

Comment 2 Jiri Olsa 2010-03-15 23:03:02 UTC
FYI the iptables package should be fixed in iptables 1.3.6 according to upstream sources

Comment 3 Jiri Olsa 2010-03-15 23:05:58 UTC
Created attachment 400326: proposed patch

Comment 6 RHEL Program Management 2010-05-20 12:43:58 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 8 Jarod Wilson 2010-05-25 21:11:47 UTC
in kernel-2.6.18-200.el5
You can download this test kernel from http://people.redhat.com/jwilson/el5

Detailed testing feedback is always welcomed.

Comment 12 errata-xmlrpc 2011-01-13 20:37:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0017.html