[CentOS-devel] Backport of xfrm kernel bugfix

Thu Jan 9 02:34:36 UTC 2020
Akemi Yagi <amyagi at gmail.com>

On Wed, Jan 8, 2020 at 5:58 PM Carl George <carl at redhat.com> wrote:
>
> Thanks Matt for sending the patch to the list.  This is moving forward
> inside Red Hat, and will be included in a future kernel package.  We can't
> say for sure when this will happen, but the fix has been accepted.  We're
> still ironing out the details for the CentOS Stream external contribution
> pipeline, so please bear with us.
>
> On Thu, Dec 12, 2019 at 2:03 PM Matt Dees <matt.dees at netprotect.com> wrote:
>>
>> Hi All!
>>
>> We have been dealing with a memory leak in the kernel for IKEv2 and IPsec connections relating to a memory leak in xfrm support on both el8 and el7. The symptom of this issue is that memory will continue allocating in slab over time, making a box OOM after too many connections.
>>
>> As per some external discussions I am sending the patch + bug report on to this list. It has already been accepted into upstream kernels (4.19 included) and is a pretty straightforward backport. I have tested and installed this on a few CentOS 8 systems to validate that this does indeed solve the memory leak issue.
>>
>> rbz# 1780470
> --
> Carl George

In the meantime, the centosplus kernel (kernel-plus) for the upcoming
CentOS 8.1.1911 includes this patch, so users can give it a try.

Akemi