Bug 157849 - CVE-2005-3274 IPVS panic at ip_vs_conn_flush() when unloading ip_vs module
Summary: CVE-2005-3274 IPVS panic at ip_vs_conn_flush() when unloading ip_vs module
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Neil Horman
QA Contact: Brian Brock
Depends On:
Blocks: 156320
Reported: 2005-05-16 14:15 UTC by Issue Tracker
Modified: 2007-11-30 22:07 UTC
CC List: 5 users

Fixed In Version: RHSA-2005-663
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-09-28 15:10:08 UTC
Target Upstream Version:

Attachments
- patch to prevent unlocking in the middle of list traversal (deleted), 2005-06-23 17:08 UTC, Neil Horman
- new patch to prevent ipvs race (deleted), 2005-06-24 14:50 UTC, Neil Horman
- upstream backport of ipvs fix (deleted), 2005-06-28 17:21 UTC, Neil Horman
- correct upstream backport patch (deleted), 2005-06-28 19:30 UTC, Neil Horman

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2005:663 | qe-ready | SHIPPED_LIVE | Important: Updated kernel packages available for Red Hat Enterprise Linux 3 Update 6 | 2005-09-28 04:00:00 UTC

Description Issue Tracker 2005-05-16 14:15:12 UTC
Escalated to Bugzilla from IssueTracker

Comment 16 Ernie Petrides 2005-05-16 21:14:18 UTC
Reassigning to DaveM.

Comment 17 Neil Horman 2005-06-03 15:36:19 UTC
Dave M. and Peter S. requested that I finish up the work on this bug.  I'll get
the smoke tested patch posted here asap.

Comment 18 Neil Horman 2005-06-23 17:08:53 UTC
Created attachment 115883 [details]
patch to prevent unlocking in the middle of list traversal

I know previously I thought that the second Egenera patch was the right thing
to do, but now after looking more closely at it, I think the first idea is
probably the better way to go.  The problem comes down to the fact that you
release the spinlock that protects the list while you still have outstanding
work to do regarding the reading of its prev and next pointers (via the for
loop).  As such, when we re-acquire the lock, we need to reset our loop counter
so that it starts at the beginning of the list again (to ensure that our prev
and next pointers aren't corrupt).  The second suggested fix that I initially
thought was good now worries me a bit, because it tries to accomplish the same
thing in a less reliable manner.  By increasing the ref count on the next
pointer we can prevent the current element's next pointer from becoming
corrupt, but it's still possible (although far less likely) that the next->next
entry might get freed, and race with the ip_vs_conn_flush loop.  My point is I
don't think the second solution is really a complete fix.  We need to provide
mutual exclusion to _all_ list modifications and accesses.  That means either
resetting the entry pointer to the start of the loop, or to just not unlock the
loop.  Since we're waiting on the list to be flushed here, this boils down to
waiting for each element to flush individually (by re-expiring the same cp
entry using the list reset method) waiting for each to finish, or by holding
the lock, until each expiration is requested, and then rescanning the list
looking for stragglers to re-expire (the mutex holding method).  The latter
seems less prone to errors to me.  It looks like this needs to go upstream as
well, so I'll post this there first, and if there isn't any push-back on it,
I'll push it here for RHEL3/4.
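
The "mutex holding method" from the comment above, as an added user-space C model that is not the kernel's or Red Hat's code: the flush keeps the table lock across the whole scan so the cached next pointer can never point at a freed entry, only arms expiry timers under the lock, and then rescans for stragglers whose reference count kept them alive. The struct conn layout, the refcount behaviour in run_timers and the helper names are assumptions made for the model.

```c
#include <pthread.h>
#include <stdlib.h>
/* Constructed stand-in for an IPVS connection entry; not kernel code. */
struct conn { struct conn *next; int refcnt; int timer_pending; };

static struct conn *head;      /* one hash bucket of the connection table */
static int conn_count;         /* stand-in for ip_vs_conn_count */
static pthread_mutex_t tab_lock = PTHREAD_MUTEX_INITIALIZER;

/* Stand-in for ip_vs_conn_expire_now(): arms the timer, frees nothing,
 * so calling it with tab_lock held is safe. */
static void expire_now(struct conn *cp) { cp->timer_pending = 1; }

/* Simulated timer run: an entry is freed only when nobody else holds a
 * reference; a busy entry stays as a straggler with its timer cleared. */
static void run_timers(void) {
    pthread_mutex_lock(&tab_lock);
    for (struct conn **pp = &head; *pp; ) {
        struct conn *cp = *pp;
        if (cp->timer_pending && cp->refcnt == 0) {
            *pp = cp->next; free(cp); conn_count--;
        } else {
            cp->timer_pending = 0;
            if (cp->refcnt) cp->refcnt--;   /* another CPU drops its ref */
            pp = &cp->next;
        }
    }
    pthread_mutex_unlock(&tab_lock);
}

/* Hold tab_lock for the whole scan so the cached next pointer cannot go
 * stale, then rescan until the table is empty. Returns the scan count. */
static int flush_all(void) {
    int passes = 0;
    do {
        passes++;
        pthread_mutex_lock(&tab_lock);
        for (struct conn *cp = head; cp; cp = cp->next)
            expire_now(cp);             /* never unlock inside this loop */
        pthread_mutex_unlock(&tab_lock);
        run_timers();                   /* stand-in for schedule() */
    } while (conn_count != 0);
    return passes;
}

static void add_conn(int refcnt) {      /* test helper: one busy/idle entry */
    struct conn *c = calloc(1, sizeof *c);
    c->refcnt = refcnt; c->next = head; head = c; conn_count++; }
static int count_conns(void) { return conn_count; }
```

With three entries holding 0, 2 and 1 outstanding references, the flush needs three scans before every straggler is gone.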

Comment 20 Neil Horman 2005-06-24 14:50:21 UTC
Created attachment 115935 [details]
new patch to prevent ipvs race

I've gotten some upstream feedback, and this is the variant of the patch that
is getting some traction currently.

Comment 21 Neil Horman 2005-06-28 17:21:45 UTC
Created attachment 116070 [details]
upstream backport of ipvs fix

Upstream backport to RHEL3 of ipvs patch

Comment 22 Neil Horman 2005-06-28 19:30:08 UTC
Created attachment 116081 [details]
correct upstream backport patch

Sorry, posted the wrong patch previously.  This is the correct one.

Comment 25 Ernie Petrides 2005-07-12 01:13:57 UTC
A fix for this problem has just been committed to the RHEL3 U6
patch pool this evening (in kernel version 2.4.21-32.10.EL).

Comment 29 Red Hat Bugzilla 2005-09-28 15:10:09 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
