Bug 176455

Summary: [CM] [RHEL4] IPSec Kernel Bug
Product: Red Hat Enterprise Linux 4
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Bryan Mason <nobody+bjmason>
Assignee: Jeff Layton <jlayton>
QA Contact: Brian Brock <bbrock>
CC: davem, jbaron, steved, tao
Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Last Closed: 2007-05-01 23:59:50 UTC

Attachments:
backport of immediate SA switchover patch from upstream (flags: none)
respun patch, include dst->obsolete < 0 check (flags: none)

Comment 1 David Miller 2005-12-24 09:44:23 UTC
I already cooked up a patch so I'll take this.


Comment 6 Jeff Layton 2006-10-04 13:33:22 UTC
Created attachment 137740
backport of immediate SA switchover patch from upstream

Instead of using RHEL3's patch as a base, I backported the original upstream
patch here, since it was a little closer to the RHEL4 codebase. The original
patch is here:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=399c180ac5f0cb66ef9479358e0b8b6bafcbeafe


There is another patch, however, that we might want to consider, which looks
like it fixed some deficiencies of the original patch:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d49c73c729e2ef644558a1f441c044bfacdc9744


Dave, you're more familiar with this code than I. Should I backport that one
too?

Comment 7 Jeff Layton 2006-10-04 14:01:50 UTC
Created attachment 137743
respun patch, include dst->obsolete < 0 check

Respun patch that includes the later patch to correct the case when
dst->obsolete < 0.

Comment 8 David Miller 2006-10-04 20:40:27 UTC
Good catch Jeff, yes that second bit with the dst->obsolete check
is needed.


Comment 9 Jeff Layton 2006-10-24 11:28:52 UTC
The patch seems to have fixed the customer's Linux-Linux renegotiation problems,
but Linux-Windows doesn't seem to be working correctly still. Going to see if I
can crank up debugging in racoon and get some idea of why it's not occurring.

Essentially, network captures show the ISAKMP messages being sent back and forth
for rekeying, but the sequence numbers of the packets following that don't get
reset back to 1. I'm presuming this means that the rekeying failed for some reason.
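
The capture check described in the comment above, as an added example that is not part of the original bug report: it reads the SPI and sequence number from each ESP header (RFC 4303) and reports, per direction, whether traffic after the rekey moved to a new SPI whose sequence numbers start at 1. The addresses, SPIs, timestamps and function names are constructed for illustration.

```python
import struct

def esp_header(payload):
    """Return (spi, seq) from the 8-byte ESP header (RFC 4303)."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])

def check_rekey(packets, rekey_time, max_first_seq=1):
    """Classify each (src, dst) direction as 'switched', 'stale' or 'silent'.

    packets: (timestamp, src, dst, esp_payload) tuples in capture order.
    rekey_time: when the ISAKMP rekey exchange finished in the capture.
    max_first_seq: highest first-seen sequence number still treated as a
    fresh SA; raise it if the capture may have missed packets.
    """
    old_spis, first_seq_after = {}, {}
    for ts, src, dst, payload in packets:
        spi, seq = esp_header(payload)
        if ts < rekey_time:
            old_spis.setdefault((src, dst), set()).add(spi)
        else:
            # Keep only the first sequence number seen on each SPI after rekey.
            first_seq_after.setdefault((src, dst), {}).setdefault(spi, seq)
    verdicts = {}
    for flow in set(old_spis) | set(first_seq_after):
        after = first_seq_after.get(flow, {})
        fresh = [spi for spi, seq in after.items()
                 if spi not in old_spis.get(flow, set()) and seq <= max_first_seq]
        verdicts[flow] = "switched" if fresh else ("stale" if after else "silent")
    return verdicts

def make_esp(spi, seq):
    """Build a constructed ESP payload: header plus 16 dummy bytes."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16

# Constructed capture: A moves to a new SA after the rekey, B keeps the old one.
A, B, REKEY_TIME = "192.0.2.1", "192.0.2.2", 10.0
SAMPLE = [
    (1.0, A, B, make_esp(0x1000, 1)), (2.0, B, A, make_esp(0x3000, 1)),
    (3.0, A, B, make_esp(0x1000, 2)), (4.0, B, A, make_esp(0x3000, 2)),
    (11.0, A, B, make_esp(0x2000, 1)), (12.0, B, A, make_esp(0x3000, 3)),
    (13.0, A, B, make_esp(0x2000, 2)), (14.0, B, A, make_esp(0x3000, 4)),
]

if __name__ == "__main__":
    for (src, dst), verdict in sorted(check_rekey(SAMPLE, REKEY_TIME).items()):
        print(f"{src} -> {dst}: {verdict}")
```

A "stale" direction is one that kept sending on a pre-rekey SPI with the sequence counter still climbing, which matches the symptom reported in the capture.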


Comment 11 Jeff Layton 2006-11-28 20:01:18 UTC
I'm planning to post the patch here soon, so I'll go ahead and grab this from Dave.

Comment 13 Jason Baron 2006-12-04 19:16:10 UTC
Committed in stream U5 build 42.28. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 15 RHEL Program Management 2006-12-11 15:40:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 16 Jay Turner 2006-12-11 17:51:50 UTC
QE ack for 4.5.

Comment 20 Mike Gahagan 2007-03-29 15:04:11 UTC
Patch is in -52 and the customer has been using a hotfix kernel already for some
time.


Comment 22 Red Hat Bugzilla 2007-05-01 23:59:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html