Bug 157849 - CVE-2005-3274 IPVS panic at ip_vs_conn_flush() when unloading ip_vs module
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Neil Horman
QA Contact: Brian Brock
Blocks: 156320
Reported: 2005-05-16 10:15 EDT by Issue Tracker
Modified: 2007-11-30 17:07 EST

Fixed In Version: RHSA-2005-663
Doc Type: Bug Fix
Last Closed: 2005-09-28 11:10:08 EDT

Attachments
patch to prevent unlocking in the middle of list traversal (624 bytes, patch)
2005-06-23 13:08 EDT, Neil Horman
new patch to prevent ipvs race (1.16 KB, patch)
2005-06-24 10:50 EDT, Neil Horman
upstream backport of ipvs fix (624 bytes, patch)
2005-06-28 13:21 EDT, Neil Horman
correct upstream backport patch (1.83 KB, patch)
2005-06-28 15:30 EDT, Neil Horman

Description Issue Tracker 2005-05-16 10:15:12 EDT
Escalated to Bugzilla from IssueTracker
Comment 16 Ernie Petrides 2005-05-16 17:14:18 EDT
Reassigning to DaveM.
Comment 17 Neil Horman 2005-06-03 11:36:19 EDT
Dave M. and Peter S. requested that I finish up the work on this bug.  I'll get
the smoke-tested patch posted here ASAP.
Comment 18 Neil Horman 2005-06-23 13:08:53 EDT
Created attachment 115883 [details]
patch to prevent unlocking in the middle of list traversal

I know previously I thought that the second Egenera patch was the right thing
to do, but now after looking more closely at it, I think the first idea is
probably the better way to go.  The problem comes down to the fact that you
release the spinlock that protects the list while you still have outstanding
work to do regarding the reading of its prev and next pointers (via the for
loop).  As such, when we re-acquire the lock, we need to reset our loop counter
so that it starts at the beginning of the list again (to ensure that our prev
and next pointers aren't corrupt).  The second suggested fix that I initially
thought was good now worries me a bit, because it tries to accomplish the same
thing in a less reliable manner.  By increasing the ref count on the next
pointer we can prevent the current element's next pointer from becoming
corrupt, but it's still possible (although far less likely) that the next->next
entry might get freed, and race with the ip_vs_conn_flush loop.  My point is I
don't think the second solution is really a complete fix.  We need to provide
mutual exclusion to _all_ list modifications and accesses.  That means either
resetting the entry pointer to the start of the loop, or just not unlocking the
loop.  Since we're waiting on the list to be flushed here, this boils down to
waiting for each element to flush individually (by re-expiring the same cp
entry using the list reset method), waiting for each to finish, or by holding
the lock until each expiration is requested, and then rescanning the list
looking for stragglers to re-expire (the mutex holding method).  The latter
seems less prone to errors to me.  It looks like this needs to go upstream as
well, so I'll post this there first, and if there isn't any push-back on it,
I'll push it here for RHEL3/4.
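The comment above weighs two ways to close the race. The stand-alone C model below (added here; it is not the kernel's, Egenera's or Red Hat's code) shows the "mutex holding" method it favours: the flush walk keeps the chain lock for the entire traversal and only requests expiry of each entry, then rescans until the connection count reaches zero. The lock flag, the struct fields and the expiry-timer stand-in are assumptions made for illustration, not the real ip_vs structures.

```c
#include <stdlib.h>
struct conn {                  /* stand-in for the real ip_vs_conn */
    struct conn *next, *prev;  /* hash-chain links (list_head in the kernel) */
    int expiring;              /* expiry requested, timer has not run yet */
    int refcnt;                /* >0: some other path still holds the entry */
};
static int tab_locked;         /* models the chain lock as a checkable flag */
static void tab_lock(void)   { if (tab_locked) abort(); tab_locked = 1; }
static void tab_unlock(void) { if (!tab_locked) abort(); tab_locked = 0; }
static struct conn tab = { &tab, &tab, 0, 0 };   /* chain head */
static int conn_count;
static void conn_add(int refcnt) {
    struct conn *cp = calloc(1, sizeof *cp); if (!cp) abort();
    cp->refcnt = refcnt; tab_lock();
    cp->next = tab.next; cp->prev = &tab; tab.next->prev = cp; tab.next = cp;
    conn_count++; tab_unlock();
}
/* Only requests expiry; it never unlinks, so calling it mid-walk is safe. */
static void conn_expire_now(struct conn *cp) { cp->expiring = 1; }
/* Stand-in for the expiry timer: frees unreferenced expiring entries; an
 * entry someone still holds sheds one reference and survives this round. */
static void run_expire_timers(void) {
    tab_lock();
    for (struct conn *cp = tab.next, *n; cp != &tab; cp = n) {
        n = cp->next;                      /* read before cp may be freed */
        if (!cp->expiring) continue;
        if (cp->refcnt > 0) { cp->refcnt--; continue; }
        cp->prev->next = n; n->prev = cp->prev;
        conn_count--; free(cp);
    }
    tab_unlock();
}
/* The "mutex holding" method: keep the lock for the whole chain walk, so no
 * next/prev pointer can change underneath us, then rescan for stragglers. */
static int conn_flush(void) {
    int rounds = 0;
    do {
        tab_lock();
        for (struct conn *cp = tab.next; cp != &tab; cp = cp->next)
            conn_expire_now(cp);
        tab_unlock(); run_expire_timers();  /* let the expiry path run */
    } while (++rounds < 100 && conn_count != 0);
    return conn_count == 0 ? rounds : -1; /* -1: an entry was never released */
}
/* Constructed scenario: three entries, one of them still referenced twice. */
int flush_demo(void) {
    conn_add(0); conn_add(2); conn_add(0);
    return conn_flush();                   /* 3 rounds until the table is empty */
}
```

Because the walk never drops the lock, no expiry path can unlink an entry between reading cp and reading cp->next; the straggler is simply picked up again on a later rescan.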
Comment 20 Neil Horman 2005-06-24 10:50:21 EDT
Created attachment 115935 [details]
new patch to prevent ipvs race

I've gotten some upstream feedback, and this is the variant of the patch that
is getting some traction currently.
Comment 21 Neil Horman 2005-06-28 13:21:45 EDT
Created attachment 116070 [details]
upstream backport of ipvs fix

Upstream backport to RHEL3 of ipvs patch
Comment 22 Neil Horman 2005-06-28 15:30:08 EDT
Created attachment 116081 [details]
correct upstream backport patch

Sorry, posted the wrong patch previously.  This is the correct one.
Comment 25 Ernie Petrides 2005-07-11 21:13:57 EDT
A fix for this problem has just been committed to the RHEL3 U6
patch pool this evening (in kernel version 2.4.21-32.10.EL).
Comment 29 Red Hat Bugzilla 2005-09-28 11:10:09 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

