176455 – [CM] [RHEL4] IPSec Kernel Bug

Bug 176455 - [CM] [RHEL4] IPSec Kernel Bug

Summary: [CM] [RHEL4] IPSec Kernel Bug

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Jeff Layton
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-12-22 23:03 UTC by Bryan Mason
Modified:	2014-06-18 07:35 UTC (History)
CC List:	4 users (show)
Fixed In Version:	RHBA-2007-0304
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-05-01 23:59:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
backport of immediate SA switchover patch from upstream (1.86 KB, patch) 2006-10-04 13:33 UTC, Jeff Layton	no flags	Details \| Diff
respun patch, include dst->obsolete < 0 check (2.65 KB, patch) 2006-10-04 14:01 UTC, Jeff Layton	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2007:0304	0	normal	SHIPPED_LIVE	Updated kernel packages available for Red Hat Enterprise Linux 4 Update 5	2007-04-28 18:58:50 UTC

Comment 1 David Miller 2005-12-24 09:44:23 UTC

I already cooked up a patch so I'll take this.

Comment 6 Jeff Layton 2006-10-04 13:33:22 UTC

Created attachment 137740 [details]
backport of immediate SA switchover patch from upstream

Instead of using RHEL3's patch as a base, I backported the original upstream
patch here, since it was a little closer to the RHEL4 codebase. The original
patch is here:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=399c180ac5f0cb66ef9479358e0b8b6bafcbeafe


There is another patch, however, that we might want to consider, which looks
like it fixed some deficiencies of the original patch:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d49c73c729e2ef644558a1f441c044bfacdc9744


Dave, you're more familiar with this code than I. Should I backport that one
too?

Comment 7 Jeff Layton 2006-10-04 14:01:50 UTC

Created attachment 137743 [details]
respun patch, include dst->obsolete < 0 check

Respun patch that includes the later patch to correct the case when
dst->obsolete < 0.

Comment 8 David Miller 2006-10-04 20:40:27 UTC

Good catch Jeff, yes that second bit with the dst->obsolete check
is needed.

Comment 9 Jeff Layton 2006-10-24 11:28:52 UTC

The patch seems to have fixed the customer's Linux-Linux renegotiation problems,
but Linux-Windows doesn't seem to be working correctly still. Going to see if I
can crank up debugging in racoon and get some idea of why it's not occurring.

Essentially, network captures show the ISAKMP messages being sent back and forth
for rekeying, but the sequence number of the packets following that don't get
reset back to 1. I'm presuming this means that the rekeying failed for some reason.

Comment 11 Jeff Layton 2006-11-28 20:01:18 UTC

I'm planning to post the patch here soon, so I'll go ahead and grab this from Dave.

Comment 13 Jason Baron 2006-12-04 19:16:10 UTC

committed in stream U5 build 42.28. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 15 RHEL Program Management 2006-12-11 15:40:57 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 16 Jay Turner 2006-12-11 17:51:50 UTC

QE ack for 4.5.

Comment 20 Mike Gahagan 2007-03-29 15:04:11 UTC

Patch is in -52 and the customer has been using a hotfix kernel already for some
time.

Comment 22 Red Hat Bugzilla 2007-05-01 23:59:50 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html

Note You need to log in before you can comment on or make changes to this bug.