Bug 234485
| Summary: | LSPP: when searching for larval SAs check the protocol too | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Joy Latten <latten> | ||||
| Component: | kernel | Assignee: | Eric Paris <eparis> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 5.0 | CC: | dzickus, eparis, iboverma, krisw, linda.knippers, poelstra, sgrubb | ||||
| Target Milestone: | --- | Keywords: | OtherQA | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | RHBA-2007-0959 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2007-11-07 19:45:47 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 224041 | ||||||
| Attachments: |
|
||||||
|
Description
Joy Latten
2007-03-29 16:21:32 UTC
commit 75e252d981c0e80c14ce90df246e9b1300474c4f
Author: Joy Latten <latten.com>
Date: Mon Mar 12 17:14:07 2007 -0700
[XFRM]: Fix missing protocol comparison of larval SAs.
I noticed that in xfrm_state_add we look for the larval SA in a few
places without checking for protocol match. So when using both
AH and ESP, whichever one gets added first, deletes the larval SA.
It seems AH always gets added first and ESP is always the larval
SA's protocol since the xfrm->tmpl has it first. Thus causing the
additional km_query()
Adding the check eliminates accidental double SA creation.
Signed-off-by: Joy Latten <latten.com>
Signed-off-by: David S. Miller <davem>
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75e252d981c0e80c14ce90df246e9b1300474c4f
This commit depends on a couple of others that don't seem to be in the RHEL5 kernel.
Created attachment 151279 [details]
RHEL 5 version of this patch
Here is a RHEL5 version of this patch. RHEL5 doesn't implement the
__find_acq_core that is upstream, instead we have seperate functions for xfrm4
and xfrm6. As it turns out RHEL5 actually checks proto in those 2 fucntion and
the check for proto upstream was dropped when they switched to the unified
__find_acq_core. So this patch only fixes the other place we forgot to check
proto. Has been in the LSPP kernel for weeks and seems to be working fine for
people there.
I ran a 15 hour stress test for labeled ipsec over ipv4 in lspp 70 kernel and saw no problems. Joy has tested this and it is accepted into upstream kernel. in 2.6.18-27.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot3 on partners.redhat.com. Requested action: Please verify that your issue is fixed as soon as possible to ensure that it is included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. More assistance: If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager. Verified that this is fixed. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0959.html |