Bug 248716 - Module MPPE cause kernel panic.
Summary: Module MPPE cause kernel panic.
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Michal Schmidt
QA Contact: Martin Jenner
Depends On:
Blocks: 425461
Reported: 2007-07-18 13:07 UTC by Seby Carta
Modified: 2008-05-21 14:46 UTC (History)

Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-05-21 14:46:34 UTC
Target Upstream Version:

Attachments
workaround patch (1008 bytes, patch)
2007-09-19 19:15 UTC, Michal Schmidt
a better fix (1.83 KB, patch)
2007-09-21 16:18 UTC, Michal Schmidt

System: Red Hat Product Errata
ID: RHBA-2008:0314
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Updated kernel packages for Red Hat Enterprise Linux 5.2
Last Updated: 2008-05-20 18:43:34 UTC

Description Seby Carta 2007-07-18 13:07:52 UTC
Description of problem:

The mppe module causes a kernel panic after a few seconds. I installed pptpd
x86_64; when I connect from clients my server machine freezes. I had to hard
reboot. The same configuration works OK on x86 architecture.

Version-Release number of selected component (if applicable):
2.6.18-8.x ( x86_64 version)

How reproducible:

Steps to Reproduce:
1. Start pptpd service
2. Connect from 1 Windows client
Actual results:

Server completely freezes with kernel panic

Expected results:

Establish VPN tunnel

Additional info:

This bug was also filed on CentOS Bugzilla (you can also find a kdump there):

Comment 1 Johannes Maybaum 2007-09-14 13:59:15 UTC
I can confirm this: i386 2.6.18-8.1.8 works OK;
the same setup on x86_64 produces the panic listed on the CentOS bug tracker.

Comment 2 Michal Schmidt 2007-09-19 13:49:23 UTC
I reproduced the bug on x86_64. Narrowed it down to 

Comment 3 Michal Schmidt 2007-09-19 19:15:09 UTC
Created attachment 199981 [details]
workaround patch

Don't allocate InterimKey on the stack, because then virt_to_page doesn't work
on it. Not yet sure if it's expected or an unintended side-effect of

Comment 4 RHEL Program Management 2007-09-20 15:06:18 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 5 Michal Schmidt 2007-09-21 16:18:35 UTC
Created attachment 202531 [details]
a better fix

After discussing it with others, I came to the conclusion that trying
virt_to_page on a stack-allocated buffer is indeed a bug. This patch fixes
mppe_rekey to avoid doing that. As a bonus, it gets rid of one memcpy and saves
a bit of stack space. I sent a patch to upstream too. I tested only the
upstream version. This one is only compile-tested so far.

Comment 6 Michal Schmidt 2007-09-24 09:29:49 UTC

I've uploaded a testing kernel with the patch to:

Could you verify it fixes the bug for you?


Comment 7 Seby Carta 2007-09-24 09:57:35 UTC
Hi Michael,
thank you for your work, the kernel runs perfectly! :-)
Could you please also publish the *-devel package?
Thank you very much.

Comment 8 Michal Schmidt 2007-09-24 10:28:55 UTC
OK, here it is:

But note that this kernel build didn't go through any QA tests, so I don't
recommend it for production use.

Comment 9 Seby Carta 2007-09-25 13:37:01 UTC
I installed the patch "a better fix" on kernel series 2.6.18-8.1.10 and it runs!
Will this patch be included in the next kernel release?
Thank you.

Comment 10 Michal Schmidt 2007-09-25 14:10:06 UTC
First it has to be accepted upstream. It's in -mm now and Andrew Morton will
probably send it to Linus for 2.6.24. Then it can be included in a RHEL Update
Release (5.x). I don't expect the patch to make it into a RHEL 5.0 kernel bugfix
release, unless a customer needs it.

Comment 11 V 2007-09-28 14:18:09 UTC
But we need to get a working VPN. Now I cannot use it. We buy a product and then
we cannot get fixes.

Comment 12 Michal Schmidt 2007-09-28 16:13:38 UTC

If you are a Red Hat Enterprise Linux user, would you please use Customer 
Support and file a request in the Issue Tracker. Include the number of this 
Bugzilla bug in the description of your issue. Support should be able to 
provide you with a fixed and still supported kernel, or at least push for 
earlier inclusion of the fix into a standard release.

If you are not our customer, you can still simply recompile the kernel source 
RPM in which you include the patch I provided here.

Anyway, I don't recommend using VPNs based on PPTP. PPTP has several known 
security flaws. Consider using other VPN solutions, e.g. IPsec or OpenVPN.

Comment 13 Sotnik Dmitrij 2007-09-28 16:57:33 UTC
Could I connect to existing servers using IPsec or OpenVPN instead of PPTP?

Comment 14 Michal Schmidt 2007-09-28 23:04:28 UTC
No. They are different protocols. To a PPTP server you can only connect with a 
PPTP client.

Comment 15 Sotnik Dmitrij 2007-09-29 09:06:10 UTC
> I don't expect the patch to make it into a RHEL 5.0 kernel bugfix
> release, unless a customer needs it.

> To a PPTP server you can only connect with a PPTP client.

So, RHEL5 currently DOESN'T work with most Windows and some BSD/Linux 
servers, doesn't work with most ISPs (because a lot of them use PPTP), and 
Red Hat really thinks that customers don't need this ability?

Please help me to understand, WHAT should we say to our ISPs and the admins of 
some servers? "Guys, PPTP is a bad way. Even if your server works fine and you 
already have hundreds of clients, you should remove your software and install 

Please add this patch to updates; we don't want to add this "must have" patch 
and recompile the kernel for every new version.

Thank you!

Comment 17 Don Zickus 2007-12-14 18:38:32 UTC
in 2.6.18-60.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 20 errata-xmlrpc 2008-05-21 14:46:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

