Bug 268001 - bonding: Fix use after free in unregister path
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
5.1
All Linux
medium Severity high
: rc
: ---
Assigned To: Andy Gospodarek
Martin Jenner
: OtherQA
: 249806
Depends On:
Blocks: 246139 246258 296411 372911 420521 422431 422441 430580
Reported: 2007-08-30 12:49 EDT by Flavio Leitner
Modified: 2014-06-29 18:59 EDT
Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Last Closed: 2008-05-21 10:54:23 EDT

Attachments
Patch from upstream with offsets fixed for RHEL-5 (2.08 KB, patch)
2007-08-30 12:49 EDT, Flavio Leitner
bonding-rhel5-fixes.patch (13.54 KB, patch)
2008-01-25 14:25 EST, Andy Gospodarek

Description Flavio Leitner 2007-08-30 12:49:54 EDT
Description of problem:

An operation of the form "echo -bond0 > /sys/class/net/bonding_masters"
can trigger a NULL pointer dereference in sysfs.

How reproducible:
Set up bond0 interface, take it down and do:
# echo -bond0 > /sys/class/net/bonding_masters

Steps to Reproduce:
  1) Bonding device is set.
  2) ifdown bond0
  3) echo -bond0 > /sys/class/net/bonding_masters

Actual results:
Panic

Additional info:
A fix is available to fix this problem and is on upstream:
http://lkml.org/lkml/2007/6/19/279

I'll attach the patch with offsets fixed for RHEL5.

-Flavio
Comment 1 Flavio Leitner 2007-08-30 12:49:55 EDT
Created attachment 181361
Patch from upstream with offsets fixed for RHEL-5
Comment 4 RHEL Product and Program Management 2007-09-11 13:03:56 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Andy Gospodarek 2007-11-20 09:08:44 EST
My test kernels have been updated to include a patch for this bugzilla.

http://people.redhat.com/agospoda/#rhel5

Please test them and report back your results.
Comment 6 Issue Tracker 2007-11-22 04:43:23 EST
Feedback from Fujitsu.

------------------------------------
Matsuya-san,

I tested the same test on test-RPMS.
When the bonding device was deleted, the system did not hit a kernel panic.
Thank you for your fix.

Izumi Takada

Internal Status set to 'Waiting on Engineering'

This event sent from IssueTracker by mmatsuya 
 issue 130401
Comment 10 Andy Gospodarek 2007-12-14 09:17:42 EST
My test kernels have been updated to include a patch for this bugzilla.

http://people.redhat.com/agospoda/#rhel5

Please test them and report back your results.
Comment 11 Issue Tracker 2007-12-21 10:46:10 EST
Hi Andy,

From Fujitsu:
------------------------------------------
I tested the same test on test-kernel.
   Kernel version:  2.6.18-61.el5.gtest.34

The kernel panic didn't happen on the system.

But the following messages continued to output and command prompt didn't
return when IPv6 state is on.
   kernel: unregister_netdevice: waiting for bond0 to become free. Usage count = 1

When I turned off and tested IPv6, this message was not output.


This event sent from IssueTracker by mmatsuya 
 issue 130401
Comment 12 Don Zickus 2007-12-21 15:17:50 EST
in 2.6.18-62.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 14 Andy Gospodarek 2008-01-08 10:53:43 EST
Unfortunately a bug slipped into the RHEL5 dev tree that caused the problem they describe, but it has already been fixed in the latest dev tree and my test kernels.
Comment 15 Issue Tracker 2008-01-15 01:52:50 EST
Hello Andy,

> but it has already been fixed in the latest dev tree and my test kernels.

But this problem occurred again on the environment of Fujitsu with your
test kernel.
Can you please check it again?

> Matsuya-san,
> 
> I checked the same test on test-kernel again.
> --> Kernel version:  2.6.18-62.el5.gtest.36

> But the following problem happened again.
> Sorry, would you check it, please?

>> But the following messages continued to output and command prompt didn't
>> return when IPv6 state is on.
>>    kernel: unregister_netdevice: waiting for bond0 to become free. Usage count = 1


This event sent from IssueTracker by mmatsuya 
 issue 130401
Comment 16 Andy Gospodarek 2008-01-15 09:11:07 EST
I was sure my most recent test kernels had this resolved.  Does this issue still appear with gtest.36?
Comment 17 Issue Tracker 2008-01-17 22:13:30 EST
Yes, Fujitsu tested gtest.36. And they saw this problem. 

> But the following messages continued to output and command prompt didn't
> return when IPv6 state is on.
>    kernel: unregister_netdevice: waiting for bond0 to become free. Usage count = 1

This event sent from IssueTracker by mmatsuya 
 issue 130401
Comment 19 Andy Gospodarek 2008-01-25 14:25:03 EST
Created attachment 292974
bonding-rhel5-fixes.patch

I could not make my system on the latest kernel (2.6.18-72.el5) fail with a
simple 

# ifdown bond0

but I did find that the original test case fails again due to some other
patches that were added.  The box doesn't panic, but there are some reference
count issues.  This was already fixed upstream and I wanted to pull it anyway,
so I've attached the patch that resolves the original test case.

If the customer can reproduce this problem by simply typing

# ifdown bond0 

please have them provide more detailed information.  I even assigned an ipv6
address in my testing and did not have any problems.
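
One way to spot the hang reported in comments 11 to 17 from saved kernel logs, as an added example that is not part of the original bug report or of either attached patch. The function names `stuck_netdevs` and `sample_log`, the repeat threshold and the sample log lines are constructed for illustration; only the message text comes from this bug.

```shell
#!/bin/sh
# Added example: find devices that keep printing the refcount-wait message
# quoted in this bug, which indicates unregister_netdevice is not completing.

# stuck_netdevs [MIN_REPEATS]
# Reads kernel log lines on stdin and prints "<dev> <repeats> <last_count>"
# for each device whose wait message appears at least MIN_REPEATS times.
stuck_netdevs() {
    min="${1:-2}"
    awk -v min="$min" '
        # Message as quoted in the bug:
        #   unregister_netdevice: waiting for bond0 to become free. Usage count = 1
        match($0, /unregister_netdevice: waiting for [^ ]+ to become free\. Usage count = [0-9]+/) {
            msg = substr($0, RSTART, RLENGTH)
            n = split(msg, f, " ")
            dev = f[4]            # device name follows "waiting for"
            seen[dev]++           # how many times this device has waited
            last[dev] = f[n]      # most recent usage count reported
        }
        END {
            for (d in seen)
                if (seen[d] >= min)
                    printf "%s %d %s\n", d, seen[d], last[d]
        }
    ' | sort
}

# Constructed sample input (hostnames, timestamps and the bond1 line are made up).
sample_log() {
    cat <<'EOF'
Dec 21 10:40:01 host sshd[1234]: session opened for user root
Dec 21 10:40:11 host kernel: unregister_netdevice: waiting for bond0 to become free. Usage count = 1
Dec 21 10:40:21 host kernel: unregister_netdevice: waiting for bond0 to become free. Usage count = 1
Dec 21 10:40:31 host kernel: unregister_netdevice: waiting for bond0 to become free. Usage count = 1
Dec 21 10:41:02 host kernel: unregister_netdevice: waiting for bond1 to become free. Usage count = 2
EOF
}

# Report devices that printed the message three or more times.
sample_log | stuck_netdevs 3
```

A single occurrence can be a short wait that resolves on its own; a device that repeats the message with an unchanged count matches the behaviour described in this bug, where the command prompt did not return.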
Comment 20 Andy Gospodarek 2008-01-30 10:56:40 EST
My test kernels have been updated to include a patch for this bugzilla.

http://people.redhat.com/agospoda/#rhel5

Please test them and report back your results.
Comment 24 Andy Gospodarek 2008-02-04 10:24:47 EST
My test kernels have been updated to include a patch for this bugzilla.

http://people.redhat.com/agospoda/#rhel5

Please test them and report back your results.
Comment 27 Don Domingo 2008-02-07 19:51:02 EST
does this need to be mentioned in the release notes? if so, please post the
necessary content for it. thanks!
Comment 28 Don Zickus 2008-02-08 15:30:10 EST
in 2.6.18-79.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 30 John Poelstra 2008-03-20 23:59:33 EDT
Greetings Red Hat Partner,

A fix for this issue should be included in the latest packages contained in
RHEL5.2-Snapshot1--available now on partners.redhat.com.  

Please test and confirm that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to ASSIGNED.

If you are receiving this message in Issue Tracker, please reply with a message
to Issue Tracker about your results and I will update bugzilla for you.  If you
need assistance accessing ftp://partners.redhat.com, please contact your Partner
Manager.

Thank you
Comment 32 Don Domingo 2008-03-30 19:03:36 EDT
can somebody please post the necessary release note text for this? i'm afraid i
don't fully understand the issue that was resolved. thanks!
Comment 33 Andy Gospodarek 2008-03-31 08:36:04 EDT
Don, you can probably just get away with a note that indicates that the bonding
driver has been upgraded to version 3.2.4.

Comment 35 Andy Gospodarek 2008-04-07 18:09:38 EDT
*** Bug 249806 has been marked as a duplicate of this bug. ***
Comment 37 errata-xmlrpc 2008-05-21 10:54:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html
