Bug 985526 – ip link show hangs when rtnl_send fails

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 985526 - ip link show hangs when rtnl_send fails

Summary:	ip link show hangs when rtnl_send fails

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	iproute (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Petr Šabata
QA Contact:	David Spurek
Docs Contact:

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:
Keywords:	Patch

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2013-07-17 12:49 EDT by Andy Grimm
Modified:	2016-11-07 22:47 EST (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	iproute-2.6.32-24.el6
Doc Type:	Bug Fix
Doc Text:	Cause: The ip utility was mishandling netlink communication, which could cause hangs under certain cirtumstances. Consequence: Listing network devices with 'ip link show' hangs in a SELinux restricted mode. Fix: The ip utility now checks for the result of rtnl_send() before waiting for a reply, avoiding an indefinite hang. Result: It is now possible to list network devices in a SELinux restricted environment.
Story Points:	---
Clone Of:
Clones:	996537 1040454 (view as bug list)
Environment:
Last Closed:	2013-11-21 18:07:03 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
patch from andy to fix the issue (463 bytes, patch) 2013-08-06 16:23 EDT, Michael Scherer	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1697	normal	SHIPPED_LIVE	iproute bug fix and enhancement update	2013-11-20 19:39:29 EST

Groups: None (edit)

Description Andy Grimm 2013-07-17 12:49:20 EDT

Description of problem:

Inside an OpenShift gears, there are various restrictions on a user's access to network interfaces, addresses and ports.  One of these restrictions causes "ip link show" to hang.

Version-Release number of selected component (if applicable):

iproute-2.6.32-23.el6.x86_64

How reproducible:

Always (in OpenShift)

Steps to Reproduce:
1. Create an OpenShift app
2. rhc ssh <appname>
3. run "ip link show lo"

Actual results:

The command hangs until you kill it.

Expected results:

It should not hang

Additional info:

I did an strace and found this happening:

bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=32592, groups=00000000}, [12]) = 0
gettimeofday({1374074067, 433784}, NULL) = 0
sendto(3, " \0\0\0\20\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32, 0, NULL, 0) = -1 EACCES (Permission denied)
recvmsg(3, ^C <unfinished ...>

so I did a debug build inside my openshift gear, and tracked it down to this bit of code in iplink.c at line 160:

rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len);
rtnl_listen(&rth, accept_msg, NULL);

If I change this to:

if (rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len) == 0)
    rtnl_listen(&rth, accept_msg, NULL);

then the issue is resolved.

Comment 2 Petr Šabata 2013-07-18 05:47:46 EDT

Yes, that seems reasonable.

Comment 3 Michael Scherer 2013-08-06 03:38:24 EDT

This bug also happen on F19, when running selinux with a confined user. So this blocked facter and ansible on my work station. 

The exact AVC :
type=AVC msg=audit(1375773208.329:1511): avc:  denied  { nlmsg_write } for  pid=4256 comm="ip" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Should the bug be cloned for F19 ?

Comment 4 Michael Scherer 2013-08-06 14:18:36 EDT

To reproduce ( on F19, but should work equally on RHEL 6 ), add your current user ( or create a new one ) in a confined domain (make sure that you have a root shell opened somewhere or you know how to disable selinux in case you lock yourself out ) : 

$ sudo semanage login -a -s staff_u -r 's0-s0:c0.c1023' $(id -un)

logout ( or login in another tty )

check that you are running a restricted user id:
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c102c

check that you are running in enforcing mode:
$ getenforce
Enforcing

run:
$ ip link show em1

and wait

I am building a updated package with the proper patch to see if the issue is fixed.

Comment 5 Michael Scherer 2013-08-06 16:23:09 EDT

And i can say the following patch work

Comment 6 Michael Scherer 2013-08-06 16:23:52 EDT

Created attachment 783495 [details]
patch from andy to fix the issue

Comment 7 Petr Šabata 2013-08-13 07:36:00 EDT

Thanks, Michael!

True, this should be cloned for F19 as well.  I'll do that.

Comment 9 Petr Šabata 2013-08-13 12:17:40 EDT

Pushed as iproute-2.6.32-24.el6.

Comment 11 Andy Grimm 2013-08-14 12:35:05 EDT

I have confirmed that the new build resolves my issue in OpenShift.

Comment 12 Petr Šabata 2013-08-16 09:07:41 EDT

Thank you, Andy.

Comment 15 errata-xmlrpc 2013-11-21 18:07:03 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1697.html

Comment 16 Andrew Vagin 2013-12-10 06:28:44 EST

int rtnl_send(struct rtnl_handle *rth, const char *buf, int len)
{               
        return send(rth->fd, buf, len, 0);
} 

"send"  returns  the  number of characters sent.

Are you sure that this patch is correct?

It doesn't work for me.
-bash-4.1# ip link set up dev venet0
RTNETLINK answers: Operation not supported

Note You need to log in before you can comment on or make changes to this bug.