When testing [CVE-2011-2482] with SELinux disabled (haven't triggered panic on patched kernel with selinux on), the reproducer run after regular user causes soft lookups and the machine becomes completely unresponsive on patched kernel. Target machine was unresponsive after remote part of reproducer (con) killed. Target with patched kernel needed to be rebooted to start working regularly. [root@intel-mahobay-01 ~]# setenforce 0 [test@intel-mahobay-01 ~]$ uname -r 2.6.18-238.30.1.el5 [test@intel-mahobay-01 ~]$ for i in 3333 3334 3335 3336; do > ./acc -a 1 -p $i -K -k 10000 -K -F 1 -R -U -W & done [test@intel-mahobay-01 ~]$ BUG: soft lockup - CPU#2 stuck for 60s! [acc:5861] CPU 2: Modules linked in: md5 sctp autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf be2iscsi ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic ipv6 xfrm_nalgo crypto_api uio cxgb3i cxgb3 libiscsi_tcp libiscsi2 scsi_transport_iscsi2 scsi_transport_iscsi loop dm_multipath scsi_dh video backlight sbs power_meter hwmon i2c_ec i2c_core dell_wmi wmi button battery asus_acpi acpi_memhotplug ac lp sr_mod cdrom parport_serial sg e1000e parport_pc shpchp igb parport 8021q tpm_tis dca tpm pcspkr tpm_bios dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd Pid: 5861, comm: acc Not tainted 2.6.18-238.30.1.el5 #1 RIP: 0010:[<ffffffff80064be3>] [<ffffffff80064be3>] .text.lock.spinlock+0x29/0x30 RSP: 0018:ffff810139751dc8 EFLAGS: 00000282 RAX: ffff810139751fd8 RBX: 0000000000000000 RCX: ffff81013a7660d0 RDX: ffff81014daa38d0 RSI: ffff81014daa38d0 RDI: ffff810139dd89c0 RBP: ffff810139e82e00 R08: ffff810146e56700 R09: 0000000000000000 R10: ffff810139751b68 R11: ffff81013a352000 R12: 0000000000000292 R13: ffff81014daa38a8 R14: ffffffff88671ba7 R15: 0000000000000296 FS: 00002aaed65086e0(0000) GS:ffff81014e4ffe40(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007fff136a7c40 CR3: 000000013a3a6000 CR4: 00000000000006e0 Call Trace: [<ffffffff80064ae9>] _spin_lock_bh+0x9/0x14 [<ffffffff80030fe6>] release_sock+0x13/0xc1 [<ffffffff8867f048>] :sctp:sctp_accept+0x1b7/0x1d0 [<ffffffff800a2884>] autoremove_wake_function+0x0/0x2e [<ffffffff8026822a>] inet_accept+0x25/0xcb [<ffffffff8022b938>] sys_accept+0x11c/0x1ea [<ffffffff80030fe6>] release_sock+0x13/0xc1 [<ffffffff8022d9cb>] sock_setsockopt+0x4d3/0x4e5 [<ffffffff800b95d4>] audit_syscall_entry+0x1a4/0x1cf [<ffffffff8005d28d>] tracesys+0xd5/0xe0 BUG: soft lockup - CPU#7 stuck for 60s! [ksoftirqd/7:24] CPU 7: Modules linked in: md5 sctp autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf be2iscsi ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp bnx2i cnic ipv6 xfrm_nalgo crypto_api uio cxgb3i cxgb3 libiscsi_tcp libiscsi2 scsi_transport_iscsi2 scsi_transport_iscsi loop dm_multipath scsi_dh video backlight sbs power_meter hwmon i2c_ec i2c_core dell_wmi wmi button battery asus_acpi acpi_memhotplug ac lp sr_mod cdrom parport_serial sg e1000e parport_pc shpchp igb parport 8021q tpm_tis dca tpm pcspkr tpm_bios dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd Pid: 24, comm: ksoftirqd/7 Not tainted 2.6.18-238.30.1.el5 #1 RIP: 0010:[<ffffffff80064bbf>] [<ffffffff80064bbf>] .text.lock.spinlock+0x5/0x30 RSP: 0018:ffff810104a6fcb0 EFLAGS: 00000282 RAX: 0000000000000000 RBX: ffff81014717c480 RCX: 0000000000000000 RDX: ffff810139e05d60 RSI: ffff810104a6fd14 RDI: ffff810139dd89c0 RBP: ffff810104a6fc30 R08: ffff810139e05cc0 R09: 0000000000000000 R10: ffff810139e05cc0 R11: 00000000000000f8 R12: ffffffff8005dc8e R13: ffff810139e05cc0 R14: ffffffff80078f1d R15: ffff810104a6fc30 FS: 0000000000000000(0000) GS:ffff81014e59e340(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 00007fff136a7c34 CR3: 0000000000201000 CR4: 00000000000006e0 Call Trace: <IRQ> [<ffffffff8868093c>] :sctp:sctp_rcv+0x61e/0x7ba [<ffffffff8008f355>] scheduler_tick+0xc3/0x35f [<ffffffff80034b1e>] ip_local_deliver+0x19d/0x263 [<ffffffff80035c7a>] ip_rcv+0x539/0x57c [<ffffffff80020bdc>] netif_receive_skb+0x470/0x49f [<ffffffff8823ebfb>] :e1000e:e1000_receive_skb+0x1b5/0x1d6 [<ffffffff8824390d>] :e1000e:e1000_clean_rx_irq+0x271/0x318 [<ffffffff88241abc>] :e1000e:e1000_clean+0x7c/0x29b [<ffffffff8000ca35>] net_rx_action+0xac/0x1b3 [<ffffffff80012537>] __do_softirq+0x89/0x133 [<ffffffff8005e2fc>] call_softirq+0x1c/0x28 <EOI> [<ffffffff80096395>] ksoftirqd+0x0/0xbf [<ffffffff8006d5f5>] do_softirq+0x2c/0x7d [<ffffffff800963f4>] ksoftirqd+0x5f/0xbf [<ffffffff80032b28>] kthread+0xfe/0x132 [<ffffffff8005dfb1>] child_rip+0xa/0x11 [<ffffffff80032a2a>] kthread+0x0/0x132 [<ffffffff8005dfa7>] child_rip+0x0/0x11
Statement: This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6 and Red Hat Enterprise MRG as they were not vulnerable to CVE-2011-2482. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0007 https://rhn.redhat.com/errata/RHSA-2012-0007.html
Upstream commit: http://git.kernel.org/linus/ae53b5bd77719fed58086c5be60ce4f22bffe1c6