[strongSwan] Kernel panic with VTI tunnel

Mike Noordermeer mike at normi.net
Sun Mar 15 15:15:35 CET 2015


Hi,

I am currently experiencing the same kernel panic on multiple hosts,
with a quite recent Linux kernel, and was wondering if anyone here has
an idea of what the issue could be, or how I could further debug it.
Any help is appreciated.

I am using Linux 3.16 (3.16.7-ckt4-3~bpo70+1 from Debian
wheezy-backports) and strongSwan 5.2.1 (5.2.1-5~bpo70+1 from Debian
wheezy-backports). I have a fairly 'simple' tunnel with a mark and a
left/right subnet of 0/0, and I have disabled install_routes in
strongSwan. I also have a VTI device configured with the same mark.
This all works well, but it causes a kernel panic every few hours,
always at the same spot. As far as I can see, no fixes for such an
issue have been committed to the kernel since version 3.16.

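From the backtrace it seems that xfrm_input() in the kernel is hitting
a NULL dereference when dereferencing 'outer_mode' in the xfrm_state
struct. The oops below is consistent with that: RAX is 0 and the
faulting address in CR2 is 0x34, i.e. a read at a small offset from a
NULL pointer. This is the line, to be precise:
https://github.com/torvalds/linux/blob/2e71029e2c32ecd59a2e8f351517bfbbad42ac11/include/net/xfrm.h#L1807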

Any idea on why this could be NULL? Some config details and the full
backtrace are below.

Thanks,

Mike

----------------------------------------
Simplified ipsec.conf:
----------------------------------------

config setup

conn %default
        keyexchange = ikev2
        dpdaction = restart
        esp = aes128gcm128-modp4096!
        ike = aes128gcm128-prfsha256-modp4096!
        mobike = no
        auto = route

conn myconnection
        left = x.x.x.x
        leftcert = leftcert.crt
        leftsubnet = 0.0.0.0/0
        right = y.y.y.y
        rightcert = rightcert.crt
        rightsubnet = 0.0.0.0/0
        mark = 15

----------------------------------------
ip xfrm policy
----------------------------------------

src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 3075 ptype main
    mark 15/0xffffffff
    tmpl src y.y.y.y dst x.x.x.x
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 3075 ptype main
    mark 15/0xffffffff
    tmpl src y.y.y.y dst x.x.x.x
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 3075 ptype main
    mark 15/0xffffffff
    tmpl src x.x.x.x dst y.y.y.y
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main

----------------------------------------
ip xfrm state
----------------------------------------

src x.x.x.x dst y.y.y.y
    proto esp spi 0xcb5c6f72 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 15/0xffffffff
    aead rfc4106(gcm(aes)) 0x3d1c9ae2f921fc088b2e54a1d1efcd3e4441e502 128
src y.y.y.y dst x.x.x.x
    proto esp spi 0xcd742975 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 15/0xffffffff
    aead rfc4106(gcm(aes)) 0x439dd5bf790a1f7ba1979d798757bab94f62776c 128
src x.x.x.x dst y.y.y.y
    proto esp spi 0xc79db590 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 15/0xffffffff
    aead rfc4106(gcm(aes)) 0x7bf0811323a4df1118680d30d4117ed403b60bd8 128
src y.y.y.y dst x.x.x.x
    proto esp spi 0xc8e198f5 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 15/0xffffffff
    aead rfc4106(gcm(aes)) 0x1f1f32fc74a0d8ba38b9aab67fbbfff1024cf265 128

----------------------------------------
Kernel oops backtrace
----------------------------------------

[31202.487290] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000034
[31202.499656] IP: [<ffffffff814e4a12>] xfrm_input+0x3d2/0x590
[31202.502444] PGD 0
[31202.503479] Oops: 0000 [#1] SMP
[31202.505121] Modules linked in: seqiv xfrm6_mode_tunnel
xfrm4_mode_tunnel xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp
esp4 ah4 af_key xfrm_algo act_police cls_basic cls_flow cls_fw cls_u32
sch_tbf sch_prio sch_hfsc sch_htb sch_ingress sch_sfq xt_statistic
xt_CT xt_realm xt_LOG iptable_raw xt_connlimit xt_addrtype xt_comment
xt_nat xt_recent ipt_ULOG ipt_REJECT ipt_MASQUERADE ipt_ECN
ipt_CLUSTERIP ipt_ah nf_nat_tftp nf_nat_snmp_basic nf_conntrack_snmp
nf_nat_sip nf_nat_pptp nf_nat_proto_gre nf_nat_irc nf_nat_h323
nf_nat_ftp xt_set ip_set nf_nat_amanda nf_conntrack_tftp
nf_conntrack_sip nf_conntrack_sane nf_conntrack_proto_udplite
nf_conntrack_proto_sctp nf_conntrack_pptp nf_conntrack_proto_gre
nf_conntrack_netlink nf_conntrack_netbios_ns nf_conntrack_broadcast
nf_conntrack_irc ts_kmp nf_conntrack_amanda nf_conntrack_h323
nf_conntrack_ftp xt_time xt_TCPMSS xt_TPROXY xt_tcpmss xt_sctp
xt_policy xt_pkttype xt_physdev xt_owner xt_NFLOG nfnetlink_log
xt_NFQUEUE xt_multiport xt_mark xt_mac xt_limit xt_length xt_iprange
xt_helper xt_hashlimit xt_DSCP xt_dscp xt_dccp xt_connmark xt_CLASSIFY
ip6t_REJECT xt_AUDIT xt_tcpudp iptable_nat nf_nat_ipv4 xt_state nf_nat
nf_conntrack_ipv6 nf_conntrack_ipv4 nf_defrag_ipv6 nf_defrag_ipv4
xt_conntrack nf_conntrack iptable_mangle ip6table_raw ip6table_mangle
nfnetlink iptable_filter ip6table_filter ip6_tables ip_tables x_tables
ip_vti ip_tunnel loop coretemp vmwgfx ttm crct10dif_pclmul
drm_kms_helper crc32_pclmul ghash_clmulni_intel drm aesni_intel
aes_x86_64 lrw gf128mul glue_helper vmw_balloon ablk_helper cryptd
psmouse i2c_piix4 i2c_core serio_raw pcspkr evdev vmw_vmci shpchp
battery parport_pc parport processor thermal_sys ac button ext4 crc16
mbcache jbd2 dm_mod sr_mod cdrom sg sd_mod crc_t10dif crct10dif_common
ata_generic crc32c_intel floppy ata_piix e1000 libata mptspi
scsi_transport_spi mptscsih mptbase scsi_mod
[31202.591173] CPU: 0 PID: 3829 Comm: charon Not tainted
3.16.0-0.bpo.4-amd64 #1 Debian 3.16.7-ckt4-3~bpo70+1
[31202.595671] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 04/14/2014
[31202.600531] task: ffff88002b3112f0 ti: ffff88002bef4000 task.ti:
ffff88002bef4000
[31202.603967] RIP: 0010:[<ffffffff814e4a12>]  [<ffffffff814e4a12>]
xfrm_input+0x3d2/0x590
[31202.607734] RSP: 0000:ffff880031003b98  EFLAGS: 00010286
[31202.610241] RAX: 0000000000000000 RBX: ffff880030a33d00 RCX: 0000000000000000
[31202.613640] RDX: 0000000000000001 RSI: 0000000000000200 RDI: ffffffff814e1633
[31202.617023] RBP: 0000000000000002 R08: ffff880030916c00 R09: 0000000000000002
[31202.620272] R10: 0000000000000032 R11: 00000000033993db R12: 0000000000000032
[31202.623532] R13: 0000000000000032 R14: ffff880030916c00 R15: 0000000000000000
[31202.626860] FS:  00007f669aafa700(0000) GS:ffff880031000000(0000)
knlGS:0000000000000000
[31202.630585] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[31202.633234] CR2: 0000000000000034 CR3: 000000002146e000 CR4: 00000000000407f0
[31202.636588] Stack:
[31202.637589]  ffffffff81486050 00000000a1339d6c ffffffff818b7bc0
0000000030a33d00
[31202.641338]  ffff88002925769e 5059f5ca00000002 0000000000000032
01000000260ae8c0
[31202.645024]  ffff88002a902000 ffff880030a33d00 ffffffffa02df040
ffffffff818b7bc0
[31202.648700] Call Trace:
[31202.649879]  <IRQ>
[31202.650797]  [<ffffffff81486050>] ? ip_rcv_finish+0x370/0x370
[31202.653769]  [<ffffffff814d87b7>] ? xfrm4_esp_rcv+0x37/0x70
[31202.656423]  [<ffffffff814860ee>] ? ip_local_deliver_finish+0x9e/0x200
[31202.659449]  [<ffffffff8144b15b>] ? __netif_receive_skb_core+0x57b/0x700
[31202.662551]  [<ffffffff8101e0c5>] ? read_tsc+0x5/0x20
[31202.664889]  [<ffffffff8144ba6f>] ? netif_receive_skb_internal+0x1f/0x90
[31202.668100]  [<ffffffff8144c3d8>] ? napi_gro_receive+0x128/0x1b0
[31202.670892]  [<ffffffffa00af36b>] ? e1000_clean_rx_irq+0x2db/0x560 [e1000]
[31202.674112]  [<ffffffffa00b0313>] ? e1000_clean+0x273/0x980 [e1000]
[31202.677012]  [<ffffffffa00b0406>] ? e1000_clean+0x366/0x980 [e1000]
[31202.679902]  [<ffffffff8104dab1>] ? ack_apic_level+0x81/0x170
[31202.682591]  [<ffffffff8144cb21>] ? net_rx_action+0x121/0x230
[31202.685246]  [<ffffffff81072c0e>] ? __do_softirq+0xde/0x2e0
[31202.687941]  [<ffffffff8104dab1>] ? ack_apic_level+0x81/0x170
[31202.690708]  [<ffffffff81073066>] ? irq_exit+0x86/0xb0
[31202.693130]  [<ffffffff8154c856>] ? do_IRQ+0x66/0x110
[31202.695531]  [<ffffffff8154a6ed>] ? common_interrupt+0x6d/0x6d
[31202.698241]  <EOI>
[31202.699165] Code: ff ff 85 c0 0f 85 c1 fd ff ff e9 05 fd ff ff 66
2e 0f 1f 84 00 00 00 00 00 48 83 7b 40 00 0f 84 5b fd ff ff 49 8b 86
e0 02 00 00 <f6> 40 34 01 0f 84 85 fd ff ff e9 45 fd ff ff 0f 1f 80 00
00 00
[31202.712413] RIP  [<ffffffff814e4a12>] xfrm_input+0x3d2/0x590
[31202.715102]  RSP <ffff880031003b98>
[31202.716751] CR2: 0000000000000034
[31202.719064] ---[ end trace cebe794b0c57af5e ]---
[31202.721593] Kernel panic - not syncing: Fatal exception in interrupt
[31202.724814] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation
range: 0xffffffff80000000-0xffffffff9fffffff)

