[strongSwan] Kernel panic with VTI tunnel

Mike Noordermeer mike at normi.net
Mon Mar 16 09:18:46 CET 2015


Hi,

Do you happen to have any more specific info on this bugfix? I would
rather not deviate from the Debian default kernels, so it would be
nice if I could point the maintainers to a specific fix that should be
backported.

Thanks,

Mike


On 15 March 2015 at 17:02, Andre Valentin <avalentin at marcant.net> wrote:
> Hi!
>
> Try kernel 3.18. There's a bugfix for an issue like this.
>
> Kind regards,
>
> André
>
>
> On 15.03.2015 at 15:15, Mike Noordermeer wrote:
>> Hi,
>>
>> I am currently experiencing the same kernel panic on multiple hosts,
>> with a quite recent Linux kernel, and was wondering if anyone here has
>> an idea of what the issue could be, or how I could further debug it.
>> Any help is appreciated.
>>
>> I am using Linux 3.16 (3.16.7-ckt4-3~bpo70+1 from Debian
>> wheezy-backports) and Strongswan 5.2.1 (5.2.1-5~bpo70+1 from Debian
>> wheezy-backports). I have a fairly 'simple' tunnel with a mark and a
>> left/right subnet of 0/0, and disabled install_routes in Strongswan.
>> Then I have a VTI device configured with the same mark. This all works
>> well, but causes a kernel panic every few hours, always on the same
>> spot. As far as I can see, no fixes for such an issue have been
>> committed to the kernel since version 3.16.
>>
>> From the backtrace it seems that xfrm_input() in the kernel is hitting
>> a NULL dereference, when dereferencing 'outer_mode' in the xfrm_state
>> struct, this line to be precise:
>> https://github.com/torvalds/linux/blob/2e71029e2c32ecd59a2e8f351517bfbbad42ac11/include/net/xfrm.h#L1807
>>
>> Any idea on why this could be NULL? Some config details and the full
>> backtrace are below.
>>
>> Thanks,
>>
>> Mike
>>
>> ----------------------------------------
>> Simplified ipsec.conf:
>> ----------------------------------------
>>
>> config setup
>>
>> conn %default
>>         keyexchange = ikev2
>>         dpdaction = restart
>>         esp = aes128gcm128-modp4096!
>>         ike = aes128gcm128-prfsha256-modp4096!
>>         mobike = no
>>         auto = route
>>
>> conn myconnection
>>         left = x.x.x.x
>>         leftcert = leftcert.crt
>>         leftsubnet = 0.0.0.0/0
>>         right = y.y.y.y
>>         rightcert = rightcert.crt
>>         rightsubnet = 0.0.0.0/0
>>         mark = 15
>>
>> ----------------------------------------
>> ip xfrm policy
>> ----------------------------------------
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>     dir fwd priority 3075 ptype main
>>     mark 15/0xffffffff
>>     tmpl src y.y.y.y dst x.x.x.x
>>         proto esp reqid 1 mode tunnel
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>     dir in priority 3075 ptype main
>>     mark 15/0xffffffff
>>     tmpl src y.y.y.y dst x.x.x.x
>>         proto esp reqid 1 mode tunnel
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>     dir out priority 3075 ptype main
>>     mark 15/0xffffffff
>>     tmpl src x.x.x.x dst y.y.y.y
>>         proto esp reqid 1 mode tunnel
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>     socket in priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>     socket out priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>     socket in priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>     socket out priority 0 ptype main
>> src ::/0 dst ::/0
>>     socket in priority 0 ptype main
>> src ::/0 dst ::/0
>>     socket out priority 0 ptype main
>> src ::/0 dst ::/0
>>     socket in priority 0 ptype main
>> src ::/0 dst ::/0
>>     socket out priority 0 ptype main
>>
>> ----------------------------------------
>> ip xfrm state
>> ----------------------------------------
>>
>> src x.x.x.x dst y.y.y.y
>>     proto esp spi 0xcb5c6f72 reqid 1 mode tunnel
>>     replay-window 32 flag af-unspec
>>     mark 15/0xffffffff
>>     aead rfc4106(gcm(aes)) 0x3d1c9ae2f921fc088b2e54a1d1efcd3e4441e502 128
>> src y.y.y.y dst x.x.x.x
>>     proto esp spi 0xcd742975 reqid 1 mode tunnel
>>     replay-window 32 flag af-unspec
>>     mark 15/0xffffffff
>>     aead rfc4106(gcm(aes)) 0x439dd5bf790a1f7ba1979d798757bab94f62776c 128
>> src x.x.x.x dst y.y.y.y
>>     proto esp spi 0xc79db590 reqid 1 mode tunnel
>>     replay-window 32 flag af-unspec
>>     mark 15/0xffffffff
>>     aead rfc4106(gcm(aes)) 0x7bf0811323a4df1118680d30d4117ed403b60bd8 128
>> src y.y.y.y dst x.x.x.x
>>     proto esp spi 0xc8e198f5 reqid 1 mode tunnel
>>     replay-window 32 flag af-unspec
>>     mark 15/0xffffffff
>>     aead rfc4106(gcm(aes)) 0x1f1f32fc74a0d8ba38b9aab67fbbfff1024cf265 128
>>
>> ----------------------------------------
>> Kernel oops backtrace
>> ----------------------------------------
>>
>> [31202.487290] BUG: unable to handle kernel NULL pointer dereference
>> at 0000000000000034
>> [31202.499656] IP: [<ffffffff814e4a12>] xfrm_input+0x3d2/0x590
>> [31202.502444] PGD 0
>> [31202.503479] Oops: 0000 [#1] SMP
>> [31202.505121] Modules linked in: seqiv xfrm6_mode_tunnel
>> xfrm4_mode_tunnel xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp
>> esp4 ah4 af_key xfrm_algo act_police cls_basic cls_flow cls_fw cls_u32
>> sch_tbf sch_prio sch_hfsc sch_htb sch_ingress sch_sfq xt_statistic
>> xt_CT xt_realm xt_LOG iptable_raw xt_connlimit xt_addrtype xt_comment
>> xt_nat xt_recent ipt_ULOG ipt_REJECT ipt_MASQUERADE ipt_ECN
>> ipt_CLUSTERIP ipt_ah nf_nat_tftp nf_nat_snmp_basic nf_conntrack_snmp
>> nf_nat_sip nf_nat_pptp nf_nat_proto_gre nf_nat_irc nf_nat_h323
>> nf_nat_ftp xt_set ip_set nf_nat_amanda nf_conntrack_tftp
>> nf_conntrack_sip nf_conntrack_sane nf_conntrack_proto_udplite
>> nf_conntrack_proto_sctp nf_conntrack_pptp nf_conntrack_proto_gre
>> nf_conntrack_netlink nf_conntrack_netbios_ns nf_conntrack_broadcast
>> nf_conntrack_irc ts_kmp nf_conntrack_amanda nf_conntrack_h323
>> nf_conntrack_ftp xt_time xt_TCPMSS xt_TPROXY xt_tcpmss xt_sctp
>> xt_policy xt_pkttype xt_physdev xt_owner xt_NFLOG nfnetlink_log
>> xt_NFQUEUE xt_multiport xt_mark xt_mac xt_limit xt_length xt_iprange
>> xt_helper xt_hashlimit xt_DSCP xt_dscp xt_dccp xt_connmark xt_CLASSIFY
>> ip6t_REJECT xt_AUDIT xt_tcpudp iptable_nat nf_nat_ipv4 xt_state nf_nat
>> nf_conntrack_ipv6 nf_conntrack_ipv4 nf_defrag_ipv6 nf_defrag_ipv4
>> xt_conntrack nf_conntrack iptable_mangle ip6table_raw ip6table_mangle
>> nfnetlink iptable_filter ip6table_filter ip6_tables ip_tables x_tables
>> ip_vti ip_tunnel loop coretemp vmwgfx ttm crct10dif_pclmul
>> drm_kms_helper crc32_pclmul ghash_clmulni_intel drm aesni_intel
>> aes_x86_64 lrw gf128mul glue_helper vmw_balloon ablk_helper cryptd
>> psmouse i2c_piix4 i2c_core serio_raw pcspkr evdev vmw_vmci shpchp
>> battery parport_pc parport processor thermal_sys ac button ext4 crc16
>> mbcache jbd2 dm_mod sr_mod cdrom sg sd_mod crc_t10dif crct10dif_common
>> ata_generic crc32c_intel floppy ata_piix e1000 libata mptspi
>> scsi_transport_spi mptscsih mptbase scsi_mod
>> [31202.591173] CPU: 0 PID: 3829 Comm: charon Not tainted
>> 3.16.0-0.bpo.4-amd64 #1 Debian 3.16.7-ckt4-3~bpo70+1
>> [31202.595671] Hardware name: VMware, Inc. VMware Virtual
>> Platform/440BX Desktop Reference Platform, BIOS 6.00 04/14/2014
>> [31202.600531] task: ffff88002b3112f0 ti: ffff88002bef4000 task.ti:
>> ffff88002bef4000
>> [31202.603967] RIP: 0010:[<ffffffff814e4a12>]  [<ffffffff814e4a12>]
>> xfrm_input+0x3d2/0x590
>> [31202.607734] RSP: 0000:ffff880031003b98  EFLAGS: 00010286
>> [31202.610241] RAX: 0000000000000000 RBX: ffff880030a33d00 RCX: 0000000000000000
>> [31202.613640] RDX: 0000000000000001 RSI: 0000000000000200 RDI: ffffffff814e1633
>> [31202.617023] RBP: 0000000000000002 R08: ffff880030916c00 R09: 0000000000000002
>> [31202.620272] R10: 0000000000000032 R11: 00000000033993db R12: 0000000000000032
>> [31202.623532] R13: 0000000000000032 R14: ffff880030916c00 R15: 0000000000000000
>> [31202.626860] FS:  00007f669aafa700(0000) GS:ffff880031000000(0000)
>> knlGS:0000000000000000
>> [31202.630585] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [31202.633234] CR2: 0000000000000034 CR3: 000000002146e000 CR4: 00000000000407f0
>> [31202.636588] Stack:
>> [31202.637589]  ffffffff81486050 00000000a1339d6c ffffffff818b7bc0
>> 0000000030a33d00
>> [31202.641338]  ffff88002925769e 5059f5ca00000002 0000000000000032
>> 01000000260ae8c0
>> [31202.645024]  ffff88002a902000 ffff880030a33d00 ffffffffa02df040
>> ffffffff818b7bc0
>> [31202.648700] Call Trace:
>> [31202.649879]  <IRQ>
>> [31202.650797]  [<ffffffff81486050>] ? ip_rcv_finish+0x370/0x370
>> [31202.653769]  [<ffffffff814d87b7>] ? xfrm4_esp_rcv+0x37/0x70
>> [31202.656423]  [<ffffffff814860ee>] ? ip_local_deliver_finish+0x9e/0x200
>> [31202.659449]  [<ffffffff8144b15b>] ? __netif_receive_skb_core+0x57b/0x700
>> [31202.662551]  [<ffffffff8101e0c5>] ? read_tsc+0x5/0x20
>> [31202.664889]  [<ffffffff8144ba6f>] ? netif_receive_skb_internal+0x1f/0x90
>> [31202.668100]  [<ffffffff8144c3d8>] ? napi_gro_receive+0x128/0x1b0
>> [31202.670892]  [<ffffffffa00af36b>] ? e1000_clean_rx_irq+0x2db/0x560 [e1000]
>> [31202.674112]  [<ffffffffa00b0313>] ? e1000_clean+0x273/0x980 [e1000]
>> [31202.677012]  [<ffffffffa00b0406>] ? e1000_clean+0x366/0x980 [e1000]
>> [31202.679902]  [<ffffffff8104dab1>] ? ack_apic_level+0x81/0x170
>> [31202.682591]  [<ffffffff8144cb21>] ? net_rx_action+0x121/0x230
>> [31202.685246]  [<ffffffff81072c0e>] ? __do_softirq+0xde/0x2e0
>> [31202.687941]  [<ffffffff8104dab1>] ? ack_apic_level+0x81/0x170
>> [31202.690708]  [<ffffffff81073066>] ? irq_exit+0x86/0xb0
>> [31202.693130]  [<ffffffff8154c856>] ? do_IRQ+0x66/0x110
>> [31202.695531]  [<ffffffff8154a6ed>] ? common_interrupt+0x6d/0x6d
>> [31202.698241]  <EOI>
>> [31202.699165] Code: ff ff 85 c0 0f 85 c1 fd ff ff e9 05 fd ff ff 66
>> 2e 0f 1f 84 00 00 00 00 00 48 83 7b 40 00 0f 84 5b fd ff ff 49 8b 86
>> e0 02 00 00 <f6> 40 34 01 0f 84 85 fd ff ff e9 45 fd ff ff 0f 1f 80 00
>> 00 00
>> [31202.712413] RIP  [<ffffffff814e4a12>] xfrm_input+0x3d2/0x590
>> [31202.715102]  RSP <ffff880031003b98>
>> [31202.716751] CR2: 0000000000000034
>> [31202.719064] ---[ end trace cebe794b0c57af5e ]---
>> [31202.721593] Kernel panic - not syncing: Fatal exception in interrupt
>> [31202.724814] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation
>> range: 0xffffffff80000000-0xffffffff9fffffff)
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> System administration / project coordination
>
> --
> ++++++WE ARE MOVING++++++
> From 09.03.2015 you can reach us at the following address.
>
> MarcanT GmbH
> Herforder Straße 163 a
> 33609 Bielefeld
>
> Please note that from 09.03.2015 all invoices and
> correspondence will be issued only to the address given above.
> Please update your master data accordingly. We hope to carry out
> the move without disrupting day-to-day business for you or for us.
> Should difficulties nevertheless arise, we ask for your
> understanding.
> The move has no effect on our data center; its functions
> were already distributed to our redundant data centers at the beginning of February.
> ++++++++++++++++++++++++++++++++++++
>
> MarcanT GmbH, Ravensberger Str. 10 G, D - 33602 Bielefeld
> Phone: +49 (521) 95945-0 | Fax: +49 (521) 95945-18
> URL: http://www.marcant.net | http://www.global-m2m.com
>
> Internet * Network * Mobile Data
> Citrix Silver Solution Advisor
>
> Managing Director: Thorsten Hojas
> Commercial register: AG Bielefeld, HRB 35827 VAT ID no.: DE 190203238
> ___________________________________________________________
> Outside our business hours (Monday to Friday from 8:30 to
> 17:30, except public holidays in NRW) we are available for
> faults and emergencies at the telephone number provided to you,
> in accordance with your respective service level agreements.
> You are of course also welcome to open a ticket at any time at
> support at marcant.net, which will be handled on the next working day.
>
>
>
> Kind regards,
>  André Valentin
> System administrator

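Added example, not part of the original messages: a small triage script that checks the oops quoted above for the pattern discussed in the thread, a member read through a NULL struct pointer. It rejoins the mail-wrapped records, then compares CR2 with the displacement of the faulting instruction and the value of its base register; the function names and the narrow one-opcode decoder are assumptions made for this illustration.

```python
import re

RM_REGS = ["RAX", "RCX", "RDX", "RBX", None, "RBP", "RSI", "RDI"]  # None: SIB

# Excerpt of the oops quoted above (Code line trimmed), keeping the mail
# quoting and hard line wraps that a pasted report usually carries.
SAMPLE = """\
>> [31202.487290] BUG: unable to handle kernel NULL pointer dereference
>> at 0000000000000034
>> [31202.603967] RIP: 0010:[<ffffffff814e4a12>]  [<ffffffff814e4a12>]
>> xfrm_input+0x3d2/0x590
>> [31202.610241] RAX: 0000000000000000 RBX: ffff880030a33d00 RCX: 0000000000000000
>> [31202.633234] CR2: 0000000000000034 CR3: 000000002146e000 CR4: 00000000000407f0
>> [31202.699165] Code: 0f 84 5b fd ff ff 49 8b 86
>> e0 02 00 00 <f6> 40 34 01 0f 84 85 fd ff ff
"""

def unwrap(text):
    """Drop '>' quoting and rejoin records that were wrapped in transit."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if lines and line and not re.match(r"\[\s*\d+\.\d+\]", line):
            lines[-1] += " " + line  # continuation of the previous record
        elif line:
            lines.append(line)
    return lines

def faulting_operand(code):
    """Return (base register, disp8) for the byte marked <..> in 'Code:'.
    Narrow on purpose: only opcode f6 with a mod=01 ModRM and no SIB byte."""
    m = re.search(r"<f6>((?: [0-9a-f]{2}){2,})", code or "")
    modrm, disp = (int(b, 16) for b in m.group(1).split()[:2]) if m else (0, 0)
    base = RM_REGS[modrm & 7]
    if modrm >> 6 != 1 or base is None:
        return None
    return base, disp - 256 if disp > 127 else disp

def triage(text):
    rec = "\n".join(unwrap(text))
    regs = {n: int(v, 16) for n, v in
            re.findall(r"\b(R[A-Z0-9]{2}|CR\d): ([0-9a-f]{16})\b", rec)}
    rip = re.search(r"RIP: .*?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+", rec)
    base, disp = faulting_operand(rec) or (None, None)
    # NULL struct pointer: base register is 0 and CR2 equals the member offset
    null_read = (base is not None and regs.get(base) == 0
                 and disp >= 0 and regs.get("CR2") == disp)
    return {"function": rip and rip.group(1), "fault_addr": regs.get("CR2"),
            "base": base, "offset": disp, "null_member_read": null_read}
```

For the excerpt, `triage(SAMPLE)` reports `xfrm_input`, base register RAX equal to zero and offset 0x34 equal to CR2.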
