Bug 106611

Summary: regression: Kernel panic with ipsec over ipv6
Product: Networking Reporter: Scott Harrison (scott.linux-kernel)
Component: IPV6Assignee: Hideaki YOSHIFUJI (yoshfuji)
Status: RESOLVED CODE_FIX    
Severity: normal CC: adobriyan, daniel, kafai
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.2.1, 4.2.2, 4.2.3 Subsystem:
Regression: No Bisected commit-id:

Description Scott Harrison 2015-10-26 09:17:41 UTC 
I have recently upgraded from 4.1.6 to 4.2.1 and am now seeing a kernel
panic when trying to do IPSec (using ipsec-tools, racoon and setkey) over
IPv6:

Call Trace:
  [<ffffffff8151460c>] ? ip6_dst_destroy+0x5c/0xf0
  [<ffffffff8146343f>] dst_destroy+0x6f/0xd0
  [<ffffffff81463557>] dst_gc_task+0xb7/0x220
  [<ffffffff8100cd13>] ? __switch_to+0x273/0x480
  [<ffffffff8106dd21>] process_on_work+0x141/0340
  [<ffffffff8106df93>] worker_thread+0x73/0x470
  [<ffffffff8106df20>] ? process_on_work+0x340/0x340
  [<ffffffff8106df20>] ? process_on_work+0x340/0x340
  [<ffffffff81073645>] kthread+0xe5/0x100
  [<ffffffff81073560>] ? kthread_create_on_node+0x180/0x180
  [<ffffffff8156059f>] ret_from_fork+0x3f/0x70
  [<ffffffff81073560>] ? kthread_create_on_node+0x180/0x180

Code: 48 81 c4 20 10 00 00 89 c6 e8 bb 3a b3 ff 5d c3 66 0f 1f 84 00 00 00 00 00
  65 81 05 dd bb aa 7e 00 02 00 00 31 c0 ba 01 00 00 00 <f0> 0f b1 17 85 c0 75 01
  c3 55 48 89 e5 48 81 ec 20 10 00 00 48
RIP  [<ffffffff8155fd02>] _raw_spin_lock_bh+0x12/0x40
  RSP <ffff8800bb91bcd0>
CR2: 0000000000000000
---[ end trace ae902d1290b61bc5 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt


(I had to copy this by hand from the console, so there may be typos, sorry)

I have done a git bisect on the kernel and found that this started to occur
at 8d0b94afdca84598912347e61defa846a0988d04, if I revert this change in
kernel 4.2.2, then the system works as expected.
Comment 1 Alexey Dobriyan 2015-11-06 22:00:21 UTC 
"f0 0f b1 17" is "lock cmpxchg %edx, (%rdi)"
Comment 2 Daniel Borkmann 2015-11-06 22:06:11 UTC 
(Adding Martin to Cc for the commit.)
Comment 3 Martin KaFai Lau 2015-11-06 22:46:27 UTC 
There is a fix related to 8d0b94afdca84598912347e61defa846a0988d04 in 4.2.5:
58d772c ipv6: Don't call with rt6_uncached_list_flush_dev

Also, there is a ipsec related fix for ipv6 which is currently in 4.3:
ebfa45f ipv6: Move common init code for rt6_info to a new function rt6_info_init()
0a1f596 ipv6: Initialize rt6_info properly in ip6_blackhole_route()

Can you give 4.3 a try?
Comment 4 Scott Harrison 2015-11-09 15:46:34 UTC 
Initial testing seems to work in 4.3, will do more testing and reopen if it's still there.