IPsec/crypto kernel panic in 2.6.[456]

IPsec/crypto kernel panic in 2.6.[456]

[Tobias Ringström]

I get a kernel panic that is very easy to reproduce.  The panic goes 
away if I revert the following changeset ("fix in-place de/encryption 
bug with highmem"):

     http://linux.bkbits.net:8080/linux-2.5/cset@1.1371.476.15

I have not analyzed the code closely, so I cannot say for certain that 
there is a problem with that specific changeset, and I'm certainly not 
out to blame anyone, but reverting it at least seems to fix the problem. 
  The panic occurs when I receive more than a little TCP data in an 
IPsec ESP tunnel.  I'm of course willing to test patches or provide 
further info if required.

[Please CC me because I'm not subscribed to the list.]

/Tobias


Unable to handle kernel paging request at virtual address 77d89bb3
  printing eip:
e38c230d
*pde = 00000000
Oops: 0002 [#1]
CPU:    0
EIP:    0060:[<e38c230d>]    Not tainted
EFLAGS: 00010216   (2.6.6)
EIP is at des_small_fips_decrypt+0x96d/0x9a0 [des]
eax: 0030f000   ebx: 00030f00   ecx: 1b24b797   edx: ba4d7f77
esi: dcf91438   edi: 77d89bb3   ebp: c040fbb0   esp: c040fb5c
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 0, threadinfo=c040e000 task=c0386a40)
Stack: 77d89bb3 dcf91330 da6e4458 e38c28ed dcf91438 77d89bb3 c040fbf0 
77d89bb3
        c040fbf0 c01e7623 dcf91330 77d89bb3 c040fbf0 c01e7373 c040fbf2 
dec77000
        00000006 c040fb94 c040fbf0 000004a0 00000008 c040fc50 c01e7513 
dcf91304
Call Trace:
  [<e38c28ed>] des3_ede_decrypt+0x2d/0x70 [des]
  [<c01e7623>] cbc_process+0x63/0x170
  [<c01e7373>] scatterwalk_copychunks+0x83/0xd0
  [<c01e7513>] crypt+0x153/0x200
  [<e38c28c0>] des3_ede_decrypt+0x0/0x70 [des]
  [<c02d2000>] dst_output+0x0/0x30
  [<c02d1b74>] ip_push_pending_frames+0x344/0x420
  [<c02d2000>] dst_output+0x0/0x30
  [<c01e7948>] cbc_decrypt+0x48/0x50
  [<e38c28c0>] des3_ede_decrypt+0x0/0x70 [des]
  [<c01e75c0>] cbc_process+0x0/0x170
  [<e38ccb1b>] esp_input+0x1fb/0x500 [esp4]
  [<e38cca3e>] esp_input+0x11e/0x500 [esp4]
  [<c02b78f4>] kfree_skbmem+0x24/0x30
  [<c030fdeb>] xfrm_state_lookup+0x5b/0x70
  [<c030b58e>] xfrm4_rcv_encap+0xee/0x4a0
  [<c02d20e2>] ip_finish_output2+0xb2/0x1d0
  [<c0302484>] ipt_do_table+0x294/0x380
  [<c02c5302>] nf_hook_slow+0xd2/0x120
  [<c02ccfc0>] ip_local_deliver_finish+0x0/0x1d0
  [<c0304b37>] ipt_hook+0x37/0x40
  [<c030b3d7>] xfrm4_rcv+0x17/0x20
  [<c02cd089>] ip_local_deliver_finish+0xc9/0x1d0
  [<c02ccfc0>] ip_local_deliver_finish+0x0/0x1d0
  [<c02c5302>] nf_hook_slow+0xd2/0x120
  [<c02ccfc0>] ip_local_deliver_finish+0x0/0x1d0
  [<c02ccb27>] ip_local_deliver+0x217/0x240
  [<c02ccfc0>] ip_local_deliver_finish+0x0/0x1d0
  [<c02cd350>] ip_rcv_finish+0x1c0/0x230
  [<c02cd190>] ip_rcv_finish+0x0/0x230
  [<c02c5302>] nf_hook_slow+0xd2/0x120
  [<c02cd190>] ip_rcv_finish+0x0/0x230
  [<c02ccf04>] ip_rcv+0x3b4/0x470
  [<c02cd190>] ip_rcv_finish+0x0/0x230
  [<c02bc430>] netif_receive_skb+0x150/0x190
  [<c02bc4dd>] process_backlog+0x6d/0x100
  [<c02bc5da>] net_rx_action+0x6a/0xf0
  [<c011afc5>] __do_softirq+0x85/0x90
  [<c011aff6>] do_softirq+0x26/0x30
  [<c0106439>] do_IRQ+0xc9/0xf0
  [<c0101ef0>] default_idle+0x0/0x30
  [<c01047cc>] common_interrupt+0x18/0x20
  [<c0101ef0>] default_idle+0x0/0x30
  [<c0101f14>] default_idle+0x24/0x30
  [<c0101f90>] cpu_idle+0x30/0x40
  [<c041072d>] start_kernel+0x14d/0x170
  [<c0410470>] unknown_bootoption+0x0/0x130

Code: 88 0f c1 e9 08 31 c2 88 4f 01 c1 e9 08 88 57 04 88 4f 02 c1
  <0>Kernel panic: Fatal exception in interrupt
In interrupt handler - not syncing

Re: IPsec/crypto kernel panic in 2.6.[456]

[Andy Isaacson]

On Wed, May 19, 2004 at 09:48:31PM +0200, Tobias Ringström wrote:
> I get a kernel panic that is very easy to reproduce.  The panic goes 
> away if I revert the following changeset ("fix in-place de/encryption 
> bug with highmem"):
> 
>     http://linux.bkbits.net:8080/linux-2.5/cset@1.1371.476.15

Or,
http://linux.bkbits.net:8080/linux-2.5/cset@40443186BowXpsBHgFbxClLNqkdCyw

(need to use "bookmarkable link"; revision numbers change.)

-andy

Re: IPsec/crypto kernel panic in 2.6.[456]

[Christophe Saout]

Am Mi, den 19.05.2004 um 21:48 Uhr +0200 schrieb Tobias Ringström:

> I have not analyzed the code closely, so I cannot say for certain that 
> there is a problem with that specific changeset, and I'm certainly not 
> out to blame anyone, but reverting it at least seems to fix the problem. 
> The panic occurs when I receive more than a little TCP data in an 
> IPsec ESP tunnel.  I'm of course willing to test patches or provide 
> further info if required.

I've been using linux 2.6. IPSec myself for quite some time and never
seen this. Hmm. What kind of tunnel is this? How large are the packets
involved?

Can you send me your .config and tell me what compiler was used, and
perhaps the object files in your kernel crypto/ directory?

> eax: 0030f000   ebx: 00030f00   ecx: 1b24b797   edx: ba4d7f77
> esi: dcf91438   edi: 77d89bb3   ebp: c040fbb0   esp: c040fb5c
                       ^^^^^^^^

What kind of address is this? Something random? The ESP code uses
in-place decryption, so this should point on the stack.

> ds: 007b   es: 007b   ss: 0068
> Process swapper (pid: 0, threadinfo=c040e000 task=c0386a40)
> Stack:
> 77d89bb3 dcf91330 da6e4458 e38c28ed dcf91438 77d89bb3 c040fbf0 77d89bb3
  ^^^^^^^^                                     ^^^^^^^^          ^^^^^^^

Here it is again.