
Bug#809293: linux-image-3.16.0-4-amd64: network regression in 3.16.7-ckt20-1+deb8u1 breaks ipv6 ike/ipsec negotiations



On Mon, Dec 28, 2015 at 03:22:52PM -0800, Noah Meyerhans wrote:
> Following the recent kernel security update, racoon(8) from ipsec-tools
> can no longer negotiate an IPSec security association with an ipv6 peer.
> IPv4 does not appear affected.
> 
> Racoon logs the following:
> Dec 28 13:20:42 amarth racoon: ERROR: recvmsg (Resource temporarily unavailable)
> Dec 28 13:20:42 amarth racoon: ERROR: failed to receive isakmp packet at isakmp.c:238: Resource temporarily unavailable
> 
> This happens when trying to read an IKE (udp port 500) message from the
> peer.
> 
> Downgrading to 3.16.7-ckt11-1+deb8u3 resolves the problem.

git-bisect of the debian packaging repo suggests that the problem was
introduced in 3.16.7-ckt17.

Looking at the git logs for that release, the only commit that is
obviously related to ipv6 and udp is f3106f:
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 14 08:10:22 2015 +0200

    ipv6: lock socket in ip6_datagram_connect()
    
    commit 03645a11a570d52e70631838cb786eb4253eb463 upstream.
    
    ip6_datagram_connect() is doing a lot of socket changes without
    socket being locked.
    
    This looks wrong, at least for udp_lib_rehash() which could corrupt
    lists because of concurrent udp_sk(sk)->udp_portaddr_hash accesses.

But I haven't tested anything yet...

noah

