Bug#809293: linux-image-3.16.0-4-amd64: network regression in 3.16.7-ckt20-1+deb8u1 breaks ipv6 ike/ipsec negotiations
On Mon, Dec 28, 2015 at 03:22:52PM -0800, Noah Meyerhans wrote:
> Following the recent kernel security update, racoon(8) from ipsec-tools
> can no longer negotiate an IPSec security association with an ipv6 peer.
> IPv4 does not appear affected.
>
> Racoon logs the following:
> Dec 28 13:20:42 amarth racoon: ERROR: recvmsg (Resource temporarily unavailable)
> Dec 28 13:20:42 amarth racoon: ERROR: failed to receive isakmp packet at isakmp.c:238: Resource temporarily unavailable
>
> This happens when trying to read an IKE (udp port 500) message from the
> peer.
>
> Downgrading to 3.16.7-ckt11-1+deb8u3 resolves the problem.

git-bisect of the debian packaging repo suggests that the problem was
introduced in 3.16.7-ckt17.

Looking at the git logs for that release, the only commit that is
obviously related to ipv6 and udp is f3106f:

    Author: Eric Dumazet <edumazet@google.com>
    Date: Tue Jul 14 08:10:22 2015 +0200

    ipv6: lock socket in ip6_datagram_connect()

    commit 03645a11a570d52e70631838cb786eb4253eb463 upstream.

    ip6_datagram_connect() is doing a lot of socket changes without
    socket being locked.

    This looks wrong, at least for udp_lib_rehash() which could corrupt
    lists because of concurrent udp_sk(sk)->udp_portaddr_hash accesses.

But I haven't tested anything yet...

noah