Bug#809293: linux-image-3.16.0-4-amd64: network regression in 3.16.7-ckt20-1+deb8u1 breaks ipv6 ike/ipsec negotiations

To: Debian Bug Tracking System <809293@bugs.debian.org>
Subject: Bug#809293: linux-image-3.16.0-4-amd64: network regression in 3.16.7-ckt20-1+deb8u1 breaks ipv6 ike/ipsec negotiations
From: Noah Meyerhans <noahm@debian.org>
Date: Thu, 31 Dec 2015 11:08:55 -0800
Message-id: <[🔎] 20151231190855.GB480@insomnia.internal.morgul.net>
Reply-to: Noah Meyerhans <noahm@debian.org>, 809293@bugs.debian.org
In-reply-to: <[🔎] 20151229193946.GH7266@insomnia.internal.morgul.net>
References: <[🔎] 20151228184237.3424.29616.reportbug@amarth.morgul.net> <[🔎] 20151229193946.GH7266@insomnia.internal.morgul.net>

On Tue, Dec 29, 2015 at 11:39:46AM -0800, Noah Meyerhans wrote:
> > Dec 28 13:20:42 amarth racoon: ERROR: recvmsg (Resource temporarily unavailable)
> > Dec 28 13:20:42 amarth racoon: ERROR: failed to receive isakmp packet at isakmp.c:238: Resource temporarily unavailable
> > 
> > This happens when trying to read an IKE (udp port 500) message from the
> > peer.
> > 
> > Downgrading to 3.16.7-ckt11-1+deb8u3 resolves the problem.
> 
> git-bisect of the debian packaging repo suggests that the problem was
> introduced in 3.16.7-ckt17.

Bisecting the upstream kernel changes suggests the following commit as
being the origin of the problem:

commit bd0900e5eed6502b314402d36ec11f6d1a67de82
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Mon Jul 13 20:01:42 2015 +0800

    net: Fix skb csum races when peeking
    
    commit 89c22d8c3b278212eef6a8cc66b570bc840a6f5a upstream.
    
    When we calculate the checksum on the recv path, we store the
    result in the skb as an optimisation in case we need the checksum
    again down the line.
    
    This is in fact bogus for the MSG_PEEK case as this is done without
    any locking.  So multiple threads can peek and then store the result
    to the same skb, potentially resulting in bogus skb states.
    
    This patch fixes this by only storing the result if the skb is not
    shared.  This preserves the optimisations for the few cases where
    it can be done safely due to locking or other reasons, e.g., SIOCINQ.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

I will confirm this by trying a build with this change reverted, and
will also check to see if there have been followup changes upstream of
the ckt kernels that might have corrected the problem.

noah

Reply to:

References:
- Bug#809293: linux-image-3.16.0-4-amd64: network regression in 3.16.7-ckt20-1+deb8u1 breaks ipv6 ike/ipsec negotiations
  - From: Noah Meyerhans <noahm@debian.org>
- Bug#809293: linux-image-3.16.0-4-amd64: network regression in 3.16.7-ckt20-1+deb8u1 breaks ipv6 ike/ipsec negotiations
  - From: Noah Meyerhans <noahm@debian.org>

Prev by Date: Bug#809528: Update maximum kernel size for armel/kirkwood
Previous by thread: Bug#809293: linux-image-3.16.0-4-amd64: network regression in 3.16.7-ckt20-1+deb8u1 breaks ipv6 ike/ipsec negotiations
Next by thread: Bug#809330: initramfs-tools: not able to create a fresh initramfs image
Index(es):
- Date
- Thread