Bug 214169

Summary: Kernel panic using IPv6 and TCP-SIGNATURE (IPSEC)
Product: Base System
Reporter: Anderson Soares Ferreira <anderson.soares>
Component: kern
Assignee: Andrey V. Elsukov <ae>
Status: Closed FIXED
Severity: Affects Only Me
CC: ae
Priority: ---
Version: 11.0-STABLE
Hardware: amd64
OS: Any

Description Anderson Soares Ferreira 2016-11-03 17:35:48 UTC
After migrating my gateway to FreeBSD 11 STABLE, the quagga bgpd daemon started to cause kernel panics on my gateway every time quagga starts.
At first, I thought it was a quagga-related problem and I tried to replace it with OpenBGPD. But as soon as I started openbgpd, the system crashed again.
After that, I was able to trace the problem to some bgp peers using password-protected connections. A few more tests showed that the problem only happened on IPv6 connections.
Since bgp protected connections use the RFC 2385 TCP MD5 signature option, I've tried to simulate the problem in another environment using IPSEC and netcat (nc -S).
As expected, every time I try to connect two hosts with TCP-MD5 signatures, the host opening the connection crashes. Nothing happens to the host listening for connections.
I was forced to downgrade my gateway to FreeBSD 10.3, and since then, my gateway has worked without any failure.

The kernel panics as follows:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address	= 0x8
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff80c6e0ea
stack pointer	        = 0x28:0xfffffe00510da6b0
frame pointer	        = 0x28:0xfffffe00510da790
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 743 (nc)
trap number		= 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80a98d27 at kdb_backtrace+0x67
#1 0xffffffff80a4f6c2 at vpanic+0x182
#2 0xffffffff80a4f533 at panic+0x43
#3 0xffffffff80ef2e41 at trap_fatal+0x351
#4 0xffffffff80ef3033 at trap_pfault+0x1e3
#5 0xffffffff80ef25bc at trap+0x26c
#6 0xffffffff80ed5d11 at calltrap+0x8
#7 0xffffffff80c6801b at tcp_output+0x16ab
#8 0xffffffff80c78b11 at tcp6_usr_connect+0x271
#9 0xffffffff80aee5de at kern_connectat+0x12e
#10 0xffffffff80aee487 at sys_connect+0x77
#11 0xffffffff80ef37ee at amd64_syscall+0x51e
#12 0xffffffff80ed5ffb at Xfast_syscall+0xfb


How-To-Repeat:

- On a system with the TCP_SIGNATURE kernel option enabled, enable IPSEC and add a TCP-MD5 key in /etc/ipsec.conf for each side of the connection.

- Run nc -6S <host ipv6> <port>


The system
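The repeat steps above exercise the RFC 2385 TCP-MD5 option on an IPv6 connection, which is the code path where tcp_output() faulted. The following is an added example in Python, not FreeBSD's tcp_subr.c code, that shows what a TCP_SIGNATURE kernel has to compute for such a segment on both ends: the pseudo-header selected by IP version (RFC 793 form for IPv4, RFC 2460 form for IPv6), the MD5 digest laid out as RFC 2385 section 2 specifies, and the receiver-side option walk with a constant-time compare. The function names, the documentation-prefix addresses 2001:db8::1 and 2001:db8::2, and the key are all constructed for this example.

```python
"""RFC 2385 TCP-MD5 signing and verification for IPv4 and IPv6 segments.

Added example, not code from FreeBSD's tcp_subr.c. It mirrors what a
TCP_SIGNATURE kernel computes in tcp_output(): the pseudo-header depends on
the IP version, so the IPv4/IPv6 selection is made in exactly one place and
an unhandled version is an explicit error rather than a stray pointer.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19       # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18      # kind(1) + length(1) + 16-byte MD5 digest


def pseudo_header(version, src, dst, tcp_len):
    """Checksum pseudo-header for the address family carrying the segment."""
    if version == 4:        # RFC 793: src, dst, zero, protocol, TCP length
        return (ipaddress.IPv4Address(src).packed
                + ipaddress.IPv4Address(dst).packed
                + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))
    if version == 6:        # RFC 2460: src, dst, 32-bit length, 3 zero bytes, next header
        return (ipaddress.IPv6Address(src).packed
                + ipaddress.IPv6Address(dst).packed
                + struct.pack("!I3xB", tcp_len, IPPROTO_TCP))
    raise ValueError("unsupported IP version %r" % (version,))


def tcp_md5_digest(version, src, dst, tcp_header, payload, key):
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte TCP header
    with checksum zeroed (options excluded), the data, and finally the key."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset != len(tcp_header):
        raise ValueError("data offset does not match header length")
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    md = hashlib.md5()
    md.update(pseudo_header(version, src, dst, len(tcp_header) + len(payload)))
    md.update(fixed)
    md.update(payload)
    md.update(key)
    return md.digest()


def build_signed_syn(version, src, dst, sport, dport, seq, key):
    """Sender side (what `nc -S` asks the kernel for): a SYN carrying the
    signature option. Options are not covered by the digest, so the header
    can be assembled with the option slot already reserved."""
    opt_len = TCPOLEN_SIGNATURE + 2          # two NOPs pad to a 4-byte boundary
    offset_flags = (((20 + opt_len) // 4) << 12) | 0x02   # data offset, SYN flag
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)
    opt_head = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE])
    padding = bytes([TCPOPT_NOP, TCPOPT_NOP])
    header = fixed + opt_head + b"\x00" * 16 + padding
    digest = tcp_md5_digest(version, src, dst, header, b"", key)
    return fixed + opt_head + digest + padding


def verify_signature(version, src, dst, tcp_header, payload, key):
    """Receiver side: walk the options, find kind 19, compare in constant time.
    Returns False when the option is absent or malformed."""
    opts = tcp_header[20:]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return False
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            expected = tcp_md5_digest(version, src, dst, tcp_header, payload, key)
            return hmac.compare_digest(opts[i + 2:i + length], expected)
        i += length
    return False


# Constructed sample: the IPv6 SYN of a BGP session (port 179), addresses from
# the documentation prefix, key chosen for this example only.
SAMPLE_SRC = "2001:db8::1"
SAMPLE_DST = "2001:db8::2"
SAMPLE_KEY = b"example-bgp-secret"
SAMPLE_SYN = build_signed_syn(6, SAMPLE_SRC, SAMPLE_DST, 40000, 179, 1, SAMPLE_KEY)

if __name__ == "__main__":
    print("IPv6 signed SYN verifies with the right key:",
          verify_signature(6, SAMPLE_SRC, SAMPLE_DST, SAMPLE_SYN, b"", SAMPLE_KEY))
    print("...and with the wrong key:",
          verify_signature(6, SAMPLE_SRC, SAMPLE_DST, SAMPLE_SYN, b"", b"wrong"))
```

The receiver check rejects a segment whose key, source or destination address differs from the configured SA, which is why both sides need the same key entry in /etc/ipsec.conf: a mismatch on either end drops the SYN silently instead of completing the handshake.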
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-11-06 02:34:00 UTC
A commit references this bug:

Author: ae
Date: Sun Nov  6 02:33:04 UTC 2016
New revision: 308358
URL: https://svnweb.freebsd.org/changeset/base/308358

Log:
  Initialize ip6 pointer before use.

  PR:		214169
  MFC after:	1 week

Changes:
  head/sys/netinet/tcp_subr.c
Comment 2 commit-hook freebsd_committer freebsd_triage 2016-11-13 16:20:52 UTC
A commit references this bug:

Author: ae
Date: Sun Nov 13 16:20:06 UTC 2016
New revision: 308613
URL: https://svnweb.freebsd.org/changeset/base/308613

Log:
  MFC r308358:
    Initialize ip6 pointer before use.

    PR:		214169

Changes:
_U  stable/11/
  stable/11/sys/netinet/tcp_subr.c
Comment 3 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-11-13 16:23:18 UTC
Fixed in head/ and stable/11. Thanks!