Re: 3.12.33 - BUG xfrm_selector_match+0x25/0x2f6

To: Smart Weblications GmbH - Florian Wiessner <f.wiessner@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: 3.12.33 - BUG xfrm_selector_match+0x25/0x2f6
Cc: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, LKML <linux-kernel@xxxxxxxxxxxxxxx>, stable@xxxxxxxxxxxxxxx, Simon Horman <horms@xxxxxxxxxxxx>, lvs-devel@xxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Fri, 5 Dec 2014 11:55:23 +0200 (EET)

        Adding Simon to CC...

On Fri, 5 Dec 2014, Smart Weblications GmbH - Florian Wiessner wrote:

> i tried with 3.12.33 without any XFRM and now got this one (which is 
> reproducable):
> [  233.956012] BUG: unable to handle kernel NULL pointer dereference at 
> 00000000
>                                    00000014
> [  233.956218] IP: [<ffffffffa013a470>] nf_ct_seqadj_set+0x60/0x90 
> [nf_conntrack

        It seems fix from 3.13 was not sent to 3.12 stable:

commit b25adce1606427fd8 ("ipvs: correct usage/allocation of seqadj ext in 

        There was related change but it is not needed
for stable kernels:

commit db12cf27435356017e ("netfilter: WARN about wrong usage of sequence 
number adjustments"

        Simon, can we try commit b25adce1606427fd8 for 3.12?

> setup is like this:
> #virtual=<myVIP>:21
> #       real= masq
> #       real= masq
> #       real= masq
> #       real= masq
> #       persistent=600
> #       service=ftp
> #       scheduler=rr
> #       protocol=tcp
> #       checktype=connect
> ( i remarked it to prevent fruther crashes...)
> when ip_vs_ftp is loaded and someone trying to make a ftp connection, the 
> system
> panics instantly.
> - are lxc-containers using veth connected to the bridge
> running on 4 different nodes. The node running ldirector/ipvsadm has also one 
> of
> those containers running (don't know if that matters)

        It is always good to know the setup. Do you access VIP
from local clients (from director)?

> brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.00259052bbf4       no              bond0
>                                                         vethMKELUc
>                                                         vethXdWGqf
>                                                         vethgJMmEb
>                                                         vethmKNqFc
> I disabled the ftp server lxc container on the node doing ip_vs, so that the
> endpoint of the connection is not on the same node and tried again but with 
> the
> same result.
> Unfortunatelly i cannot test with newer kernels than 3.12, because ocfs2 is
> somehow broken in >= 3.14

        Before I create patch to avoid rerouting for
LOCAL_IN you can try to set IPVS sysctl var "snat_reroute" to 0
or even to change ip_vs_route_me_harder() function just to return 0.
snat_reroute=1 (a default value) is needed if you have
multiple links to clients and use ip rules to select
correct route by src ip (after SNAT). If you have single
uplink snat_reroute can be 0.


Julian Anastasov <ja@xxxxxx>
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

<Prev in Thread] Current Thread [Next in Thread>