Kernel panic when committing IPSec config with QAT enabled

I encountered a reproducible problem using QAT acceleration with IPSec.
When committing IPSec configuration on a QAT-enabled machine, the Linux kernel crashes and stalls on the kernel panic screen. There are a few keywords like “esp” that make it seem related to IPSec stuff. When I disable QAT from the command-line configuration, the IPSec VPN works normally.

My configuration to commit:

set vpn ipsec esp-group FOO proposal 1 encryption 'aes128'
set vpn ipsec esp-group FOO proposal 1 hash 'sha1'
set vpn ipsec ike-group FOO proposal 1 dh-group '2'
set vpn ipsec ike-group FOO proposal 1 encryption 'aes128'
set vpn ipsec ike-group FOO proposal 1 hash 'sha1'
set vpn ipsec interface 'bond0'
set vpn ipsec site-to-site peer 10.10.9.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.9.10 authentication pre-shared-secret '123456'
set vpn ipsec site-to-site peer 10.10.9.10 default-esp-group 'FOO'
set vpn ipsec site-to-site peer 10.10.9.10 ike-group 'FOO'
set vpn ipsec site-to-site peer 10.10.9.10 local-address '10.10.9.9'
set vpn ipsec site-to-site peer 10.10.9.10 tunnel 1 protocol 'gre'

And all the rest of the configuration before adding IPSec:

set interfaces bonding bond0 address '10.10.9.9/29'
set interfaces bonding bond0 hash-policy 'layer3+4'
set interfaces bonding bond0 lacp-rate 'fast'
set interfaces bonding bond0 member interface 'eth0'
set interfaces bonding bond0 member interface 'eth1'
set interfaces bonding bond0 member interface 'eth2'
set interfaces bonding bond0 member interface 'eth3'
set interfaces bonding bond0 mode '802.3ad'
set interfaces ethernet eth0 hw-id '3c:ec:******:d4'
set interfaces ethernet eth1 hw-id '3c:ec:******:d5'
set interfaces ethernet eth2 hw-id '3c:ec:******:d6'
set interfaces ethernet eth3 hw-id '3c:ec:******:d7'
set interfaces loopback lo
set interfaces openvpn vtun0 local-address 10.10.60.9
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'site-to-site'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-address '10.10.60.10'
set interfaces openvpn vtun0 remote-host '10.10.9.10'
set interfaces openvpn vtun0 remote-port '1194'
set interfaces openvpn vtun0 shared-secret-key 'openvpn-1'
set interfaces tunnel tun100 address '10.10.20.9/29'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 remote '10.10.9.10'
set interfaces tunnel tun100 source-address '10.10.9.9'
set interfaces wireguard wg0 address '10.10.40.9/29'
set interfaces wireguard wg0 peer router-5019d address '10.10.9.10'
set interfaces wireguard wg0 peer router-5019d allowed-ips '10.10.40.10/32'
set interfaces wireguard wg0 peer router-5019d allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer router-5019d persistent-keepalive '10'
set interfaces wireguard wg0 peer router-5019d port '51820'
set interfaces wireguard wg0 peer router-5019d public-key '***'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key '***'
set pki openvpn shared-secret openvpn-1 key '***'
set pki openvpn shared-secret openvpn-1 version '1'
set protocols static route 0.0.0.0/0 next-hop 10.10.9.10
set service ssh port '22'
set system acceleration qat
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'ROUTER-5019A-C3958'
set system name-server '114.114.114.114'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Shanghai'

Hardware and version info:

Version:          VyOS 1.4-rolling-202207190217
Release train:    sagitta
Built by:         autobuild@vyos.net
Built on:         Tue 19 Jul 2022 02:17 UTC
Build UUID:       47a911cc-ece0-4c6d-ab0d-f87b4e6eb500
Build commit ID:  efb1de57f6e4bf
Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Supermicro
Hardware model:   SYS-5019A-FN5T

CPU: Intel Atom C3958
More information at: SYS-5019A-FN5T | 1U | SuperServers | Products | Super Micro Computer, Inc.

I grabbed a screenshot from IPMI iKVM.

Hi @helixzz
Can you show the output of "show system acceleration qat"?

Hi @helixzz, it is a known issue
https://phabricator.vyos.net/T3587
https://phabricator.vyos.net/T3484

Thanks for your reply. Let me grab the information tomorrow. =)

It's a pity. So we have to wait for Intel to fix the driver issue, or maybe there will be a way to solve (or work around) it?

Thank you!

We tried to write to Intel and 01.org several times, but unfortunately without reply. It is the main blocker and the reason why we use a lower kernel in the 1.3 stable version.

Oh, that’s really sad news.