kern/86330: panic in ESP code

Lupe Christoph lupe at lupe-christoph.de
Mon Sep 19 03:40:15 PDT 2005


>Number:         86330
>Category:       kern
>Synopsis:       panic in ESP code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 19 10:40:14 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Lupe Christoph
>Release:        FreeBSD 5.4-RELEASE-p7 i386
>Organization:
>Environment:
System: FreeBSD firewally.lupe-christoph.de 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #4: Tue Sep 13 20:23:52 CEST 2005 lupe at firewally.lupe-christoph.de:/usr/obj/usr/src/sys/FIREWALLY i386


	5.4-RELEASE-p7
>Description:
	A large transfer over a complicated connection triggers this:

	The FreeBSD 5.4 machine is my DSL router/firewall. It has
	a number of IPSec tunnels. One of those tunnels is forwarded
	by a Linux machine running Debian Stable with OpenSWAN to
	an OpenWRT router, also running OpenSWAN.

	The IPSec tunnels are maintained by racoon.
	Here is the one where this happens:

	spdadd 172.17.0.0/16 172.19.0.0/24 any -P out ipsec esp/tunnel/$MYADDR-$TUNNELFORW/unique;
	spdadd 172.19.0.0/24 172.17.0.0/16 any -P in  ipsec esp/tunnel/$TUNNELFORW-$MYADDR/unique;

	The local net is 172.17.0.0/16, 172.19.0.0/24 is behind the
	OpenWRT router.

	The intermediate Debian machine sends an ICMP Destination
	unreachable/Fragmentation needed. This may be triggering
	the panic indirectly.

	I have no explanation for the ICMP message: the MTUs of all
	interfaces that transport the ESP packets are at 1492.
	And the traffic is leaving the intermediate machine over
	the same (and only) Ethernet interface it came from. The
	ESP packet is unpacked and regenerated by the intermediate
	machine, though.

	Here is the traceback from kgdb:

	#0  doadump () at pcpu.h:159
	#1  0xc062c5b2 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:410
	#2  0xc062c848 in panic (fmt=0xc08572e5 "%s") at /usr/src/sys/kern/kern_shutdown.c:566
	#3  0xc080962c in trap_fatal (frame=0xc7aa87c0, eva=0) at /usr/src/sys/i386/i386/trap.c:817
	#4  0xc0809397 in trap_pfault (frame=0xc7aa87c0, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:735
	#5  0xc0808fd9 in trap (frame=
	      {tf_fs = -1054081000, tf_es = 16, tf_ds = -1064239088, tf_edi = 0, tf_esi = -945125268, tf_ebp = -945125344, tf_isp = -945125396, tf_ebx = -1051804672, tf_edx = -1065138860, tf_ecx = 2, tf_eax = 945125268, tf_trapno = 12, tf_err = 2, tf_eip = -1065323226, tf_cs = 8, tf_eflags = 66066, tf_esp = 16, tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:425
	#6  0xc07f91aa in calltrap () at /usr/src/sys/i386/i386/exception.s:140
	#7  0xc12c0018 in ?? ()
	#8  0x00000010 in ?? ()
	#9  0xc0910010 in bios_vmode ()
	#10 0x00000000 in ?? ()
	#11 0xc7aa886c in ?? ()
	#12 0xc7aa8820 in ?? ()
	#13 0xc7aa87ec in ?? ()
	#14 0xc14ebc00 in ?? ()
	#15 0xc0834554 in esp_algorithms ()
	#16 0x00000002 in ?? ()
	#17 0x38557794 in ?? ()
	#18 0x0000000c in ?? ()
	#19 0x00000002 in ?? ()
	#20 0xc0807526 in generic_bcopy () at /usr/src/sys/i386/i386/support.s:489
	#21 0x00000010 in ?? ()
	#22 0x00000000 in ?? ()
	#23 0xc06e3d0d in esp_3des_blockencrypt (algo=0xc0834554, sav=0x0, s=0xc7aa886c "ö¹A\020Yj\034\b", d=0x8 <Address 0x8 out of bounds>)
	    at /usr/src/sys/netinet6/esp_core.c:594
	#24 0xc06e4604 in esp_cbc_encrypt (m=0xc14bbd00, off=0, plen=1504, sav=0xc18ca800, algo=0xc0834554, ivlen=-1052836864)
	    at /usr/src/sys/netinet6/esp_core.c:989
	#25 0xc06e678b in esp_output (m=0xc14bbd00, nexthdrp=0xc14bbdf5 "2±4T\230\213\203Ôpã]", md=0x4, isr=0x0, af=2)
	    at /usr/src/sys/netinet6/esp_output.c:573
	#26 0xc06e6a60 in esp4_output (m=0xc14bbd00, isr=0xc1616800) at /usr/src/sys/netinet6/esp_output.c:701
	#27 0xc070004c in ipsec4_output (state=0xc7aa89b4, sp=0xc18be330, flags=1) at /usr/src/sys/netinet6/ipsec.c:2752
	#28 0xc06cb1f3 in ip_output (m=0xc13eab00, opt=0xc140e016, ro=0xc7aa89c4, flags=1, imo=0x0, inp=0x0)
	    at /usr/src/sys/netinet/ip_output.c:473
	#29 0xc06ca7f4 in ip_forward (m=0xc13eab00, srcrt=0) at /usr/src/sys/netinet/ip_input.c:1780
	#30 0xc06c94d2 in ip_input (m=0xc13eab00) at /usr/src/sys/netinet/ip_input.c:679
	#31 0xc069bfff in netisr_processqueue (ni=0xc093eb98) at /usr/src/sys/net/netisr.c:233
	#32 0xc069c1ae in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:340
	#33 0xc0618ec5 in ithread_loop (arg=0xc12bc480) at /usr/src/sys/kern/kern_intr.c:547
	#34 0xc0618158 in fork_exit (callout=0xc0618d74 <ithread_loop>, arg=0xc12bc480, frame=0xc7aa8d48) at /usr/src/sys/kern/kern_fork.c:791
	#35 0xc07f920c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209

	I'm afraid I don't know how to get the panic information
	that is supposed to be displayed, according to the Developers'
	Handbook.

	I remember it was a write to location 0. I'd rather not
	panic the machine again; there is quite a bit depending on
	it functioning.

>How-To-Repeat:
	
>Fix:

	


>Release-Note:
>Audit-Trail:
>Unformatted:
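The trapframe and backtrace in this report already contain the panic information the submitter was looking for; it only needs decoding. The following triage script is an added example and is not part of the PR or of FreeBSD's own tooling. It parses the kgdb trapframe (gdb prints the 32-bit registers as signed integers, so they are masked back to unsigned), decodes `tf_trapno` and `tf_err` using the FreeBSD i386 convention that trap 12 is a page fault and the x86 page-fault error-code bits (bit 0 present/protection, bit 1 write, bit 2 user mode), resolves the faulting `tf_eip` against the frame addresses in the backtrace, and flags pointer arguments that lie in the first page, i.e. NULL or NULL-plus-offset. The sample input below is constructed from the frames quoted in this PR (the `s=` string literal is trimmed); the regexes and the 0x1000 "first page" cutoff are the example's own assumptions.

```python
import re

# Constructed sample input: the trapframe printed in frame #5 of the PR above.
TRAPFRAME = (
    "{tf_fs = -1054081000, tf_es = 16, tf_ds = -1064239088, tf_edi = 0, "
    "tf_esi = -945125268, tf_ebp = -945125344, tf_isp = -945125396, "
    "tf_ebx = -1051804672, tf_edx = -1065138860, tf_ecx = 2, tf_eax = 945125268, "
    "tf_trapno = 12, tf_err = 2, tf_eip = -1065323226, tf_cs = 8, "
    "tf_eflags = 66066, tf_esp = 16, tf_ss = 0}"
)

# Constructed sample input: three frames from the same backtrace, one per line,
# with the garbled string argument of esp_3des_blockencrypt left out.
BACKTRACE = """\
#20 0xc0807526 in generic_bcopy () at /usr/src/sys/i386/i386/support.s:489
#23 0xc06e3d0d in esp_3des_blockencrypt (algo=0xc0834554, sav=0x0, s=0xc7aa886c, d=0x8 <Address 0x8 out of bounds>) at /usr/src/sys/netinet6/esp_core.c:594
#24 0xc06e4604 in esp_cbc_encrypt (m=0xc14bbd00, off=0, plen=1504, sav=0xc18ca800, algo=0xc0834554, ivlen=-1052836864) at /usr/src/sys/netinet6/esp_core.c:989
"""

T_PAGEFLT = 12  # FreeBSD i386 trap number for a page fault ("Fatal trap 12")


def parse_trapframe(text):
    """Return {tf_field: value} with every register masked to unsigned 32 bits."""
    return {name: int(val) & 0xFFFFFFFF
            for name, val in re.findall(r"(tf_\w+) = (-?\d+)", text)}


def decode_pf_error(err):
    """Decode the x86 page-fault error code pushed by the CPU (assumed layout)."""
    return {
        "present": bool(err & 1),  # 1 = protection violation, 0 = page not mapped
        "write": bool(err & 2),    # 1 = the faulting access was a write
        "user": bool(err & 4),     # 1 = fault raised from user mode
    }


def parse_backtrace(text):
    """Parse '#N 0xADDR in func (args) ...' lines into frame dicts."""
    frames = []
    for m in re.finditer(r"^#(\d+)\s+(0x[0-9a-f]+) in (\w+) \((.*?)\)", text, re.M):
        num, addr, func, args = m.groups()
        argd = dict(re.findall(r"(\w+)=(0x[0-9a-f]+|-?\d+)", args))
        frames.append({"num": int(num), "addr": int(addr, 16),
                       "func": func, "args": argd})
    return frames


def suspicious_pointers(frames, limit=0x1000):
    """Hex-valued arguments below `limit` (first page) are NULL or NULL+offset."""
    hits = []
    for f in frames:
        for name, val in f["args"].items():
            if val.startswith("0x") and int(val, 16) < limit:
                hits.append((f["func"], name, int(val, 16)))
    return hits


def locate_fault(tf, frames):
    """Name the frame whose address equals the faulting EIP, if any."""
    for f in frames:
        if f["addr"] == tf["tf_eip"]:
            return f["func"]
    return None


def triage(trapframe_text, backtrace_text):
    """Summarise a kernel page fault from its trapframe and backtrace."""
    tf = parse_trapframe(trapframe_text)
    frames = parse_backtrace(backtrace_text)
    return {
        "trap": "page fault" if tf["tf_trapno"] == T_PAGEFLT else f"trap {tf['tf_trapno']}",
        "error": decode_pf_error(tf["tf_err"]),
        "eip": f"0x{tf['tf_eip']:08x}",
        "fault_in": locate_fault(tf, frames),
        "edi": tf["tf_edi"],               # rep movs destination register on i386
        "esi": f"0x{tf['tf_esi']:08x}",    # rep movs source register on i386
        "low_pointers": suspicious_pointers(frames),
    }


if __name__ == "__main__":
    for key, value in triage(TRAPFRAME, BACKTRACE).items():
        print(f"{key:13} {value}")
```

Run on the PR's own frames, the script reports a kernel-mode write to an unmapped page, resolves `tf_eip` to `generic_bcopy`, shows `tf_esi` equal to the `s` buffer and `tf_edi` equal to 0, and lists `sav=0x0` and `d=0x8` in `esp_3des_blockencrypt` as first-page pointers. That is consistent with the submitter's recollection of a write to location 0 and with `eva=0` in `trap_fatal`: the copy's destination was derived from a NULL pointer. Keeping a check like this in a crash-dump triage checklist lets an operator classify a panic as a NULL dereference without rebooting a production firewall to reproduce it.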