amd64/89261: IPSec always causes panics on amd64

infofarmer at gmail.com
Sat Nov 19 00:10:30 GMT 2005


>Number:         89261
>Category:       amd64
>Synopsis:       IPSec always causes panics on amd64
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 19 00:10:27 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Pantyukhin
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
This bug has been reproduced on 5.4-RELEASE, 6.0-RELEASE and 6.0-STABLE.

	
>Description:
	IPSec key management (setkey) always causes kernel panics
	
>How-To-Repeat:
	Add "options IPSEC" to GENERIC kernel and run "setkey -D"
	Adding other IPSEC options does not help at all.
	
>Fix:

	
Sorry about the acid formatting. I've done this with script(1)

--- ipsec.1.debug begins here ---
Script started on Sat Nov 19 02:43:19 2005
satsmb# kgdb kernel.debug /var/crash/vmcore.1 
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 9: general protection fault while in kernel mode
instruction pointer	= 0x8:0xffffffff804c5d4c
stack pointer	        = 0x10:0xffffffff967808a0
frame pointer	        = 0x10:0xa0
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 641 (setkey)
trap number		= 9
panic: general protection fault
Uptime: 3m11s
Dumping 511 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 511MB (130800 pages) 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:172
172		__asm __volatile("movq %%gs:0,%0" : "=r" (td));
(kgdb) backtrace
#0  doadump () at pcpu.h:172
#1  0x0000000000000004 in ?? ()
#2  0xffffffff803ba433 in boot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:399
#3  0xffffffff803baa36 in panic (fmt=0xffffff00152be720 "@\023°\025")
    at /usr/src/sys/kern/kern_shutdown.c:555
#4  0xffffffff805af57f in trap_fatal (frame=0xffffff00152be720, 
    eva=18446742974561784640) at /usr/src/sys/amd64/amd64/trap.c:655
#5  0xffffffff805afa22 in trap (frame=
      {tf_rdi = -1099013703168, tf_rsi = 4351, tf_rdx = 4351, tf_rcx = -281373226712833, tf_r8 = 0, tf_r9 = -1099156429024, tf_rax = -1770518320, tf_rbx = -1770518145, tf_rbp = 160, tf_r10 = -2139144832, tf_r11 = 1, tf_r12 = 0, tf_r13 = -1099151977264, tf_r14 = 0, tf_r15 = 0, tf_trapno = 9, tf_addr = 0, tf_flags = 4, tf_err = 0, tf_rip = -2142479028, tf_cs = 8, tf_rflags = 66051, tf_rsp = -1770518352, tf_ss = 16}) at /usr/src/sys/amd64/amd64/trap.c:467
#6  0xffffffff8059f0ab in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:168
#7  0xffffffff804c5d4c in keydb_newsecasvar ()
    at /usr/src/sys/netkey/keydb.c:177
#8  0x0000000000001041 in ?? ()
#9  0xffffff00178dc9b0 in ?? ()
#10 0xffffff00156fd4d0 in ?? ()
#11 0xffffff001dadba00 in ?? ()
#12 0x0000000000000000 in ?? ()
Previous frame identical to this frame (corrupt stack?)
(kgdb) up 7
#7  0xffffffff804c5d4c in keydb_newsecasvar ()
    at /usr/src/sys/netkey/keydb.c:177
177				if (q->id < said && said < TAILQ_NEXT(q, tailq)->id)
(kgdb) list
172			said++;
173		TAILQ_FOREACH(q, &satailq, tailq) {
174			if (q->id == said)
175				goto again;
176			if (TAILQ_NEXT(q, tailq)) {
177				if (q->id < said && said < TAILQ_NEXT(q, tailq)->id)
178					break;
179				if (q->id + 1 < TAILQ_NEXT(q, tailq)->id) {
180					said = q->id + 1;
181					break;
(kgdb) print q
$1 = (struct secasvar *) 0xffffffff9678097f
(kgdb) print q->id
$2 = 4351
(kgdb) print said
$3 = 0
(kgdb) print tailq
No symbol "tailq" in current context.
(kgdb) up
#8  0x0000000000001041 in ?? ()
(kgdb) up
#9  0xffffff00178dc9b0 in ?? ()
(kgdb) up
#10 0xffffff00156fd4d0 in ?? ()
(kgdb) up
#11 0xffffff001dadba00 in ?? ()
(kgdb) up
#12 0x0000000000000000 in ?? ()
(kgdb) up
Initial frame selected; you cannot go up.
(kgdb) quit
satsmb# ^Dexit

Script done on Sat Nov 19 02:48:28 2005
--- ipsec.1.debug ends here ---

I will welcome any requests for further investigations.
>Release-Note:
>Audit-Trail:
>Unformatted:
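The trap above faults at keydb.c:177, i.e. on the TAILQ_NEXT(q, tailq)->id read, with q = 0xffffffff9678097f. That value is odd (a struct secasvar on amd64 is 8-byte aligned) and sits 0xdf bytes above the stack pointer the trap printed (0xffffffff967808a0), so the TAILQ_FOREACH is following a link that does not point at a list node; the PR does not establish why. The block below is an added example, not code from the PR or from the FreeBSD kernel: it reimplements the SA-id selection loop shown by the kgdb "list" in userland with <sys/queue.h>, so the id-reuse logic can be exercised on a constructed list, and adds the alignment check that would reject the q value from the dump before dereferencing it. The loop body follows listing lines 172-181; the counter field, the zero-id check, the node allocation, the insert after the loop and all function names (sa_new, sa_list_sane, walk_is_sane_from, pick_with_seed) are assumptions of this example.

```c
/*
 * Userland model of the SA-id selection loop from the kgdb listing above
 * (netkey/keydb.c lines 172-181).  Added example, not the kernel code: the
 * loop body mirrors the listed lines; the counter, the zero-id check, node
 * allocation, insertion and the sanity check are assumptions made here.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

struct secasvar {
	uint32_t id;
	TAILQ_ENTRY(secasvar) tailq;
};
TAILQ_HEAD(sahead, secasvar);

struct sa_alloc {
	struct sahead list;	/* stands in for the kernel's satailq */
	uint32_t said;		/* stands in for the id counter (assumed static in the kernel) */
};

static void sa_init(struct sa_alloc *a, uint32_t seed)
{
	TAILQ_INIT(&a->list);
	a->said = seed;
}

/* Append a node with a known id (used to build a sorted list to test against). */
static struct secasvar *sa_append(struct sa_alloc *a, uint32_t id)
{
	struct secasvar *p = calloc(1, sizeof(*p));
	if (p == NULL)
		return NULL;
	p->id = id;
	TAILQ_INSERT_TAIL(&a->list, p, tailq);
	return p;
}

/* Pick the next SA id.  The TAILQ_FOREACH mirrors keydb.c 173-181 with the
 * counter living in *a; the said == 0 skip is an assumption.  Returns the id,
 * 0 on allocation failure.  The read that faults in the PR is
 * TAILQ_NEXT(q, tailq)->id with q not pointing at a secasvar. */
static uint32_t sa_new(struct sa_alloc *a)
{
	struct secasvar *p, *q;

	p = calloc(1, sizeof(*p));
	if (p == NULL)
		return 0;
again:
	a->said++;
	if (a->said == 0)	/* assumption: id 0 is never handed out */
		a->said++;
	TAILQ_FOREACH(q, &a->list, tailq) {
		if (q->id == a->said)
			goto again;
		if (TAILQ_NEXT(q, tailq)) {
			if (q->id < a->said && a->said < TAILQ_NEXT(q, tailq)->id)
				break;
			if (q->id + 1 < TAILQ_NEXT(q, tailq)->id) {
				a->said = q->id + 1;
				break;
			}
		}
	}
	p->id = a->said;
	if (q != NULL)
		TAILQ_INSERT_AFTER(&a->list, q, p, tailq);	/* keeps the list sorted */
	else
		TAILQ_INSERT_TAIL(&a->list, p, tailq);		/* walked off the end */
	return p->id;
}

static void sa_destroy(struct sa_alloc *a)
{
	struct secasvar *p;
	while ((p = TAILQ_FIRST(&a->list)) != NULL) {
		TAILQ_REMOVE(&a->list, p, tailq);
		free(p);
	}
}

/* Build a list from ids (ascending), seed the counter, return what sa_new() picks. */
static uint32_t pick_with_seed(const uint32_t *ids, size_t n, uint32_t seed)
{
	struct sa_alloc a;
	uint32_t got;
	size_t i;

	sa_init(&a, seed);
	for (i = 0; i < n; i++)
		sa_append(&a, ids[i]);
	got = sa_new(&a);
	sa_destroy(&a);
	return got;
}

/* Walk the list as TAILQ_FOREACH would, but refuse to dereference a link that
 * is not 8-byte aligned or a list longer than `limit`.  The q in the backtrace,
 * 0xffffffff9678097f, is odd, so it is rejected before any memory is touched;
 * an aligned garbage link would still be followed. */
static int sa_list_sane(const struct sahead *head, size_t limit)
{
	const struct secasvar *q;
	size_t n = 0;

	for (q = TAILQ_FIRST(head); q != NULL; q = TAILQ_NEXT(q, tailq)) {
		if (((uintptr_t)q & 7) != 0)
			return 0;
		if (++n > limit)
			return 0;
	}
	return 1;
}

/* Point an otherwise empty head at a raw address (e.g. the q kgdb printed) and
 * report whether the walk is sane.  Pass only 0 or an unaligned value: an
 * aligned non-null address would be dereferenced. */
static int walk_is_sane_from(uint64_t first)
{
	struct sahead head;
	TAILQ_INIT(&head);
	head.tqh_first = (struct secasvar *)(uintptr_t)first;
	return sa_list_sane(&head, 64);
}

int main(void)
{
	static const uint32_t ids[] = { 1, 2, 3, 5, 6 };	/* constructed input */
	struct sa_alloc a;
	struct secasvar *q;
	size_t i;

	sa_init(&a, 0);
	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		sa_append(&a, ids[i]);
	printf("picked %u (fills the gap between 3 and 5)\n", sa_new(&a));
	printf("picked %u (past the tail)\n", sa_new(&a));
	printf("list:");
	TAILQ_FOREACH(q, &a.list, tailq)
		printf(" %u", q->id);
	printf("\nsane=%d\n", sa_list_sane(&a.list, 64));
	printf("walk from 0xffffffff9678097f sane=%d\n",
	    walk_is_sane_from(0xffffffff9678097fULL));
	sa_destroy(&a);
	return 0;
}
```

With ids 1, 2, 3, 5, 6 and the counter at 0 the loop skips the taken ids and hands out 4, inserting it after 3; the next call runs off the tail and hands out 7. With ids 1 and 10 and the counter at 50 the second branch of the loop pulls the id back down to 2, which is why the list is kept sorted. The sanity walk is a debugging aid for a core like this one, not something the kernel does: it only catches the unaligned pointer seen in the dump.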

