amd64/95008: FAST_IPSEC kernel crash on amd64

Mats Palmgren mats.palmgren at bredband.net
Mon Mar 27 17:40:25 UTC 2006


>Number:         95008
>Category:       amd64
>Synopsis:       FAST_IPSEC kernel crash on amd64
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 27 17:40:22 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Mats Palmgren
>Release:        RELENG_6
>Organization:
>Environment:
>Description:
I think the problem is that ip4_input() is declared as a varargs function, but its caller encap4_input() does not know that: it calls ip4_input() through a non-varargs pr_input function pointer. In any case, fixing the signature fixed the crash.

Note that the last valid frame is "encap4_input()" below.


Fatal trap 1: privileged instruction fault while in kernel mode
instruction pointer     = 0x8:0xffffffff8049bfde
stack pointer           = 0x10:0xffffffff95817810
frame pointer           = 0x10:0xffffffff95817920
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: net)
trap number             = 1
panic: privileged instruction fault
KDB: stack backtrace:
panic() at panic+0x1d5
trap_fatal() at trap_fatal+0x298
trap() at trap+0x17b
calltrap() at calltrap+0x5
--- trap 0x1, rip = 0xffffffff8049bfde, rsp = 0xffffffff95817810, rbp =
0xffffffff95817920 ---
ipcomp_output_cb() at ipcomp_output_cb+0x1ee
encap4_input() at encap4_input+0x1e9
ip_input() at ip_input+0x5cb
netisr_processqueue() at netisr_processqueue+0x78
swi_net() at swi_net+0x138
ithread_loop() at ithread_loop+0x162
fork_exit() at fork_exit+0x86
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffffff95817d00, rbp = 0 ---
Uptime: 8h6m26s
Dumping 511 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 511MB (130800 pages) 495 479 463 447 431 415 399 383 367 351 335 319
303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:172
172     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:172
#1  0xffffffff803b330d in boot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff803b3977 in panic (fmt=0xffffff001ed45be0 "@C�036") at
/usr/src/sys/kern/kern_shutdown.c:555
#3  0xffffffff8054f678 in trap_fatal (frame=0x1, eva=18446742974715157472) at
/usr/src/sys/amd64/amd64/trap.c:660
#4  0xffffffff8054fbcb in trap (frame=
      {tf_rdi = -1099138710528, tf_rsi = -2142650404, tf_rdx = -1786677168,
tf_rcx = -1786676944, tf_r8 = 640, tf_r9 = 160, tf_rax = -1099009056191, tf_rbx
= -1786676993, tf_rbp = -1786676960, tf_r10 = -1098994394144, tf_r11 = 224,
tf_r12 = -1099138710528, tf_r13 = 20, tf_r14 = -1786676672, tf_r15 =
-1099000037952, tf_trapno = 1, tf_addr = 0, tf_flags = 942615917012933828,
tf_err = 0, tf_rip = -2142650402, tf_cs = 8, tf_rflags = 68227, tf_rsp =
-1786677216, tf_ss = 16}) at
/usr/src/sys/amd64/amd64/trap.c:469
#5  0xffffffff8053d94b in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:168
#6  0xffffffff8049bfde in ipcomp_output_cb (crp=0xffffff001e7e3dc0) at
/usr/src/sys/netipsec/xform_ipcomp.c:599
#7  0xffffffff80468f59 in encap4_input (m=0xffffffff80770340, off=372917248) at
/usr/src/sys/netinet/ip_encap.c:214
#8  0xffffffff8046cf9b in ip_input (m=0xffffff00163a4400) at
/usr/src/sys/netinet/ip_input.c:1073
#9  0xffffffff8043cfd8 in netisr_processqueue (ni=0xffffffff807de0d0) at
/usr/src/sys/net/netisr.c:236
#10 0xffffffff8043d298 in swi_net (dummy=0xffffff00163a4400) at
/usr/src/sys/net/netisr.c:349
#11 0xffffffff80398fa2 in ithread_loop (arg=0xffffff000001e080) at
/usr/src/sys/kern/kern_intr.c:672
#12 0xffffffff80397a96 in fork_exit (callout=0xffffffff80398e40 <ithread_loop>,
arg=0xffffff000001e080, frame=0xffffffff95817c50)
    at /usr/src/sys/kern/kern_fork.c:789
#13 0xffffffff8053dcae in fork_trampoline () at
/usr/src/sys/amd64/amd64/exception.S:394
#14 0x0000000000000000 in ?? ()
Previous frame identical to this frame (corrupt stack?)
(kgdb) fr 7
#7  0xffffffff80468f59 in encap4_input (m=0xffffffff80770340, off=372917248) at
/usr/src/sys/netinet/ip_encap.c:214
214                             (*psw->pr_input)(m, off);


>How-To-Repeat:
Build a custom kernel with FAST_IPSEC enabled for amd64.
Set up a VPN and send a packet to or from the amd64 box through the tunnel.

>Fix:
Index: sys/netipsec/xform.h
===================================================================
RCS file: /cvs/cvsroot/project/imos/src/sys/netipsec/xform.h,v
retrieving revision 1.2
diff -8 -p -u -r1.2 xform.h
--- sys/netipsec/xform.h	9 Feb 2006 12:16:16 -0000	1.2
+++ sys/netipsec/xform.h	25 Mar 2006 05:19:42 -0000
@@ -101,17 +101,17 @@ struct xformsw {
 #ifdef _KERNEL
 extern void xform_register(struct xformsw*);
 extern int xform_init(struct secasvar *sav, int xftype);
 
 struct cryptoini;
 
 /* XF_IP4 */
 extern	int ip4_input6(struct mbuf **m, int *offp, int proto);
-extern	void ip4_input(struct mbuf *m, ...);
+extern	void ip4_input(struct mbuf *m, int);
 extern	int ipip_output(struct mbuf *, struct ipsecrequest *,
 			struct mbuf **, int, int);
 
 /* XF_AH */
 extern int ah_init0(struct secasvar *, struct xformsw *, struct cryptoini *);
 extern int ah_zeroize(struct secasvar *sav);
 extern struct auth_hash *ah_algorithm_lookup(int alg);
 extern size_t ah_hdrsiz(struct secasvar *);
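Review bot: The second parameter of the new prototype on the `+extern void ip4_input(...)` line is unnamed while the first is `m` and the definition in xform_ipip.c calls it `iphlen`; keeping parameter names in prototypes is the convention elsewhere in this header (`ip4_input6`, `xform_init`). The prototype is also now the only thing that ties ip4_input to the `pr_input_t` shape expected by the protosw it is installed in, so that contract is worth stating next to it. I would write `extern	void ip4_input(struct mbuf *m, int iphlen);	/* pr_input_t: installed as ipe4_protosw.pr_input */`.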
Index: sys/netipsec/xform_ipip.c
===================================================================
RCS file: /cvs/cvsroot/project/imos/src/sys/netipsec/xform_ipip.c,v
retrieving revision 1.2
diff -8 -p -u -r1.2 xform_ipip.c
--- sys/netipsec/xform_ipip.c	5 Dec 2005 19:59:03 -0000	1.2
+++ sys/netipsec/xform_ipip.c	25 Mar 2006 05:48:41 -0000
@@ -124,34 +124,27 @@ ip4_input6(struct mbuf **m, int *offp, i
 }
 #endif /* INET6 */
 
 #ifdef INET
 /*
  * Really only a wrapper for ipip_input(), for use with IPv4.
  */
 void
-ip4_input(struct mbuf *m, ...)
+ip4_input(struct mbuf *m, int iphlen)
 {
-	va_list ap;
-	int iphlen;
-
 #if 0
 	/* If we do not accept IP-in-IP explicitly, drop.  */
 	if (!ipip_allow && (m->m_flags & M_IPSEC) == 0) {
 		DPRINTF(("%s: dropped due to policy\n", __func__));
 		ipipstat.ipips_pdrops++;
 		m_freem(m);
 		return;
 	}
 #endif
-	va_start(ap, m);
-	iphlen = va_arg(ap, int);
-	va_end(ap);
-
 	_ipip_input(m, iphlen, NULL);
 }
 #endif /* INET */
 
 /*
  * ipip_input gets called when we receive an IP{46} encapsulated packet,
  * either because we got it at a real interface, or because AH or ESP
  * were being used in tunnel mode (in which case the rcvif element will
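Review bot: The wrapper comment above ip4_input() should now record that its signature is pinned by `pr_input_t`, since the function is stored as `ipe4_protosw.pr_input` and called through that pointer by encap4_input() (`(*psw->pr_input)(m, off)` in the backtrace); the old varargs form was reachable only because a cast hid the mismatch, and calling a variadic function through a non-variadic pointer is undefined behaviour, which presumably is why the amd64 build faulted where i386 did not. I would extend the block comment to: `Really only a wrapper for ipip_input(), for use with IPv4. The (struct mbuf *, int) signature must match pr_input_t: this is installed as ipe4_protosw.pr_input and invoked through that pointer, so do not change it or cast it.` With `va_start`/`va_arg` gone, if the file includes a stdarg header only for this function (the include block is outside the hunk), that include can presumably be dropped as well.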
@@ -633,34 +626,34 @@ ipe4_input(struct mbuf *m, struct secasv
 }
 
 static struct xformsw ipe4_xformsw = {
 	XF_IP4,		0,		"IPv4 Simple Encapsulation",
 	ipe4_init,	ipe4_zeroize,	ipe4_input,	ipip_output,
 };
 
 extern struct domain inetdomain;
-static struct ipprotosw ipe4_protosw[] = {
+static struct protosw ipe4_protosw =
 { SOCK_RAW,	&inetdomain,	IPPROTO_IPV4,	PR_ATOMIC|PR_ADDR|PR_LASTHDR,
-  (pr_in_input_t*) ip4_input,
+  ip4_input,
 		0, 		0,		rip_ctloutput,
   0,
   0,		0,		0,		0,
   &rip_usrreqs
-},
+};
 #ifdef INET6
+static struct ip6protosw ipe6_protosw =
 { SOCK_RAW,	&inetdomain,	IPPROTO_IPV6,	PR_ATOMIC|PR_ADDR|PR_LASTHDR,
-  (pr_in_input_t*) ip4_input,
+  ip4_input6,
 		0,	 	0,		rip_ctloutput,
   0,
   0,		0,		0,		0,
   &rip_usrreqs
-}
-#endif
 };
+#endif
 
 /*
  * Check the encapsulated packet to see if we want it
  */
 static int
 ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
 {
 	/*
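Review bot: The two new protosw objects still use positional initializers across fourteen fields, most of them `0`, so the reader has to count columns to see that `ip4_input` and `ip4_input6` land in `pr_input` and that `rip_ctloutput` lands in `pr_ctloutput`; designated initializers bind each function pointer by name and make the next field-order or field-count change a compile error rather than a silently shifted pointer. It is also worth a comment that the `(pr_in_input_t*)` cast was deliberately dropped, because that cast is what previously let a varargs function be stored in a non-varargs slot; without it the compiler checks `ip4_input` against `pr_input_t` itself. Rewritten `ipe4_protosw` is below; `ipe6_protosw` under `#ifdef INET6` gets the same treatment with `ip4_input6`.
```c
static struct protosw ipe4_protosw = {
	.pr_type	= SOCK_RAW,
	.pr_domain	= &inetdomain,
	.pr_protocol	= IPPROTO_IPV4,
	.pr_flags	= PR_ATOMIC|PR_ADDR|PR_LASTHDR,
	.pr_input	= ip4_input,	/* no cast: must type-check against pr_input_t */
	.pr_ctloutput	= rip_ctloutput,
	.pr_usrreqs	= &rip_usrreqs,
};
/* … ipe6_protosw: same form under #ifdef INET6, with .pr_input = ip4_input6 … */
```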
@@ -674,16 +667,16 @@ ipe4_encapcheck(const struct mbuf *m, in
 
 static void
 ipe4_attach(void)
 {
 	xform_register(&ipe4_xformsw);
 	/* attach to encapsulation framework */
 	/* XXX save return cookie for detach on module remove */
 	(void) encap_attach_func(AF_INET, -1,
-		ipe4_encapcheck, (struct protosw*) &ipe4_protosw[0], NULL);
+		ipe4_encapcheck, &ipe4_protosw, NULL);
 #ifdef INET6
 	(void) encap_attach_func(AF_INET6, -1,
-		ipe4_encapcheck, (struct protosw*) &ipe4_protosw[1], NULL);
+		ipe4_encapcheck, (struct protosw*) &ipe6_protosw, NULL);
 #endif
 }
 SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
 #endif	/* FAST_IPSEC */
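Review bot: The `(struct protosw*) &ipe6_protosw` cast on the INET6 call is now the one remaining place in this file where a protosw type mismatch is hidden from the compiler, which is the same class of cast that masked the original crash; it needs a comment saying why it is safe here. Presumably encap_attach_func() only stores the pointer and the IPv6 input path casts it back to `struct ip6protosw *` before calling `pr_input`, but that is not visible in this diff and should be confirmed against ip_encap.c. I would write above the call: `/* encap_attach_func() takes a protosw; the INET6 input path casts it back to ip6protosw before use. */`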

>Release-Note:
>Audit-Trail:
>Unformatted:

