misc/123066: kernel trap with ipsec

Mihail msaf1980 at rambler.ru
Fri Apr 25 04:20:02 UTC 2008


>Number:         123066
>Category:       misc
>Synopsis:       kernel trap with ipsec
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 25 04:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Mihail
>Release:        7.0
>Organization:
>Environment:
7.0-RELEASE-p1
>Description:
I get a kernel trap with IPSEC when I use ping with size > 3000 bytes over an IPSEC tunnel with a D-Link DI-804HV router, like

ping -s 4000 -S 192.168.241.160 192.168.200.6


Local Subnet is 192.168.241.0/24
Remote Subnet is 192.168.200.0/29

/etc/ipsec.conf

spdflush;
spdadd 192.168.241.0/24 192.168.200.0/29 any -P out ipsec esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require;
spdadd 192.168.200.0/29 192.168.241.0/24 any -P in ipsec esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require;

Kernel config is similar to GENERIC with options

options         NETGRAPH
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         DUMMYNET
options         HZ=1000
options         MROUTING

device crypto

options         IPSEC
options         IPSEC_DEBUG

Kernel dump 

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xd7d6d5e8
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc0a952f6
stack pointer           = 0x28:0xc884e974
frame pointer           = 0x28:0xc884e9d8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 864 (ping)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 2m36s
Physical memory: 115 MB
Dumping 30 MB: 15


(kgdb) list *0xc0a952f6
0xc0a952f6 is at /usr/src/sys/i386/i386/support.s:499.
494     cmpl    %ecx,%eax                       /* overlapping && src < dst? */
495     jb      1f
496
497     shrl    $2,%ecx                         /* copy by 32-bit words */
498     cld                                     /* nope, copy forwards */
499     rep
500     movsl
501     movl    20(%esp),%ecx
502     andl    $3,%ecx                         /* any bytes left? */
503     rep


(kgdb) backtrace
#0  doadump () at pcpu.h:195
#1  0xc075df57 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc075e219 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:563
#3  0xc0a9766c in trap_fatal (frame=0xc884e934, eva=3621180904)
    at /usr/src/sys/i386/i386/trap.c:899
#4  0xc0a978f0 in trap_pfault (frame=0xc884e934, usermode=0, eva=3621180904)
    at /usr/src/sys/i386/i386/trap.c:812
#5  0xc0a9829c in trap (frame=0xc884e934) at /usr/src/sys/i386/i386/trap.c:490
#6  0xc0a7e21b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc0a952f6 in generic_bcopy () at /usr/src/sys/i386/i386/support.s:498
Previous frame inner to this frame (corrupt stack?)

>How-To-Repeat:
permanently
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

