[PATCH] IPSec fixes

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Fri Jan 16 01:31:56 PST 2004 

On Fri, 16 Jan 2004, Hajimu UMEMOTO wrote:

Hi,

> Do you mean that following patch itojun offered doesn't help for you?

I never applied it as going through the code showed that it will not
do the right thing(TM). See older mail.

> It seems fix the problem here.

ahh - this isn't exactly the diff itojun offered.
the newsp->refcnt++; is missing. Is it also missing in your kernel ?

I am currently offsite but could you please try to add this
- shouldn't give too much debugging output; depending on number of
  SPs ypu have - do some setkey spdadd and sdpflush and
restart your ike daemon possibly running and mail me the output ?

> Index: sys/netkey/key.c
> diff -up sys/netkey/key.c.orig sys/netkey/key.c
> --- sys/netkey/key.c.orig	Fri Jan 16 17:06:26 2004
> +++ sys/netkey/key.c	Fri Jan 16 17:07:38 2004
> @@ -1958,7 +1958,6 @@ key_spdadd(so, m, mhp)
>  	newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0;
>  	newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0;
>
> -	newsp->refcnt = 1;	/* do not reclaim until I say I do */
>  	newsp->state = IPSEC_SPSTATE_ALIVE;
>  	LIST_INSERT_TAIL(&sptree[newsp->dir], newsp, secpolicy, chain);
>
> @@ -7591,9 +7590,10 @@ key_sp_unlink(sp)
>  {
>
>  	/* remove from SP index */
> -	if (__LIST_CHAINED(sp))
> +	if (__LIST_CHAINED(sp)) {
>  		LIST_REMOVE(sp, chain);
> -	key_freesp(sp);
+		/* you should only see this once */
+		printf("%s:%d key_sp_unlink(%p) called\n",
+				__func__, __LINE__, sp);
+		printf("+ id=%u, refcnt=%d\n", sp->id, sp->refcnt);
+		printf("+ le_next=%p, le_prev=%p\n",
+				sp->chain.le_next, sp->chain.le_prev);
> +		key_freesp(sp);
> +	}
+       else {
+		/* you should never see this */
+		printf("%s:%d key_sp_unlink(%p) called another time\n",
+				__func__, __LINE__, sp);
+		printf("+ id=%u, refcnt=%d\n", sp->id, sp->refcnt);
+		printf("+ le_next=%p, le_prev=%p\n",
+				sp->chain.le_next, sp->chain.le_prev);
+       }
>  }
>
>  /* XXX too much? */


PS: do you have other patches in your local tree that are not yet
in HEAD ? I got another patch from you once in Nov or Dec but I think
it was renaming functions and passing pcb instead of so only (removing
some unnecessary function calls) [more like FATS_IPSEC]. I have a more
improved version of this in my private patchset but currently
suspended while debugging.

-- 
Greetings

Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
56 69 73 69 74				http://www.zabbadoz.net/

More information about the freebsd-current mailing list