Enabling IPSec panics stable/9 (runs OK on stable/8)

Attila Nagy bra at fsn.hu
Wed Jan 4 15:17:44 UTC 2012


   Hi,
   On 01/04/12 15:51, VANHULLEBUS Yvan wrote:

   I've just upgraded an 8-STABLE box to 9-STABLE (well, just a few commits
   before it has been tagged as STABLE), which runs from NFS (pxebooted).
   It has some IPSec config in ipsec.conf, like this for several boxes:
   add 172.28.16.4 172.16.248.2 ah 15704 -A hmac-md5 "asdfgh";
   add 172.16.248.2 172.28.16.4 ah 24504 -A hmac-md5 "asdfgh";
   add 172.28.16.4 172.16.248.2 esp 15705 -E blowfish-cbc "hgfdsa";
   add 172.16.248.2 172.28.16.4 esp 24505 -E blowfish-cbc "hgfdsa";
   spdadd 172.28.16.4 172.16.248.2 any -P out ipsec
              esp/transport/172.28.16.4-172.16.248.2/default
              ah/transport/172.28.16.4-172.16.248.2/default;

There is probably nothing related to the crash, but do you really use
static IPsec without IKE keying ????

   Yes. :)
   It runs on an intranet, but there's a need to encrypt traffic.



[....]

   kgdb says:
   (kgdb) bt
   #0  doadump (textdump=1) at /data/usr/src/sys/kern/kern_shutdown.c:260
   #1  0xffffffff80845705 in kern_reboot (howto=260)
       at /data/usr/src/sys/kern/kern_shutdown.c:442
   #2  0xffffffff80845bb1 in panic (fmt=Variable "fmt" is not available.
   )
       at /data/usr/src/sys/kern/kern_shutdown.c:607
   #3  0xffffffff80b167a0 in trap_fatal (frame=0xc, eva=Variable "eva" is
   not available.
   )
       at /data/usr/src/sys/amd64/amd64/trap.c:819
   #4  0xffffffff80b16ae9 in trap_pfault (frame=0xffffff80002cd2a0,
   usermode=0)
       at /data/usr/src/sys/amd64/amd64/trap.c:735
   #5  0xffffffff80b16faf in trap (frame=0xffffff80002cd2a0)
       at /data/usr/src/sys/amd64/amd64/trap.c:474
   #6  0xffffffff80b012ef in calltrap ()
       at /data/usr/src/sys/amd64/amd64/exception.S:228
   #7  0xffffffff809bf779 in ipsec_process_done (m=0xfffffe000c7c7a00,
       isr=0xfffffe001bf54380) at
   /data/usr/src/sys/netipsec/ipsec_output.c:170

Here seems to be the problem....
Can you do the following (in this order) in kgdb:
frame 7
p saidx
p *saidx

   (kgdb) frame 7
   #7  0xffffffff809bf779 in ipsec_process_done (m=0xfffffe000c7c7a00,
       isr=0xfffffe001bf54380) at
   /data/usr/src/sys/netipsec/ipsec_output.c:170
   170                     switch (saidx->dst.sa.sa_family) {
   (kgdb) p saidx
   No symbol "saidx" in current context.


The latest will probably generate an error, as (if you have the exact
same ipsec_output.c as I have from HEAD) saidx will probably have an
invalid address.

   I have the same as in HEAD.



[...]

   8-STABLE runs fine with the same config.

Strange.... I'll review changes in IPsec stack which have been done in
STABLE/9 and not backported to STABLE/8.....

   Oh, sorry, not quite an up-to-date 8-STABLE, it's from Sat May 21
   22:05:26 CEST 2011 (csup'd some hours earlier).
   Should I check with a more recent version? Does that help?
   Thanks for helping.

