Enabling IPSec panics stable/9 (runs OK on stable/8)

VANHULLEBUS Yvan vanhu at FreeBSD.org
Thu Jan 5 10:37:26 UTC 2012


On Thu, Jan 05, 2012 at 11:20:48AM +0100, Attila Nagy wrote:
> On 01/04/12 17:31, VANHULLEBUS Yvan wrote:
[....]
> >Could you check that you are running a correct debug kernel ?
> The kernel config is GENERIC, plus some, so it contains DEBUG=-g 
> makeoptions.

Ok.


[....]
> (kgdb) frame 7
> #7  0xffffffff809bf779 in ipsec_process_done (m=0xfffffe001977a600,
>     isr=0xfffffe019eb96480) at 
> /data/usr/src/sys/netipsec/ipsec_output.c:170
> 170                     switch (saidx->dst.sa.sa_family) {
> (kgdb) p saidx
> No symbol "saidx" in current context.
> 
> BTW in the same frame:
> (kgdb) p tdbi
> $1 = (struct tdb_ident *) 0xfffffe017ce5e418
> (kgdb) p mtag
> $2 = (struct m_tag *) 0xfffffe017ce5e400
> (kgdb) p isr
> $3 = (struct ipsecrequest *) 0xfffffe019eb96480

Strange..... may be related to some kind of code optimization....

As the line juste before is:
saidx = &sav->sah->saidx;

Could you show the value of &sav->sah->saidx ?
And also check if kgdb can print sav->sah->saidx (without the &) ?



> >>Strange.... I'll review changes in IPsec stack which have been done in
> >>STABLE/9 and not backported to STABLE/8.....
> >>
> >>    Oh, sorry, not quite an up-to-date 8-STABLE, it's from Sat May 21
> >>    22:05:26 CEST 2011 (csup'd some hours earlier).
> >>    Should I check with a more recent version? Does that help?
> >>    Thanks for helping.
> >
> >Yes, this may help if you try with a most recent 8-STABLE: I don't
> >remember exactly what, but I'm quite sure there have been some IPsec
> >related commits on stable/8 between that date and now !
> I will try it.

Ok.


To help you having a quick workaround, do you really need ESP+AH ?
Most of the time, people who configure ESP+AH just needs in fact ESP
with optional data authentication.

And the crash occurs in some part of the code which deals with
encapsulation in encapsulation.

This also may explains why I never saw that crash......


Yvan.



More information about the freebsd-stable mailing list