From owner-freebsd-bugs@freebsd.org Fri Dec 25 04:18:08 2015 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7424DA5009D for ; Fri, 25 Dec 2015 04:18:08 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 58E461F24 for ; Fri, 25 Dec 2015 04:18:08 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id tBP4I84F012803 for ; Fri, 25 Dec 2015 04:18:08 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 205592] TCP processing in IPSec causes kernel panic Date: Fri, 25 Dec 2015 04:18:08 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.2-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: andrew@rinet.ru X-Bugzilla-Status: New X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Dec 2015 04:18:08 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205592 Bug ID: 205592 Summary: TCP processing in IPSec causes kernel panic Product: Base System Version: 10.2-RELEASE Hardware: amd64 OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: andrew@rinet.ru I'm trying to set up IPSec tunnel via D-Link hardware router and FreeBSD v10.2-p6 running as Xen PVHVM guest. Tunnel itself establishes correctly, and traffic passes back and forth unless it is not a TCP traffic -- i.e. DNS over the tunnel works perfect, but attempt to use, f.e, ssh causes kernel panic. Post-mortem dump backtrace shows: === (kgdb) bt #0 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:263 #1 0xffffffff809b14aa in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:451 #2 0xffffffff809b1e8c in vpanic (fmt=0xffffffff8116770a "m_copydata, offset > size of mbuf chain", ap=0xfffffe0230631070) at /usr/src/sys/kern/kern_shutdown.c:758 #3 0xffffffff809b1969 in kassert_panic (fmt=0xffffffff8116770a "m_copydata, offset > size of mbuf chain") at /usr/src/sys/kern/kern_shutdown.c:646 #4 0xffffffff80a70e1c in m_copydata (m=0x0, off=21, len=3, cp=0xfffffe02306311f5 "") at /usr/src/sys/kern/uipc_mbuf.c:878 #5 0xffffffff80ceb488 in esp_input_cb (crp=0x0) at /usr/src/sys/netipsec/xform_esp.c:600 #6 0xffffffff80d0659b in crypto_done (crp=0xfffff8017a4b6bb0) at /usr/src/sys/opencrypto/crypto.c:1156 #7 0xffffffff80d094a8 in swcr_process (dev=0xfffff80005313b00, crp=0xfffff8017a4b6bb0, hint=0) at /usr/src/sys/opencrypto/cryptosoft.c:1054 #8 0xffffffff80d082b5 in CRYPTODEV_PROCESS (dev=0xfffff80005313b00, op=0xfffff8017a4b6bb0, flags=0) at cryptodev_if.h:53 #9 0xffffffff80d05e89 in crypto_invoke (cap=0xfffff80003fbd200, crp=0xfffff8017a4b6bb0, hint=0) at /usr/src/sys/opencrypto/crypto.c:1045 #10 0xffffffff80d05b9c in crypto_dispatch (crp=0xfffff8017a4b6bb0) at /usr/src/sys/opencrypto/crypto.c:806 #11 0xffffffff80ce9a18 in esp_input (m=0xfffff80135558200, sav=0xfffff801ed67d500, skip=20, protoff=9) at /usr/src/sys/netipsec/xform_esp.c:447 #12 0xffffffff80cc6d04 in ipsec_common_input (m=0xfffff80135558200, skip=20, protoff=9, af=2, sproto=50) at /usr/src/sys/netipsec/ipsec_input.c:231 #13 0xffffffff80cc63b6 in ipsec4_common_input (m=0xfffff80135558200) at /usr/src/sys/netipsec/ipsec_input.c:251 #14 0xffffffff80cc6e06 in esp4_input (m=0xfffff80135558200, off=20) at /usr/src/sys/netipsec/ipsec_input.c:271 #15 0xffffffff80b63630 in ip_input (m=0xfffff80135558200) at /usr/src/sys/netinet/ip_input.c:734 #16 0xffffffff80b18e2f in netisr_dispatch_src (proto=1, source=0, m=0xfffff80135558200) at /usr/src/sys/net/netisr.c:976 #17 0xffffffff80b193ff in netisr_dispatch (proto=1, m=0xfffff80135558200) at /usr/src/sys/net/netisr.c:1067 #18 0xffffffff80b06fe7 in ether_demux (ifp=0xfffff80005ec1800, m=0xfffff80135558200) at /usr/src/sys/net/if_ethersubr.c:851 #19 0xffffffff80b09168 in ether_input_internal (ifp=0xfffff80005ec1800, m=0xfffff80135558200) at /usr/src/sys/net/if_ethersubr.c:646 #20 0xffffffff80b0859d in ether_nh_input (m=0xfffff80135558200) at /usr/src/sys/net/if_ethersubr.c:658 #21 0xffffffff80b18e2f in netisr_dispatch_src (proto=9, source=0, m=0xfffff80135558200) at /usr/src/sys/net/netisr.c:976 #22 0xffffffff80b193ff in netisr_dispatch (proto=9, m=0xfffff80135558200) at /usr/src/sys/net/netisr.c:1067 #23 0xffffffff80b07583 in ether_input (ifp=0xfffff80005ec1800, m=0xfffff80135558200) at /usr/src/sys/net/if_ethersubr.c:716 #24 0xffffffff807d5fb0 in xn_rxeof (np=0xfffffe00026c0000) at /usr/src/sys/dev/xen/netfront/netfront.c:1077 #25 0xffffffff807d5b46 in xn_intr (xsc=0xfffffe00026c0000) at /usr/src/sys/dev/xen/netfront/netfront.c:1219 #26 0xffffffff80959c83 in intr_event_execute_handlers (p=0xfffff800052019d0, ie=0xfffff80005ed4e00) at /usr/src/sys/kern/kern_intr.c:1264 #27 0xffffffff8095ae7e in ithread_execute_handlers (p=0xfffff800052019d0, ie=0xfffff80005ed4e00) at /usr/src/sys/kern/kern_intr.c:1277 #28 0xffffffff8095ace2 in ithread_loop (arg=0xfffff80005ecb700) at /usr/src/sys/kern/kern_intr.c:1361 #29 0xffffffff80955610 in fork_exit (callout=0xffffffff8095abe0 , arg=0xfffff80005ecb700, frame=0xfffffe0230631c00) at /usr/src/sys/kern/kern_fork.c:1018 #30 0xffffffff80f746ee in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:611 #31 0x0000000000000000 in ?? () === ... that it is a NULL pointer dereference in m_copydata() called with NULL mbuf pointer form esp_input_cb(). -- You are receiving this mail because: You are the assignee for the bug.