Date: Fri, 13 Nov 2015 08:48:13 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 204437] 10.2 STABLE Crashing with IPSec Support
Message-ID: <bug-204437-2472-51Tiw74ymv@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-204437-2472@https.bugs.freebsd.org/bugzilla/>
References: <bug-204437-2472@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204437

emeric.poupon@stormshield.eu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emeric.poupon@stormshield.eu

--- Comment #5 from emeric.poupon@stormshield.eu ---
Hello,

it seems we have the very same issue here.

Here is the backtrace:

(kgdb) bt
#0  doadump (textdump=<value optimized out>) at pcpu.h:237
#1  0xffffffff8044b9d2 in kern_reboot (howto=260) at ../../../kern/kern_shutdown.c:464
#2  0xffffffff8044bf3c in panic (fmt=0x104 <Address 0x104 out of bounds>) at ../../../kern/kern_shutdown.c:745
#3  0xffffffff80656a4d in trap_fatal (frame=0xfffffe0001c194a8, eva=<value optimized out>) at ../../../amd64/amd64/trap.c:878
#4  0xffffffff80656d68 in trap_pfault (frame=0xffffff8000ec1760, usermode=0) at ../../../amd64/amd64/trap.c:794
#5  0xffffffff8065710c in trap (frame=0xffffff8000ec1760) at ../../../amd64/amd64/trap.c:456
#6  0xffffffff80640cff in calltrap () at ../../../amd64/amd64/exception.S:232
#7  0xffffffff805b48d1 in ipsec_getpolicybysock (m=0xfffffe005fd0da00, dir=1, inp=0xfffffe00c26e9320, error=0xffffff8000ec186c) at ../../../netipsec/ipsec.c:328
#8  0xffffffff805b5664 in ipsec46_in_reject (m=0xfffffe005fd0da00, inp=<value optimized out>) at ../../../netipsec/ipsec.c:1291
#9  0xffffffff805b5ba9 in ipsec4_in_reject (m=<value optimized out>, inp=<value optimized out>) at ../../../netipsec/ipsec.c:1313
#10 0xffffffff8056b4d1 in tcp_input (m=0xfffffe005fd0da00, off0=20) at ../../../netinet/tcp_input.c:944
#11 0xffffffff8055e7a2 in ip_input (m=0xfffffe005fd0da00) at ../../../netinet/ip_input.c:1103
#12 0xffffffff80519393 in swi_net (arg=<value optimized out>) at ../../../net/netisr.c:807
#13 0xffffffff8042349d in intr_event_execute_handlers (p=<value optimized out>, ie=0xfffffe005f598200) at ../../../kern/kern_intr.c:1272
#14 0xffffffff80424c8d in ithread_loop (arg=0xfffffe005f530880) at ../../../kern/kern_intr.c:1285
#15 0xffffffff8042064f in fork_exit (callout=0xffffffff80424bf0 <ithread_loop>, arg=0xfffffe005f530880, frame=0xffffff8000ec1c40) at ../../../kern/kern_fork.c:996
#16 0xffffffff8064122e in fork_trampoline () at ../../../amd64/amd64/exception.S:606
#17 0x0000000000000000 in ?? ()

(kgdb) p *inp
$1 = {
  inp_hash = {
    le_next = 0x0,
    le_prev = 0xffffff805d4c92e0
  },
  inp_pcbgrouphash = {
    le_next = 0x0,
    le_prev = 0x0
  },
  inp_list = {
    le_next = 0xfffffe00c29024b0,
    le_prev = 0xfffffe00cb627340
  },
  inp_ppcb = 0x0,
  inp_pcbinfo = 0xffffffff80c9a3c0,
  inp_pcbgroup = 0x0,
  inp_pcbgroup_wild = {
    le_next = 0x0,
    le_prev = 0x0
  },
  inp_socket = 0x0,
  inp_cred = 0xfffffe00cb880100,
  inp_flow = 0,
  inp_flags = 75497472,
  inp_flags2 = 16,
  inp_vflag = 0 '\0',
  inp_ip_ttl = 64 '@',
  inp_ip_p = 0 '\0',
  inp_ip_minttl = 0 '\0',
  inp_flowid = 0,
  inp_refcount = 1,
  inp_pspare = {0x0, 0x0, 0x0, 0x0, 0x0},
  inp_ispare = {0, 0, 0, 0, 0, 0},
  inp_ro_dst = {
    s_addr = 0
  },
  inp_inc = {
    inc_flags = 0 '\0',
    inc_len = 0 '\0',
    inc_fibnum = 0,
    inc_ie = {
      ie_fport = 51153,
      ie_lport = 36895,
      ie_dependfaddr = {
        ie46_foreign = {
          ia46_pad32 = {0, 0, 0},
          ia46_addr4 = {
            s_addr = 536939018
          }
---Type <return> to continue, or q <return> to quit---
        },
        ie6_foreign = {
          __u6_addr = {
            __u6_addr8 = '\0' <repeats 12 times>, "\n\n\001 ",
            __u6_addr16 = {0, 0, 0, 0, 0, 0, 2570, 8193},
            __u6_addr32 = {0, 0, 0, 536939018}
          }
        }
      },
      ie_dependladdr = {
        ie46_local = {
          ia46_pad32 = {0, 0, 0},
          ia46_addr4 = {
            s_addr = 33554559
          }
        },
        ie6_local = {
          __u6_addr = {
            __u6_addr8 = '\0' <repeats 12 times>, "\177\000\000\002",
            __u6_addr16 = {0, 0, 0, 0, 0, 0, 127, 512},
            __u6_addr32 = {0, 0, 0, 33554559}
          }
        }
      }
    }
  },
  inp_label = 0x0,
  inp_sp = 0x0,
  inp_depend4 = {
    inp4_ip_tos = 0 '\0',
    inp4_options = 0x0,
    inp4_moptions = 0x0
  },
  inp_depend6 = {
    inp6_options = 0x0,
    inp6_outputopts = 0x0,
    inp6_moptions = 0x0,
    inp6_icmp6filt = 0x0,
    inp6_cksum = 0,
    inp6_hops = 0
  },
  inp_portlist = {
    le_next = 0xfffffe00c27644b0,
    le_prev = 0xfffffe00cb1bd010
  },
  inp_phd = 0xfffffe00cb1bd000,
  inp_gencnt = 560249,
  inp_lle = 0x0,
  inp_rt = 0x0,
---Type <return> to continue, or q <return> to quit---
  inp_lock = {
    lock_object = {
      lo_name = 0xffffffff8071866f "tcpinp",
      lo_flags = 90898432,
      lo_data = 0,
      lo_witness = 0x0
    },
    rw_lock = 18446741876286327076
  }
}
(kgdb)

Looks like the inp struct has been freed (inp_flags2 = 16), but the struct is still referenced somewhere (refcnt = 1)

What do you think?

-- 
You are receiving this mail because:
You are the assignee for the bug.