Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 5 Jan 2012 11:37:23 +0100
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        Attila Nagy <bra@fsn.hu>
Cc:        stable@freebsd.org
Subject:   Re:  Enabling IPSec panics stable/9 (runs OK on stable/8)
Message-ID:  <20120105103723.GA33970@zeninc.net>
In-Reply-To: <4F057980.7080307@fsn.hu>
References:  <4F044A0B.3020108@fsn.hu> <20120104145155.GA31550@zeninc.net> <4F046D95.3070106@fsn.hu> <20120104163131.GA31787@zeninc.net> <4F057980.7080307@fsn.hu>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Thu, Jan 05, 2012 at 11:20:48AM +0100, Attila Nagy wrote:
> On 01/04/12 17:31, VANHULLEBUS Yvan wrote:
[....]
> >Could you check that you are running a correct debug kernel ?
> The kernel config is GENERIC, plus some, so it contains DEBUG=-g 
> makeoptions.

Ok.


[....]
> (kgdb) frame 7
> #7  0xffffffff809bf779 in ipsec_process_done (m=0xfffffe001977a600,
>     isr=0xfffffe019eb96480) at 
> /data/usr/src/sys/netipsec/ipsec_output.c:170
> 170                     switch (saidx->dst.sa.sa_family) {
> (kgdb) p saidx
> No symbol "saidx" in current context.
> 
> BTW in the same frame:
> (kgdb) p tdbi
> $1 = (struct tdb_ident *) 0xfffffe017ce5e418
> (kgdb) p mtag
> $2 = (struct m_tag *) 0xfffffe017ce5e400
> (kgdb) p isr
> $3 = (struct ipsecrequest *) 0xfffffe019eb96480

Strange..... may be related to some kind of code optimization....

As the line juste before is:
saidx = &sav->sah->saidx;

Could you show the value of &sav->sah->saidx ?
And also check if kgdb can print sav->sah->saidx (without the &) ?



> >>Strange.... I'll review changes in IPsec stack which have been done in
> >>STABLE/9 and not backported to STABLE/8.....
> >>
> >>    Oh, sorry, not quite an up-to-date 8-STABLE, it's from Sat May 21
> >>    22:05:26 CEST 2011 (csup'd some hours earlier).
> >>    Should I check with a more recent version? Does that help?
> >>    Thanks for helping.
> >
> >Yes, this may help if you try with a most recent 8-STABLE: I don't
> >remember exactly what, but I'm quite sure there have been some IPsec
> >related commits on stable/8 between that date and now !
> I will try it.

Ok.


To help you having a quick workaround, do you really need ESP+AH ?
Most of the time, people who configure ESP+AH just needs in fact ESP
with optional data authentication.

And the crash occurs in some part of the code which deals with
encapsulation in encapsulation.

This also may explains why I never saw that crash......


Yvan.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120105103723.GA33970>