Reproducible IPSEC panic head r254660 ipsec6_output_tunnel() - encif is NULL.

Gavin Atkinson gavin at FreeBSD.org
Mon Sep 9 18:19:20 UTC 2013


Hi all,

I have a reproducible kernel panic on a machine running head, r254660:
Thu Aug 22 19:51:00 UTC 2013 amd64.

The machine in question is a firewall.  It already has one IPSEC tunnel
in place, which seems stable.  Bringing up a second leads to an almost
instant panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xd0
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff806d5ada
stack pointer           = 0x28:0xfffffe011ad614b0
frame pointer           = 0x28:0xfffffe011ad61580
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi5: fast taskq)


#8  0xffffffff807d277a in trap (frame=0xfffffe011ad61400)
    at /usr/src/sys/amd64/amd64/trap.c:463
#9  0xffffffff807bae03 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#10 0xffffffff806d5ada in ipsec6_output_tunnel (state=0xfffffe011ad615d0, 
    sp=<value optimized out>, flags=<value optimized out>)
    at /usr/src/sys/netipsec/ipsec_output.c:815
#11 0xffffffff806b4f5a in ip6_forward (m=0xfffff80005e11100, srcrt=0)
    at /usr/src/sys/netinet6/ip6_forward.c:292
#12 0xffffffff806b7566 in ip6_input (m=0xfffff80005e11100)
    at /usr/src/sys/netinet6/ip6_input.c:961
#13 0xffffffff805f264d in netisr_dispatch_src (proto=10, source=0, 
    m=<value optimized out>) at /usr/src/sys/net/netisr.c:1013
#14 0xffffffff805e4f59 in ether_demux (ifp=0xfffff80002bd7800, 
    m=0xfffff80005e11100) at /usr/src/sys/net/if_ethersubr.c:850
#15 0xffffffff805e5249 in ether_nh_input (m=<value optimized out>)
    at /usr/src/sys/net/if_ethersubr.c:645
#16 0xffffffff805f264d in netisr_dispatch_src (proto=9, source=0, 
    m=<value optimized out>) at /usr/src/sys/net/netisr.c:1013
#17 0xffffffff8045d579 in re_rxeof (sc=0xfffffe0000811000, rx_npktsp=0x0)
    at /usr/src/sys/dev/re/if_re.c:2326
#18 0xffffffff8046170a in re_int_task (arg=<value optimized out>, 
    npending=<value optimized out>) at /usr/src/sys/dev/re/if_re.c:2546
#19 0xffffffff80554e63 in taskqueue_run_locked (queue=0xfffff800029e8400)
    at /usr/src/sys/kern/subr_taskqueue.c:333
#20 0xffffffff80554fad in taskqueue_run (queue=0xfffff800029e8400)
    at /usr/src/sys/kern/subr_taskqueue.c:347
#21 0xffffffff804dc05a in intr_event_execute_handlers (
    p=<value optimized out>, ie=0xfffff800029e8300)
    at /usr/src/sys/kern/kern_intr.c:1263
#22 0xffffffff804dd6eb in ithread_loop (arg=0xfffff80002951980)
    at /usr/src/sys/kern/kern_intr.c:1276
#23 0xffffffff804d90f9 in fork_exit (
    callout=0xffffffff804dd650 <ithread_loop>, arg=0xfffff80002951980, 
    frame=0xfffffe011ad61c00) at /usr/src/sys/kern/kern_fork.c:989
#24 0xffffffff807bb32e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:606


(kgdb) frame 10
#10 0xffffffff806d5ada in ipsec6_output_tunnel (state=0xfffffe011ad615d0, sp=<value optimized out>, flags=<value optimized out>)
    at /usr/src/sys/netipsec/ipsec_output.c:815
815             ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
(kgdb) list
810     #ifdef DEV_ENC
811             encif->if_opackets++;
812             encif->if_obytes += m->m_pkthdr.len;
813
814             /* pass the mbuf to enc0 for bpf processing */
815             ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
816             /* pass the mbuf to enc0 for packet filtering */
817             if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
818                     goto bad;
819     #endif

(kgdb) p encif
$5 = (struct ifnet *) 0x0



In /etc/rc.conf, I have simply:

ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="yes"

And two tunnels defined in both ipsec.conf and racoon.conf.  Commenting
out one of the two tunnels seems sufficient to avoid the panic, though
it is not clear to me why.

Adding cloned_interfaces="enc0" to /etc/rc.conf seems to be sufficient
to work around the panic.

So, how is this supposed to work?  Who is supposed to be creating the
enc0 interface?

Thanks,

Gavin

-- 
Gavin Atkinson
FreeBSD committer and bugmeister
GPG: A093262B (313A A79F 697D 3A5C 216A  EDF5 935D EF44 A093 262B)
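The defect the kgdb session shows is a write through a NULL `encif` inside the DEV_ENC block (a small fault address such as the trap's 0xd0 is the offset of the member written through a NULL pointer). The following is an added user-space model of that pattern, not FreeBSD's code and not the project's eventual fix: it places the unguarded block as quoted at ipsec_output.c:810-819 beside a form that checks `encif` before touching enc0, with constructed stand-ins for `struct ifnet`, `struct mbuf` and the bpf/pfil hooks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins, not FreeBSD's real struct ifnet/mbuf: just enough
 * to model the accounting and hook calls in the DEV_ENC block. */
struct mbuf  { uint32_t m_pkthdr_len; };
struct ifnet { uint64_t if_opackets; uint64_t if_obytes; };

/* Mirrors the kernel global: stays NULL until enc0 is cloned (for example
 * via cloned_interfaces="enc0"); the report's "p encif" shows exactly that. */
struct ifnet *encif = NULL;

#define ENC_OUT    0x01
#define ENC_BEFORE 0x02

/* Hypothetical stand-in for ipsec_bpf()/ipsec_filter(); 0 means "pass". */
static int enc_hooks(struct mbuf *m, int flags) { (void)m; (void)flags; return 0; }

/* Shape of the quoted block: encif is dereferenced unconditionally, so with
 * encif == NULL the first line is a write through a NULL pointer and faults
 * at the member's offset. Only safe to call once encif is set. */
static int enc_out_unguarded(struct mbuf *m) {
    encif->if_opackets++;
    encif->if_obytes += m->m_pkthdr_len;
    return enc_hooks(m, ENC_OUT|ENC_BEFORE);
}

/* Hardened form: account and run the enc0 hooks only when the interface
 * exists; with no enc0 the packet simply continues to encapsulation. */
static int enc_out_guarded(struct mbuf *m) {
    if (encif == NULL)
        return 0;
    encif->if_opackets++;
    encif->if_obytes += m->m_pkthdr_len;
    return enc_hooks(m, ENC_OUT|ENC_BEFORE);
}

/* Test helpers: "clone" and "destroy" an enc0 (constructed, not if_clone). */
static struct ifnet enc0_storage;
static void clone_enc0(void)   { memset(&enc0_storage, 0, sizeof enc0_storage); encif = &enc0_storage; }
static void destroy_enc0(void) { encif = NULL; }

/* Scenario: one packet with no enc0 (guarded path must not fault), then clone
 * enc0 and send through both variants. Returns enc0's if_opackets afterwards. */
static uint64_t run_scenario(uint32_t len) {
    struct mbuf m = { len };
    destroy_enc0();
    if (enc_out_guarded(&m) != 0) return (uint64_t)-1;
    clone_enc0();
    if (enc_out_guarded(&m) != 0 || enc_out_unguarded(&m) != 0) return (uint64_t)-1;
    return encif->if_opackets;
}
```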