[Bug 204437] 10.2 STABLE Crashing with IPSec Support

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Nov 13 08:48:14 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204437

emeric.poupon at stormshield.eu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emeric.poupon at stormshield.e
                   |                            |u

--- Comment #5 from emeric.poupon at stormshield.eu ---
Hello,
it seems we are hitting the very same issue here.

Here is the backtrace:

(kgdb) bt
#0  doadump (textdump=<value optimized out>) at pcpu.h:237
#1  0xffffffff8044b9d2 in kern_reboot (howto=260) at
../../../kern/kern_shutdown.c:464
#2  0xffffffff8044bf3c in panic (fmt=0x104 <Address 0x104 out of bounds>) at
../../../kern/kern_shutdown.c:745
#3  0xffffffff80656a4d in trap_fatal (frame=0xfffffe0001c194a8, eva=<value
optimized out>) at ../../../amd64/amd64/trap.c:878
#4  0xffffffff80656d68 in trap_pfault (frame=0xffffff8000ec1760, usermode=0) at
../../../amd64/amd64/trap.c:794
#5  0xffffffff8065710c in trap (frame=0xffffff8000ec1760) at
../../../amd64/amd64/trap.c:456
#6  0xffffffff80640cff in calltrap () at ../../../amd64/amd64/exception.S:232
#7  0xffffffff805b48d1 in ipsec_getpolicybysock (m=0xfffffe005fd0da00, dir=1,
inp=0xfffffe00c26e9320, error=0xffffff8000ec186c) at
../../../netipsec/ipsec.c:328
#8  0xffffffff805b5664 in ipsec46_in_reject (m=0xfffffe005fd0da00, inp=<value
optimized out>) at ../../../netipsec/ipsec.c:1291
#9  0xffffffff805b5ba9 in ipsec4_in_reject (m=<value optimized out>, inp=<value
optimized out>) at ../../../netipsec/ipsec.c:1313
#10 0xffffffff8056b4d1 in tcp_input (m=0xfffffe005fd0da00, off0=20) at
../../../netinet/tcp_input.c:944
#11 0xffffffff8055e7a2 in ip_input (m=0xfffffe005fd0da00) at
../../../netinet/ip_input.c:1103
#12 0xffffffff80519393 in swi_net (arg=<value optimized out>) at
../../../net/netisr.c:807
#13 0xffffffff8042349d in intr_event_execute_handlers (p=<value optimized out>,
ie=0xfffffe005f598200) at ../../../kern/kern_intr.c:1272
#14 0xffffffff80424c8d in ithread_loop (arg=0xfffffe005f530880) at
../../../kern/kern_intr.c:1285
#15 0xffffffff8042064f in fork_exit (callout=0xffffffff80424bf0 <ithread_loop>,
arg=0xfffffe005f530880, frame=0xffffff8000ec1c40) at
../../../kern/kern_fork.c:996
#16 0xffffffff8064122e in fork_trampoline () at
../../../amd64/amd64/exception.S:606
#17 0x0000000000000000 in ?? ()


(kgdb) p *inp
$1 = {
  inp_hash = {
    le_next = 0x0, 
    le_prev = 0xffffff805d4c92e0
  }, 
  inp_pcbgrouphash = {
    le_next = 0x0, 
    le_prev = 0x0
  }, 
  inp_list = {
    le_next = 0xfffffe00c29024b0, 
    le_prev = 0xfffffe00cb627340
  }, 
  inp_ppcb = 0x0, 
  inp_pcbinfo = 0xffffffff80c9a3c0, 
  inp_pcbgroup = 0x0, 
  inp_pcbgroup_wild = {
    le_next = 0x0, 
    le_prev = 0x0
  }, 
  inp_socket = 0x0, 
  inp_cred = 0xfffffe00cb880100, 
  inp_flow = 0, 
  inp_flags = 75497472, 
  inp_flags2 = 16, 
  inp_vflag = 0 '\0', 
  inp_ip_ttl = 64 '@', 
  inp_ip_p = 0 '\0', 
  inp_ip_minttl = 0 '\0', 
  inp_flowid = 0, 
  inp_refcount = 1, 
  inp_pspare = {0x0, 0x0, 0x0, 0x0, 0x0}, 
  inp_ispare = {0, 0, 0, 0, 0, 0}, 
  inp_ro_dst = {
    s_addr = 0
  }, 
  inp_inc = {
    inc_flags = 0 '\0', 
    inc_len = 0 '\0', 
    inc_fibnum = 0, 
    inc_ie = {
      ie_fport = 51153, 
      ie_lport = 36895, 
      ie_dependfaddr = {
        ie46_foreign = {
          ia46_pad32 = {0, 0, 0}, 
          ia46_addr4 = {
            s_addr = 536939018
          }
        }, 
        ie6_foreign = {
          __u6_addr = {
            __u6_addr8 = '\0' <repeats 12 times>, "\n\n\001 ", 
            __u6_addr16 = {0, 0, 0, 0, 0, 0, 2570, 8193}, 
            __u6_addr32 = {0, 0, 0, 536939018}
          }
        }
      }, 
      ie_dependladdr = {
        ie46_local = {
          ia46_pad32 = {0, 0, 0}, 
          ia46_addr4 = {
            s_addr = 33554559
          }
        }, 
        ie6_local = {
          __u6_addr = {
            __u6_addr8 = '\0' <repeats 12 times>, "\177\000\000\002", 
            __u6_addr16 = {0, 0, 0, 0, 0, 0, 127, 512}, 
            __u6_addr32 = {0, 0, 0, 33554559}
          }
        }
      }
    }
  }, 
  inp_label = 0x0, 
  inp_sp = 0x0, 
  inp_depend4 = {
    inp4_ip_tos = 0 '\0', 
    inp4_options = 0x0, 
    inp4_moptions = 0x0
  }, 
  inp_depend6 = {
    inp6_options = 0x0, 
    inp6_outputopts = 0x0, 
    inp6_moptions = 0x0, 
    inp6_icmp6filt = 0x0, 
    inp6_cksum = 0, 
    inp6_hops = 0
  }, 
  inp_portlist = {
    le_next = 0xfffffe00c27644b0, 
    le_prev = 0xfffffe00cb1bd010
  }, 
  inp_phd = 0xfffffe00cb1bd000, 
  inp_gencnt = 560249, 
  inp_lle = 0x0, 
  inp_rt = 0x0, 
  inp_lock = {
    lock_object = {
      lo_name = 0xffffffff8071866f "tcpinp", 
      lo_flags = 90898432, 
      lo_data = 0, 
      lo_witness = 0x0
    }, 
    rw_lock = 18446741876286327076
  }
}
(kgdb) 

It looks like the inp struct has already been freed (inp_flags2 = 16; inp_socket and
inp_ppcb are also NULL in the dump), but it is still referenced somewhere
(inp_refcount = 1), i.e. a use-after-free reached from tcp_input() via ipsec4_in_reject()
on an incoming packet.

What do you think?

-- 
You are receiving this mail because:
You are the assignee for the bug.

