From: Gavin Atkinson
To: freebsd-net@FreeBSD.org
Subject: Reproducible IPSEC panic head r254660 ipsec6_output_tunnel() - encif is NULL.
Date: Mon, 09 Sep 2013 19:12:10 +0100

Hi all,

I have a reproducible kernel panic on a machine running head, r254660: Thu Aug 22 19:51:00 UTC 2013 amd64. The machine in question is a firewall. It already has one IPSEC tunnel in place, which seems stable. Bringing up a second leads to almost instant panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xd0
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff806d5ada
stack pointer           = 0x28:0xfffffe011ad614b0
frame pointer           = 0x28:0xfffffe011ad61580
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi5: fast taskq)

#8  0xffffffff807d277a in trap (frame=0xfffffe011ad61400)
    at /usr/src/sys/amd64/amd64/trap.c:463
#9  0xffffffff807bae03 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#10 0xffffffff806d5ada in ipsec6_output_tunnel (state=0xfffffe011ad615d0, sp=, flags=)
    at /usr/src/sys/netipsec/ipsec_output.c:815
#11 0xffffffff806b4f5a in ip6_forward (m=0xfffff80005e11100, srcrt=0)
    at /usr/src/sys/netinet6/ip6_forward.c:292
#12 0xffffffff806b7566 in ip6_input (m=0xfffff80005e11100)
    at /usr/src/sys/netinet6/ip6_input.c:961
#13 0xffffffff805f264d in netisr_dispatch_src (proto=10, source=0, m=)
    at /usr/src/sys/net/netisr.c:1013
#14 0xffffffff805e4f59 in ether_demux (ifp=0xfffff80002bd7800, m=0xfffff80005e11100)
    at /usr/src/sys/net/if_ethersubr.c:850
#15 0xffffffff805e5249 in ether_nh_input (m=)
    at /usr/src/sys/net/if_ethersubr.c:645
#16 0xffffffff805f264d in netisr_dispatch_src (proto=9, source=0, m=)
    at /usr/src/sys/net/netisr.c:1013
#17 0xffffffff8045d579 in re_rxeof (sc=0xfffffe0000811000, rx_npktsp=0x0)
    at /usr/src/sys/dev/re/if_re.c:2326
#18 0xffffffff8046170a in re_int_task (arg=, npending=)
    at /usr/src/sys/dev/re/if_re.c:2546
#19 0xffffffff80554e63 in taskqueue_run_locked (queue=0xfffff800029e8400)
    at /usr/src/sys/kern/subr_taskqueue.c:333
#20 0xffffffff80554fad in taskqueue_run (queue=0xfffff800029e8400)
    at /usr/src/sys/kern/subr_taskqueue.c:347
#21 0xffffffff804dc05a in intr_event_execute_handlers ( p=, ie=0xfffff800029e8300)
    at /usr/src/sys/kern/kern_intr.c:1263
#22 0xffffffff804dd6eb in ithread_loop (arg=0xfffff80002951980)
    at /usr/src/sys/kern/kern_intr.c:1276
#23 0xffffffff804d90f9 in fork_exit ( callout=0xffffffff804dd650 , arg=0xfffff80002951980, frame=0xfffffe011ad61c00)
    at /usr/src/sys/kern/kern_fork.c:989
#24 0xffffffff807bb32e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:606

(kgdb) frame 10
#10 0xffffffff806d5ada in ipsec6_output_tunnel (state=0xfffffe011ad615d0, sp=, flags=)
    at /usr/src/sys/netipsec/ipsec_output.c:815
815             ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
(kgdb) list
810     #ifdef DEV_ENC
811             encif->if_opackets++;
812             encif->if_obytes += m->m_pkthdr.len;
813
814             /* pass the mbuf to enc0 for bpf processing */
815             ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
816             /* pass the mbuf to enc0 for packet filtering */
817             if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT| ENC_BEFORE)) != 0)
818                     goto bad;
819     #endif
(kgdb) p encif
$5 = (struct ifnet *) 0x0

In /etc/rc.conf, I have simply:

ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="yes"

And two tunnels defined in both ipsec.conf and racoon.conf. Commenting out one of the two tunnels seems sufficient to avoid the panic, though it is not clear to me why.

Adding cloned_interfaces="enc0" to /etc/rc.conf seems to be sufficient to work around the panic.

So, how is this supposed to work? Who is supposed to be creating the enc0 interface?

Thanks,

Gavin

-- 
Gavin Atkinson
FreeBSD committer and bugmeister
GPG: A093262B (313A A79F 697D 3A5C 216A EDF5 935D EF44 A093 262B)
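
An added example, not part of the original post and not FreeBSD source: it shows how a small fault address such as the reported 0xd0 maps to a member offset when the base pointer is NULL, next to a guarded form of the counter update at lines 811-812 of the listing. `mock_ifnet`, `field_at_fault` and `enc_count_output` are hypothetical names, and the 0xd0 offset is an assumption constructed to match the report, since the real `struct ifnet` layout is not shown in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock only, NOT the real struct ifnet. The padding is constructed so the
 * output-packet counter lands at 0xd0, the fault address in the report. */
struct mock_ifnet {
    unsigned char pad[0xd0];
    unsigned long if_opackets;
    unsigned long if_obytes;
};

/* Triage: with a NULL base pointer the faulting address equals the offset
 * of the member being accessed. Returns that member's name, or NULL. */
const char *field_at_fault(uintptr_t fault_addr)
{
    if (fault_addr == offsetof(struct mock_ifnet, if_opackets))
        return "if_opackets";
    if (fault_addr == offsetof(struct mock_ifnet, if_obytes))
        return "if_obytes";
    return NULL;
}

/* Guarded form of the accounting at lines 811-812 of the listing: count the
 * packet only if the enc interface exists. Returns 1 if counted, else 0. */
int enc_count_output(struct mock_ifnet *encif, unsigned long pktlen)
{
    if (encif == NULL)
        return 0;               /* enc0 was never created: skip, no fault */
    encif->if_opackets++;
    encif->if_obytes += pktlen;
    return 1;
}

int main(void)
{
    static struct mock_ifnet enc0;      /* zero-initialised stand-in */
    const char *f = field_at_fault(0xd0);
    int skipped = enc_count_output(NULL, 1500);
    int counted = enc_count_output(&enc0, 1500);

    printf("fault 0xd0 -> %s\n", f ? f : "unknown");
    printf("NULL encif counted: %d\n", skipped);
    printf("enc0 counted: %d, opackets=%lu, obytes=%lu\n",
           counted, enc0.if_opackets, enc0.if_obytes);
    return 0;
}
```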