Bug 129517 - [ipsec] [panic] double fault / stack overflow
Summary: [ipsec] [panic] double fault / stack overflow
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-09 08:30 UTC by crahman
Modified: 2019-05-20 02:54 UTC (History)
0 users

See Also:


Attachments

Description crahman 2008-12-09 08:30:01 UTC
On my embedded boxes based on the Soekris platform with 64MB of memory, the kernel regularly crashes with "panic: double fault" if ipsec is used.

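Note that ip_output() is nested seven levels deep on the same kernel stack before the stack overflow occurs. In the trace, each ah_output() call is completed in the caller's context (crypto_dispatch → crypto_invoke → swcr_process → crypto_done → ah_output_cb → ipsec_process_done), which re-enters ip_output() without the earlier frames unwinding.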

The stack trace follows:

Fatal double fault:
eip = 0xc0459328
esp = 0xc5d97f8c
ebp = 0xc5d980a0
panic: double fault
KDB: stack backtrace:
db_trace_self_wrapper(c07a9c99,c080a1a0,c07c6f5d,c0827a90,c0827a90,...) at db_trace_self_wrapper+0x26
panic(c07c6f5d,c5d980a0,c5d980a0,0,0,...) at panic+0xed
dblfault_handler() at dblfault_handler+0x69
--- trap 0x17, eip = 0xc0459328, esp = 0xc5d97f8c, ebp = 0xc5d980a0 ---
pf_test(2,c1087000,c5d980e4,0,0,...) at pf_test+0x88
pf_check_out(0,c5d980e4,c1087000,2,0,...) at pf_check_out+0x43
pfil_run_hooks(c0812f80,c5d98198,c1087000,2,0,...) at pfil_run_hooks+0x9f
ipsec_filter(c5d98198,2,201,201,1e100e0a,...) at ipsec_filter+0x16c
ipsec4_process_packet(c16bb000,c15f7600,2,0,0,...) at ipsec4_process_packet+0xa8
ip_ipsec_output(c5d98248,0,c5d98254,c5d98228,c5d98250,...) at ip_ipsec_output+0x145
ip_output(c16bb000,0,c5d9820c,2,0,...) at ip_output+0x2e4
ipsec_process_done(c16bb000,c15f7580,0,c1787348,46c,...) at ipsec_process_done+0x1fe
ah_output_cb(c17167bc,c5d98428,c16bb054,c,2c,c5d98358,c5d98428,c1715d80) at ah_output_cb+0x196
crypto_done(c17167bc,20,0,c5d98434,c5d98428,...) at crypto_done+0xf6
swcr_process(c0fc0480,c17167bc,0,c16bb000,3,...) at swcr_process+0x59
crypto_invoke(1,a,c1787334,14,c19c3980,...) at crypto_invoke+0x67
crypto_dispatch(c17167bc,1,0,c5d98530,2,...) at crypto_dispatch+0xe2
ah_output(c16bb000,c15f7580,0,14,9,...) at ah_output+0x529
ipsec4_process_packet(c16bb000,c15f7600,2,0,0,...) at ipsec4_process_packet+0x2d1
ip_ipsec_output(c5d9866c,0,c5d98678,c5d9864c,c5d98674,...) at ip_ipsec_output+0x145
ip_output(c16bb000,0,c5d98630,2,0,...) at ip_output+0x2e4
ipsec_process_done(c16bb000,c15f7580,0,c1736548,46c,...) at ipsec_process_done+0x1fe
ah_output_cb(c1716564,c5d9884c,c16bb054,c,2c,c5d9877c,c5d9884c,c1715d80) at ah_output_cb+0x196
crypto_done(c1716564,20,0,c5d98858,c5d9884c,...) at crypto_done+0xf6
swcr_process(c0fc0480,c1716564,0,c16bb000,3,...) at swcr_process+0x59
crypto_invoke(1,a,c1736534,14,c19c3980,...) at crypto_invoke+0x67
crypto_dispatch(c1716564,1,0,c5d98954,2,...) at crypto_dispatch+0xe2
ah_output(c16bb000,c15f7580,0,14,9,...) at ah_output+0x529
ipsec4_process_packet(c16bb000,c15f7600,2,0,0,...) at ipsec4_process_packet+0x2d1
ip_ipsec_output(c5d98a90,0,c5d98a9c,c5d98a70,c5d98a98,...) at ip_ipsec_output+0x145
ip_output(c16bb000,0,c5d98a54,2,0,...) at ip_output+0x2e4
ipsec_process_done(c16bb000,c15f7580,0,c17887c8,46c,...) at ipsec_process_done+0x1fe
ah_output_cb(c1716348,c5d98c70,c16bb054,c,2c,c5d98ba0,c5d98c70,c1715d80) at ah_output_cb+0x196
crypto_done(c1716348,20,0,c5d98c7c,c5d98c70,...) at crypto_done+0xf6
swcr_process(c0fc0480,c1716348,0,c16bb000,3,...) at swcr_process+0x59
crypto_invoke(1,a,c17887b4,14,c19c3980,...) at crypto_invoke+0x67
crypto_dispatch(c1716348,1,0,c5d98d78,2,...) at crypto_dispatch+0xe2
ah_output(c16bb000,c15f7580,0,14,9,...) at ah_output+0x529t+0x2e4
ipsec_process_done(c16bb000,c15f7580,0,c17887c8,46c,...) at ipsec_process_done+0x1fe
ah_output_cb(c1716348,c5d98c70,c16bb054,c,2c,c5d98ba0,c5d98c70,c1715d80) at ah_output_cb+0x196
crypto_done(c1716348,20,0,c5d98c7c,c5d98c70,...) at crypto_done+0xf6
swcr_process(c0fc0480,c1716348,0,c16bb000,3,...) at swcr_process+0x59
crypto_invoke(1,a,c17887b4,14,c19c3980,...) at crypto_invoke+0x67
crypto_dispatch(c1716348,1,0,c5d98d78,2,...) at crypto_dispatch+0xe2
ah_output(c16bb000,c15f7580,0,14,9,...) at ah_output+0x529
ipsec4_process_packet(c16bb000,c15f7600,2,0,0,...) at ipsec4_process_packet+0x2d1
ip_ipsec_output(c5d98eb4,0,c5d98ec0,c5d98e94,c5d98ebc,...) at ip_ipsec_output+0x145
ip_output(c16bb000,0,c5d98e78,2,0,...) at ip_output+0x2e4
ipsec_process_done(c16bb000,c15f7580,0,c168c848,46c,...) at ipsec_process_done+0x1fe
ah_output_cb(c1716528,c5d99094,c16bb054,c,2c,c5d98fc4,c5d99094,c1715d80) at ah_output_cb+0x196
crypto_done(c1716528,20,0,c5d990a0,c5d99094,...) at crypto_done+0xf6
swcr_process(c0fc0480,c1716528,0,c16bb000,3,...) at swcr_process+0x59
crypto_invoke(1,a,c168c834,14,c19c3980,...) at crypto_invoke+0x67
crypto_dispatch(c1716528,1,0,c5d9919c,2,...) at crypto_dispatch+0xe2
ah_output(c16bb000,c15f7580,0,14,9,...) at ah_output+0x529
ipsec4_process_packet(c16bb000,c15f7600,2,0,0,...) at ipsec4_process_packet+0x2d1
ip_ipsec_output(c5d992d8,0,c5d992e4,c5d992b8,c5d992e0,...) at ip_ipsec_output+0x145
ip_output(c16bb000,0,c5d9929c,2,0,...) at ip_output+0x2e4
ipsec_process_done(c16bb000,c15f7580,0,c17350c8,46c,...) at ipsec_process_done+0x1fe
ah_output_cb(c1716708,c5d994b8,c16bb054,c,2c,c5d993e8,c5d994b8,c1715d80) at ah_output_cb+0x196
crypto_done(c1716708,20,0,c5d994c4,c5d994b8,...) at crypto_done+0xf6
swcr_process(c0fc0480,c1716708,0,c16bb000,3,...) at swcr_process+0x59
crypto_invoke(1,a,c17350b4,14,c19c3980,...) at crypto_invoke+0x67
crypto_dispatch(c1716708,1,0,c5d995c0,2,...) at crypto_dispatch+0xe2
ah_output(c16bb000,c15f7580,0,14,9,...) at ah_output+0x529
ipsec4_process_packet(c16bb000,c15f7600,2,0,0,...) at ipsec4_process_packet+0x2d1
ip_ipsec_output(c5d996fc,0,c5d99708,c5d996dc,c5d99704,...) at ip_ipsec_output+0x145
ip_output(c16bb000,0,c5d996c0,2,0,...) at ip_output+0x2e4
ipsec_process_done(c16bb000,c15f7580,0,c19c3848,46c,...) at ipsec_process_done+0x1fe
ah_output_cb(c17164b0,c5d998dc,c16bb054,c,2c,c5d9980c,c5d998dc,c1715d80) at ah_output_cb+0x196
crypto_done(c17164b0,20,0,c5d998e8,c5d998dc,...) at crypto_done+0xf6
swcr_process(c0fc0480,c17164b0,0,c16bb000,3,...) at swcr_process+0x59
crypto_invoke(1,a,c19c3834,14,c19c3980,...) at crypto_invoke+0x67
crypto_dispatch(c17164b0,1,0,c5d999e4,2,...) at crypto_dispatch+0xe2
ah_output(c16bb000,c15f7580,0,14,9,...) at ah_output+0x529
ipsec4_process_packet(c10de800,c15f7600,0,0,c1512654,...) at ipsec4_process_packet+0x2d1
ip_ipsec_output(c5d99b20,c1512654,c5d99b2c,c5d99b00,c5d99b28,...) at ip_ipsec_output+0x145
ip_output(c10de800,0,c5d99ae4,0,0,...) at ip_output+0x2e4
udp_send(c1699340,0,c10de800,c17cb5d0,0,...) at udp_send+0x4e3
sosend_dgram(c1699340,c17cb5d0,c5d99be8,c10de800,0,...) at sosend_dgram+0x298
kern_sendit(c1124af0,c,c5d99c5c,0,0,...) at kern_sendit+0xcf
sendit(0,c17cb5d0,10,c5d99c78,1,...) at sendit+0xda
sendto(c1124af0,c5d99cf8,18,c1124af0,c0fdfaf0,...) at sendto+0x48
syscall(c5d99d38) at syscall+0x17b
Xint0x80_syscall() at Xint0x80_syscall+0x20
--- syscall (133, FreeBSD ELF32, sendto), eip = 0x281611df, esp = 0xbfbe28fc, ebp = 0xbfbfc528 ---
KDB: enter: panic
[thread pid 1409 tid 100058 ]
Stopped at      kdb_enter_why+0x3b:     movl    $0,kdb_why

How-To-Repeat: Run ipsec on a slower embedded system and wait a bit.

This is happening on a system exchanging IPv4 packets protected with AH+ESP.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2008-12-09 08:49:40 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:48 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 3 crahman 2019-05-20 02:54:07 UTC
The code behind this ancient bug is no longer in use.