Subject: kern/13813: kernel panics after many /etc/rc.d/ipsec restart operations
To: None <gnats-bugs@gnats.netbsd.org>
From: None <lukem@netbsd.org>
List: netbsd-bugs
Date: 08/29/2001 12:33:00
>Number:         13813
>Category:       kern
>Synopsis:       kernel panics after many /etc/rc.d/ipsec restart operations
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 28 19:29:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Luke Mewburn
>Release:        around August 26, 2001
>Organization:
Wasabi Systems
>Environment:
System: NetBSD argo.akimbo.com.au 1.5X NetBSD 1.5X (ARGO) #0: Sun Aug 26 16:41:16 EST 2001 lukem@argo.akimbo.com.au:/z/scratch/obj.i386/sys/ARGO i386
Architecture: i386
Machine: i386
>Description:
	when learning about and debugging a simple ipsec setup, i've
	had a few kernel panics.  these have all occurred not long
	after doing an "/etc/rc.d/ipsec restart", although that specific
	operation doesn't cause an immediate panic.

	here's a few backtraces from gdb (with ddb stuff after panic()
	culled):

=== panic 1 ===

Aug 27 22:31:50 argo savecore: reboot after panic: panic: free: unaligned addr 0xc0e96dff, size 512, type key mgmt, mask 511

#10 0xc019defc in panic (
    fmt=0xc032f8a0 "free: unaligned addr %p, size %ld, type %s, mask %ld\n")
    at /sys/kern/subr_prf.c:234
#11 0xc01908e8 in free (addr=0xc0e96dff, type=95)
    at /sys/kern/kern_malloc.c:477
#12 0xc0239d7d in keydb_delsecpolicy (p=0xc0e96dff) at /sys/netkey/keydb.c:78
#13 0xc0232d5c in key_delsp (sp=0xc0e96dff) at /sys/netkey/key.c:988
#14 0xc0232b4c in key_freesp (sp=0xc0e96dff) at /sys/netkey/key.c:842
#15 0xc0227027 in ipsec4_delete_pcbpolicy (inp=0xc0d04ea4)
    at /sys/netinet6/ipsec.c:1527
#16 0xc01efc91 in in_pcbdetach (v=0xc0d04ea4) at /sys/netinet/in_pcb.c:531
#17 0xc0207e9d in tcp_close (tp=0xc0d8a4f4) at /sys/netinet/tcp_subr.c:1028
#18 0xc0209c1c in tcp_usrclosed (tp=0xc0d8a4f4)
    at /sys/netinet/tcp_usrreq.c:889
#19 0xc0209627 in tcp_usrreq (so=0xc0e8d434, req=7, m=0x0, nam=0x0, 
    control=0x0, p=0x0) at /sys/netinet/tcp_usrreq.c:481
#20 0xc01aca00 in soshutdown (so=0xc0e8d434, how=2)
    at /sys/kern/uipc_socket.c:850
#21 0xc01af1de in sys_shutdown (p=0xdeb45580, v=0xdeb1df80, retval=0xdeb1df78)
    at /sys/kern/uipc_syscalls.c:758

=== panic 2 ===

Aug 29 10:39:16 argo savecore: reboot after panic: panic: free: unaligned addr 0xc0dc15ff, size 512, type UVM amap, mask 511

#10 0xc019defc in panic (
    fmt=0xc032f8a0 "free: unaligned addr %p, size %ld, type %s, mask %ld\n")
    at /sys/kern/subr_prf.c:234
#11 0xc01908e8 in free (addr=0xc0dc15ff, type=82)
    at /sys/kern/kern_malloc.c:477
#12 0xc028aea2 in amap_extend (entry=0xde839f8c, addsize=4096)
    at /sys/uvm/uvm_amap.c:430
#13 0xc0291250 in uvm_map (map=0xde77d3b4, startp=0xde8aff54, size=4096, 
    uobj=0x0, uoffset=0, align=0, flags=1771287) at /sys/uvm/uvm_map.c:642
#14 0xc029ac4c in sys_obreak (p=0xde8331ec, v=0xde8aff80, retval=0xde8aff78)
    at /sys/uvm/uvm_unix.c:95

=== panic 3 ===

Aug 29 11:31:14 argo savecore: reboot after panic: panic: free: unaligned addr 0xc0bc31ff, size 512, type key mgmt, mask 511

#10 0xc019defc in panic (
    fmt=0xc032f8a0 "free: unaligned addr %p, size %ld, type %s, mask %ld\n")
    at /sys/kern/subr_prf.c:234
#11 0xc01908e8 in free (addr=0xc0bc31ff, type=95)
    at /sys/kern/kern_malloc.c:477
#12 0xc0239d7d in keydb_delsecpolicy (p=0xc0bc31ff) at /sys/netkey/keydb.c:78
#13 0xc0232d5c in key_delsp (sp=0xc0bc31ff) at /sys/netkey/key.c:988
#14 0xc0232b4c in key_freesp (sp=0xc0bc31ff) at /sys/netkey/key.c:842
#15 0xc022700b in ipsec4_delete_pcbpolicy (inp=0xc0d1e904)
    at /sys/netinet6/ipsec.c:1522
#16 0xc01efc91 in in_pcbdetach (v=0xc0d1e904) at /sys/netinet/in_pcb.c:531
#17 0xc020ab9a in udp_usrreq (so=0xc0db3e40, req=1, m=0x0, nam=0x0, 
    control=0x0, p=0x0) at /sys/netinet/udp_usrreq.c:1342
#18 0xc01ab4f5 in soclose (so=0xc0db3e40) at /sys/kern/uipc_socket.c:223
#19 0xc01a1612 in soo_close (fp=0xde7ec190, p=0xde5d3ab8)
    at /sys/kern/sys_socket.c:217
#20 0xc018c2ec in closef (fp=0xde7ec190, p=0xde5d3ab8)
    at /sys/kern/kern_descrip.c:1110
#21 0xc018b820 in fdrelease (p=0xde5d3ab8, fd=71)
    at /sys/kern/kern_descrip.c:485
#22 0xc018b84c in sys_close (p=0xde5d3ab8, v=0xde6c2f80, retval=0xde6c2f78)
    at /sys/kern/kern_descrip.c:508


>How-To-Repeat:
	while (!panic) {
		fiddle with /etc/ipsec.conf
		run /etc/rc.d/ipsec restart
		send some network traffic, etc
	}

	usually only takes a few restarts to do this.

>Fix:
	bribe itojun? :)
>Release-Note:
>Audit-Trail:
>Unformatted: