Subject: port-xen/33162: FAST_IPSEC crashes Xen domU kernel
To: None <port-xen-maintainer@netbsd.org, gnats-admin@netbsd.org>
From: None <riz@tastylime.net>
List: netbsd-bugs
Date: 03/28/2006 21:55:00
>Number: 33162
>Category: port-xen
>Synopsis: FAST_IPSEC crashes Xen domU kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-xen-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 28 21:55:00 +0000 2006
>Originator: Jeff Rizzo
>Release: NetBSD 3.99.17
>Organization:
>Environment:
System: NetBSD xen5.york.redcrowgroup.com 3.99.17 NetBSD 3.99.17 (XENU.FAST_IPSEC) #1: Tue Mar 28 11:30:42 PST 2006 riz@fubar.york.redcrowgroup.com:/lfs/buildobj/usr/src/sys/arch/i386/compile/XENU.FAST_IPSEC i386
Architecture: i386 (xen)
Machine: i386
>Description:
When trying to initiate ipsec traffic on a Xen host with
options FAST_IPSEC in the kernel, it panics as follows:
xen5# ping fubar
PING fubar.york.redcrowgroup.com (192.168.3.8): 56 data bytes
panic: m_copyback0: read-only
Stopped in pid 3.1 (cryptoret) at netbsd:cpu_Debugger+0x4: popl %ebp
db> bt
cpu_Debugger(c041ed20,ca803e48,ca803e7c,c0317c26,c0488200) at netbsd:cpu_Debugger+0x4
panic(c041bc1d,ca804334,c07c0e00,b6cef66c,99) at netbsd:panic+0x12c
m_copyback0(ca803ec4,9,1,ca803f26,9) at netbsd:m_copyback0+0x913
m_copyback(c07c0e00,9,1,ca803f26,1e5) at netbsd:m_copyback+0x42
esp_input_cb(0,24,c040d32f,0,0) at netbsd:esp_input_cb+0x45f
cryptoret(c9fcbdec,52d000,c0537000,0,c010017c) at netbsd:cryptoret+0x12e
db>
>How-To-Repeat:
Configure SPD entries between the Xen host and another, and try to
ping the other host (which works when the Xen host is using KAME ipsec).
My ipsec.conf contains this:
add 192.168.3.17 192.168.3.8 esp 8771 -E rijndael-cbc 0x09ab8987bc76dc8966548907bc2498761234654367890cad8576234d35461089;
add 192.168.3.8 192.168.3.17 esp 8772 -E rijndael-cbc 0x2134cafe987234fcefdefacb9b8b7b6b5b23874692dfdf342342aea324423556;
spdadd 192.168.3.17 192.168.3.8 any -P out ipsec esp/transport//use;
>Fix:
none provided.
>Unformatted: