OpenSolaris

Printable Version Enter a New Search
Bug ID 6618673
Synopsis IPsec per-socket policy for IPv6 no longer works, causes panics in bypass + no-global case.
State 10-Fix Delivered (Fix available in build)
Category:Subcategory network:ipsec
Keywords
Responsible Engineer Dan Mcdonald
Reported Against
Duplicate Of
Introduced In solaris_10
Commit to Fix snv_77
Fixed In snv_77
Release Fixed solaris_nevada(snv_77) , solaris_10u7(s10u7_02) (Bug ID:2168208)
Related Bugs 6595449 , 6608966
Submit Date 18-October-2007
Last Update Date 8-November-2007
Description 
ONPIT are seeing a new panic in ike_tunn_ntu(2.28) during snv_76 on SUNW,A70 and Sun-Fire-V890,Panther platforms

- core files at /net/cesspit.ireland/export/crash/ON/snv_76/ike_tunn_ntu/1002940
- no history of this ike_tunn_utu panic having occured on either platform, test has been re-queued on runtime systems to see if it is reproducible
- some iked-related putbacks did occur in snv_76 :- (see putback list for bugids 6516622/6609988/6612767/6612771) 



Oct 18 09:59:08 bellwood ip: ipsec_check_global_policy: Dropping the datagram because the incoming packet is secure, but the recipient expects clear; Source fe80::1111:1111:1111:1111, Destination ff02::1.
   Oct 18 10:01:14 bellwood in.ndpd[818934]: Interface ip.tun5 has been removed from kernel. in.ndpd will no longer use it
   Oct 18 10:01:16 bellwood last message repeated 1 time
   Oct 18 10:01:21 bellwood ip: ipsec_check_global_policy: Dropping the datagram because the incoming packet is secure, but the recipient expects clear; Source fe80::1111:1111:1111:1111, Destination ff02::1.
   Oct 18 10:03:20 bellwood in.ndpd[818934]: Interface ip.tun5 has been removed from kernel. in.ndpd will no longer use it
   
panic[cpu1]/thread=439a5494ac0: assertion failed: (io->ipsec_out_policy != 0L) || (io->ipsec_out_act != 0L), file: ../../common/inet/ip/spd.c, line: 4675

000002a101236ff0 genunix:assfail+78 (7bb79838, 7bb783d8, 1243, 1852800, 1332800, 0)
  %l0-3: 0000000000000000 000000007bb78800 0000000000000000 00000600131ea400
  %l4-7: 0000030223c7a9e0 0000000000000000 00000000018a1400 0000000000000000
000002a1012370a0 ip:ip_wput_attach_policy+480 (0, 0, 600131ea490, 1243, 600110a7300, 0)
  %l0-3: 00000300414f40e0 0000000000000000 0000000000000000 0000000000001000
  %l4-7: 000000007bb783d8 0000030004f47f08 000003000742c000 0000060010ba3900
000002a1012371e0 ip:ip_wput_ire_parse_ipsec_out+d0 (300414f40e0, 0, 600131ea490, 6001144d0f0, 600110a7300, 0)
  %l0-3: 0000000000000000 000000000133ac00 0000060010ba3900 ffffffffffffffff
  %l4-7: 000000007bab8d68 000000007bab8c00 0000000000000160 0000000000000000
000002a1012372a0 ip:ip_wput_ire_v6+398 (6001b602e58, 7bb67800, 6001144d0f0, 0, 30004f47f08, 600110a7300)
  %l0-3: 000000000000000d 0000000000000000 0000000000000000 0000060010ba3900
  %l4-7: 00000300071d2000 0000000000000000 00000600131ea490 000003000742c000
000002a101237430 ip:ip_output_v6+1770 (0, 6001144d100, 300414f40e0, 6001144d0f0, 600110e73c0, 0)
  %l0-3: 0000000000000000 0000000000000000 0000000000002400 000000007bb67b00
  %l4-7: 0000000000000000 00000600131ea490 00000300071d2000 00000600110a7300
000002a101237590 ip:udp_output_v6+1158 (b1b, 7bb84000, ac, 2a1012377fc, 300414f40e0, fc00)
  %l0-3: 00000000000000d4 0000000000000b1a 00000300414f40e0 0000000000000001
  %l4-7: 0000030223c7a9e0 000006001011f300 0000000000000000 0000000000000000
000002a101237740 ip:udp_wput+314 (600110a7300, 300414f40e0, 6001b602e58, 20, 7ffffc00, 6001011f300)
  %l0-3: 000003021a830884 000000007fffffff 00000600110a7780 000003021a8308a4
  %l4-7: 000003021a830800 0000000000000034 0000000000000000 000000007bb84400
000002a101237800 sockfs:sodgram_direct+38c (60011314978, 0, 300414f40e0, 2a101237aa0, 18d8000, 1000)
  %l0-3: 00000600110cf2a0 000000007bfef320 0000000000000000 000006001b602e58
  %l4-7: 0000030223c7a9e0 0000000000000000 0000000000000009 00000000000000a4
000002a1012378e0 sockfs:sendit+1b0 (c, 2a101237a70, 2a101237aa0, 700100b8, a4, 0)
  %l0-3: 0000060010214778 0000060011314978 0000000000000000 0000000000000001
  %l4-7: 0000000000000001 ffffffffffffffe5 000000000000001b 000000007bfcfe88
000002a1012379b0 sockfs:sendto+6c (c, 2a101237ad0, a4, 8, ffbfc728, 8000)
  %l0-3: 000003000795a000 0000000000000012 0000000000000001 0000000000000000
  %l4-7: 00000010d5a2dd5b 000000000181b310 0000000000000001 0000000000000000

panic: entering debugger (continue to save dump)
panicsys+0x3e4(18757d0, 1858af0, 3000795a000, 1, 20040, 1850000)
vpanic+0xcc(1332af0, 2a101237078, 2a1012371b4, 1, 8, 8)
panic+0x1c(1332af0, 7bb79838, 7bb783d8, 1243, 30004f47f08, 0)
assfail+0x78(7bb79838, 7bb783d8, 1243, 1852800, 1332800, 0)
ip`ip_wput_attach_policy+0x480(0, 0, 600131ea490, 1243, 600110a7300, 0)
ip`ip_wput_ire_parse_ipsec_out+0xd0(300414f40e0, 0, 600131ea490, 6001144d0f0, 
600110a7300, 0)
ip`ip_wput_ire_v6+0x398(6001b602e58, 7bb67800, 6001144d0f0, 0, 30004f47f08, 
600110a7300)
ip`ip_output_v6+0x1770(0, 6001144d100, 300414f40e0, 6001144d0f0, 600110e73c0, 0
)
ip`udp_output_v6+0x1158(b1b, 7bb84000, ac, 2a1012377fc, 300414f40e0, fc00)
ip`udp_wput+0x314(600110a7300, 300414f40e0, 6001b602e58, 20, 7ffffc00, 
6001011f300)
sockfs`sodgram_direct+0x38c(60011314978, 0, 300414f40e0, 2a101237aa0, 18d8000, 
1000)
sockfs`sendit+0x1b0(c, 2a101237a70, 2a101237aa0, 700100b8, a4, 0)
sockfs`sendto+0x6c(c, 2a101237ad0, a4, 8, ffbfc728, 8000)
syscall_trap32+0x1e8(c, 9a750, a4, 0, ffbfc728, 20)
[1]> 

root@bellwood>mdb unix.1 vmcore.1
Loading modules: [ unix krtld genunix specfs dtrace ufs scsi_vhci sd mpt px ip hook neti sctp arp usba fctl nca lofs zfs random nfs logindmux ptm fcip cpc sppp crypto ipc ]
> $c
vpanic(1332af0, 7bb79838, 7bb783d8, 1243, 30004f47f08, 0)
assfail+0x78(7bb79838, 7bb783d8, 1243, 1852800, 1332800, 0)
ip_wput_attach_policy+0x480(0, 0, 600131ea490, 1243, 600110a7300, 0)
ip_wput_ire_parse_ipsec_out+0xd0(300414f40e0, 0, 600131ea490, 6001144d0f0,
600110a7300, 0)
ip_wput_ire_v6+0x398(6001b602e58, 7bb67800, 6001144d0f0, 0, 30004f47f08,
600110a7300)
ip_output_v6+0x1770(0, 6001144d100, 300414f40e0, 6001144d0f0, 600110e73c0, 0)
udp_output_v6+0x1158(b1b, 7bb84000, ac, 2a1012377fc, 300414f40e0, fc00)
udp_wput+0x314(600110a7300, 300414f40e0, 6001b602e58, 20, 7ffffc00, 6001011f300
)
sodgram_direct+0x38c(60011314978, 0, 300414f40e0, 2a101237aa0, 18d8000, 1000)
sendit+0x1b0(c, 2a101237a70, 2a101237aa0, 700100b8, a4, 0)
sendto+0x6c(c, 2a101237ad0, a4, 8, ffbfc728, 8000)
syscall_trap32+0x1e8(c, 9a750, a4, 0, ffbfc728, 20)
>
> panic_thread/J
panic_thread:
panic_thread:   439a5494ac0
>
> 439a5494ac0::findstack
stack pointer for thread 439a5494ac0: 2a1012366f1
  000002a1012372e1 1()
>
> 439a5494ac0::thread -p
            ADDR             PROC              LWP             CRED
00000439a5494ac0      300206580f0      60010354b80      60012fdc6a8
>
> 300206580f0::ps -flt
S    PID   PPID   PGID    SID    UID      FLAGS             ADDR NAME
R 863426      1 863425 863425      0 0x42000000 00000300206580f0
/usr/lib/inet/in.iked
        T     0x439a5494ac0 <TS_ONPROC>
        L     0x60010354b80 ID: 1
        T     0x439a548d3a0 <TS_SLEEP>
        L     0x6001b70e018 ID: 2
        T     0x3000825f440 <TS_SLEEP>
        L     0x600111780b0 ID: 3
> 300206580f0::ptree
000000000184ac40  sched
     00000600101930a8  init
          00000300206580f0  in.iked
>
Work Around 
N/A
Comments 
N/A