NetBSD Problem Report #33162
From riz@bottom.york.redcrowgroup.com Tue Mar 28 21:50:27 2006
Return-Path: <riz@bottom.york.redcrowgroup.com>
Received: from coconut.tastylime.net (coconut.tastylime.net [199.233.217.34])
by narn.netbsd.org (Postfix) with ESMTP id EF02463B877
for <gnats-bugs@gnats.NetBSD.org>; Tue, 28 Mar 2006 21:50:26 +0000 (UTC)
Message-Id: <20060328211227.2466D744D5@bottom.york.redcrowgroup.com>
Date: Tue, 28 Mar 2006 13:12:27 -0800 (PST)
From: riz@tastylime.net
Reply-To: riz@tastylime.net
To: gnats-bugs@netbsd.org
Subject: FAST_IPSEC crashes Xen domU kernel
X-Send-Pr-Version: 3.95
>Number: 33162
>Category: kern
>Synopsis: FAST_IPSEC crashes Xen domU kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 28 21:55:00 +0000 2006
>Closed-Date: Sat Feb 04 22:27:05 +0000 2012
>Last-Modified: Sat Feb 04 22:27:05 +0000 2012
>Originator: Jeff Rizzo
>Release: NetBSD 3.99.17
>Organization:
>Environment:
System: NetBSD xen5.york.redcrowgroup.com 3.99.17 NetBSD 3.99.17 (XENU.FAST_IPSEC) #1: Tue Mar 28 11:30:42 PST 2006 riz@fubar.york.redcrowgroup.com:/lfs/buildobj/usr/src/sys/arch/i386/compile/XENU.FAST_IPSEC i386
Architecture: i386 (xen)
Machine: i386
>Description:
When trying to initiate ipsec traffic on a Xen host with
options FAST_IPSEC in the kernel, it panics as follows:
xen5# ping fubar
PING fubar.york.redcrowgroup.com (192.168.3.8): 56 data bytes
panic: m_copyback0: read-only
Stopped in pid 3.1 (cryptoret) at netbsd:cpu_Debugger+0x4: popl %ebp
db> bt
cpu_Debugger(c041ed20,ca803e48,ca803e7c,c0317c26,c0488200) at netbsd:cpu_Debugger+0x4
panic(c041bc1d,ca804334,c07c0e00,b6cef66c,99) at netbsd:panic+0x12c
m_copyback0(ca803ec4,9,1,ca803f26,9) at netbsd:m_copyback0+0x913
m_copyback(c07c0e00,9,1,ca803f26,1e5) at netbsd:m_copyback+0x42
esp_input_cb(0,24,c040d32f,0,0) at netbsd:esp_input_cb+0x45f
cryptoret(c9fcbdec,52d000,c0537000,0,c010017c) at netbsd:cryptoret+0x12e
db>
>How-To-Repeat:
configure SPD entries between Xen host and another, and try to
ping the other host. (which works when the Xen host is using KAME ipsec)
my ipsec.conf contains this:
add 192.168.3.17 192.168.3.8 esp 8771 -E rijndael-cbc 0x09ab8987bc76dc8966548907bc2498761234654367890cad8576234d35461089;
add 192.168.3.8 192.168.3.17 esp 8772 -E rijndael-cbc 0x2134cafe987234fcefdefacb9b8b7b6b5b23874692dfdf342342aea324423556;
spdadd 192.168.3.17 192.168.3.8 any -P out ipsec esp/transport//use;
>Fix:
none provided.
>Release-Note:
>Audit-Trail:
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
To: Jeff Rizzo <riz@NetBSD.org>
Cc: gnats-bugs@NetBSD.org, port-xen@NetBSD.org
Subject: Re: port-xen/33162 [Re: FAST_IPSEC panics domU kernel]
Date: Wed, 29 Mar 2006 12:16:47 +0200
I think netipsec is wrong - it is using m_copyback, but can't be really
sure that the mbuf is not shared.
Try the following (not even compile-tested) patch.
AH and IPCOMP will probably need something similar.
Pavel
cvs diff: Diffing nbcvs/src/sys/netipsec
Index: nbcvs/src/sys/netipsec/xform_esp.c
===================================================================
RCS file: /cvsroot/src/sys/netipsec/xform_esp.c,v
retrieving revision 1.8
diff -u -r1.8 xform_esp.c
--- nbcvs/src/sys/netipsec/xform_esp.c 23 Mar 2006 15:25:46 -0000 1.8
+++ nbcvs/src/sys/netipsec/xform_esp.c 29 Mar 2006 10:01:45 -0000
@@ -634,7 +634,15 @@
m_adj(m, -(lastthree[1] + 2));
/* Restore the Next Protocol field */
- m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
+ m = m_copyback_cow(m, protoff, sizeof (u_int8_t), lastthree + 2,
+ M_DONTWAIT);
+
+ if (m == NULL) {
+ espstat.esps_crypto++;
+ DPRINTF(("esp_input_cb: failed to allocate mbuf\n"));
+ error = ENOBUFS;
+ goto bad;
+ }
IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>,
Jeff Rizzo <riz@netbsd.org>, gnats-bugs@netbsd.org,
port-xen@netbsd.org
Cc:
Subject: Re: port-xen/33162 [Re: FAST_IPSEC panics domU kernel]
Date: Wed, 29 Mar 2006 12:33:56 +0200
On Wed, Mar 29, 2006 at 12:16:47PM +0200, Pavel Cahyna wrote:
> I think netipsec is wrong - it is using m_copyback, but can't be really
> sure that the mbuf is not shared.
Yes. Xen is good for catching this kind of abuse, because the may not even
be mapped read/write :)
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--
Responsible-Changed-From-To: port-xen-maintainer->kern-bug-people
Responsible-Changed-By: pavel@netbsd.org
Responsible-Changed-When: Wed, 29 Mar 2006 10:42:09 +0000
Responsible-Changed-Why:
kernel bug
From: Jeff Rizzo <riz@NetBSD.org>
To: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>,
Jeff Rizzo <riz@NetBSD.org>, gnats-bugs@netbsd.org,
port-xen@netbsd.org
Cc:
Subject: Re: port-xen/33162 [Re: FAST_IPSEC panics domU kernel]
Date: Wed, 29 Mar 2006 07:05:07 -0800
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigE5AAFDB097F20FFF1732C085
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Pavel Cahyna wrote:
> I think netipsec is wrong - it is using m_copyback, but can't be really=
> sure that the mbuf is not shared.
>
> Try the following (not even compile-tested) patch.
> =20
I can confirm this patch does, in fact, allow me to perform the simple
test that caused the domU to crash before.
Thanks!
+j
--------------enigE5AAFDB097F20FFF1732C085
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBRCqiKLOuUtxCgar5AQNNywP+I8vCYH9E+SDghUQVQCUpACp8NgkW5yMK
YhRZtky5tHN7FgvKxWkr4n9QUYfw+O2gYoNRfSWrxNQ2yi2JkaJLny3gEg5M4ZWy
MEpaQVOVSatBA0YG7HxMUKZx8cRnSXaNdAqCEBJugxS1C9Y3Z5RKilA7QqAS/pbv
IamBlskBfPo=
=c930
-----END PGP SIGNATURE-----
--------------enigE5AAFDB097F20FFF1732C085--
From: Pavel Cahyna <pavel@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: PR/33162 CVS commit: src/sys/netipsec
Date: Fri, 28 Apr 2006 22:39:02 +0000 (UTC)
Module Name: src
Committed By: pavel
Date: Fri Apr 28 22:39:02 UTC 2006
Modified Files:
src/sys/netipsec: xform_esp.c
Log Message:
The esp_input_cb function used m_copyback, which fails if the mbuf is
read-only. This can actually happen if the packet was received by the
xennet interface, see PR kern/33162. Change it to m_copyback_cow.
AH and IPCOMP probably need similar fixes.
Requested by Jeff Rizzo, tested on Xen with -current by him.
To generate a diff of this commit:
cvs rdiff -r1.9 -r1.10 src/sys/netipsec/xform_esp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Matthias Drochner" <drochner@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/33162 CVS commit: src/sys/netipsec
Date: Wed, 25 Jan 2012 20:31:23 +0000
Module Name: src
Committed By: drochner
Date: Wed Jan 25 20:31:23 UTC 2012
Modified Files:
src/sys/netipsec: xform_ah.c xform_esp.c xform_ipcomp.c
Log Message:
Make sure the mbufs in the input path (only the parts which we are going
to modify in the AH case) are writable/non-shared.
This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient
patch from that time by a radical solution.
(The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c,
so it needs a network driver modification to reproduce it.)
Being here, clarify a bit of ipcomp -- uncompression is done in-place,
the header must be removed explicitly.
To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.39 -r1.40 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.28 -r1.29 src/sys/netipsec/xform_ipcomp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Wed, 25 Jan 2012 20:37:14 +0000
State-Changed-Why:
This has been worked around by xennetback_xenbus.c rev.1.3 (long ago),
and should be fixed in -current.
ok to close?
State-Changed-From-To: feedback->closed
State-Changed-By: riz@NetBSD.org
State-Changed-When: Sat, 04 Feb 2012 22:27:05 +0000
State-Changed-Why:
This is working now.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.