Discussion:
repeatable isakmpd kernel panic using shrewsoft vpn client
iamatt
2013-10-19 04:18:08 UTC
Synopsis: Shrewsoft vpn client 2.2.0 (linux) causes openbsd to kernel panic
Category: isakmpd using basic psk
Environment:
System : OpenBSD 5.4
Details : OpenBSD 5.4-current (GENERIC) #63: Tue Oct 1
12:33:25 MDT 2013
***@i386.openbsd.org:
/usr/src/sys/arch/i386/compile/GENERIC

Architecture: OpenBSD.i386
Machine : i386
Description:
The Shrewsoft VPN client, compiled version 2.2.0 for Linux, immediately
causes the OpenBSD server to kernel panic when initiating a connection.
Other VPN clients (strongSwan and NCP VPN for Android) do not crash the
server.

sample ipsec.conf

#isakmpd -4dv && ipsecctl -F -f /etc/ipsec.conf

dmz="172.18.1.0/24"
lan="10.22.1.0/24"
ike passive esp from any to {$dmz, $lan} \
main auth hmac-sha1 enc 3des \
quick auth hmac-sha1 enc 3des \
psk whatthehell

shrewsoft client version (http://www.shrew.net)

***@linux-smuw:~> ikec -v
ii : ## : VPN Connect, ver 2.2.0
## : Copyright 2013 Shrew Soft Inc.

linux-smuw:/home/matt # /usr/sbin/iked
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.2.0
## : Copyright 2013 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.1e 11 Feb 2013



How-To-Repeat:
Initiate an IKEv1 VPN connection to OpenBSD using the ipsec.conf file and
Shrewsoft VPN client versions included in this bug report.
Fix:

dmesg:
OpenBSD 5.4-current (GENERIC) #63: Tue Oct 1 12:33:25 MDT 2013
***@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 536408064 (511MB)
avail mem = 515915776 (492MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/71/05, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11,
address 00:00:24:c9:58:d0
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5,
address 00:00:24:c9:58:d1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9,
address 00:00:24:c9:58:d2
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12,
address 00:00:24:c9:58:d3
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <LEXAR ATA FLASH CARD>
wd0: 1-sector PIO, LBA, 7631MB, 15630048 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version
1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 10: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted

usbdevs:
Controller /dev/usb0:
addr 1: high speed, self powered, config 1, EHCI root hub(0x0000),
AMD(0x1022), rev 1.00
port 1 powered
port 2 powered
port 3 powered
port 4 powered
Controller /dev/usb1:
addr 1: full speed, self powered, config 1, OHCI root hub(0x0000),
AMD(0x1022), rev 1.00
port 1 powered
port 2 powered
port 3 powered
port 4 powered

pcidump:

acpidump:
Stuart Henderson
2013-10-19 09:45:53 UTC
Please include the panic message and output from 'trace' in ddb.
Post by iamatt
Synopsis: Shrewsoft vpn client 2.2.0 (linux) causes openbsd to kernel panic
Category: isakmpd using basic psk
System : OpenBSD 5.4
Details : OpenBSD 5.4-current (GENERIC) #63: Tue Oct 1
12:33:25 MDT 2013
/usr/src/sys/arch/i386/compile/GENERIC
Architecture: OpenBSD.i386
Machine : i386
The Shrewsoft VPN client compiled version 2.2.0 for linux immediately
causes the openbsd server to kernel panic when initiating a connection.
Other vpn clients (strongswan, and NCP vpn for android ) do not crash the
server.
sample ipsec.conf
#isakmpd -4dv && ipsecctl -F -f /etc/ipsec.conf
dmz="172.18.1.0/24"
lan="10.22.1.0/24"
ike passive esp from any to {$dmz, $lan} \
main auth hmac-sha1 enc 3des \
quick auth hmac-sha1 enc 3des \
psk whatthehell
shrewsoft client version (http://www.shrew.net)
ii : ## : VPN Connect, ver 2.2.0
## : Copyright 2013 Shrew Soft Inc.
linux-smuw:/home/matt # /usr/sbin/iked
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.2.0
## : Copyright 2013 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.1e 11 Feb 2013
Initiate an ikev1 vpn connection to openbsd using the ipsec.conf file and
shrewsoft vpn client versions included in this bug report.
OpenBSD 5.4-current (GENERIC) #63: Tue Oct 1 12:33:25 MDT 2013
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
586-class)
500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 536408064 (511MB)
avail mem = 515915776 (492MB)
mainbus0 at root
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11,
address 00:00:24:c9:58:d0
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5,
address 00:00:24:c9:58:d1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9,
address 00:00:24:c9:58:d2
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12,
address 00:00:24:c9:58:d3
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <LEXAR ATA FLASH CARD>
wd0: 1-sector PIO, LBA, 7631MB, 15630048 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version
1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 10: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
addr 1: high speed, self powered, config 1, EHCI root hub(0x0000),
AMD(0x1022), rev 1.00
port 1 powered
port 2 powered
port 3 powered
port 4 powered
addr 1: full speed, self powered, config 1, OHCI root hub(0x0000),
AMD(0x1022), rev 1.00
port 1 powered
port 2 powered
port 3 powered
port 4 powered
0:1:0: AMD Geode LX
0x0000: Vendor ID: 1022 Product ID: 2080
0x0004: Command: 0005 Status: 0220
0x0008: Class: 06 Subclass: 00 Interface: 00 Revision: 31
08
0x0010: BAR empty (00000000)
0x0014: BAR empty (00000000)
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1022 Product ID: 2080
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 00 Line: 00 Min Gnt: 00 Max Lat: 00
0x0000: 20801022 02200005 06000031 0080f808
0x0010: 00000000 00000000 00000000 00000000
0x0020: 00000000 00000000 00000000 20801022
0x0030: 00000000 00000000 00000000 00000000
0x0040: 00000000 00000000 00000000 00000000
0x0050: 00000000 00000000 00000000 00000000
0x0060: 00000000 00000000 00000000 00000000
0x0070: 00000000 00000000 00000000 00000000
0x0080: 00000000 00000000 00000000 00000000
0x0090: 00000000 00000000 00000000 00000000
0x00a0: 00000000 00000000 00000000 00000000
0x00b0: 00000000 00000000 00000000 00000000
0x00c0: 00000000 00000000 00000000 00000000
0x00d0: 00000000 00000000 00000000 00000000
0x00e0: 00000000 00000000 00000000 00000000
0x00f0: 00000000 00000000 00000000 00000000
0:1:2: AMD Geode LX Crypto
0x0000: Vendor ID: 1022 Product ID: 2082
0x0004: Command: 0006 Status: 0220
0x0008: Class: 10 Subclass: 10 Interface: 00 Revision: 00
08
0x0010: BAR mem 32bit addr: 0xa0000000/0x00004000
0x0014: BAR empty (00000000)
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1022 Product ID: 2082
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 01 Line: 0a Min Gnt: 00 Max Lat: 00
0x0000: 20821022 02200006 10100000 00000008
0x0010: a0000000 00000000 00000000 00000000
0x0020: 00000000 00000000 00000000 20821022
0x0030: 00000000 00000000 00000000 0000010a
0x0040: 00000000 00000000 00000000 00000000
0x0050: 00000000 00000000 00000000 00000000
0x0060: 00000000 00000000 00000000 00000000
0x0070: 00000000 00000000 00000000 00000000
0x0080: 00000000 00000000 00000000 00000000
0x0090: 00000000 00000000 00000000 00000000
0x00a0: 00000000 00000000 00000000 00000000
0x00b0: 00000000 00000000 00000000 00000000
0x00c0: 00000000 00000000 00000000 00000000
0x00d0: 00000000 00000000 00000000 00000000
0x00e0: 00000000 00000000 00000000 00000000
0x00f0: 00000000 00000000 00000000 00000000
0:6:0: VIA VT6105M RhineIII
0x0000: Vendor ID: 1106 Product ID: 3053
0x0004: Command: 0117 Status: 0210
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 96
08
0x0010: BAR io addr: 0x0000e100/0x0100
0x0014: BAR mem 32bit addr: 0xa0004000/0x00000100
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1106 Product ID: 0106
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 03 Max Lat: 08
0x0040: Capability 0x01: Power Management
0x0000: 30531106 02100117 02000096 00004008
0x0010: 0000e101 a0004000 00000000 00000000
0x0020: 00000000 00000000 00000000 01061106
0x0030: 00000000 00000040 00000000 0803010b
0x0040: fe020001 00000000 00000000 00000000
0x0050: 04000000 00000000 00000000 00000000
0x0060: 00000000 00000000 00000000 00000000
0x0070: 00000000 00000000 00000000 00000000
0x0080: 00000000 00000000 00000000 00000000
0x0090: 00000000 00000000 00000000 00000000
0x00a0: 00000000 00000000 00000000 00000000
0x00b0: 00000000 00000000 00000000 00000000
0x00c0: 00000000 00000000 00000000 00000000
0x00d0: 00000000 00000000 00000000 00000000
0x00e0: 00000000 00000000 00000000 00000000
0x00f0: 00000000 00000000 00000000 00000000
0:7:0: VIA VT6105M RhineIII
0x0000: Vendor ID: 1106 Product ID: 3053
0x0004: Command: 0117 Status: 0210
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 96
08
0x0010: BAR io addr: 0x0000e200/0x0100
0x0014: BAR mem 32bit addr: 0xa0004100/0x00000100
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1106 Product ID: 0106
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 01 Line: 05 Min Gnt: 03 Max Lat: 08
0x0040: Capability 0x01: Power Management
0x0000: 30531106 02100117 02000096 00004008
0x0010: 0000e201 a0004100 00000000 00000000
0x0020: 00000000 00000000 00000000 01061106
0x0030: 00000000 00000040 00000000 08030105
0x0040: fe020001 00000000 00000000 00000000
0x0050: 04000000 00000000 00000000 00000000
0x0060: 00000000 00000000 00000000 00000000
0x0070: 00000000 00000000 00000000 00000000
0x0080: 00000000 00000000 00000000 00000000
0x0090: 00000000 00000000 00000000 00000000
0x00a0: 00000000 00000000 00000000 00000000
0x00b0: 00000000 00000000 00000000 00000000
0x00c0: 00000000 00000000 00000000 00000000
0x00d0: 00000000 00000000 00000000 00000000
0x00e0: 00000000 00000000 00000000 00000000
0x00f0: 00000000 00000000 00000000 00000000
0:8:0: VIA VT6105M RhineIII
0x0000: Vendor ID: 1106 Product ID: 3053
0x0004: Command: 0117 Status: 0210
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 96
08
0x0010: BAR io addr: 0x0000e300/0x0100
0x0014: BAR mem 32bit addr: 0xa0004200/0x00000100
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1106 Product ID: 0106
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 01 Line: 09 Min Gnt: 03 Max Lat: 08
0x0040: Capability 0x01: Power Management
0x0000: 30531106 02100117 02000096 00004008
0x0010: 0000e301 a0004200 00000000 00000000
0x0020: 00000000 00000000 00000000 01061106
0x0030: 00000000 00000040 00000000 08030109
0x0040: fe020001 00000000 00000000 00000000
0x0050: 04000000 00000000 00000000 00000000
0x0060: 00000000 00000000 00000000 00000000
0x0070: 00000000 00000000 00000000 00000000
0x0080: 00000000 00000000 00000000 00000000
0x0090: 00000000 00000000 00000000 00000000
0x00a0: 00000000 00000000 00000000 00000000
0x00b0: 00000000 00000000 00000000 00000000
0x00c0: 00000000 00000000 00000000 00000000
0x00d0: 00000000 00000000 00000000 00000000
0x00e0: 00000000 00000000 00000000 00000000
0x00f0: 00000000 00000000 00000000 00000000
0:9:0: VIA VT6105M RhineIII
0x0000: Vendor ID: 1106 Product ID: 3053
0x0004: Command: 0117 Status: 0210
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 96
08
0x0010: BAR io addr: 0x0000e400/0x0100
0x0014: BAR mem 32bit addr: 0xa0004300/0x00000100
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1106 Product ID: 0106
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 01 Line: 0c Min Gnt: 03 Max Lat: 08
0x0040: Capability 0x01: Power Management
0x0000: 30531106 02100117 02000096 00004008
0x0010: 0000e401 a0004300 00000000 00000000
0x0020: 00000000 00000000 00000000 01061106
0x0030: 00000000 00000040 00000000 0803010c
0x0040: fe020001 00000000 00000000 00000000
0x0050: 04000000 00000000 00000000 00000000
0x0060: 00000000 00000000 00000000 00000000
0x0070: 00000000 00000000 00000000 00000000
0x0080: 00000000 00000000 00000000 00000000
0x0090: 00000000 00000000 00000000 00000000
0x00a0: 00000000 00000000 00000000 00000000
0x00b0: 00000000 00000000 00000000 00000000
0x00c0: 00000000 00000000 00000000 00000000
0x00d0: 00000000 00000000 00000000 00000000
0x00e0: 00000000 00000000 00000000 00000000
0x00f0: 00000000 00000000 00000000 00000000
0:20:0: AMD CS5536 ISA
0x0000: Vendor ID: 1022 Product ID: 2090
0x0004: Command: 0009 Status: 02a0
0x0008: Class: 06 Subclass: 01 Interface: 00 Revision: 03
08
0x0010: BAR io addr: 0x00006000/0x2000
0x0014: BAR io addr: 0x00006100/0x0100
0x0018: BAR io addr: 0x00006200/0x0200
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1022 Product ID: 2090
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 00 Line: 00 Min Gnt: 00 Max Lat: 00
0:20:2: AMD CS5536 IDE
0x0000: Vendor ID: 1022 Product ID: 209a
0x0004: Command: 0005 Status: 02a0
0x0008: Class: 01 Subclass: 01 Interface: 80 Revision: 01
08
0x0010: BAR empty (00000000)
0x0014: BAR empty (00000000)
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR io addr: 0x0000e000/0x0010
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1022 Product ID: 209a
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 00 Line: 00 Min Gnt: 00 Max Lat: 00
0:21:0: AMD CS5536 USB
0x0000: Vendor ID: 1022 Product ID: 2094
0x0004: Command: 0006 Status: 0230
0x0008: Class: 0c Subclass: 03 Interface: 10 Revision: 02
08
0x0010: BAR mem 32bit addr: 0xa0005000/0x00001000
0x0014: BAR empty (00000000)
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1022 Product ID: 2094
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 01 Line: 0f Min Gnt: 00 Max Lat: 00
0:21:1: AMD CS5536 USB
0x0000: Vendor ID: 1022 Product ID: 2095
0x0004: Command: 0006 Status: 0230
0x0008: Class: 0c Subclass: 03 Interface: 20 Revision: 02
08
0x0010: BAR mem 32bit addr: 0xa0006000/0x00001000
0x0014: BAR empty (00000000)
0x0018: BAR empty (00000000)
0x001c: BAR empty (00000000)
0x0020: BAR empty (00000000)
0x0024: BAR empty (00000000)
0x0028: Cardbus CIS: 00000000
0x002c: Subsystem Vendor ID: 1022 Product ID: 2095
0x0030: Expansion ROM Base Address: 00000000
0x0038: 00000000
0x003c: Interrupt Pin: 01 Line: 0f Min Gnt: 00 Max Lat: 00
iamatt
2013-10-21 15:29:04 UTC
Permalink
I do not have the console debug screen but I do have the files from
/var/crash/. Are there some commands I can run on them using gdb that can
be of use?

Re,

Matt
Post by Stuart Henderson
Please include the panic message and output from 'trace' in ddb.
Stuart Henderson
2013-10-21 22:20:30 UTC
Permalink
Post by iamatt
I do not have the console debug screen but I do have the files from
/var/crash/. Are there some commands I can run on them using gdb that can
be of use?
If you have a crashdump, possibly, see "man crash".

As the panic message goes,

RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!

This is much easier than for somebody else to install Linux
and the shrewsoft client before they can even start looking at the bug
(and even then, they might not be able to replicate it).
iamatt
2013-10-23 04:12:48 UTC
Permalink
# Data modified on freelist: word 153288032 of object 0xd17218e0 size 0x18 previous type ??? (invalid addr 0x3557935e)
panic: Data modified on freelist: word 3 of object 0xd17218e0 size 0x18 previous type ??? (0x594f69b5 != 0x594f69b5)

Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(d0976848,f53be668,d0952384,f53be668,d0a95014) at Debugger+0x4
panic(d0952384,d095232c,3,d17218e0,18) at panic+0x67
malloc(18,6c,a,f53be6fc,d1613000) at malloc+0x5e4
glxsb_crypto_newsession(f53be73c,f53be794,0,10,40) at glxsb_crypto_newsession+0x133
crypto_newsession(d17264f0,f53be794,0,f53be7b8,d0b05340) at crypto_newsession+0x135
esp_init(d1726400,d0a96cd8,f53be900,d1724f50,d1724f68) at esp_init+0x245
pfkeyv2_send(d5d1f008,d1724e00,198,d1724f98,d0b05340) at pfkeyv2_send+0x1a6e
pfkey_register(d5d8cc00,d5d1f008,f53bedbc,d03c0a4a,88ab98a0) at pfkey_register+0x278
raw_usrreq(d5d1f008,9,d5d8cc00,0,0) at raw_usrreq+0x221
sosend(d5d1f008,0,f53beeb0,d5d8cc00,0) at sosend+0x48d
soo_write(d5d230ac,d5d230c8,f53beeb0,d5e202d0,55187908) at soo_write+0x3b
dofilewritev(d5d3c618,8,d5d230ac,84fa7500,11) at dofilewritev+0x133
sys_writev(d5d3c618,f53bef64,f53bef84,f53befa8,d5e11600) at sys_writev+0x7c
syscall() at syscall+0x1f9
--- syscall (number 5) ---
0x2:

ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
 31132      1  31132      0  3        0x83  ttyin      ksh
  6230      1   6230      0  3        0x80  select     cron
  1331      1   1331    601  3        0x90  kqread     unbound
 30501      1  30501    535  3        0x90  nanosleep  symon
 16688      1  16688     99  3        0x90  poll       sndiod
 27774  30105  30105      0  3        0xb0  netcon2    sendmail
 30105      1  30105      0  3        0xb0  select     sendmail
 11400      1  11400     77  3        0x90  poll       dhcpd
  1054      1   1054      0  3        0x80  kqread     ifstated
  7646      1   7646      0  3        0x80  select     sshd
 18014      0      0      0  3    0x100280  nfsidl     nfsio
 20915      0      0      0  3    0x100280  nfsidl     nfsio
  8480      0      0      0  3    0x100280  nfsidl     nfsio
 13835      0      0      0  3    0x100280  nfsidl     nfsio
*25527  31834  31834     68  7        0x10             isakmpd
 31834      1  31834      0  3        0x80  netio      isakmpd
 19715  24693  17897     83  3        0x90  poll       ntpd
 24693  17897  17897     83  3        0x90  poll       ntpd
 17897      1  17897      0  3        0x80  poll       ntpd
   630   4742   4742     74  3        0x90  bpf        pflogd
  4742      1   4742      0  3        0x80  netio      pflogd
  9803   9138   9138     73  2        0x90             syslogd
  9138      1   9138      0  3        0x80  netio      syslogd
 18744      1  18744     77  3        0x90  poll       dhclient
 22501      1  22501      0  3        0x80  poll       dhclient
    13      0      0      0  3    0x100200  aiodoned   aiodoned
    12      0      0      0  3    0x100200  syncer     update
    11      0      0      0  3    0x100200  cleaner    cleaner
    10      0      0      0  3    0x100200  reaper     reaper
     9      0      0      0  3    0x100200  pgdaemon   pagedaemon
     8      0      0      0  3    0x100200  bored      crypto
     7      0      0      0  3    0x100200  pftm       pfpurge
     6      0      0      0  3    0x100200  usbtsk     usbtask
     5      0      0      0  3    0x100200  usbatsk    usbatsk
     4      0      0      0  3    0x100200  bored      syswq
     3      0      0      0  3  0x40100200             idle0
     2      0      0      0  3    0x100200  kmalloc    kmthread
     1      0      1      0  3        0x82  wait       init
     0     -1      0      0  3       0x200  scheduler  swapper
ddb>
Stuart Henderson
2013-10-23 07:45:28 UTC
Permalink
The panic seems odd (0x594f69b5 != 0x594f69b5 - these are the same value), maybe someone else will be able to comment on that.

It would be useful to know what isakmpd is doing at the time, e.g. run it in the foreground with fairly high debug settings (maybe "isakmpd -K -d -DA=99" and "ipsecctl -f /etc/ipsec.conf" - there will be a lot of output so run from ssh not serial console).

You may be able to work around it by using 'boot -c' at the bootloader prompt, then 'disable glxsb' and 'quit', or the kernel on-disk could be modified using 'config -ef /bsd'. (glxsb is for hardware AES acceleration for Geode LX systems).
Mike Belopuhov
2013-10-23 10:23:16 UTC
Permalink
Post by Stuart Henderson
The panic seems odd (0x594f69b5 != 0x594f69b5 - these are the same value), maybe someone else will be able to comment on that.
It would be useful to know what isakmpd is doing at the time, e.g. run it in the foreground with fairly high debug settings (maybe "isakmpd -K -d -DA=99" and "ipsecctl -f /etc/ipsec.conf" - there will be a lot of output so run from ssh not serial console).
You may be able to work around it by using 'boot -c' at the bootloader prompt, then 'disable glxsb' and 'quit', or the kernel on-disk could be modified using 'config -ef /bsd'. (glxsb is for hardware AES acceleration for Geode LX systems).
Post by iamatt
# Data modified on freelist: word 153288032 of object 0xd17218e0 size 0x18 previous type ??? (invalid addr 0x3557935e)
panic: Data modified on freelist: word 3 of object 0xd17218e0 size 0x18 previous type ??? (0x594f69b5 != 0x594f69b5)
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(d0976848,f53be668,d0952384,f53be668,d0a95014) at Debugger+0x4
panic(d0952384,d095232c,3,d17218e0,18) at panic+0x67
malloc(18,6c,a,f53be6fc,d1613000) at malloc+0x5e4
glxsb_crypto_newsession(f53be73c,f53be794,0,10,40) at glxsb_crypto_newsession+0x133
crypto_newsession(d17264f0,f53be794,0,f53be7b8,d0b05340) at crypto_newsession+0x135
esp_init(d1726400,d0a96cd8,f53be900,d1724f50,d1724f68) at esp_init+0x245
pfkeyv2_send(d5d1f008,d1724e00,198,d1724f98,d0b05340) at pfkeyv2_send+0x1a6e
pfkey_register(d5d8cc00,d5d1f008,f53bedbc,d03c0a4a,88ab98a0) at pfkey_register+0x278
raw_usrreq(d5d1f008,9,d5d8cc00,0,0) at raw_usrreq+0x221
sosend(d5d1f008,0,f53beeb0,d5d8cc00,0) at sosend+0x48d
soo_write(d5d230ac,d5d230c8,f53beeb0,d5e202d0,55187908) at soo_write+0x3b
dofilewritev(d5d3c618,8,d5d230ac,84fa7500,11) at dofilewritev+0x133
sys_writev(d5d3c618,f53bef64,f53bef84,f53befa8,d5e11600) at sys_writev+0x7c
syscall() at syscall+0x1f9
--- syscall (number 5) ---
ddb> ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
31132 1 31132 0 3 0x83 ttyin ksh
6230 1 6230 0 3 0x80 select cron
1331 1 1331 601 3 0x90 kqread unbound
30501 1 30501 535 3 0x90 nanosleep symon
16688 1 16688 99 3 0x90 poll sndiod
27774 30105 30105 0 3 0xb0 netcon2 sendmail
30105 1 30105 0 3 0xb0 select sendmail
11400 1 11400 77 3 0x90 poll dhcpd
1054 1 1054 0 3 0x80 kqread ifstated
7646 1 7646 0 3 0x80 select sshd
18014 0 0 0 3 0x100280 nfsidl nfsio
20915 0 0 0 3 0x100280 nfsidl nfsio
8480 0 0 0 3 0x100280 nfsidl nfsio
13835 0 0 0 3 0x100280 nfsidl nfsio
*25527 31834 31834 68 7 0x10 isakmpd
31834 1 31834 0 3 0x80 netio isakmpd
19715 24693 17897 83 3 0x90 poll ntpd
24693 17897 17897 83 3 0x90 poll ntpd
17897 1 17897 0 3 0x80 poll ntpd
630 4742 4742 74 3 0x90 bpf pflogd
4742 1 4742 0 3 0x80 netio pflogd
9803 9138 9138 73 2 0x90 syslogd
9138 1 9138 0 3 0x80 netio syslogd
18744 1 18744 77 3 0x90 poll dhclient
22501 1 22501 0 3 0x80 poll dhclient
13 0 0 0 3 0x100200 aiodoned aiodoned
12 0 0 0 3 0x100200 syncer update
11 0 0 0 3 0x100200 cleaner cleaner
10 0 0 0 3 0x100200 reaper reaper
9 0 0 0 3 0x100200 pgdaemon pagedaemon
8 0 0 0 3 0x100200 bored crypto
7 0 0 0 3 0x100200 pftm pfpurge
6 0 0 0 3 0x100200 usbtsk usbtask
5 0 0 0 3 0x100200 usbatsk usbatsk
4 0 0 0 3 0x100200 bored syswq
3 0 0 0 3 0x40100200 idle0
2 0 0 0 3 0x100200 kmalloc kmthread
1 0 1 0 3 0x82 wait init
0 -1 0 0 3 0x200 scheduler swapper
ddb>
Post by Stuart Henderson
Post by iamatt
I do not have the console debug screen but I do have the files from
/var/crash/ Is there some commands I can run on them using gdb that can
be of use?
If you have a crashdump, possibly, see "man crash".
As the panic message goes,
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
This is much easier than for somebody else to install Linux
and the shrewsoft client before they can even start looking at the bug
(and even then, they might not be able to replicate it).
hi,

this is partially my screwup. please try the diff below. we
forget to actually allocate the memory for our key schedule
but free it later on in the glxsb_crypto_freesession. that's
why you get memory corruption all the way.

it has another seemingly unrelated chunk (pctr.h -> cpufunc.h
change) that i would like to commit as well (perhaps separately)
to limit pctr.h usage in kernel. so it would be nice to test
the whole thing together.

i also reformat one malloc block to shorten it (:

ok's are welcome (assuming this will pass the test).

diff --git sys/arch/i386/pci/glxsb.c sys/arch/i386/pci/glxsb.c
index dacb500..59a7e06 100644
--- sys/arch/i386/pci/glxsb.c
+++ sys/arch/i386/pci/glxsb.c
@@ -32,7 +32,7 @@
#include <sys/timeout.h>

#include <machine/bus.h>
-#include <machine/pctr.h>
+#include <machine/cpufunc.h>

#include <dev/rndvar.h>
#include <dev/pci/pcivar.h>
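Review bot: the pctr.h to cpufunc.h include swap is unrelated to the key-schedule allocation fix in the next hunk, so it should go in as its own commit; that keeps the memory-corruption fix minimal for testing and easy to revert or backport on its own. The commit message for the include change should say which declarations glxsb.c actually needs from machine/cpufunc.h.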
@@ -398,14 +398,24 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
case CRYPTO_AES_CBC:

if (c->cri_klen != 128) {
- swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
- M_NOWAIT|M_ZERO);
+ swd = malloc(sizeof(struct swcr_data),
+ M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
if (swd == NULL) {
glxsb_crypto_freesession(sesn);
return (ENOMEM);
}
ses->ses_swd_enc = swd;
txf = &enc_xform_rijndael128;
+ if (txf->ctxsize > 0) {
+ swd->sw_kschedule =
+ malloc(txf->ctxsize,
+ M_CRYPTO_DATA,
+ M_NOWAIT|M_ZERO);
+ if (swd->sw_kschedule == NULL) {
+ glxsb_crypto_freesession(sesn);
+ return (EINVAL);
+ }
+ }
if (txf->setkey(&(swd->sw_kschedule), c->cri_key,
c->cri_klen / 8) < 0) {
glxsb_crypto_freesession(sesn);
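Review bot: after the added allocation, the unchanged call right below it still passes &(swd->sw_kschedule), the address of the pointer, to txf->setkey rather than the freshly allocated buffer; check this against the setkey prototype, because if setkey expects the context itself it will write the key schedule over the swcr_data structure instead of into the new txf->ctxsize buffer. The failed sw_kschedule allocation also returns EINVAL where the swd allocation failure a few lines up returns ENOMEM; ENOMEM fits an out-of-memory path better.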
iamatt
2013-10-25 03:54:14 UTC
Hi,

Trying to apply patch to newly cvs'd current

# cd
/usr/src/
/usr/src/sys/arch/i386/pci/glxsb.patch
<
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- sys/arch/i386/pci/glxsb.c
|+++ sys/arch/i386/pci/glxsb.c
--------------------------
Patching file sys/arch/i386/pci/glxsb.c using Plan A...
Hunk #1 succeeded at 32.
Hunk #2 failed at 398.
1 out of 2 hunks failed--saving rejects to sys/arch/i386/pci/glxsb.c.rej
done


# cat sys/arch/i386/pci/glxsb.c.rej
@@ -398,14 +398,24 @@
case CRYPTO_AES_CBC:

if (c->cri_klen != 128) {
- swd = malloc(sizeof(struct swcr_data),
M_CRYPTO_DATA,
- M_NOWAIT|M_ZERO);
+ swd = malloc(sizeof(struct swcr_data),
+ M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
if (swd == NULL) {
glxsb_crypto_freesession(sesn);
return (ENOMEM);
}
ses->ses_swd_enc = swd;
txf = &enc_xform_rijndael128;
+ if (txf->ctxsize > 0) {
+ swd->sw_kschedule =
+ malloc(txf->ctxsize,
+ M_CRYPTO_DATA,
+ M_NOWAIT|M_ZERO);
+ if (swd->sw_kschedule == NULL) {
+
glxsb_crypto_freesession(sesn);
+ return (EINVAL);
+ }
+ }
if (txf->setkey(&(swd->sw_kschedule),
c->cri_key,
c->cri_klen / 8) < 0) {
glxsb_crypto_freesession(sesn);
Stuart Henderson
2013-10-25 08:43:31 UTC
Post by iamatt
Hi,
Trying to apply patch to newly cvs'd current
It applies OK for me; gmail is known to mangle diffs (both sent and
received). Try this:

cd /usr/src && ftp -o- 'http://marc.info/?l=openbsd-bugs&m=138252383014899&q=raw' | patch
iamatt
2013-10-26 03:26:59 UTC
Hello that does not work. I've downloaded the patch using mutt and still
fails. Would really like to try and see if this works and not sure what I
am doing wrong.

re,

MB
Philip Guenther
2013-10-26 04:00:03 UTC
Hello that does not work. I've downloaded the patch using mutt and
still fails. Would really like to try and see if this works and not
sure what I am doing wrong.
How are we to diagnose why it's not working if you don't describe in any
way what happened when you tried to do so? When in doubt, show what
output!


Here's what happens when I (successfully) do it. Note: my shell's prompt
is ": morgaine; ".

: morgaine; cd /usr/src
: morgaine; cvs -q up -APd sys/arch/i386
: morgaine; ftp -o- 'http://marc.info/?l=openbsd-bugs&m=138252383014899&q=raw' | patch
Trying 173.79.223.25...
Requesting http://marc.info/?l=openbsd-bugs&m=138252383014899&q=raw
7395 bytes received in 0.12 seconds (60.95 KB/s)
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|On Wed, Oct 23, 2013 at 08:45 +0100, Stuart Henderson wrote:
|> The panic seems odd (0x594f69b5 !=
|> 0x594f69b5 - these are the same value) , maybe someone else will be able to comment on that.
|>
|> It would be useful to know what isakmpd is doing at the time e.g. run it in the foreground with fairly high debug settings (maybe "isakmpd -K -d -DA=99" and "ipsecctl -f /etc/ipsrc.conf" - there will be a lot of output so run from ssh not serial console).
|>
|> You may be able to workaround by using 'boot -c' at the bootloader prompt, then 'disable glxsb' and 'quit', or the kernel on-disk could be modified using 'config -ef /bsd'. (glxsb is for hardware AES acceleration for Geode LX systems).
|>
|> iamatt <***@gmail.com> wrote:
|> ># Data modified on freelist: word 153288032 of object 0xd17218e0 size
|> >0x18
|> >previ
|> >ous type ??? (invalid addr
|> >0x3557935e)
|> >panic: Data modified on freelist: word 3 of object 0xd17218e0 size 0x18
|> >previous
|> > type ??? (0x594f69b5 !=
|> >0x594f69b5)
|> >
|> >
|> >Stopped at Debugger+0x4: popl
|> >%ebp
|> >RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
|> >PANIC!
|> >DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT
|> >INFORMATION!
|> >ddb>
|> >trace
|> >Debugger(d0976848,f53be668,d0952384,f53be668,d0a95014) at
|> >Debugger+0x4
|> >panic(d0952384,d095232c,3,d17218e0,18) at
|> >panic+0x67
|> >malloc(18,6c,a,f53be6fc,d1613000) at
|> >malloc+0x5e4
|> >glxsb_crypto_newsession(f53be73c,f53be794,0,10,40) at
|> >glxsb_crypto_newsession+0
|> >x133
|> >
|> >crypto_newsession(d17264f0,f53be794,0,f53be7b8,d0b05340) at
|> >crypto_newsession+0
|> >x135
|> >
|> >esp_init(d1726400,d0a96cd8,f53be900,d1724f50,d1724f68) at
|> >esp_init+0x245
|> >pfkeyv2_send(d5d1f008,d1724e00,198,d1724f98,d0b05340) at
|> >pfkeyv2_send+0x1a6e
|> >pfkey_register(d5d8cc00,d5d1f008,f53bedbc,d03c0a4a,88ab98a0) at
|> >pfkey_register+
|> >0x278
|> >
|> >raw_usrreq(d5d1f008,9,d5d8cc00,0,0) at
|> >raw_usrreq+0x221
|> >sosend(d5d1f008,0,f53beeb0,d5d8cc00,0) at
|> >sosend+0x48d
|> >soo_write(d5d230ac,d5d230c8,f53beeb0,d5e202d0,55187908) at
|> >soo_write+0x3b
|> >dofilewritev(d5d3c618,8,d5d230ac,84fa7500,11) at
|> >dofilewritev+0x133
|> >sys_writev(d5d3c618,f53bef64,f53bef84,f53befa8,d5e11600) at
|> >sys_writev+0x7c
|> >syscall() at
|> >syscall+0x1f9
|> >--- syscall (number 5)
|> >---
|> >0x2:
|> >
|> >ddb>
|> >ps
|> > PID PPID PGRP UID S FLAGS WAIT
|> >COMMAND
|> > 31132 1 31132 0 3 0x83 ttyin
|> >ksh
|> > 6230 1 6230 0 3 0x80 select
|> >cron
|> > 1331 1 1331 601 3 0x90 kqread
|> >unbound
|> > 30501 1 30501 535 3 0x90 nanosleep
|> >symon
|> > 16688 1 16688 99 3 0x90 poll
|> >sndiod
|> > 27774 30105 30105 0 3 0xb0 netcon2
|> >sendmail
|> > 30105 1 30105 0 3 0xb0 select
|> >sendmail
|> > 11400 1 11400 77 3 0x90 poll
|> >dhcpd
|> > 1054 1 1054 0 3 0x80 kqread
|> >ifstated
|> > 7646 1 7646 0 3 0x80 select
|> >sshd
|> > 18014 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 20915 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 8480 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 13835 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> >*25527 31834 31834 68 7 0x10
|> >isakmpd
|> > 31834 1 31834 0 3 0x80 netio
|> >isakmpd
|> > 19715 24693 17897 83 3 0x90 poll
|> >ntpd
|> > 24693 17897 17897 83 3 0x90 poll
|> >ntpd
|> > 17897 1 17897 0 3 0x80 poll
|> >ntpd
|> > 630 4742 4742 74 3 0x90 bpf
|> >pflogd
|> > 4742 1 4742 0 3 0x80 netio
|> >pflogd
|> > 9803 9138 9138 73 2 0x90
|> >syslogd
|> > 9138 1 9138 0 3 0x80 netio
|> >syslogd
|> > 18744 1 18744 77 3 0x90 poll
|> >dhclient
|> > 22501 1 22501 0 3 0x80 poll
|> >dhclient
|> > 13 0 0 0 3 0x100200 aiodoned
|> >aiodoned
|> > 12 0 0 0 3 0x100200 syncer
|> >update
|> > 11 0 0 0 3 0x100200 cleaner
|> >cleaner
|> > 10 0 0 0 3 0x100200 reaper
|> >reaper
|> > 9 0 0 0 3 0x100200 pgdaemon
|> >pagedaemon
|> > 8 0 0 0 3 0x100200 bored
|> >crypto
|> > 7 0 0 0 3 0x100200 pftm
|> >pfpurge
|> > 6 0 0 0 3 0x100200 usbtsk
|> >usbtask
|> > 5 0 0 0 3 0x100200 usbatsk
|> >usbatsk
|> > 4 0 0 0 3 0x100200 bored
|> >syswq
|> > 3 0 0 0 3 0x40100200
|> >idle0
|> > 2 0 0 0 3 0x100200 kmalloc
|> >kmthread
|> > 1 0 1 0 3 0x82 wait
|> >init
|> > 0 -1 0 0 3 0x200 scheduler
|> >swapper
|> >ddb>
|> >
|> >
|> >
|> >On Mon, Oct 21, 2013 at 5:20 PM, Stuart Henderson <***@openbsd.org>
|> >wrote:
|> >
|> >> On 2013/10/21 10:29, iamatt wrote:
|> >> > I do not have the console debug screen but I do have the files from
|> >> > /var/crash/ Is there some commands I can run on them using gdb
|> >that can
|> >> > be of use?
|> >>
|> >> If you have a crashdump, possibly, see "man crash".
|> >>
|> >> As the panic message goes,
|> >>
|> >> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
|> >PANIC!
|> >> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
|> >>
|> >> This is much easier than for somebody else to install Linux
|> >> and the shrewsoft client before they can even start looking at the
|> >bug
|> >> (and even then, they might not be able to replicate it).
|>
|
|hi,
|
|this is partially my screwup. please try the diff below. we
|forget to actually allocate the memory for our key schedule
|but free it later on in the glxsb_crypto_freesession. that's
|why you get memory corruption all the way.
|
|it has another seemingly unrelated chunk (pctr.h -> cpufunc.h
|change) that i would like to commit as well (perhaps separately)
|to limit pctr.h usage in kernel. so it would be nice to test
|the whole thing together.
|
|i also reformat one malloc block to shorten it (:
|
|ok's are welcome (assuming this will pass the test).
|
|diff --git sys/arch/i386/pci/glxsb.c sys/arch/i386/pci/glxsb.c
|index dacb500..59a7e06 100644
|--- sys/arch/i386/pci/glxsb.c
|+++ sys/arch/i386/pci/glxsb.c
--------------------------
Patching file sys/arch/i386/pci/glxsb.c using Plan A...
Hunk #1 succeeded at 32.
Hunk #2 succeeded at 398.
done
: morgaine;


Philip Guenther
iamatt
2013-10-28 19:12:07 UTC
Ok got working and recompiled kernel, installed.

Still can crash system while connecting

login: Data modified on freelist: word 153278916 of object 0xd172ad20 size 0x20)
panic: Data modified on freelist: word 3 of object 0xd172ad20 size 0x20 previou)


Starting stack trace...
panic(d097eaed,f53be6d8,d095a824,f53be6d8,d0a9e034) at panic+0x75
panic(d095a824,d095a7cc,3,d172ad20,20) at panic+0x75
malloc(20,4c,1,f53be7b8,d0b0e220) at malloc+0x5e4
esp_init(d175e000,d0a9fcf8,f53be900,d175bb80,d175bb38) at esp_init+0x148
pfkeyv2_send(d5d10008,d175ba00,198,d175bb98,d0b0e220) at pfkeyv2_send+0x175a
pfkey_register(d5d96800,d5d10008,f53bedbc,d03c3d3a,8acde240) at pfkey_register+8
raw_usrreq(d5d10008,9,d5d96800,0,0) at raw_usrreq+0x221
sosend(d5d10008,0,f53beeb0,d5d96800,0) at sosend+0x48d
soo_write(d5d170ac,d5d170c8,f53beeb0,d5e2a2d0,e3b7a840) at soo_write+0x3b
dofilewritev(d5d3f618,8,d5d170ac,82c75600,11) at dofilewritev+0x133
sys_writev(d5d3f618,f53bef64,f53bef84,f53befa8,d5e1b600) at sys_writev+0x7c
syscall() at syscall+0x1f9
--- syscall (number 5) ---
0x2:

End of stack trace.
syncing disks... 21 21 21 21 15 4 done
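Both traces in this thread panic inside malloc(), first under glxsb_crypto_newsession and then under esp_init. The following is an added example, not OpenBSD code and not part of the original posts: a simplified user-space model of freelist poisoning, the kind of allocator check that reports "Data modified on freelist", showing why the fault is raised by whichever caller next allocates the damaged chunk rather than by the code that wrote to it. The pool layout, the poison value, the written value and all function names are assumptions made for the illustration; the scenario is a generic write to memory the allocator considers free, not a reproduction of the glxsb bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK_WORDS 6             /* 6 x 4 bytes = 0x18, the object size in the first panic */
#define NCHUNKS     4
#define POISON      0xdeadbeefU   /* constructed fill pattern for this model */

struct chunk { uint32_t word[CHUNK_WORDS]; };

static struct chunk pool[NCHUNKS];
static struct chunk *freelist[NCHUNKS];   /* LIFO stack of free chunks */
static int nfree;

static void poison(struct chunk *c)
{
    for (int i = 0; i < CHUNK_WORDS; i++)
        c->word[i] = POISON;
}

/* Reset the pool: every chunk is free and filled with the poison pattern. */
void pool_init(void)
{
    nfree = 0;
    for (int i = 0; i < NCHUNKS; i++) {
        poison(&pool[i]);
        freelist[nfree++] = &pool[i];
    }
}

/*
 * Hand out a chunk, but first verify that it still holds the poison
 * pattern written when it was freed. On a mismatch, store the offending
 * word index in *bad_word and return NULL (a kernel would panic here).
 * *bad_word is -1 when the chunk is intact.
 */
struct chunk *pool_alloc(const char *caller, int *bad_word)
{
    *bad_word = -1;
    if (nfree == 0)
        return NULL;
    struct chunk *c = freelist[--nfree];
    for (int i = 0; i < CHUNK_WORDS; i++) {
        if (c->word[i] != POISON) {
            *bad_word = i;
            fprintf(stderr,
                "%s: data modified on freelist: word %d of object %p "
                "size 0x%zx (0x%x != 0x%x)\n",
                caller, i, (void *)c, sizeof(*c),
                (unsigned)c->word[i], (unsigned)POISON);
            return NULL;
        }
    }
    return c;
}

/* Return a chunk to the allocator and re-poison it. */
void pool_free(struct chunk *c)
{
    poison(c);
    freelist[nfree++] = c;
}

/* Well-behaved owner: allocate, use, free, allocate again. Returns -1. */
int demo_clean(void)
{
    int bad;
    pool_init();
    struct chunk *a = pool_alloc("session_a", &bad);
    a->word[3] = 0x1234;
    pool_free(a);
    pool_alloc("session_b", &bad);
    return bad;
}

/*
 * Owner keeps a pointer after the chunk went back to the allocator and
 * writes through it. Nothing fails at the write; the next allocation of
 * that chunk, made by unrelated code, is what trips the check.
 * Returns the index of the modified word (3).
 */
int demo_stale_write(void)
{
    int bad;
    pool_init();
    struct chunk *sched = pool_alloc("crypto_session", &bad);
    pool_free(sched);               /* chunk is back on the freelist */
    sched->word[3] = 0x0badc0deU;   /* constructed value; stale write succeeds silently */
    pool_alloc("unrelated_caller", &bad);
    return bad;
}

int main(void)
{
    printf("clean cycle: bad word = %d\n", demo_clean());
    printf("stale write: bad word = %d\n", demo_stale_write());
    return 0;
}
```

The frame directly above malloc in such a trace therefore identifies the victim of the corruption, not necessarily its source.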
Matt
2013-10-29 03:25:45 UTC
Disabling glxsb in kernel prevents the system from crashing.

mb
Mike Belopuhov
2013-10-29 20:41:40 UTC
Post by Matt
Disabling glxsb in kernel prevents the system from crashing.
mb
Post by iamatt
Ok got working and recompiled kernel, installed.
Still can crash system while connecting
login: Data modified on freelist: word 153278916 of object 0xd172ad20 size
0x20)
panic: Data modified on freelist: word 3 of object 0xd172ad20 size 0x20
previou)
Starting stack
trace...
panic(d097eaed,f53be6d8,d095a824,f53be6d8,d0a9e034) at
panic+0x75
panic(d095a824,d095a7cc,3,d172ad20,20) at
panic+0x75
malloc(20,4c,1,f53be7b8,d0b0e220) at
malloc+0x5e4
esp_init(d175e000,d0a9fcf8,f53be900,d175bb80,d175bb38) at
esp_init+0x148
pfkeyv2_send(d5d10008,d175ba00,198,d175bb98,d0b0e220) at
pfkeyv2_send+0x175a
pfkey_register(d5d96800,d5d10008,f53bedbc,d03c3d3a,8acde240) at
pfkey_register+8
raw_usrreq(d5d10008,9,d5d96800,0,0) at
raw_usrreq+0x221
sosend(d5d10008,0,f53beeb0,d5d96800,0) at
sosend+0x48d
soo_write(d5d170ac,d5d170c8,f53beeb0,d5e2a2d0,e3b7a840) at
soo_write+0x3b
dofilewritev(d5d3f618,8,d5d170ac,82c75600,11) at
dofilewritev+0x133
sys_writev(d5d3f618,f53bef64,f53bef84,f53befa8,d5e1b600) at
sys_writev+0x7c
syscall() at syscall+0x1f9
--- syscall (number 5)
---
End of stack
trace.
syncing disks... 21 21 21 21 15 4
done
Hello that does not work. I've downloaded the patch using mutt and
still fails. Would really like to try and see if this works and not
sure what I am doing wrong.
How are we to diagnose why it's not working if you don't describe in any
way what happened when you tried to do so? When in doubt, show what
output!
Here's what's happen when I (successfully) do it. Note: my shell's prompt
is ": morgaine; ".
: morgaine; cd /usr/src
: morgaine; cvs -q up -APd sys/arch/i386
: morgaine; ftp -o- '
http://marc.info/?l=openbsd-bugs&m=138252383014899&q=raw' | patch
Trying 173.79.223.25...
Requesting http://marc.info/?l=openbsd-bugs&m=138252383014899&q=raw
7395 bytes received in 0.12 seconds (60.95 KB/s)
Hmm... Looks like a unified diff to me...
--------------------------
|> The panic seems odd (0x594f69b5 !=
|> 0x594f69b5 - these are the same value) , maybe someone else will
be able to comment on that.
|>
|> It would be useful to know what isakmpd is doing at the time e.g. run it
in the foreground with fairly high debug settings (maybe "isakmpd -K -d
-DA=99" and "ipsecctl -f /etc/ipsrc.conf" - there will be a lot of output
so run from ssh not serial console).
|>
|> You may be able to workaround by using 'boot -c' at the bootloader
prompt, then 'disable glxsb' and 'quit', or the kernel on-disk could be
modified using 'config -ef /bsd'. (glxsb is for hardware AES acceleration
for Geode LX systems).
|>
|> ># Data modified on freelist: word 153288032 of object 0xd17218e0 size
|> >0x18
|> >previ
|> >ous type ??? (invalid addr
|> >0x3557935e)
|> >panic: Data modified on freelist: word 3 of object 0xd17218e0 size 0x18
|> >previous
|> > type ??? (0x594f69b5 !=
|> >0x594f69b5)
|> >
|> >
|> >Stopped at Debugger+0x4: popl
|> >%ebp
|> >RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
|> >PANIC!
|> >DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT
|> >INFORMATION!
|> >ddb>
|> >trace
|> >Debugger(d0976848,f53be668,
d0952384,f53be668,d0a95014) at
|> >Debugger+0x4
|> >panic(d0952384,d095232c,3,d17218e0,18) at
|> >panic+0x67
|> >malloc(18,6c,a,f53be6fc,d1613000) at
|> >malloc+0x5e4
|> >glxsb_crypto_newsession(f53be73c,f53be794,0,10,40) at
|> >glxsb_crypto_newsession+0
|> >x133
|> >
|> >crypto_newsession(d17264f0,f53be794,0,f53be7b8,d0b05340) at
|> >crypto_newsession+0
|> >x135
|> >
|> >esp_init(d1726400,d0a96cd8,f53be900,d1724f50,d1724f68) at
|> >esp_init+0x245
|> >pfkeyv2_send(d5d1f008,d1724e00,198,d1724f98,d0b05340) at
|> >pfkeyv2_send+0x1a6e
|> >pfkey_register(d5d8cc00,d5d1f008,f53bedbc,d03c0a4a,88ab98a0) at
|> >pfkey_register+
|> >0x278
|> >
|> >raw_usrreq(d5d1f008,9,d5d8cc00,0,0) at
|> >raw_usrreq+0x221
|> >sosend(d5d1f008,0,f53beeb0,d5d8cc00,0) at
|> >sosend+0x48d
|> >soo_write(d5d230ac,d5d230c8,f53beeb0,d5e202d0,55187908) at
|> >soo_write+0x3b
|> >dofilewritev(d5d3c618,8,d5d230ac,84fa7500,11) at
|> >dofilewritev+0x133
|> >sys_writev(d5d3c618,f53bef64,f53bef84,f53befa8,d5e11600) at
|> >sys_writev+0x7c
|> >syscall() at
|> >syscall+0x1f9
|> >--- syscall (number 5)
|> >---
|> >
|> >ddb>
|> >ps
|> > PID PPID PGRP UID S FLAGS WAIT
|> >COMMAND
|> > 31132 1 31132 0 3 0x83 ttyin
|> >ksh
|> > 6230 1 6230 0 3 0x80 select
|> >cron
|> > 1331 1 1331 601 3 0x90 kqread
|> >unbound
|> > 30501 1 30501 535 3 0x90 nanosleep
|> >symon
|> > 16688 1 16688 99 3 0x90 poll
|> >sndiod
|> > 27774 30105 30105 0 3 0xb0 netcon2
|> >sendmail
|> > 30105 1 30105 0 3 0xb0 select
|> >sendmail
|> > 11400 1 11400 77 3 0x90 poll
|> >dhcpd
|> > 1054 1 1054 0 3 0x80 kqread
|> >ifstated
|> > 7646 1 7646 0 3 0x80 select
|> >sshd
|> > 18014 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 20915 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 8480 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 13835 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> >*25527 31834 31834 68 7 0x10
|> >isakmpd
|> > 31834 1 31834 0 3 0x80 netio
|> >isakmpd
|> > 19715 24693 17897 83 3 0x90 poll
|> >ntpd
|> > 24693 17897 17897 83 3 0x90 poll
|> >ntpd
|> > 17897 1 17897 0 3 0x80 poll
|> >ntpd
|> > 630 4742 4742 74 3 0x90 bpf
|> >pflogd
|> > 4742 1 4742 0 3 0x80 netio
|> >pflogd
|> > 9803 9138 9138 73 2 0x90
|> >syslogd
|> > 9138 1 9138 0 3 0x80 netio
|> >syslogd
|> > 18744 1 18744 77 3 0x90 poll
|> >dhclient
|> > 22501 1 22501 0 3 0x80 poll
|> >dhclient
|> > 13 0 0 0 3 0x100200 aiodoned
|> >aiodoned
|> > 12 0 0 0 3 0x100200 syncer
|> >update
|> > 11 0 0 0 3 0x100200 cleaner
|> >cleaner
|> > 10 0 0 0 3 0x100200 reaper
|> >reaper
|> > 9 0 0 0 3 0x100200 pgdaemon
|> >pagedaemon
|> > 8 0 0 0 3 0x100200 bored
|> >crypto
|> > 7 0 0 0 3 0x100200 pftm
|> >pfpurge
|> > 6 0 0 0 3 0x100200 usbtsk
|> >usbtask
|> > 5 0 0 0 3 0x100200 usbatsk
|> >usbatsk
|> > 4 0 0 0 3 0x100200 bored
|> >syswq
|> > 3 0 0 0 3 0x40100200
|> >idle0
|> > 2 0 0 0 3 0x100200 kmalloc
|> >kmthread
|> > 1 0 1 0 3 0x82 wait
|> >init
|> > 0 -1 0 0 3 0x200 scheduler
|> >swapper
|> >ddb>
|> >
|> >
|> >
|> >
|> >> > I do not have the console debug screen but I do have the files from
|> >> > /var/crash/ Is there some commands I can run on them using gdb
|> >that can
|> >> > be of use?
|> >>
|> >> If you have a crashdump, possibly, see "man crash".
|> >>
|> >> As the panic message goes,
|> >>
|> >> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
|> >PANIC!
|> >> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
|> >>
|> >> This is much easier than for somebody else to install Linux
|> >> and the shrewsoft client before they can even start looking at the
|> >bug
|> >> (and even then, they might not be able to replicate it).
|>
|
|hi,
|
|this is partially my screwup. please try the diff below. we
|forget to actually allocate the memory for our key schedule
|but free it later on in the glxsb_crypto_freesession. that's
|why you get memory corruption all the way.
|
|it has another seemingly unrelated chunk (pctr.h -> cpufunc.h
|change) that i would like to commit as well (perhaps separately)
|to limit pctr.h usage in kernel. so it would be nice to test
|the whole thing together.
|
|
|ok's are welcome (assuming this will pass the test).
|
|diff --git sys/arch/i386/pci/glxsb.c sys/arch/i386/pci/glxsb.c
|index dacb500..59a7e06 100644
|--- sys/arch/i386/pci/glxsb.c
|+++ sys/arch/i386/pci/glxsb.c
--------------------------
Patching file sys/arch/i386/pci/glxsb.c using Plan A...
Hunk #1 succeeded at 32.
Hunk #2 succeeded at 398.
done
: morgaine;
Philip Guenther
hi,

one more line needed to be changed (txf->setkey). i've finally got
my net5501 going here so i could test the fix.

here's a copy: http://theapt.org/~mike/glxsb.diff

jsing, ok?

diff --git sys/arch/i386/pci/glxsb.c sys/arch/i386/pci/glxsb.c
index dacb500..9a2c8d3 100644
--- sys/arch/i386/pci/glxsb.c
+++ sys/arch/i386/pci/glxsb.c
@@ -32,7 +32,7 @@
#include <sys/timeout.h>

#include <machine/bus.h>
-#include <machine/pctr.h>
+#include <machine/cpufunc.h>

#include <dev/rndvar.h>
#include <dev/pci/pcivar.h>
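Review bot: The include swap from <machine/pctr.h> to <machine/cpufunc.h> is unrelated to the key schedule fix in the following hunk and would be better committed on its own, as the earlier message in this thread already suggests. That keeps the memory corruption fix a single-purpose change that can be tested or backed out separately. The commit message for the include change should say what glxsb.c actually needs from cpufunc.h, since nothing in this hunk shows it.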
@@ -398,15 +398,25 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
case CRYPTO_AES_CBC:

if (c->cri_klen != 128) {
- swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
- M_NOWAIT|M_ZERO);
+ swd = malloc(sizeof(struct swcr_data),
+ M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
if (swd == NULL) {
glxsb_crypto_freesession(sesn);
return (ENOMEM);
}
ses->ses_swd_enc = swd;
txf = &enc_xform_rijndael128;
- if (txf->setkey(&(swd->sw_kschedule), c->cri_key,
+ if (txf->ctxsize > 0) {
+ swd->sw_kschedule =
+ malloc(txf->ctxsize,
+ M_CRYPTO_DATA,
+ M_NOWAIT|M_ZERO);
+ if (swd->sw_kschedule == NULL) {
+ glxsb_crypto_freesession(sesn);
+ return (EINVAL);
+ }
+ }
+ if (txf->setkey(swd->sw_kschedule, c->cri_key,
c->cri_klen / 8) < 0) {
glxsb_crypto_freesession(sesn);
return (EINVAL);
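Review bot: The new failure path for the sw_kschedule allocation returns EINVAL, while the swd allocation failure a few lines above returns ENOMEM for the same condition; `return (ENOMEM);` would be consistent and lets a caller tell memory exhaustion from a rejected key. Also, when txf->ctxsize is 0 the guard leaves swd->sw_kschedule NULL (swd is allocated with M_ZERO) and that NULL is then passed to txf->setkey(), so either drop the guard or note that enc_xform_rijndael128 always has a nonzero ctxsize. The re-wrapping of the first malloc() call is whitespace only and could be left out of the fix.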
Joel Sing
2013-10-30 00:30:39 UTC
Post by Mike Belopuhov
Post by Matt
Disabling glxsb in kernel prevents the system from crashing.
mb
Post by iamatt
Ok got working and recompiled kernel, installed.
Still can crash system while connecting
login: Data modified on freelist: word 153278916 of object 0xd172ad20
size 0x20)
panic: Data modified on freelist: word 3 of object 0xd172ad20 size 0x20
previou)
Starting stack
trace...
panic(d097eaed,f53be6d8,d095a824,f53be6d8,d0a9e034) at
panic+0x75
panic(d095a824,d095a7cc,3,d172ad20,20) at
panic+0x75
malloc(20,4c,1,f53be7b8,d0b0e220) at
malloc+0x5e4
esp_init(d175e000,d0a9fcf8,f53be900,d175bb80,d175bb38) at
esp_init+0x148
pfkeyv2_send(d5d10008,d175ba00,198,d175bb98,d0b0e220) at
pfkeyv2_send+0x175a
pfkey_register(d5d96800,d5d10008,f53bedbc,d03c3d3a,8acde240) at
pfkey_register+8
raw_usrreq(d5d10008,9,d5d96800,0,0) at
raw_usrreq+0x221
sosend(d5d10008,0,f53beeb0,d5d96800,0) at
sosend+0x48d
soo_write(d5d170ac,d5d170c8,f53beeb0,d5e2a2d0,e3b7a840) at
soo_write+0x3b
dofilewritev(d5d3f618,8,d5d170ac,82c75600,11) at
dofilewritev+0x133
sys_writev(d5d3f618,f53bef64,f53bef84,f53befa8,d5e1b600) at
sys_writev+0x7c
syscall() at syscall+0x1f9
--- syscall (number 5)
---
End of stack
trace.
syncing disks... 21 21 21 21 15 4
done
On Fri, Oct 25, 2013 at 11:00 PM, Philip Guenther
Hello that does not work. I've downloaded the patch using mutt and
still fails. Would really like to try and see if this works and not
sure what I am doing wrong.
How are we to diagnose why it's not working if you don't describe in
any way what happened when you tried to do so? When in doubt, show
what output!
Here's what's happen when I (successfully) do it. Note: my shell's
prompt is ": morgaine; ".
: morgaine; cd /usr/src
: morgaine; cvs -q up -APd sys/arch/i386
: morgaine; ftp -o- '
http://marc.info/?l=openbsd-bugs&m=138252383014899&q=raw' | patch
Trying 173.79.223.25...
Requesting http://marc.info/?l=openbsd-bugs&m=138252383014899&q=raw
7395 bytes received in 0.12 seconds (60.95 KB/s)
Hmm... Looks like a unified diff to me...
--------------------------
|> The panic seems odd (0x594f69b5 !=
|> 0x594f69b5 - these are the same value) , maybe someone else
|> will
be able to comment on that.
|> It would be useful to know what isakmpd is doing at the time e.g.
|> run it
in the foreground with fairly high debug settings (maybe "isakmpd -K -d
-DA=99" and "ipsecctl -f /etc/ipsrc.conf" - there will be a lot of
output so run from ssh not serial console).
|> You may be able to workaround by using 'boot -c' at the bootloader
prompt, then 'disable glxsb' and 'quit', or the kernel on-disk could be
modified using 'config -ef /bsd'. (glxsb is for hardware AES
acceleration for Geode LX systems).
|> ># Data modified on freelist: word 153288032 of object 0xd17218e0
|> > size 0x18
|> >previ
|> >ous type ??? (invalid addr
|> >0x3557935e)
|> >panic: Data modified on freelist: word 3 of object 0xd17218e0 size
|> > 0x18 previous
|> > type ??? (0x594f69b5 !=
|> >0x594f69b5)
|> >
|> >
|> >Stopped at Debugger+0x4: popl
|> >%ebp
|> >RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING
|> > THIS PANIC!
|> >DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT
|> >INFORMATION!
|> >ddb>
|> >trace
|> >Debugger(d0976848,f53be668,
d0952384,f53be668,d0a95014) at
|> >Debugger+0x4
|> >panic(d0952384,d095232c,3,d17218e0,18) at
|> >panic+0x67
|> >malloc(18,6c,a,f53be6fc,d1613000) at
|> >malloc+0x5e4
|> >glxsb_crypto_newsession(f53be73c,f53be794,0,10,40) at
|> >glxsb_crypto_newsession+0
|> >x133
|> >
|> >crypto_newsession(d17264f0,f53be794,0,f53be7b8,d0b05340) at
|> >crypto_newsession+0
|> >x135
|> >
|> >esp_init(d1726400,d0a96cd8,f53be900,d1724f50,d1724f68) at
|> >esp_init+0x245
|> >pfkeyv2_send(d5d1f008,d1724e00,198,d1724f98,d0b05340) at
|> >pfkeyv2_send+0x1a6e
|> >pfkey_register(d5d8cc00,d5d1f008,f53bedbc,d03c0a4a,88ab98a0) at
|> >pfkey_register+
|> >0x278
|> >
|> >raw_usrreq(d5d1f008,9,d5d8cc00,0,0) at
|> >raw_usrreq+0x221
|> >sosend(d5d1f008,0,f53beeb0,d5d8cc00,0) at
|> >sosend+0x48d
|> >soo_write(d5d230ac,d5d230c8,f53beeb0,d5e202d0,55187908) at
|> >soo_write+0x3b
|> >dofilewritev(d5d3c618,8,d5d230ac,84fa7500,11) at
|> >dofilewritev+0x133
|> >sys_writev(d5d3c618,f53bef64,f53bef84,f53befa8,d5e11600) at
|> >sys_writev+0x7c
|> >syscall() at
|> >syscall+0x1f9
|> >--- syscall (number 5)
|> >---
|> >
|> >ddb>
|> >ps
|> > PID PPID PGRP UID S FLAGS WAIT
|> >COMMAND
|> > 31132 1 31132 0 3 0x83 ttyin
|> >ksh
|> > 6230 1 6230 0 3 0x80 select
|> >cron
|> > 1331 1 1331 601 3 0x90 kqread
|> >unbound
|> > 30501 1 30501 535 3 0x90 nanosleep
|> >symon
|> > 16688 1 16688 99 3 0x90 poll
|> >sndiod
|> > 27774 30105 30105 0 3 0xb0 netcon2
|> >sendmail
|> > 30105 1 30105 0 3 0xb0 select
|> >sendmail
|> > 11400 1 11400 77 3 0x90 poll
|> >dhcpd
|> > 1054 1 1054 0 3 0x80 kqread
|> >ifstated
|> > 7646 1 7646 0 3 0x80 select
|> >sshd
|> > 18014 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 20915 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 8480 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> > 13835 0 0 0 3 0x100280 nfsidl
|> >nfsio
|> >*25527 31834 31834 68 7 0x10
|> >isakmpd
|> > 31834 1 31834 0 3 0x80 netio
|> >isakmpd
|> > 19715 24693 17897 83 3 0x90 poll
|> >ntpd
|> > 24693 17897 17897 83 3 0x90 poll
|> >ntpd
|> > 17897 1 17897 0 3 0x80 poll
|> >ntpd
|> > 630 4742 4742 74 3 0x90 bpf
|> >pflogd
|> > 4742 1 4742 0 3 0x80 netio
|> >pflogd
|> > 9803 9138 9138 73 2 0x90
|> >syslogd
|> > 9138 1 9138 0 3 0x80 netio
|> >syslogd
|> > 18744 1 18744 77 3 0x90 poll
|> >dhclient
|> > 22501 1 22501 0 3 0x80 poll
|> >dhclient
|> > 13 0 0 0 3 0x100200 aiodoned
|> >aiodoned
|> > 12 0 0 0 3 0x100200 syncer
|> >update
|> > 11 0 0 0 3 0x100200 cleaner
|> >cleaner
|> > 10 0 0 0 3 0x100200 reaper
|> >reaper
|> > 9 0 0 0 3 0x100200 pgdaemon
|> >pagedaemon
|> > 8 0 0 0 3 0x100200 bored
|> >crypto
|> > 7 0 0 0 3 0x100200 pftm
|> >pfpurge
|> > 6 0 0 0 3 0x100200 usbtsk
|> >usbtask
|> > 5 0 0 0 3 0x100200 usbatsk
|> >usbatsk
|> > 4 0 0 0 3 0x100200 bored
|> >syswq
|> > 3 0 0 0 3 0x40100200
|> >idle0
|> > 2 0 0 0 3 0x100200 kmalloc
|> >kmthread
|> > 1 0 1 0 3 0x82 wait
|> >init
|> > 0 -1 0 0 3 0x200 scheduler
|> >swapper
|> >ddb>
|> >
|> >
|> >
|> >On Mon, Oct 21, 2013 at 5:20 PM, Stuart Henderson
|> >
|> >> > I do not have the console debug screen but I do have the
|> >> > files from /var/crash/ Is there some commands I can run on
|> >> > them using gdb
|> >
|> >that can
|> >
|> >> > be of use?
|> >>
|> >> If you have a crashdump, possibly, see "man crash".
|> >>
|> >> As the panic message goes,
|> >>
|> >> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING
|> >> THIS
|> >
|> >PANIC!
|> >
|> >> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT
|> >> INFORMATION!
|> >>
|> >> This is much easier than for somebody else to install Linux
|> >> and the shrewsoft client before they can even start looking at
|> >> the
|> >
|> >bug
|> >
|> >> (and even then, they might not be able to replicate it).
|
|hi,
|
|this is partially my screwup. please try the diff below. we
|forget to actually allocate the memory for our key schedule
|but free it later on in the glxsb_crypto_freesession. that's
|why you get memory corruption all the way.
|
|it has another seemingly unrelated chunk (pctr.h -> cpufunc.h
|change) that i would like to commit as well (perhaps separately)
|to limit pctr.h usage in kernel. so it would be nice to test
|the whole thing together.
|
|
|ok's are welcome (assuming this will pass the test).
|
|diff --git sys/arch/i386/pci/glxsb.c sys/arch/i386/pci/glxsb.c
|index dacb500..59a7e06 100644
|--- sys/arch/i386/pci/glxsb.c
|+++ sys/arch/i386/pci/glxsb.c
--------------------------
Patching file sys/arch/i386/pci/glxsb.c using Plan A...
Hunk #1 succeeded at 32.
Hunk #2 succeeded at 398.
done
: morgaine;
Philip Guenther
hi,
one more line needed to be changed (txf->setkey). i've finally got
my net5501 going here so i could test the fix.
here's a copy: http://theapt.org/~mike/glxsb.diff
jsing, ok?
diff --git sys/arch/i386/pci/glxsb.c sys/arch/i386/pci/glxsb.c
index dacb500..9a2c8d3 100644
--- sys/arch/i386/pci/glxsb.c
+++ sys/arch/i386/pci/glxsb.c
@@ -32,7 +32,7 @@
#include <sys/timeout.h>
#include <machine/bus.h>
-#include <machine/pctr.h>
+#include <machine/cpufunc.h>
#include <dev/rndvar.h>
#include <dev/pci/pcivar.h>
@@ -398,15 +398,25 @@ glxsb_crypto_newsession(uint32_t *sidp, struct
if (c->cri_klen != 128) {
- swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
- M_NOWAIT|M_ZERO);
+ swd = malloc(sizeof(struct swcr_data),
+ M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
if (swd == NULL) {
glxsb_crypto_freesession(sesn);
return (ENOMEM);
}
ses->ses_swd_enc = swd;
txf = &enc_xform_rijndael128;
- if (txf->setkey(&(swd->sw_kschedule), c->cri_key,
+ if (txf->ctxsize > 0) {
+ swd->sw_kschedule =
+ malloc(txf->ctxsize,
+ M_CRYPTO_DATA,
+ M_NOWAIT|M_ZERO);
+ if (swd->sw_kschedule == NULL) {
+ glxsb_crypto_freesession(sesn);
+ return (EINVAL);
+ }
+ }
+ if (txf->setkey(swd->sw_kschedule, c->cri_key,
c->cri_klen / 8) < 0) {
glxsb_crypto_freesession(sesn);
return (EINVAL);
Ouch... yes, ok jsing@
--
"Stop assuming that systems are secure unless demonstrated insecure;
start assuming that systems are insecure unless designed securely."
- Bruce Schneier