On Wed, Jul 07, 2021 at 02:09:23PM +0200, Alexander Bluhm wrote:
> On Wed, Jul 07, 2021 at 12:52:26PM +0200, Hrvoje Popovski wrote:
> > On 7.7.2021. 12:46, Hrvoje Popovski wrote:
> > > Panic can be triggered when i have parallel diff and sending traffic
> > Different panic on same setup ...
>
> Thanks a lot for the report.
>
> I can see the same stop of traffic and crashes here. I use iked
> instead of isakmpd. I guess the traffic stop happens at rekeying.
>
> http://bluhm.genua.de/perform/results/2021-07-06T08:17:07Z/perform.html
> There are the yellow NOEXIT fields when the traffic stops.
>
> When clicking for more details you end here.
> http://bluhm.genua.de/perform/results/2021-07-06T08:17:07Z/2021-07-06T00%3A00%3A00Z/btrace-kstack.0/logs/ssh_perform%40lt13_iperf3_-c10.4.56.36_-P10_-t10.log
> After 18 seconds nothing is transmitted anymore.
>
> The crash may also be triggered by rekeying. But it happens less
> often than the traffic stop. The crash only happens with multiple
> forwarding diff. And it is not triggered by my regular iperf3 -t80
> test, it is a bit harder to reproduce.
>
> bluhm
>
Hi,
It seems the first the first panic occured because ipsp_spd_lookup()
modifies tdbp->tdb_policy_head and simultaneous execution breaks it.
I guess at least mutex(9) should be used to protect `tdb_policy_head'.
The second panic occured because ipsp_acquire_sa() does
`ipsec_acquire_pool' initialization in runtime so parallel execution
breaks it. It's easy to fix.
Could you try the diff below? It moves `ipsec_acquire_pool'
initialization to pfkey_init() just after `ipsec_policy_pool'
initialization. This should fix the second panic.
Index: sys/net/pfkeyv2.c
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2.c,v
retrieving revision 1.216
diff -u -p -r1.216 pfkeyv2.c
--- sys/net/pfkeyv2.c 5 Jul 2021 12:01:20 -0000 1.216
+++ sys/net/pfkeyv2.c 7 Jul 2021 17:35:32 -0000
@@ -249,6 +249,8 @@ pfkey_init(void)
IPL_SOFTNET, PR_WAITOK, "pkpcb", NULL);
pool_init(&ipsec_policy_pool, sizeof(struct ipsec_policy), 0,
IPL_SOFTNET, 0, "ipsec policy", NULL);
+ pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 0,
+ IPL_SOFTNET, 0, "ipsec acquire", NULL);
}
Index: sys/net/pfkeyv2.h
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2.h,v
retrieving revision 1.88
diff -u -p -r1.88 pfkeyv2.h
--- sys/net/pfkeyv2.h 5 Jul 2021 12:01:20 -0000 1.88
+++ sys/net/pfkeyv2.h 7 Jul 2021 17:35:32 -0000
@@ -449,6 +449,7 @@ extern const uint64_t sadb_exts_allowed_
extern const uint64_t sadb_exts_required_out[SADB_MAX+1];
extern struct pool ipsec_policy_pool;
+extern struct pool ipsec_acquire_pool;
#endif /* _KERNEL */
#endif /* _NET_PFKEY_V2_H_ */
Index: sys/netinet/ip_spd.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_spd.c,v
retrieving revision 1.103
diff -u -p -r1.103 ip_spd.c
--- sys/netinet/ip_spd.c 4 May 2021 09:28:04 -0000 1.103
+++ sys/netinet/ip_spd.c 7 Jul 2021 17:35:32 -0000
@@ -52,7 +52,6 @@ struct pool ipsec_policy_pool;
struct pool ipsec_acquire_pool;
/* Protected by the NET_LOCK(). */
-int ipsec_acquire_pool_initialized = 0;
struct radix_node_head **spd_tables;
unsigned int spd_table_max;
TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head =
@@ -719,12 +718,6 @@ ipsp_acquire_sa(struct ipsec_policy *ipo
return 0;
/* Add request in cache and proceed. */
- if (ipsec_acquire_pool_initialized == 0) {
- ipsec_acquire_pool_initialized = 1;
- pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire),
- 0, IPL_SOFTNET, 0, "ipsec acquire", NULL);
- }
-
ipa = pool_get(&ipsec_acquire_pool, PR_NOWAIT|PR_ZERO);
if (ipa == NULL)
return ENOMEM;
