produced by following:

1. kernel version: latest stable 2.6.38.1

PL-SMS ~ # uname -r
2.6.38.1
PL-SMS ~ #

2. ipsec config file:

PL-SMS openswan-2.6.33 # cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
 # Do not set debug options to debug configuration issues!
 # plutodebug / klipsdebug = "all", "none" or a combation from below:
 # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
 # eg:
 # plutodebug="control parsing"
 #
 # enable to get logs per-peer
 # plutoopts="--perpeerlog"
 #
 # Again: only enable plutodebug or klipsdebug when asked by a developer
 #
 # NAT-TRAVERSAL support, see README.NAT-Traversal
 nat_traversal=yes
 # exclude networks used on server side by adding %v4:!a.b.c.0/24
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
 # OE is now off by default. Uncomment and change to on, to enable.
 oe=off
 # which IPsec stack to use. auto will try netkey, then klips then mast
 protostack=mast


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=add

PL-SMS openswan-2.6.33 #

3. how to produce kernel oops

PL-SMS ~ # modprobe ipsec
PL-SMS ~ # rmmod ipsec
Killed
PL-SMS ~ # lsmod
Module Size Used by
ipsec 311608 0
PL-SMS ~ #

4. kernel dmesg shows:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<f8101a59>] ipsec_mast_cleanup_devices+0x2f/0x4a [ipsec]
*pde = 00000000
Oops: 0002 [#1]
last sysfs file: /sys/devices/virtual/net/ipsec0/address
Modules linked in: ipsec(-)

Pid: 3387, comm: rmmod Not tainted 2.6.38.1 #5 System manufacturer System Product Name/M2A-VM
EIP: 0060:[<f8101a59>] EFLAGS: 00010246 CPU: 0
EIP is at ipsec_mast_cleanup_devices+0x2f/0x4a [ipsec]
EAX: 00000000 EBX: 00000000 ECX: f5b1bef8 EDX: 00000001
ESI: 00000000 EDI: 00000880 EBP: f5b1bf2c ESP: f5b1bf28
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process rmmod (pid: 3387, ti=f5b1a000 task=f5f14c80 task.ti=f5b1a000)
Stack:
 f813aa40 f5b1bf4c f80f4013 f5b1bf54 f5b1bf4c c103aa8b f813aa40 00000000
 00000880 f5b1bfac c103a479 65737069 00000063 f5b2edc0 f5b1bf70 c10599db
 f5b2edc0 f5eb9380 f5b1bf9c c105a315 ffffffff b77aa000 b77ab000 f5b2ecc4
Call Trace:
 [<f80f4013>] cleanup_module+0x13/0x12a [ipsec]
 [<c103aa8b>] ? __try_stop_module+0xf/0x4c
 [<c103a479>] sys_delete_module+0x17c/0x1cf
 [<c10599db>] ? remove_vma+0x41/0x47
 [<c105a315>] ? do_munmap+0x1de/0x20c
 [<c1002710>] sysenter_do_call+0x12/0x26
Code: 31 db eb 35 8b 14 9d 60 c0 13 f8 85 d2 74 29 8b 82 d8 01 00 00 ff 08 89 d0 e8 c7 57 18 c9 8b 04 9d 60 c0 13 f8 8b 80 d8 01 00 00 <ff> 08 c7 04 9d 60 c0 13 f8 00 00 00 00 43 3b 1d e8 8c 13 f8 7e
EIP: [<f8101a59>] ipsec_mast_cleanup_devices+0x2f/0x4a [ipsec] SS:ESP 0068:f5b1bf28
CR2: 0000000000000000
---[ end trace 01ae9d869f653d55 ]---
PL-SMS ~ #
Thanks for your reply!

2011/3/31 David McCullough <david_mccullough@mcafee.com>:

> Jivin Zhiping Liu lays it down ...
> > Hi all:
> >
> > I don't know if anyone has found this out before, but it's obviously a bug in file: linux/net/ipsec/ipsec_mast.c
> >
> >
> > 1085 int
> > 1086 ipsec_mast_init_devices(void)
> > 1087 {
> > 1088 /*
> > 1089 * mast0 is used for transport mode stuff, and generally is
> > 1090 * the default unless the user decides to create more.
> > 1091 */
> > 1092 ipsec_mast_createnum(0);
> > 1093
> > 1094 return 0;
> > 1095 }
> >
> > line 1092 sets the mast device num (mastdevices_max) to 0.
> >
> > if we do a rmmod ipsec now, in ipsec_mast_cleanup_devices
> >
> > 1098 int
> > 1099 ipsec_mast_cleanup_devices(void)
> > 1100 {
> > 1101 int error = 0;
> > 1102 int i;
> > 1103 struct net_device *dev_mast;
> > 1104
> > 1105 for(i = 0; i <= mastdevices_max; i++) {
> > 1106 if(mastdevices[i]!=NULL) {
> > 1107 dev_mast = mastdevices[i];
> > 1108 //lzp add
> > 1109 if (!dev_mast)
> > 1110 printk(KERN_WARNING "dev_mast null");
> > 1111 ipsec_dev_put(dev_mast);
> > 1112 unregister_netdev(dev_mast);
> > 1113 #ifndef alloc_netdev
> > 1114 kfree(dev_mast->priv);
> > 1115 dev_mast->priv=NULL;
> > 1116 #endif
> > 1117 ipsec_dev_put(mastdevices[i]);
> > 1118 mastdevices[i]=NULL;
> > 1119 }
> > 1120 }
> > 1121 return error;
> > 1122 }
> >
> > we will clean up mastdevices[0], which is not initialized yet.
>
> It will be initialised because ipsec_mast_createnum initialises it.
>
> The code at 1106 checks if it's non-NULL before cleaning it up, so this is
> safe also as mastdevices will be initialised to all 0's, and we always set it
> back to NULL when we clean up.
>
> > changing to this fixes the problem
> > 1085 int
> > 1086 ipsec_mast_init_devices(void)
> > 1087 {
> > 1088 /*
> > 1089 * mast0 is used for transport mode stuff, and generally is
> > 1090 * the default unless the user decides to create more.
> > 1091 */
> > 1092 ipsec_mast_createnum(-1);
> > 1093
> > 1094 return 0;
> > 1095 }
>
> This will almost certainly cause a problem as we will index into mastdevices
> with -1 which is bad.
>
> Do you have a kernel oops that points to a problem here? That might help
> because as it stands I don't see a problem with that particular code path.
>
> Cheers,
> Davidm
>
> --
> David McCullough, david_mccullough@mcafee.com, Ph:+61 734352815
> McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
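As an added illustration that is not Openswan code and not anything either poster ran: a user-space C model of the mastdevices[] walk quoted above. The quoted loop calls ipsec_dev_put on the slot's device, then unregister_netdev, then ipsec_dev_put again through mastdevices[i], and the dmesg above reports the NULL dereference inside ipsec_mast_cleanup_devices. The model's mock unregister frees and NULLs the device's refcount pointer so that a put issued after it lands on NULL and is counted, next to a take-once ordering that reads the slot, clears it, drops the table's single reference and then unregisters. The refcount layout, the helper names (mock_dev_put, mock_unregister, mast_createnum, run_scenario) and the bounds check that rejects the -1 index David's reply warns about are assumptions of the model; whether the second put is the actual cause of the oops in ipsec_mast.c is not established by this thread.

```c
/* Added illustration, not Openswan code: a user-space model of the
 * mastdevices[] walk in the quoted ipsec_mast_cleanup_devices(). The mock
 * unregister frees and NULLs the device's refcount pointer so a later put
 * through the table lands on NULL; that layout and every helper name are
 * assumptions of this model, not kernel or Openswan semantics. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAST_MAX 4

/* Heap-allocated refcnt so "unregister" can free and NULL it. */
struct mock_dev { int *refcnt; };

static struct mock_dev *mastdevices[MAST_MAX];
static int mastdevices_max;
static int null_deref_attempts;   /* counted here instead of oopsing */

/* Model of ipsec_dev_put(): a NULL refcnt pointer is where the kernel
 * would report "NULL pointer dereference at (null)". */
static void mock_dev_put(struct mock_dev *dev)
{
    if (dev->refcnt == NULL) {
        null_deref_attempts++;
        return;
    }
    (*dev->refcnt)--;
}

/* Model of unregister_netdev(): the device must not be touched afterwards. */
static void mock_unregister(struct mock_dev *dev)
{
    free(dev->refcnt);
    dev->refcnt = NULL;
}

/* Model of ipsec_mast_createnum(), bounds-checked so the -1 proposed in the
 * quoted message is rejected rather than indexing before the array.
 * Returns 0 on success, -1 for a bad index or an occupied slot. */
static int mast_createnum(int num)
{
    struct mock_dev *dev;
    if (num < 0 || num >= MAST_MAX || mastdevices[num] != NULL)
        return -1;
    dev = calloc(1, sizeof *dev);
    dev->refcnt = malloc(sizeof *dev->refcnt);
    *dev->refcnt = 2;   /* one held by the allocation, one by the table */
    mastdevices[num] = dev;
    if (num > mastdevices_max)
        mastdevices_max = num;
    return 0;
}

/* Ordering of the quoted loop: put, unregister, put the same slot again. */
static void cleanup_as_quoted(void)
{
    int i;
    for (i = 0; i <= mastdevices_max; i++) {
        if (mastdevices[i] != NULL) {
            struct mock_dev *dev_mast = mastdevices[i];
            mock_dev_put(dev_mast);
            mock_unregister(dev_mast);
            mock_dev_put(mastdevices[i]);  /* second put, after unregister */
            free(dev_mast);
            mastdevices[i] = NULL;
        }
    }
}

/* Take-once ordering: read the slot, clear it, drop the table's single
 * reference, unregister, and never touch the device again. */
static void cleanup_take_once(void)
{
    int i;
    for (i = 0; i <= mastdevices_max; i++) {
        struct mock_dev *dev_mast = mastdevices[i];
        if (dev_mast == NULL)
            continue;
        mastdevices[i] = NULL;
        mock_dev_put(dev_mast);
        mock_unregister(dev_mast);
        free(dev_mast);
    }
}

/* Start from a table holding only mast0, like the quoted init, run one
 * cleanup ordering, and report how many puts hit a NULL refcnt pointer. */
static int run_scenario(void (*cleanup)(void))
{
    memset(mastdevices, 0, sizeof mastdevices);
    mastdevices_max = 0;
    null_deref_attempts = 0;
    mast_createnum(0);
    cleanup();
    return null_deref_attempts;
}

static int scenario_quoted(void)    { return run_scenario(cleanup_as_quoted); }
static int scenario_take_once(void) { return run_scenario(cleanup_take_once); }

int main(void)
{
    printf("quoted ordering:    %d NULL refcnt put(s)\n", scenario_quoted());
    printf("take-once ordering: %d NULL refcnt put(s)\n", scenario_take_once());
    return 0;
}
```

Compile it with any C compiler and run it: scenario_quoted() returns 1 (one put landed on a NULL refcnt) and scenario_take_once() returns 0. The point to take from it is ordering: the reference drop that balances the table's hold happens before unregister, the slot is cleared before teardown, and nothing reads the slot afterwards, so no code path can reach the same device a second time.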