Port-xen archive


Re: port-xen/33162 [Re: FAST_IPSEC panics domU kernel]



I think netipsec is wrong - it is using m_copyback, but can't be really
sure that the mbuf is not shared.

Try the following (not even compile-tested) patch.

AH and IPCOMP will probably need something similar.

Pavel

cvs diff: Diffing nbcvs/src/sys/netipsec
Index: nbcvs/src/sys/netipsec/xform_esp.c
===================================================================
RCS file: /cvsroot/src/sys/netipsec/xform_esp.c,v
retrieving revision 1.8
diff -u -r1.8 xform_esp.c
--- nbcvs/src/sys/netipsec/xform_esp.c  23 Mar 2006 15:25:46 -0000      1.8
+++ nbcvs/src/sys/netipsec/xform_esp.c  29 Mar 2006 10:01:45 -0000
@@ -634,7 +634,15 @@
        m_adj(m, -(lastthree[1] + 2));
 
        /* Restore the Next Protocol field */
-       m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
+       m = m_copyback_cow(m, protoff, sizeof (u_int8_t), lastthree + 2,
+                          M_DONTWAIT);
+
+       if (m == NULL) {
+               espstat.esps_crypto++;
+               DPRINTF(("esp_input_cb: failed to allocate mbuf\n"));
+               error = ENOBUFS;
+               goto bad;
+       }
 
        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
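
Review bot: in the new `if (m == NULL)` branch, `goto bad` is taken after `m` has been overwritten with NULL, so the code at the `bad` label (not visible in this hunk) has to tolerate a NULL `m` and must not assume it still holds the original chain; please confirm that before this goes in. A smaller point in the same branch: `espstat.esps_crypto++` records an mbuf allocation failure (the DPRINTF says "failed to allocate mbuf" and the error is ENOBUFS) under a counter whose name suggests a crypto failure, which will make the statistics misleading when diagnosing memory pressure. Since the patch is stated to be not compile-tested, the five-argument `m_copyback_cow` call and its return type should also be checked against the prototype in the tree.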


