On Thu, Apr 11, 2002 at 02:09:18PM -0700, Bill Studenmund wrote:
> 
> data modified on free list e01a3fff size 320 prevtype ??
> invalid addr 0xefe01a4c deadbe != deadbeef
> unaligned addr e01a3fff size 128 type key mgmt XXX 127
> 
> panic was in mountd shutting down.
> 
> keydb_delsecpolicy
> key_delsp
> key_freesp
> ipsec4_delete_pcbpolicy
> in_pcvdetatch
> .L370+4
> soclose
> soo_close

Sounds like PR 13813 and/or 15953 (personally, they look the same to
me, but those who know more than I think that they're different <shrug>)

I can reproduce this one fairly easily.  I just need to use racoon and
add:

  # for clients with dynamic IPs
  generate_policy on;

to the config.  Then after hitting the machine from about 5 different
IPs (or from the same machine about 5 times), the machine will panic
in a call to key_delsp()

I spent some time figuring out what was going on.  Here's the email
that I sent as a result:

  http://mail-index.netbsd.org/current-users/2002/02/19/0007.html


Basically, I found that the kernel was dying inside of the LIST_REMOVE()
macro found in key_freesp().  The link list appears to have been stomped.
My best guess was that there's a missing splsoftnet()/splx() somewhere.

Paul
-- 
Paul Dokas                                            dokas@cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."