
Disable IPsec debugging code when the IPSEC_DEBUG kernel option is not specified.
Closed, Public

Authored by ae on May 23 2017, 11:49 AM.

Details

Summary

Due to the long call chain, IPsec code can cause kernel stack exhaustion on the i386 architecture.
The debugging code is usually not used, but it requires a lot of stack space to keep buffers for string formatting.
This patch adds conditionally defined macros to disable building of the debug code.

IPsec currently has two sysctl variables to configure debug output:

  1. The net.key.debug variable is used to enable debug output for the PF_KEY protocol. Such debug messages are produced by the KEYDBG() macro and are usually of interest to developers.
  2. The net.inet.ipsec.debug variable is used to enable debug output for the DPRINTF() macro and the ipseclog() function. The DPRINTF() macro is usually used for development debugging. The ipseclog() function is used for debugging by the administrator.

The patch disables the KEYDBG() and DPRINTF() macros, and the declarations of formatting buffers, when IPSEC_DEBUG is not present in the kernel config. This reduces the stack requirement by up to several hundred bytes.

The sysctl variables are not deleted when IPSEC_DEBUG is not defined. net.inet.ipsec.debug can be used by the administrator to enable ipseclog() messages. net.key.debug is kept because the ipsec.ko module can be built with or without debug, in which case it is needed.

Test Plan

eugene@ reported this problem, and he was able to reproduce the panic several times per day. With this patch his machine has worked for about a day without panics.
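
The pattern the summary describes, as an added user-space example (not code from this patch or from FreeBSD): the debug message and the stack buffer it formats into are both compiled out unless IPSEC_DEBUG is defined. DPRINTF is defined here only for illustration; DEBUG_DECLARE, DEBUG_SIZEOF, fmt_addr, check_spi, debug_enabled and the SPI rule are hypothetical names and values.

```c
#include <stdio.h>
#include <stddef.h>

#define ADDR_BUFLEN 64     /* constructed buffer size */
int debug_enabled = 1;     /* stand-in for the net.inet.ipsec.debug sysctl */
int debug_msgs;            /* DPRINTF messages emitted so far */
size_t debug_frame_bytes;  /* debug-only bytes in check_spi()'s frame */

#ifdef IPSEC_DEBUG
/* Debug build: buffer declaration, formatter and message are compiled in. */
#define DEBUG_DECLARE(x)  x
#define DEBUG_SIZEOF(x)   sizeof(x)
#define DPRINTF(x)  do { if (debug_enabled) { debug_msgs++; printf x; } } while (0)
static const char *
fmt_addr(const unsigned char a[4], char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
    return (buf);
}
#else
/* Default build: the preprocessor drops the buffer and every use of it. */
#define DEBUG_DECLARE(x)
#define DEBUG_SIZEOF(x)   ((size_t)0)
#define DPRINTF(x)        do { } while (0)
#endif

/* Reject SPI 0 (constructed rule); returns 0 if accepted, -1 if rejected. */
int
check_spi(const unsigned char src[4], unsigned long spi)
{
    DEBUG_DECLARE(char buf[ADDR_BUFLEN];)

    (void)src;  /* only read by the debug path */
    debug_frame_bytes = DEBUG_SIZEOF(buf);
    if (spi == 0) {
        DPRINTF(("%s: bad SPI from %s\n", __func__,
            fmt_addr(src, buf, sizeof(buf))));
        return (-1);
    }
    return (0);
}

int main(void)
{
    const unsigned char src[4] = { 192, 0, 2, 1 };  /* constructed address */
    int rc = check_spi(src, 0);
    printf("rc=%d frame=%zu msgs=%d\n", rc, debug_frame_bytes, debug_msgs);
    return (0);
}
```

Compiling the same file with -DIPSEC_DEBUG puts the 64-byte buffer back in the frame and prints the message, which is the per-function cost the default build avoids.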

Diff Detail

Repository: rS FreeBSD src repository - subversion