Patrick McHardy wrote:
> Steve Hill wrote:
> 
>> This was a configuration mistake on my part and admittedly it 
>> shouldn't work properly - however, it triggered a kernel bug: sending 
>> a packet with the DF flag set which will grow to be > the MTU when 
>> encrypted causes the kernel to generate an ICMP Frag Needed packet, 
>> which got caught by the policy and this triggered the kernel to lock 
>> up hard.
> 
> 
> Thanks for tracking this down, we need to unlock the state before
> calling icmp_send(). This patch fixes it, it should apply to 2.6.10
> if you replace dst_mtu() by dst_pmtu() in the context.

Second try .. this one compiles.