244077 – panic on executing sys.netipsec.tunnel.aes_cbc_128_hmac_sha1:v4 after (r357802,r357812]

Bug 244077 - panic on executing sys.netipsec.tunnel.aes_cbc_128_hmac_sha1:v4 after (r357802,r357812]

Summary: panic on executing sys.netipsec.tunnel.aes_cbc_128_hmac_sha1:v4 after (r35780...

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Mateusz Guzik

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-02-12 17:44 UTC by Li-Wen Hsu
Modified:	2020-02-12 20:19 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Li-Wen Hsu freebsd_committer

2020-02-12 17:44:05 UTC

https://ci.freebsd.org/job/FreeBSD-head-amd64-test/14293/console

sys/netipsec/tunnel/aes_cbc_128_hmac_sha1:v4  ->  

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0xffff80403f802e90
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8104fb62
stack pointer           = 0x28:0xfffffe003acde880
frame pointer           = 0x28:0xfffffe003acde890
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 81485 (jail)
trap number             = 12
panic: page fault
cpuid = 1
time = 1581518615
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe003acde4e0
vpanic() at vpanic+0x185/frame 0xfffffe003acde540
panic() at panic+0x43/frame 0xfffffe003acde5a0
trap_fatal() at trap_fatal+0x386/frame 0xfffffe003acde600
trap_pfault() at trap_pfault+0x99/frame 0xfffffe003acde680
trap() at trap+0x2a7/frame 0xfffffe003acde7b0
calltrap() at calltrap+0x8/frame 0xfffffe003acde7b0
--- trap 0xc, rip = 0xffffffff8104fb62, rsp = 0xfffffe003acde880, rbp = 0xfffffe003acde890 ---
pmap_kextract() at pmap_kextract+0x142/frame 0xfffffe003acde890
uma_dbg_free() at uma_dbg_free+0x63/frame 0xfffffe003acde8d0
uma_zfree_arg() at uma_zfree_arg+0x131/frame 0xfffffe003acde930
key_freesav() at key_freesav+0xc9/frame 0xfffffe003acde960
key_freesah_flushed() at key_freesah_flushed+0x159/frame 0xfffffe003acde9b0
key_destroy() at key_destroy+0x413/frame 0xfffffe003acdea00
vnet_destroy() at vnet_destroy+0x123/frame 0xfffffe003acdea30
prison_deref() at prison_deref+0x29d/frame 0xfffffe003acdea70
sys_jail_remove() at sys_jail_remove+0x290/frame 0xfffffe003acdeac0
amd64_syscall() at amd64_syscall+0x2d3/frame 0xfffffe003acdebf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe003acdebf0
--- syscall (508, FreeBSD ELF64, sys_jail_remove), rip = 0x80031c0fa, rsp = 0x7fffffffe978, rbp = 0x7fffffffea00 ---
KDB: enter: panic
[ thread pid 81485 tid 100136 ]
Stopped at      kdb_enter+0x37: movq    $0,0x1087f56(%rip)

Comment 1 Li-Wen Hsu freebsd_committer

2020-02-12 17:46:30 UTC

mjg: r357803~r357812 are all yours, can you help check this? Thanks!

Comment 2 Mateusz Guzik freebsd_committer

2020-02-12 17:47:38 UTC

I have a good suspicion what it is, I'll take care of it in few h.

Comment 3 Mateusz Guzik freebsd_committer

2020-02-12 19:46:09 UTC

So it's not what I thought it might be. How reproducible is the problem? Works for me on GENERIC kernel.

Comment 4 Mateusz Guzik freebsd_committer

2020-02-12 20:10:46 UTC

Ok, it is what I thought after all. I see the problem.

Comment 5 commit-hook freebsd_committer

2020-02-12 20:19:24 UTC

A commit references this bug:

Author: mjg
Date: Wed Feb 12 20:18:29 UTC 2020
New revision: 357842
URL: https://svnweb.freebsd.org/changeset/base/357842

Log:
  netipsec: fix a mismatched uma_zfree -> uma_zfree_pcpu

  PR:		244077
  Reported by:	lwhsu
  Fixes: r357805 ("amd64: store per-cpu allocations subtracted by __pcpu")

Changes:
  head/sys/netipsec/key.c