Bug 250423

Summary: sys.netipsec.tunnel.aesni_aes_gcm_128.v4 panics i386 kernel after r366713
Product: Base System
Reporter: Li-Wen Hsu <lwhsu>
Component: tests
Assignee: freebsd-testing (Nobody) <testing>
Status: Closed FIXED
Severity: Affects Only Me
CC: jhb, kib
Priority: ---
Version: CURRENT
Hardware: i386
OS: Any
Attachments: i386_fpu_kern_leave.patch (flags: none)

Description Li-Wen Hsu freebsd_committer freebsd_triage 2020-10-17 20:49:59 UTC
Revisions r366711 and r366712 are also in this build, but r366713 looks the most related:

https://ci.freebsd.org/job/FreeBSD-head-i386-test/10945/consoleFull

sys/netipsec/tunnel/aesni_aes_gcm_128:v4  ->  aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS>
panic: System call sendto returning with kernel FPU ctx leaked
cpuid = 0
time = 1602724639
KDB: stack backtrace:
db_trace_self_wrapper(2,1487d700,1487d700,0,251b5388,...) at db_trace_self_wrapper+0x28/frame 0x251b535c
vpanic(148c809,251b5394,251b5394,251b545c,13bc996,...) at vpanic+0x11a/frame 0x251b5374
panic(148c809,1432c1b,251b545c,1487d700,1487d990,...) at panic+0x14/frame 0x251b5388
syscall(251b5468,3b,3b,3b,68,...) at syscall+0x756/frame 0x251b545c
Xint0x80_syscall() at 0xffc033f9/frame 0x251b545c
--- syscall (133, FreeBSD ELF32, sys_sendto), eip = 0xffc01a98, esp = 0xffc07fe8, ebp = 0xffbf682c ---
KDB: enter: panic
[ thread pid 74925 tid 100114 ]
Stopped at      kdb_enter+0x35: movl    $0,kdb_why
db:0:kdb.enter.panic> show pcpu
cpuid        = 0
dynamic pcpu = 0x84e5c0
curthread    = 0x1487d700: pid 74925 tid 100114 critnest 1 "setkey"
curpcb       = 0x251b54c0
fpcurthread  = none
idlethread   = 0xb7e4e00: tid 100003 "idle: cpu0"
APIC ID      = 0
currentldt   = 0x50
trampstk     = 0xffc07ff0
kesp0        = 0x251b54b0
common_tssp  = 0xffc01130
tlb gen      = 1115928
curvnet      = 0
spin locks held:
db:0:kdb.enter.panic>
Comment 1 John Baldwin freebsd_committer freebsd_triage 2020-10-18 18:47:36 UTC
When clearing PCB_KERNTHR, that commit used '|=' instead of '&=', so I suspect that is the issue.
Comment 2 John Baldwin freebsd_committer freebsd_triage 2020-10-18 18:52:05 UTC
Created attachment 218865 [details]
i386_fpu_kern_leave.patch

Untested possible fix.
Comment 3 Li-Wen Hsu freebsd_committer freebsd_triage 2020-10-19 01:56:18 UTC
(In reply to John Baldwin from comment #2)
Verified that all tests sys.netipsec.tunnel.* passed after applying the patch.
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-10-19 17:36:05 UTC
A commit references this bug:

Author: jhb
Date: Mon Oct 19 17:35:46 UTC 2020
New revision: 366843
URL: https://svnweb.freebsd.org/changeset/base/366843

Log:
  Properly clear PCB_KERNNPX in fpu_kern_leave().

  PR:		250423
  Reported by:	CI
  Tested by:	lwhsu

Changes:
  head/sys/i386/i386/npx.c
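A stand-in model of the flag handling discussed in comment 1 and fixed in r366843, added here as an illustration and not FreeBSD's npx.c: the struct, the flag values and the function names are invented, and only the bit name PCB_KERNNPX is taken from the commit log. It contrasts a leave() that uses '|=' (which can never clear the bit) with one that uses '&= ~', and models the syscall-return check that produced the "kernel FPU ctx leaked" panic.

```c
/* Added model, not FreeBSD code: pcb layout, flag values and function names are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define PCB_KERNNPX   0x01u /* bit name from the commit log; value is a model stand-in */
#define PCB_OTHERFLAG 0x02u /* unrelated pcb bit that a correct leave() must preserve */

struct model_pcb {
    uint32_t pcb_flags;
};
static void model_fpu_kern_enter(struct model_pcb *pcb)
{
    pcb->pcb_flags |= PCB_KERNNPX;
}
/* Broken leave(): '|=' can only set bits, so PCB_KERNNPX is never cleared. */
static void model_fpu_kern_leave_broken(struct model_pcb *pcb)
{
    pcb->pcb_flags |= PCB_KERNNPX;
}
/* Fixed leave(): '&= ~' clears exactly this one bit and leaves the rest alone. */
static void model_fpu_kern_leave_fixed(struct model_pcb *pcb)
{
    pcb->pcb_flags &= ~PCB_KERNNPX;
}
/* Model of the check that fired: a thread returning from a system call must
 * not still be marked as holding a kernel FPU context. */
static bool model_syscall_return_leaks(const struct model_pcb *pcb)
{
    return (pcb->pcb_flags & PCB_KERNNPX) != 0;
}
/* One enter/leave pair through either implementation; returns the final flags. */
static uint32_t flags_after_roundtrip(bool use_fixed)
{
    struct model_pcb pcb = { .pcb_flags = PCB_OTHERFLAG };
    model_fpu_kern_enter(&pcb);
    if (use_fixed)
        model_fpu_kern_leave_fixed(&pcb);
    else
        model_fpu_kern_leave_broken(&pcb);
    return pcb.pcb_flags;
}
int main(void)
{
    struct model_pcb pcb = { .pcb_flags = flags_after_roundtrip(false) };
    printf("leak after broken leave: %d\n", model_syscall_return_leaks(&pcb));
    pcb.pcb_flags = flags_after_roundtrip(true);
    printf("leak after fixed leave: %d\n", model_syscall_return_leaks(&pcb));
    return 0;
}
```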