Revisions r366711 and r366712 are also in this build, but r366713 looks mostly related:

https://ci.freebsd.org/job/FreeBSD-head-i386-test/10945/consoleFull

sys/netipsec/tunnel/aesni_aes_gcm_128:v4 -> aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS>
panic: System call sendto returning with kernel FPU ctx leaked
cpuid = 0
time = 1602724639
KDB: stack backtrace:
db_trace_self_wrapper(2,1487d700,1487d700,0,251b5388,...) at db_trace_self_wrapper+0x28/frame 0x251b535c
vpanic(148c809,251b5394,251b5394,251b545c,13bc996,...) at vpanic+0x11a/frame 0x251b5374
panic(148c809,1432c1b,251b545c,1487d700,1487d990,...) at panic+0x14/frame 0x251b5388
syscall(251b5468,3b,3b,3b,68,...) at syscall+0x756/frame 0x251b545c
Xint0x80_syscall() at 0xffc033f9/frame 0x251b545c
--- syscall (133, FreeBSD ELF32, sys_sendto), eip = 0xffc01a98, esp = 0xffc07fe8, ebp = 0xffbf682c ---
KDB: enter: panic
[ thread pid 74925 tid 100114 ]
Stopped at kdb_enter+0x35: movl $0,kdb_why
db:0:kdb.enter.panic> show pcpu
cpuid = 0
dynamic pcpu = 0x84e5c0
curthread = 0x1487d700: pid 74925 tid 100114 critnest 1 "setkey"
curpcb = 0x251b54c0
fpcurthread = none
idlethread = 0xb7e4e00: tid 100003 "idle: cpu0"
APIC ID = 0
currentldt = 0x50
trampstk = 0xffc07ff0
kesp0 = 0x251b54b0
common_tssp = 0xffc01130
tlb gen = 1115928
curvnet = 0
spin locks held:
db:0:kdb.enter.panic>
When clearing PCB_KERNTHR, that commit used '|=' instead of '&=', so I suspect that is the issue.
Created attachment 218865
i386_fpu_kern_leave.patch

Untested possible fix.
(In reply to John Baldwin from comment #2)
Verified that all tests sys.netipsec.tunnel.* passed after applying the patch.
A commit references this bug:

Author: jhb
Date: Mon Oct 19 17:35:46 UTC 2020
New revision: 366843
URL: https://svnweb.freebsd.org/changeset/base/366843

Log:
  Properly clear PCB_KERNNPX in fpu_kern_leave().

  PR: 250423
  Reported by: CI
  Tested by: lwhsu

Changes:
  head/sys/i386/i386/npx.c