On Sat, Jan 18, 2025 at 02:54:41PM +0100, Radek wrote:
> Hi,
> this is another crash, including the output that was before the ddb> prompt:
> 
> panic: mtx 0xffffffff828b6010: locking against myself
> Stopped at      db_enter+0x14:  popq    %rbp
>     TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
> *307531  49394      0     0x14000      0x200    2K softnet0
> db_enter() at db_enter+0x14
> panic(ffffffff823bc733) at panic+0xdd
> mtx_enter_try(ffffffff828b6010) at mtx_enter_try+0xd1
> mtx_enter(ffffffff828b6010) at mtx_enter+0x35
> pool_put(ffffffff828b6010,fffffd8125ad6d20) at pool_put+0x60
> esp_output(fffffd80cd286e00,ffff800012f7e628,14,9) at esp_output+0x899
> ipsp_process_packet(fffffd80cd286100,ffff800012f7e628,2,0) at ipsp_process_packet+0x418
> ip_output_ipsec_send(ffff800012f7e628,fffffd80cd286100,ffff80002d67cd78,1) at ip_output_ipsec_send+0x2a0
> ip_output(fffffd80cd286100,0,ffff80002d67cd78,1,0,0,ce37a086de3f581f) at ip_output+0x82b
> ip_forward(fffffd80cd286100,ffff8000000b2048,ffff80002d67cd78,1) at ip_forward+0x1e1
> ip_input_if(ffff80002d67ce58,ffff80002d67ce64,7c,0,ffff8000000b2048) at ip_input_if+0x3fa
> ipv4_input(ffff8000000b2048,fffffd80cd286100) at ipv4_input+0x38
> ether_input(ffff8000000b2048,fffffd80cd286100) at ether_input+0x3df
> if_input_process(ffff8000000b2048,ffff80002d67cf48) at if_input_process+0x78
> end trace frame: 0xffff80002d67cf90, count: 0
> https://www.openbsd.org/ddb.html describes the minimum info required in bug
> reports.  Insufficient info makes it difficult to find and fix bugs.

The return address esp_output+0x899 in the trace is the instruction right after the call at ip_esp.c:959, so the panic is raised inside crypto_freereq(crp), which is releasing the crypto descriptors back to their pool:

/home/bluhm/openbsd/stable-7.6/src/sys/netinet/ip_esp.c:947
    1c94:       48 89 df                mov    %rbx,%rdi
    1c97:       e8 00 00 00 00          callq  1c9c <esp_output+0x87c>
    1c9c:       48 c7 44 24 f8 00 00    movq   $0x0,0xfffffffffffffff8(%rsp)
    1ca3:       00 00
    1ca5:       83 f8 23                cmp    $0x23,%eax
    1ca8:       74 d6                   je     1c80 <esp_output+0x860>
    1caa:       41 89 c4                mov    %eax,%r12d
    1cad:       85 c0                   test   %eax,%eax
    1caf:       75 60                   jne    1d11 <esp_output+0x8f1>
/home/bluhm/openbsd/stable-7.6/src/sys/netinet/ip_esp.c:959
    1cb1:       48 89 df                mov    %rbx,%rdi
    1cb4:       e8 00 00 00 00          callq  1cb9 <esp_output+0x899>
/home/bluhm/openbsd/stable-7.6/src/sys/netinet/ip_esp.c:962
*   1cb9:       48 c7 44 24 f8 00 00    movq   $0x0,0xfffffffffffffff8(%rsp)
    1cc0:       00 00
    1cc2:       4c 89 f7                mov    %r14,%rdi
    1cc5:       4c 89 fe                mov    %r15,%rsi
    1cc8:       e8 00 00 00 00          callq  1ccd <esp_output+0x8ad>
    1ccd:       48 c7 44 24 f8 00 00    movq   $0x0,0xfffffffffffffff8(%rsp)
    1cd4:       00 00
/home/bluhm/openbsd/stable-7.6/src/sys/netinet/ip_esp.c:963

/home/bluhm/openbsd/stable-7.6/src/sys/netinet/ip_esp.c
   947          while ((error = crypto_invoke(crp)) == EAGAIN) {
   948                  /* Reset the session ID */
   949                  if (tdb->tdb_cryptoid != 0)
   950                          tdb->tdb_cryptoid = crp->crp_sid;
   951          }
   952          if (error) {
   953                  DPRINTF("crypto error %d", error);
   954                  ipsecstat_inc(ipsec_noxform);
   955                  goto drop;
   956          }
   957
   958          /* Release the crypto descriptors */
*  959          crypto_freereq(crp);
   960
   961          /* Call the IPsec input callback. */
   962          error = ipsp_process_done(m, tdb);
   963          if (error)
   964                  espstat_inc(esps_outfail);
   965          return (error);

/home/bluhm/openbsd/stable-7.6/src/sys/kern/subr_pool.c:789
    24a8:       49 83 be b0 00 00 00    cmpq   $0x0,0xb0(%r14)
    24af:       00
    24b0:       74 0e                   je     24c0 <pool_put+0x50>
    24b2:       49 83 be 50 01 00 00    cmpq   $0x0,0x150(%r14)
    24b9:       00
    24ba:       0f 84 d0 01 00 00       je     2690 <pool_put+0x220>
/home/bluhm/openbsd/stable-7.6/src/sys/kern/subr_pool.c:104
    24c0:       49 8b 46 10             mov    0x10(%r14),%rax
    24c4:       4c 8b 58 08             mov    0x8(%rax),%r11
    24c8:       4c 89 f7                mov    %r14,%rdi
    24cb:       e8 00 00 00 00          callq  24d0 <pool_put+0x60>
/home/bluhm/openbsd/stable-7.6/src/sys/kern/subr_pool.c:797
*   24d0:       48 c7 44 24 f8 00 00    movq   $0x0,0xfffffffffffffff8(%rsp)
    24d7:       00 00
    24d9:       4c 89 f7                mov    %r14,%rdi
    24dc:       4c 89 fe                mov    %r15,%rsi
    24df:       e8 00 00 00 00          callq  24e4 <pool_put+0x74>
/home/bluhm/openbsd/stable-7.6/src/sys/kern/subr_pool.c:799

/home/bluhm/openbsd/stable-7.6/src/sys/kern/subr_pool.c
   101  static inline void
   102  pl_enter(struct pool *pp, union pool_lock *pl)
   103  {
        /* Dispatch through the lock ops chosen for this pool; in the trace
         * above this is where pool_put+0x60 ends up in mtx_enter() for the
         * crypto pool (subr_pool.c:104 is inlined into pool_put). */
*  104          pp->pr_lock_ops->pl_enter(pl);
   105  }
...
   788  #ifdef MULTIPROCESSOR
   789          if (pp->pr_cache != NULL && TAILQ_EMPTY(&pp->pr_requests)) {
   790                  pool_cache_put(pp, v);
   791                  return;
   792          }
   793  #endif
   794
*  795          pl_enter(pp, &pp->pr_lock);
   796
   797          pool_do_put(pp, v);
   798
   799          pp->pr_nout--;

The crypto pool is protected by a mutex with IPL_VM.  Note that the mutex
address in the panic (0xffffffff828b6010) is the same address pool_put()
was called with, i.e. the pool's own lock, and "locking against myself"
means mtx_enter_try() found that lock already owned by the CPU running
softnet0.  The crypto descriptors are allocated and freed in the same
function esp_output(), so there is no obvious path that re-enters
pool_put() on this pool while its lock is held.  I don't understand how
this could go wrong.  Either something running at an IPL above IPL_VM
takes the same pool lock on that CPU, or the pool's lock state is being
corrupted (a stale or double-freed crypto descriptor would be one way);
both are presumably worth checking.

bluhm
