From: "Andrey V. Elsukov"
Date: Sat, 15 Nov 2014 11:48:10 +0300
To: freebsd-security@FreeBSD.org, current@FreeBSD.org
Subject: Re: CFR: AES-GCM and OpenCrypto work review

On 15.11.2014 05:42, John-Mark Gurney wrote:
> John-Mark Gurney wrote this message on Fri, Nov 14, 2014 at 11:39 -0800:
>> Well.. It looks like IPSEC is still broken in head... I can get
>> pings to pass, but now on IPv4 transport mode, I can't get syn's
>> to be sent out... I see the output packet in the protocol stats,
>> but no packets go out the interface...
>>
>> If you could provide me w/ a simple set of spdadd commands, or the
>> dumps from the machine, that'd be good...
>>
>> Hmm.... I just ran ping -f so I could generate some traffic, and
>> managed to get a:
>> panic: System call sendto returing with kernel FPU ctx leaked
>>
>> I'll look into this...
>
> I just verified that this happens on a clean HEAD @ r274534:
> FreeBSD 11.0-CURRENT #0 r274534: Fri Nov 14 17:17:10 PST 2014
>     jmg@carbon.funkthat.com:/scratch/jmg/clean/sys/amd64/compile/IPSEC amd64
>
> No modifications, nothing, and I got the same panic:
> panic: System call sendto returing with kernel FPU ctx leaked
> cpuid = 0
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe001de7a800
> kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe001de7a8b0
> vpanic() at vpanic+0x189/frame 0xfffffe001de7a930
> kassert_panic() at kassert_panic+0x139/frame 0xfffffe001de7a9a0
> amd64_syscall() at amd64_syscall+0x616/frame 0xfffffe001de7aab0
> Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe001de7aab0
> --- syscall (64, FreeBSD ELF64, nosys), rip = 0x8011975aa, rsp = 0x7ffffffee588, rbp = 0x7ffffffee5c0 ---
> KDB: enter: panic
>
> So, it's clearly not my patch that is causing the issue...
>
> Andrey, can you verify that you do not receive the same panic w/o my
> patches?

11.0-CURRENT r274469 after 20 minutes and

# netstat -sp esp | grep out
        424360710 packets out
        17823149820 bytes out

can't reproduce the panic. I'll update and retry on fresh CURRENT.

My ipsec.conf:

add 10.9.12.25 10.9.12.15 esp 15701 -E rijndael-cbc "1111111111111111" ;
spdadd 192.168.0.0/16 192.168.0.0/16 any -P out ipsec esp/tunnel/10.9.12.25-10.9.12.15/default;

aesni.ko is loaded and pmcstat shows that it is in use:

PMC: [INSTR_RETIRED_ANY] Samples: 128994 (100.0%) , 7506 unresolved
Key: q => exiting...
%SAMP IMAGE      FUNCTION             CALLERS
 13.5 kernel     cpu_search_highest   cpu_search_highest:11.3 sched_idletd:2.2
  4.6 kernel     __mtx_unlock_flags   ip_output:0.8 key_checkrequest:0.6 ip_rtaddr:0.6 key_allocsp:0.5
  4.0 kernel     __mtx_lock_flags     _key_freesp:0.8 rtalloc1_fib:0.8 key_checkrequest:0.6
  3.5 kernel     cpu_search_lowest    cpu_search_lowest:2.6 sched_pickcpu:0.9
  3.2 kernel     bcopy                m_copydata:1.7 m_copyback:0.7
  3.2 libc.so.7  bsearch
  3.0 kernel     __rw_rlock           rtalloc1_fib
  2.5 kernel     uma_zalloc_arg       malloc:0.8 crypto_getreq:0.6
  2.4 kernel     uma_zfree_arg        m_freem:1.0 free:0.7
  2.2 kernel     bzero                uma_zalloc_arg
  2.1 kernel     _rw_runlock_cookie   rtalloc1_fib:0.7 arpresolve:0.5
  2.0 kernel     rn_match             rtalloc1_fib
  1.7 kernel     __mtx_lock_sleep     __mtx_lock_flags
  1.7 kernel     ip_output            ipsec_process_done:1.1 ip_forward:0.6
  1.4 kernel     critical_exit        spinlock_exit
  1.3 kernel     spinlock_exit        ether_nh_input
  1.3 kernel     ixgbe_rxeof          ixgbe_msix_que
  1.2 kernel     malloc
  1.2 kernel     critical_enter
  1.2 kernel     ixgbe_xmit           ixgbe_mq_start_locked
  1.1 aesni.ko   aesni_encrypt_cbc    aesni_process
  1.1 kernel     esp_output           ipsec4_process_packet
  1.1 kernel     key_allocsp          ipsec_getpolicybyaddr
  1.0 kernel     __mtx_lock_spin_flag
  1.0 kernel     in_cksumdata         in_cksum_skip
  1.0 kernel     free
  1.0 kernel     ip_input             netisr_dispatch_src
  1.0 kernel     ether_nh_input       netisr_dispatch_src
  1.0 kernel     bounce_bus_dmamap_lo bus_dmamap_load_mbuf_sg
  0.9 kernel     _mtx_lock_spin_cooki pmclog_reserve
  0.8 kernel     m_copydata
  0.8 kernel     ipsec4_process_packe ip_ipsec_output

--
WBR, Andrey V. Elsukov