NetBSD Problem Report #58021
From www@netbsd.org Sat Mar 9 20:21:54 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id BB9911A923B
for <gnats-bugs@gnats.NetBSD.org>; Sat, 9 Mar 2024 20:21:53 +0000 (UTC)
Message-Id: <20240309202152.2F1C11A923C@mollari.NetBSD.org>
Date: Sat, 9 Mar 2024 20:21:52 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: wg-userspace(8) crashes on psref abuse without binding to rump CPU
X-Send-Pr-Version: www-1.0
>Number: 58021
>Category: bin
>Synopsis: wg-userspace(8) crashes on psref abuse without binding to rump CPU
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 09 20:25:00 +0000 2024
>Closed-Date: Mon Mar 11 22:27:53 +0000 2024
>Last-Modified: Mon Mar 11 22:27:53 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10
>Organization:
The NetWG Userspace
>Environment:
>Description:
kernel diagnostic assertion "(psref->psref_cpu == curcpu())" failed: file "/home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/subr_psref.c", line 360 passive reference transferred from CPU 1 to CPU 0
#0 0x00007c4ed6b9114a in _lwp_kill () from /usr/lib/libc.so.12
#1 0x00007c4ed6b9163a in abort ()
at /home/riastradh/netbsd/10/src/lib/libc/stdlib/abort.c:74
#2 0x00007c4ed76094ef in rumpuser_exit (rv=rv@entry=-1)
at /home/riastradh/netbsd/10/src/lib/librumpuser/rumpuser.c:236
#3 0x00007c4ed82d9413 in cpu_reboot (howto=<optimized out>,
bootstr=<optimized out>)
at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/librump/rumpkern/emul.c:431
#4 0x00007c4ed82833c8 in kern_reboot (howto=4, bootstr=0x0)
at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/kern_reboot.c:73
#5 0x00007c4ed82827a4 in vpanic (
fmt=0x7c4ed82e6918 "kernel %sassertion \"%s\" failed: file \"%s\", line %d passive reference transferred from CPU %u to CPU %u", ap=0x7c4ec81cfb78)
at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/subr_prf.c:291
#6 0x00007c4ed8263f6a in kern_assert (fmt=<optimized out>)
at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../lib/libkern/kern_assert.c:51
#7 0x00007c4ed827fe6f in psref_release (psref=0x7c4ec81cfc38,
target=0x7c4ed7597980, class=0x7c4ed78835c0)
at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/subr_psref.c:360
#8 0x00007c4ed44063e4 in wg_put_sa (psref=0x7c4ec81cfc38,
wgsa=0x7c4ed7597900, wgp=<optimized out>)
at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:1659
#9 wg_send_user (wgp=<optimized out>, m=0x7c4ed7d71038)
at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:4946
#10 0x00007c4ed440b1f0 in wg_send_data_msg (wgp=wgp@entry=0x7c4ed7467000,
wgs=wgs@entry=0x7c4ed7487840, m=<optimized out>)
at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:4040
#11 0x00007c4ed440c484 in wg_send_keepalive_msg (wgs=0x7c4ed7487840,
wgp=0x7c4ed7467000)
at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:2310
#12 wg_handle_msg_resp (wg=wg@entry=0x7c4ed7508000, wgmr=0x7c4ed7d712b0,
src=src@entry=0x7c4ec81cff40)
at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:2033
#13 0x00007c4ed440e7fe in wg_handle_packet (wg=0x7c4ed7508000,
m=0x7c4ed7d71240, src=0x7c4ec81cff40)
at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:2884
#14 0x00007c4ed4405864 in wg_user_rcvthread () from /usr/lib/librumpnet_wg.so
#15 0x00007c4ed720c89f in pthread__create_tramp (cookie=0x7c4ed7520400)
at /home/riastradh/netbsd/10/src/lib/libpthread/pthread.c:595
#16 0x00007c4ed6a97950 in ?? () from /usr/lib/libc.so.12
Backtrace stopped: Cannot access memory at address 0x7c4ec81d0000
Unclear if this also applies to kernel wg(4), haven't reproduced it.
>How-To-Repeat:
leave wg-userspace(8) running for a while on a system with multiple CPUs (for some reason, this one had rump_server running with ncpu=2, even though the host has 8 threads)
>Fix:
curlwp_bind/bindx in the appropriate place
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sun, 10 Mar 2024 04:23:55 +0000
State-Changed-Why:
fixed in HEAD, needs pullup-10, inapplicable <10
(no wg before 10)
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58021 CVS commit: src/sys/net
Date: Sun, 10 Mar 2024 04:21:47 +0000
Module Name: src
Committed By: riastradh
Date: Sun Mar 10 04:21:47 UTC 2024
Modified Files:
src/sys/net: if_wg.c
Log Message:
wg(4): Bind to CPU in wg_handle_packet.
Required by use of psref there.
Assert we're bound up front so we catch mistakes early, rather than
later on if we get unlucky in preemption and scheduling.
PR bin/58021
To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/sys/net/if_wg.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 11 Mar 2024 01:10:27 +0000
State-Changed-Why:
pullup-10 #628
inapplicable <10, no wg(4)
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58021 CVS commit: [netbsd-10] src/sys/net
Date: Mon, 11 Mar 2024 19:34:00 +0000
Module Name: src
Committed By: martin
Date: Mon Mar 11 19:34:00 UTC 2024
Modified Files:
src/sys/net [netbsd-10]: if_wg.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #628):
sys/net/if_wg.c: revision 1.78
wg(4): Bind to CPU in wg_handle_packet.
Required by use of psref there.
Assert we're bound up front so we catch mistakes early, rather than
later on if we get unlucky in preemption and scheduling.
PR bin/58021
To generate a diff of this commit:
cvs rdiff -u -r1.71.2.2 -r1.71.2.3 src/sys/net/if_wg.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 11 Mar 2024 22:27:53 +0000
State-Changed-Why:
fixed and pulled up
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home