cryptosoft SLIST
Hi, Can we use the SLIST macro for cryptosoft sessions? ok? bluhm Index: crypto/cryptosoft.c === RCS file: /data/mirror/openbsd/cvs/src/sys/crypto/cryptosoft.c,v retrieving revision 1.87 diff -u -p -r1.87 cryptosoft.c --- crypto/cryptosoft.c 8 Jul 2021 09:22:30 - 1.87 +++ crypto/cryptosoft.c 8 Jul 2021 23:55:54 - @@ -73,7 +73,7 @@ const u_int8_t hmac_opad_buffer[HMAC_MAX }; -struct swcr_data **swcr_sessions = NULL; +struct swcr_list *swcr_sessions = NULL; u_int32_t swcr_sesnum = 0; int32_t swcr_id = -1; @@ -485,6 +485,7 @@ swcr_authenc(struct cryptop *crp) u_char iv[EALG_MAX_BLOCK_LEN]; union authctx ctx; struct cryptodesc *crd, *crda = NULL, *crde = NULL; + struct swcr_list *session; struct swcr_data *sw, *swa, *swe = NULL; const struct auth_hash *axf = NULL; const struct enc_xform *exf = NULL; @@ -494,12 +495,13 @@ swcr_authenc(struct cryptop *crp) ivlen = blksz = iskip = oskip = 0; + session = _sessions[crp->crp_sid & 0x]; for (i = 0; i < crp->crp_ndesc; i++) { crd = >crp_desc[i]; - for (sw = swcr_sessions[crp->crp_sid & 0x]; -sw && sw->sw_alg != crd->crd_alg; -sw = sw->sw_next) - ; + SLIST_FOREACH(sw, session, sw_next) { + if (sw->sw_alg == crd->crd_alg) + break; + } if (sw == NULL) return (EINVAL); @@ -728,7 +730,8 @@ swcr_compdec(struct cryptodesc *crd, str int swcr_newsession(u_int32_t *sid, struct cryptoini *cri) { - struct swcr_data **swd; + struct swcr_list *session; + struct swcr_data *swd, *prev; const struct auth_hash *axf; const struct enc_xform *txf; const struct comp_algo *cxf; @@ -738,9 +741,9 @@ swcr_newsession(u_int32_t *sid, struct c if (sid == NULL || cri == NULL) return EINVAL; - if (swcr_sessions) { + if (swcr_sessions != NULL) { for (i = 1; i < swcr_sesnum; i++) - if (swcr_sessions[i] == NULL) + if (SLIST_EMPTY(_sessions[i])) break; } 
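Review bot: No range check of the masked `crp->crp_sid` against `swcr_sesnum` is visible before `session` is taken from the session table in the `@@ -494` hunk of swcr_authenc(), and the lookup now happens once, ahead of the descriptor loop. The function starts outside the hunk, so the caller may already validate the id; if so, say it at the lookup with a comment such as `/* sid already validated by the caller */`, or assert it with a `KASSERT` on the index. An out-of-range id here would become an out-of-bounds read of a list head that `SLIST_FOREACH` then follows.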
@@ -751,9 +754,9 @@ swcr_newsession(u_int32_t *sid, struct c } else swcr_sesnum *= 2; - swd = mallocarray(swcr_sesnum, sizeof(struct swcr_data *), + session = mallocarray(swcr_sesnum, sizeof(struct swcr_list), M_CRYPTO_DATA, M_NOWAIT | M_ZERO); - if (swd == NULL) { + if (session == NULL) { /* Reset session number */ if (swcr_sesnum == CRYPTO_SW_SESSIONS) swcr_sesnum = 0; @@ -764,25 +767,30 @@ swcr_newsession(u_int32_t *sid, struct c /* Copy existing sessions */ if (swcr_sessions) { - bcopy(swcr_sessions, swd, - (swcr_sesnum / 2) * sizeof(struct swcr_data *)); + bcopy(swcr_sessions, session, + (swcr_sesnum / 2) * sizeof(struct swcr_list)); free(swcr_sessions, M_CRYPTO_DATA, - (swcr_sesnum / 2) * sizeof(struct swcr_data *)); + (swcr_sesnum / 2) * sizeof(struct swcr_list)); } - swcr_sessions = swd; + swcr_sessions = session; } - swd = _sessions[i]; + session = _sessions[i]; *sid = i; + prev = NULL; while (cri) { - *swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA, + swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA, M_NOWAIT | M_ZERO); - if (*swd == NULL) { + if (swd == NULL) { swcr_freesession(i); return ENOBUFS; } + if (prev == NULL) + SLIST_INSERT_HEAD(session, swd, sw_next); + else + SLIST_INSERT_AFTER(prev, swd, sw_next); switch (cri->cri_alg) { case CRYPTO_3DES_CBC: @@ -808,7 +816,7 @@ swcr_newsession(u_int32_t *sid, struct c goto enccommon; case CRYPTO_AES_GMAC: txf = _xform_aes_gmac; - (*swd)->sw_exf = txf; + swd->sw_exf = txf; break; case CRYPTO_CHACHA20_POLY1305: txf = _xform_chacha20_poly1305; @@ -818,19 +826,19 @@ swcr_newsession(u_int32_t *sid, struct c goto enccommon; enccommon: if (txf->ctxsize > 0)
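Review bot: The `bcopy` that moves the old table into the enlarged one in the `@@ -764` hunk now copies `struct swcr_list` heads by value, which is valid only because an SLIST head is a bare first-element pointer and no element points back at its head. A comment at that call would keep a later switch to LIST or TAILQ from silently corrupting the sessions, e.g. `/* SLIST heads hold no back pointers, so copying them is safe */`. Separately, `prev` is set to NULL before the `while (cri)` loop but its update is not in the visible lines; the loop continues outside the hunk, so confirm it is advanced to `swd` on each iteration, otherwise every new element is inserted at the head and the algorithm order of the session is reversed.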
Re: update xf86-video-amdgpu to latest git
On Thu, Jul 08, 2021 at 05:29:01PM +1000, Jonathan Gray wrote: > The latest xf86-video-amdgpu release was in 2019. > > xf86-video-amdgpu-19.1.0..origin/master Hi, Works so far here on my X395 (Vega Mobile 8) with -current. -- Matthieu Herrb
feature request: dhclient reject more than a single IP address
Dear devs, I came across a limitation and would like to request a feature: In dhclient.conf the reject declaration only accepts a single IP address, and it would be great if we could define more than one by comma separation and even ranges in CIDR notation like in Linux. I wanted to configure this after a rogue DHCP server leased an IP address to my OpenBSD box. I think this would be a nice way to make OpenBSD more robust and secure. From OpenBSD man pages: https://man.openbsd.org/OpenBSD-6.4/dhclient.conf.5 reject ip-address; From Linux man pages: https://linux.die.net/man/5/dhclient.conf reject cidr-ip-address [, ... cidr-ip-address ] ; BRs /Andras
const struct xformsw
Hi, The array of struct xformsw can also be declared constant. ok? bluhm
Index: netinet/ip_ah.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.149
diff -u -p -r1.149 ip_ah.c
--- netinet/ip_ah.c 8 Jul 2021 15:13:14 - 1.149
+++ netinet/ip_ah.c 8 Jul 2021 19:23:25 -
@@ -99,7 +99,7 @@ ah_attach(void)
 * ah_init() is called when an SPI is being set up.
 */
 int
-ah_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
+ah_init(struct tdb *tdbp, const struct xformsw *xsp, struct ipsecinit *ii)
 {
 const struct auth_hash *thash = NULL;
 struct cryptoini cria, crin;
Index: netinet/ip_esp.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_esp.c,v
retrieving revision 1.166
diff -u -p -r1.166 ip_esp.c
--- netinet/ip_esp.c8 Jul 2021 15:13:14 - 1.166
+++ netinet/ip_esp.c8 Jul 2021 19:23:45 -
@@ -93,7 +93,7 @@ esp_attach(void)
 * esp_init() is called when an SPI is being set up.
 */
 int
-esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
+esp_init(struct tdb *tdbp, const struct xformsw *xsp, struct ipsecinit *ii)
 {
 const struct enc_xform *txform = NULL;
 const struct auth_hash *thash = NULL;
Index: netinet/ip_ipcomp.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipcomp.c,v
retrieving revision 1.70
diff -u -p -r1.70 ip_ipcomp.c
--- netinet/ip_ipcomp.c 8 Jul 2021 15:13:14 - 1.70
+++ netinet/ip_ipcomp.c 8 Jul 2021 19:23:42 -
@@ -80,7 +80,7 @@ ipcomp_attach(void)
 * ipcomp_init() is called when an CPI is being set up.
 */
 int
-ipcomp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
+ipcomp_init(struct tdb *tdbp, const struct xformsw *xsp, struct ipsecinit *ii)
 {
 const struct comp_algo *tcomp = NULL;
 struct cryptoini cric;
Index: netinet/ip_ipip.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipip.c,v
retrieving revision 1.92
diff -u -p -r1.92 ip_ipip.c
--- netinet/ip_ipip.c 8 Jul 2021 15:13:14 - 1.92
+++ netinet/ip_ipip.c 8 Jul 2021 19:24:11 -
@@ -554,7 +554,7 @@ ipe4_attach(void)
 }
 int
-ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
+ipe4_init(struct tdb *tdbp, const struct xformsw *xsp, struct ipsecinit *ii)
 {
 tdbp->tdb_xform = xsp;
 return 0;
Index: netinet/ip_ipsp.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipsp.c,v
retrieving revision 1.239
diff -u -p -r1.239 ip_ipsp.c
--- netinet/ip_ipsp.c 8 Jul 2021 15:13:14 - 1.239
+++ netinet/ip_ipsp.c 8 Jul 2021 19:25:46 -
@@ -119,7 +119,7 @@ RBT_GENERATE(ipsec_ids_flows, ipsec_ids,
 * This is the proper place to define the various encapsulation transforms.
 */
-struct xformsw xformsw[] = {
+const struct xformsw xformsw[] = {
 #ifdef IPSEC
 {
 .xf_type = XF_IP4,
@@ -176,7 +176,7 @@ struct xformsw xformsw[] = {
 #endif /* TCP_SIGNATURE */
 };
-struct xformsw *xformswNXFORMSW = [nitems(xformsw)];
+const struct xformsw *const xformswNXFORMSW = [nitems(xformsw)];
 #defineTDB_HASHSIZE_INIT 32
@@ -902,7 +902,7 @@ tdb_reaper(void *xtdbp)
 int
 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii)
 {
- struct xformsw *xsp;
+ const struct xformsw *xsp;
 int err;
 #ifdef ENCDEBUG
 char buf[INET6_ADDRSTRLEN];
Index: netinet/ip_ipsp.h
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipsp.h,v
retrieving revision 1.199
diff -u -p -r1.199 ip_ipsp.h
--- netinet/ip_ipsp.h 8 Jul 2021 09:22:30 - 1.199
+++ netinet/ip_ipsp.h 8 Jul 2021 19:22:51 -
@@ -320,7 +320,7 @@ struct tdb {/* tunnel descriptor blo
 struct tdb *tdb_inext;
 struct tdb *tdb_onext;
- struct xformsw *tdb_xform; /* Transform to use */
+ const struct xformsw*tdb_xform; /* Transform to use */
 const struct enc_xform *tdb_encalgxform; /* Enc algorithm */
 const struct auth_hash *tdb_authalgxform; /* Auth algorithm */
 const struct comp_algo *tdb_compalgxform; /* Compression algo */
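Review bot: With `xformsw[]` made `const` in the ip_ipsp.c hunk, the `xf_name` member is still declared `char *` in the `struct xformsw` context lines of the ip_ipsp.h hunk, so the name strings stay writable through the table's type. Declaring it `const char *xf_name;` would complete the change, assuming no caller writes through it, which the visible lines do not show. A line above the table stating the intent would also help, for example `/* const: the transform function pointers are not meant to change at run time */`.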
@@ -473,7 +473,8 @@ struct xformsw {
 u_short xf_flags; /* flags (see below) */
 char*xf_name; /* human-readable name */
 int (*xf_attach)(void); /* called at config time */
- int (*xf_init)(struct tdb *, struct xformsw *, struct ipsecinit *);
+ int (*xf_init)(struct tdb *, const struct xformsw *,
+ struct ipsecinit *);
Re: forwarding in parallel with ipsec panic
On Thu, Jul 08, 2021 at 08:08:23AM +0200, Hrvoje Popovski wrote: > On 8.7.2021. 0:10, Vitaliy Makkoveev wrote: > > On Wed, Jul 07, 2021 at 11:07:08PM +0200, Hrvoje Popovski wrote: > >> On 7.7.2021. 22:36, Vitaliy Makkoveev wrote: > >>> Thanks. ipsp_spd_lookup() stopped panic in pool_get(9). > >>> > >>> I guess the panics continue because simultaneous modifications of > >>> 'tdbp->tdb_policy_head' break it. Could you try the diff below? It > >>> introduces `tdb_polhd_mtx' mutex(9) and uses it to protect > >>> 'tdbp->tdb_policy_head' modifications. I don't propose this diff for > >>> commit but to check my suggestion. > >> > >> > >> Hi, > >> > >> with this diff i'm getting this panic > >> > >> r620-1# panic: acquiring blockable sleep lock with spinlock or critical > >> section held (kernel_lock) _lock > >> Stopped at db_enter+0x10: popq%rbp > >> TIDPIDUID PRFLAGS PFLAGS CPU COMMAND > >> 375321 87823 0 0x14000 0x2005 crynlk > >> 455594 99250 0 0x14000 0x2000 crypto > >> 124997 16472 0 0x14000 0x2001 softnet > >> 409214 30226 0 0x14000 0x2003 softnet > >> 347403 66039 0 0x14000 0x2004 softnet > >> *345146 25512 0 0x14000 0x2002 softnet > >> db_enter() at db_enter+0x10 > >> panic(81e7ce76) at panic+0xbf > >> witness_checkorder(82348dc0,9,0) at witness_checkorder+0xbce > >> __mp_lock(82348bb8) at __mp_lock+0x5f > >> kpageflttrap(800023864a30,147) at kpageflttrap+0x178 > >> kerntrap(800023864a30) at kerntrap+0x91 > >> alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b > >> ipsp_spd_lookup(fd80a05e9200,2,14,800023864d0c,2,0) at > >> ipsp_spd_lookup+0x9fd > >> ip_output_ipsec_lookup(fd80a05e9200,14,800023864d0c,0,0) at > >> ip_output_ipsec_lookup+0x4d > >> ip_output(fd80a05e9200,0,800023864e98,1,0,0) at ip_output+0x42a > >> ip_forward(fd80a05e9200,80087048,fd83b39799a8,0) at > >> ip_forward+0x26a > >> ip_input_if(800023864fd8,800023864fe4,4,0,80087048) at > >> ip_input_if+0x365 > >> ipv4_input(80087048,fd80a05e9200) at ipv4_input+0x39 > >> 
if_input_process(80087048,800023865058) at > >> if_input_process+0x6f > >> end trace frame: 0x8000238650a0, count: 0 > >> https://www.openbsd.org/ddb.html describes the minimum info required in > >> bug reports. Insufficient info makes it difficult to find and fix bugs. > >> ddb{2}> > >> > >> ddb{2}> show locks > >> shared rwlock netlock r = 0 (0x8219ce60) > >> #0 witness_lock+0x339 > >> #1 if_input_process+0x43 > >> #2 ifiq_process+0x69 > >> #3 taskq_thread+0x9f > >> #4 proc_trampoline+0x1c > >> shared rwlock softnet r = 0 (0x80030070) > >> #0 witness_lock+0x339 > >> #1 taskq_thread+0x92 > >> #2 proc_trampoline+0x1c > >> exclusive mutex /sys/netinet/ip_ipsp.c:95 r = 0 (0x82192398) > >> #0 witness_lock+0x339 > >> #1 mtx_enter_try+0x95 > >> #2 mtx_enter+0x48 > >> #3 ipsp_spd_lookup+0x961 > >> #4 ip_output_ipsec_lookup+0x4d > >> #5 ip_output+0x42a > >> #6 ip_forward+0x26a > >> #7 ip_input_if+0x365 > >> #8 ipv4_input+0x39 > >> #9 if_input_process+0x6f > >> #10 ifiq_process+0x69 > >> #11 taskq_thread+0x9f > >> #12 proc_trampoline+0x1c > >> > > > > Thanks. > > > > Now panics only in ipsp_spd_lookup() and never in pfkeyv2_send() or in > > tdb_free() called from pfkeyv2_send(), right? > > > > Yes, > > i can only trigger this panic > Thanks. That means simultaneous ipsp_spd_lookup() execution breaks not only `tdb_policy_head' but the 'ipo->ipo_tdb' pointer too. Also I like to remind, about the logic we have in sys/net/pfkeyv2.c: 2017/* 2018 * XXXSMP IPsec data structures are not ready to be 2019 * accessed by multiple Network threads in parallel, 2020 * so force all packets to be processed by the first 2021 * one. 2022 */ 2023extern int nettaskqs; 2024nettaskqs = 1; It seems to be not working with parallel forwarding diff.
Re: /etc/ssl/cert.pem doesn't need to be unveiled on ntpd(8)
my eyes may be tricking me, but it looks like the main proc doesn't speak with sockets during the main loop and setpriority plus privdrop at this point are all set and done so pledge("inet id") are not required. I have it running for a couple of hours now without issues so far so is this change also OK? whole diff included, but if this is also OK I'll split them in 2 commits.
Index: ntpd.c
===
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.129
diff -u -p -u -r1.129 ntpd.c
--- ntpd.c 12 Feb 2020 19:14:56 - 1.129
+++ ntpd.c 8 Jul 2021 10:58:59 -
@@ -283,11 +283,9 @@ main(int argc, char *argv[])
 * Constraint processes are forked with certificates in memory,
 * then privdrop into chroot before speaking to the outside world.
 */
- if (unveil(tls_default_ca_cert_file(), "r") == -1)
- err(1, "unveil");
 if (unveil("/usr/sbin/ntpd", "x") == -1)
 err(1, "unveil");
- if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
+ if (pledge("stdio settime proc exec", NULL) == -1)
 err(1, "pledge");
 while (quit == 0) {
On 10:37 Thu 08 Jul , Klemens Nanni wrote: > On Thu, Jul 08, 2021 at 08:43:30AM +0100, Ricardo Mestre wrote: > > /etc/ssl/cert.pem is loaded into mem with tls_load_file(3) on local function > > priv_constraint_child() which is called before we reach the code below, > > therefore we don't need to unveil(2) it nor having pledge(2) "rpath". > > OK kn
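Review bot: Removing `inet` and `id` from the `pledge` call is backed in the message only by a few hours of uneventful running, and the main loop that would have to honour the smaller promise set lies outside the hunk. A pledge violation kills the process, so a rarely taken path in the parent that opens a socket or changes ids would take the daemon down rather than fail softly; every handler reachable from `while (quit == 0)` should be read for such calls before this is committed. `proc exec` stay, and because the second argument is `NULL` this call does not set promises for the re-executed children, so their own privdrop should be unaffected unless an earlier call set execpromises. I would record the reasoning in the comment above the call, e.g. `/* sockets, setpriority and privdrop are all done before this point */`.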
Re: /etc/ssl/cert.pem doesn't need to be unveiled on ntpd(8)
On Thu, Jul 08, 2021 at 08:43:30AM +0100, Ricardo Mestre wrote: > /etc/ssl/cert.pem is loaded into mem with tls_load_file(3) on local function > priv_constraint_child() which is called before we reach the code below, > therefore we don't need to unveil(2) it nor having pledge(2) "rpath". OK kn
/etc/ssl/cert.pem doesn't need to be unveiled on ntpd(8)
Hi, /etc/ssl/cert.pem is loaded into mem with tls_load_file(3) on local function priv_constraint_child() which is called before we reach the code below, therefore we don't need to unveil(2) it nor having pledge(2) "rpath". Comments? OK?
Index: ntpd.c
===
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.129
diff -u -p -u -r1.129 ntpd.c
--- ntpd.c 12 Feb 2020 19:14:56 - 1.129
+++ ntpd.c 8 Jul 2021 07:35:51 -
@@ -283,11 +283,9 @@ main(int argc, char *argv[])
 * Constraint processes are forked with certificates in memory,
 * then privdrop into chroot before speaking to the outside world.
 */
- if (unveil(tls_default_ca_cert_file(), "r") == -1)
- err(1, "unveil");
 if (unveil("/usr/sbin/ntpd", "x") == -1)
 err(1, "unveil");
- if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
+ if (pledge("stdio inet settime proc exec id", NULL) == -1)
 err(1, "pledge");
 while (quit == 0) {
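Review bot: The comment kept above the removed `unveil` lines says the certificates are in memory but not where they were read, so nothing in the code explains why the parent can do without `rpath` and without the CA file in its filesystem view. The description gives the reason (tls_load_file(3) in priv_constraint_child()); it belongs in the comment, e.g. ` * The CA bundle is read by priv_constraint_child(), so neither rpath nor an unveil of it is needed here.` main() continues outside the hunk, so also confirm that nothing after this `pledge` opens a file for reading, since that would now abort the process.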
update xf86-video-amdgpu to latest git
The latest xf86-video-amdgpu release was in 2019. xf86-video-amdgpu-19.1.0..origin/master minus commits we already have cb27a5b Handle NULL fb_ptr in pixmap_get_fb e2cd67a Bail from amdgpu_pixmap_get_handle with ShadowFB edcbe5f Fix link failure with gcc 10 With a X_PRIVSEP path added to amdgpu_probe.c to handle the change from drmOpen() to open(). aedbf47 Include xf86drm.h instead of sarea.h 6ed4863 Drop dri.h includes 6234a1b Fix drmmode_crtc_scanout_create logic 6bd3dc6 Check for AMDGPU_CREATE_PIXMAP_SCANOUT in amdgpu_glamor_create_pixmap 2202cdf Replace a few more instances of "master" 0d1d479 Fix build against ABI_VIDEODRV_VERSION 25.2 442efe7 Make drmmode_crtc_scanout_create/destroy static 99f3c82 Drop struct drmmode_scanout altogether in favour of PixmapPtrs cfce4b3 Drop bo/width/height members from struct drmmode_scanout 680b9a2 Fix return value check of drmIoctl() e923642 gitlab CI: update to use the latest CI templates 0732f81 glamor: Make pixmap scanout compatible if its dimensions are 42a3148 Factor out common code to amdgpu_probe() eeaaf37 Introduce amdgpu_device_setup helper 1c9742e Kill off drmOpen/Close/drmSetInterfaceVersion in favour of drmDevices 2dd7307 Use the device_id straight from gpu_info 655b3c5 Reuse the existing busid string b357a84 Store the busid string in AMDGPUEnt 2c0c154 Remove NULL check after a "cannot fail" function 16ae0d0 Fixup the amdgpu_bus_id() string format abbe23f Remove drmCheckModesettingSupported and kernel module loading, on Linux 0b3bc7a Use ODEV_ATTRIB_PATH where possible for the device node. fd66f5c kms: Handle changes to SourceValidate call chain in xserver 19 Index: driver/xf86-video-amdgpu/Makefile.in === RCS file: /cvs/xenocara/driver/xf86-video-amdgpu/Makefile.in,v retrieving revision 1.2 diff -u -p -r1.2 Makefile.in --- driver/xf86-video-amdgpu/Makefile.in16 Apr 2019 01:59:34 - 1.2 +++ driver/xf86-video-amdgpu/Makefile.in8 Jul 2021 07:13:57 - 
@@ -314,6 +314,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ Index: driver/xf86-video-amdgpu/README.md === RCS file: /cvs/xenocara/driver/xf86-video-amdgpu/README.md,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 README.md --- driver/xf86-video-amdgpu/README.md 16 Apr 2019 01:49:01 - 1.1.1.1 +++ driver/xf86-video-amdgpu/README.md 7 Jul 2021 13:42:19 - @@ -9,7 +9,7 @@ Please to the Xorg bugzilla. The -[master development code repository](https://gitlab.freedesktop.org/xorg/driver/xf86-video-amdgpu) +[main development code repository](https://gitlab.freedesktop.org/xorg/driver/xf86-video-amdgpu) can be found at FreeDesktop Gitlab. Please use merge requests for patch submission. Index: driver/xf86-video-amdgpu/aclocal.m4 === RCS file: /cvs/xenocara/driver/xf86-video-amdgpu/aclocal.m4,v retrieving revision 1.2 diff -u -p -r1.2 aclocal.m4 --- driver/xf86-video-amdgpu/aclocal.m4 16 Apr 2019 01:59:34 - 1.2 +++ driver/xf86-video-amdgpu/aclocal.m4 8 Jul 2021 07:13:54 - @@ -19,9 +19,9 @@ You have another version of autoconf. I If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) -dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29.1) -dnl +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# serial 12 (pkg-config-0.29.2) + dnl Copyright © 2004 Scott James Remnant . dnl Copyright © 2012-2015 Dan Nicholson dnl 
@@ -62,7 +62,7 @@ dnl dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun([PKG_PREREQ], -[m4_define([PKG_MACROS_VERSION], [0.29.1]) +[m4_define([PKG_MACROS_VERSION], [0.29.2]) m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) ])dnl PKG_PREREQ @@ -163,7 +163,7 @@ AC_ARG_VAR([$1][_CFLAGS], [C compiler fl AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl pkg_failed=no -AC_MSG_CHECKING([for $1]) +AC_MSG_CHECKING([for $2]) _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) _PKG_CONFIG([$1][_LIBS], [libs], [$2]) @@ -173,11 +173,11 @@ and $1[]_LIBS to avoid the need to call See the pkg-config man page for more details.]) if test $pkg_failed = yes; then - AC_MSG_RESULT([no]) +AC_MSG_RESULT([no]) _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` -else +
Re: forwarding in parallel with ipsec panic
On 8.7.2021. 0:10, Vitaliy Makkoveev wrote: > On Wed, Jul 07, 2021 at 11:07:08PM +0200, Hrvoje Popovski wrote: >> On 7.7.2021. 22:36, Vitaliy Makkoveev wrote: >>> Thanks. ipsp_spd_lookup() stopped panic in pool_get(9). >>> >>> I guess the panics continue because simultaneous modifications of >>> 'tdbp->tdb_policy_head' break it. Could you try the diff below? It >>> introduces `tdb_polhd_mtx' mutex(9) and uses it to protect >>> 'tdbp->tdb_policy_head' modifications. I don't propose this diff for >>> commit but to check my suggestion. >> >> >> Hi, >> >> with this diff i'm getting this panic >> >> r620-1# panic: acquiring blockable sleep lock with spinlock or critical >> section held (kernel_lock) _lock >> Stopped at db_enter+0x10: popq%rbp >> TIDPIDUID PRFLAGS PFLAGS CPU COMMAND >> 375321 87823 0 0x14000 0x2005 crynlk >> 455594 99250 0 0x14000 0x2000 crypto >> 124997 16472 0 0x14000 0x2001 softnet >> 409214 30226 0 0x14000 0x2003 softnet >> 347403 66039 0 0x14000 0x2004 softnet >> *345146 25512 0 0x14000 0x2002 softnet >> db_enter() at db_enter+0x10 >> panic(81e7ce76) at panic+0xbf >> witness_checkorder(82348dc0,9,0) at witness_checkorder+0xbce >> __mp_lock(82348bb8) at __mp_lock+0x5f >> kpageflttrap(800023864a30,147) at kpageflttrap+0x178 >> kerntrap(800023864a30) at kerntrap+0x91 >> alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b >> ipsp_spd_lookup(fd80a05e9200,2,14,800023864d0c,2,0) at >> ipsp_spd_lookup+0x9fd >> ip_output_ipsec_lookup(fd80a05e9200,14,800023864d0c,0,0) at >> ip_output_ipsec_lookup+0x4d >> ip_output(fd80a05e9200,0,800023864e98,1,0,0) at ip_output+0x42a >> ip_forward(fd80a05e9200,80087048,fd83b39799a8,0) at >> ip_forward+0x26a >> ip_input_if(800023864fd8,800023864fe4,4,0,80087048) at >> ip_input_if+0x365 >> ipv4_input(80087048,fd80a05e9200) at ipv4_input+0x39 >> if_input_process(80087048,800023865058) at if_input_process+0x6f >> end trace frame: 0x8000238650a0, count: 0 >> https://www.openbsd.org/ddb.html describes the minimum info required 
in >> bug reports. Insufficient info makes it difficult to find and fix bugs. >> ddb{2}> >> >> ddb{2}> show locks >> shared rwlock netlock r = 0 (0x8219ce60) >> #0 witness_lock+0x339 >> #1 if_input_process+0x43 >> #2 ifiq_process+0x69 >> #3 taskq_thread+0x9f >> #4 proc_trampoline+0x1c >> shared rwlock softnet r = 0 (0x80030070) >> #0 witness_lock+0x339 >> #1 taskq_thread+0x92 >> #2 proc_trampoline+0x1c >> exclusive mutex /sys/netinet/ip_ipsp.c:95 r = 0 (0x82192398) >> #0 witness_lock+0x339 >> #1 mtx_enter_try+0x95 >> #2 mtx_enter+0x48 >> #3 ipsp_spd_lookup+0x961 >> #4 ip_output_ipsec_lookup+0x4d >> #5 ip_output+0x42a >> #6 ip_forward+0x26a >> #7 ip_input_if+0x365 >> #8 ipv4_input+0x39 >> #9 if_input_process+0x6f >> #10 ifiq_process+0x69 >> #11 taskq_thread+0x9f >> #12 proc_trampoline+0x1c >> > > Thanks. > > Now panics only in ipsp_spd_lookup() and never in pfkeyv2_send() or in > tdb_free() called from pfkeyv2_send(), right? > Yes, i can only trigger this panic r620-1# panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) _lock Stopped at db_enter+0x10: popq%rbp TIDPIDUID PRFLAGS PFLAGS CPU COMMAND 340098 10711 0 0x14000 0x2003 crynlk *173315 77636 0 0x14000 0x2001 softnet 211687 60430 0 0x14000 0x2002 softnet db_enter() at db_enter+0x10 panic(81e79af6) at panic+0xbf witness_checkorder(8237dbb8,9,0) at witness_checkorder+0xbce __mp_lock(8237d9b0) at __mp_lock+0x5f kpageflttrap(800023871010,147) at kpageflttrap+0x178 kerntrap(800023871010) at kerntrap+0x91 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b ipsp_spd_lookup(fd80a1bde300,2,14,8000238712ec,2,0) at ipsp_spd_lookup+0x9fd ip_output_ipsec_lookup(fd80a1bde300,14,8000238712ec,0,0) at ip_output_ipsec_lookup+0x4d ip_output(fd80a1bde300,0,800023871478,1,0,0) at ip_output+0x42a ip_forward(fd80a1bde300,80087048,fd83b4060cb8,0) at ip_forward+0x26a ip_input_if(8000238715b8,8000238715c4,4,0,80087048) at ip_input_if+0x365 ipv4_input(80087048,fd80a1bde300) at ipv4_input+0x39 
if_input_process(80087048,800023871638) at if_input_process+0x6f end trace frame: 0x800023871680, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.