Subject: Re: IPSEC still fails on BETA2/vax (not anymore!)
To: Olaf Seibert <rhialto@polderland.nl>
From: Jaromir Dolecek <jdolecek@netbsd.org>
List: current-users
Date: 07/18/2002 14:02:40
--ELM728330593-3077-0_
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Can you try whether the appended patch is sufficient to fix the kernel stack
overflow seen with the NFS mount over IPsec?
Olaf Seibert wrote:
> On Mon 15 Jul 2002 at 13:09:43 +0200, Jaromir Dolecek wrote:
> > BTW, can you try -current (1.6D) kernel without your stack size
> > changes? There was a fix to kernel stack usage for IPsec committed
> > not too long ago, and the fix has not been pulled up to 1.6 branch
> > yet.
>
> I tried it just now (source supped 15 july). The results are better than
> with the unmodified 1.5ZC kernel: ESP ping traffic works now without
> overflowing the interrupt stack. The NFS mount however still overflows
> the kernel stack with the following backtrace:
>
> bash-2.04# mount /vol1
> panic: kernel stack invalid
> Stopped in pid 170 (mount_nfs) at trap+0x174: tstl 64(r8)
> db> tr
> panic: kernel stack invalid
> Stack traceback :
> 0x80336b34: trap+0x174(0x80336bb4)
> 0x80336bb4: trap type=0xf code=0x0 pc=0x8012a96c psl=0xcc0008
> 0x80336b80: SHA1Transform+0x15a(0x8aae94f4,0x8aae9510)
> 0x8aae9470: SHA1Update+0x66(0x8aae94f4,0x801904ac,0x200)
> 0x8aae94a8: rndpool_extract_data+0x5a(0x80190484,0x886822f0,0x8,0)
> 0x8aae9550: rnd_extract_data+0x23(0x886822f0,0x8,0)
> 0x8aae9590: key_randomfill+0x1a(0x886822f0,0x8)
> 0x8aae95bc: key_sa_stir_iv+0x25(0x88694380)
> 0x8aae95e8: esp_cbc_encrypt+0x457(0x80dc2200,0x14,0x68,0x88694380,0x801648a0,0x8
> )
> 0x8aae9648: esp_output+0x60b(0x80dc2200,0x80dc22f5,0x81ecd100,0x88602a00,0x2)
> 0x8aae96c0: esp4_output+0x42(0x80dc2200,0x88602a00)
> 0x8aae9704: ipsec4_output+0x22f(0x8aae97a4,0x8868b240,0)
> 0x8aae9728: ip_output+0x637(0x81ecd100,0,0x81372384,0,0)
> 0x8aae97c8: udp_output+0x19a(0x80dc2900,0x81372364)
> 0x8aae980c: udp_usrreq+0x1ca(0x8139967c,0x9,0x80dc2900,0x805d3500,0,0x81f7871c)
> 0x8aae9844: sosend+0x4b3(0x8139967c,0x805d3500,0,0x80dc2900,0,0)
> 0x8aae98a8: nfs_send+0x87(0x8139967c,0x805d3500,0x80dc2900,0x88696300)
> 0x8aae98f0: nfs_request+0x2a6(0x80d10034,0x80dc2a00,0x13,0x81f7871c,0x8867ca00,0
> x8aae99d4,0x8aae99d8,0x8aae99dc)
> 0x8aae997c: nfs_fsinfo+0x1e3(0x88602200,0x80d10034,0x8867ca00,0x81f7871c)
> 0x8aae99e8: nfs_bioread+0x80(0x80d10034,0x8aae9bb0,0,0x8867ca00,0x1)
> 0x8aae9acc: nfs_readdir+0x65(0x8aae9b50)
> 0x8aae9b1c: VOP_READDIR+0x4f(0x80d10034,0x8aae9bb0,0x8867ca00,0x8aae9b9c,0x8aae9
> ba0,0x8aae9ba4)
> 0x8aae9b6c: nfs_cookieheuristic+0x6f(0x80d10034,0x886023c0,0x81f7871c,0x8867ca00
> )
> 0x8aae9bd0: mountnfs+0x1f8(0x8aae9dc8,0x88685000,0x805d3500,0x8aae9d6c,0x8aae9d1
> 0,0x8aae9cc4,0x81f7871c)
> 0x8aae9c78: nfs_mount+0x135(0x88685000,0x7ffffca9,0x7ffffacc,0x8aae9e58,0x81f787
> 1c)
> 0x8aae9e10: sys_mount+0x2dc(0x81f7871c,0x8aae9f60,0x8aae9f58)
> 0x8aae9f14: syscall+0x10f(0x8aae9fb4)
> db>
>
> I wonder how close the interrupt stack comes to overflowing - I don't
> suppose there is an easy way to determine this. Perhaps I can pre-fill
> it with known data and then examine it periodically. How do I break into
> ddb from the serial console on a VAX? I find code in vax/vsa/lkc.c for a
> graphics console (ctrl-alt-esc) - perhaps I'll need to add that too.
>
> > Jaromir
> -Olaf.
> --
> ___ Olaf 'Rhialto' Seibert - rhialto@ -- Woe betide the one who feels
> \X/ polderland.nl -- remorse without sin - Tom Poes, "Het boze oog", 4444.
>
--
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.org/Ports/i386/ps2.html
-=- We should be mindful of the potential goal, but as the tantric -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow. Do not let this distract you.'' -=-
--ELM728330593-3077-0_
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-8859-2
Content-Disposition: attachment; filename=nfsmountstfix.diff
Index: nfs_vfsops.c
===================================================================
RCS file: /cvsroot/syssrc/sys/nfs/nfs_vfsops.c,v
retrieving revision 1.112
diff -u -p -r1.112 nfs_vfsops.c
--- nfs_vfsops.c 2001/12/04 18:38:08 1.112
+++ nfs_vfsops.c 2002/07/18 12:01:06
@@ -560,9 +560,9 @@ nfs_mount(mp, path, data, ndp, p)
struct nfs_args args;
struct mbuf *nam;
struct vnode *vp;
- char pth[MNAMELEN], hst[MNAMELEN];
+ char *pth=NULL, *hst=NULL;
size_t len;
- u_char nfh[NFSX_V3FHMAX];
+ u_char *nfh=NULL;
error = copyin(data, (caddr_t)&args, sizeof (struct nfs_args));
if (error)
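Review bot: The new declarations `char *pth=NULL, *hst=NULL;` and `u_char *nfh=NULL;` drop the spaces around `=` that the surrounding KNF-style code uses; write them as `char *pth = NULL, *hst = NULL;` and `u_char *nfh = NULL;`. Nothing in the code says why these three buffers left the stack, so a reader of the final file will not know the constraint; a one-line comment on the declarations such as `/* heap-allocated: the two MNAMELEN and one NFSX_V3FHMAX buffers overflowed the kernel stack on deep NFS-over-IPsec paths */` records it (the motivation is only in the mail thread, so phrase it as that thread supports). nfs_mount's body continues past this hunk.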
@@ -591,25 +591,36 @@ nfs_mount(mp, path, data, ndp, p)
nfs_decode_args(nmp, &args);
return (0);
}
+ /* sockargs() call must be after above copyin() calls */
+ error = sockargs(&nam, (caddr_t)args.addr, args.addrlen, MT_SONAME);
+ if (error)
+ return (error);
if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX)
return (EINVAL);
+ MALLOC(nfh, u_char *, NFSX_V3FHMAX, M_TEMP, M_WAITOK);
error = copyin((caddr_t)args.fh, (caddr_t)nfh, args.fhsize);
if (error)
- return (error);
+ goto out;
+ MALLOC(pth, char *, MNAMELEN, M_TEMP, M_WAITOK);
error = copyinstr(path, pth, MNAMELEN-1, &len);
if (error)
- return (error);
+ goto out;
memset(&pth[len], 0, MNAMELEN - len);
+ MALLOC(hst, char *, MNAMELEN, M_TEMP, M_WAITOK);
error = copyinstr(args.hostname, hst, MNAMELEN-1, &len);
if (error)
- return (error);
+ goto out;
memset(&hst[len], 0, MNAMELEN - len);
- /* sockargs() call must be after above copyin() calls */
- error = sockargs(&nam, (caddr_t)args.addr, args.addrlen, MT_SONAME);
- if (error)
- return (error);
args.fh = nfh;
error = mountnfs(&args, mp, nam, pth, hst, &vp, p);
+
+ out:
+ FREE(nfh, M_TEMP);
+ if (pth)
+ FREE(pth, M_TEMP);
+ if (hst)
+ FREE(hst, M_TEMP);
+
return (error);
}
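Review bot: Moving sockargs() ahead of the fhsize check and the copyin() calls leaks the mbuf it places in `nam`: the `return (EINVAL)` after the fhsize check and every `goto out` before mountnfs() run without `m_freem(nam)`, and `out:` releases only nfh/pth/hst — which is exactly why the removed comment required sockargs() to come after the copyin() calls, so the retained comment `/* sockargs() call must be after above copyin() calls */` now states the opposite of what the code does. The smallest fix is to keep the original order: drop the new block and, after the `memset(&hst[len], ...)` line and before `args.fh = nhf;`-style assignment `args.fh = nfh;`, call `error = sockargs(&nam, (caddr_t)args.addr, args.addrlen, MT_SONAME);` / `if (error) goto out;`, so no mbuf exists yet on any path that jumps to `out`. If the early placement is intentional, each pre-mountnfs failure path must `m_freem(nam)` instead, and a free at `out:` must be conditional on mountnfs() not having been reached, since mountnfs() presumably owns `nam` once called (its error path is outside this hunk — confirm whether it frees `nam` before adding another free). Separately, `FREE(nfh, M_TEMP)` is unconditional while pth/hst are guarded; that is correct only because nfh is allocated before the first `goto out`, so either guard it like the others or note the invariant in a comment.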
@@ -628,7 +639,7 @@ mountnfs(argp, mp, nam, pth, hst, vpp, p
struct nfsmount *nmp;
struct nfsnode *np;
int error;
- struct vattr attrs;
+ struct vattr *attrs;
struct ucred *cr;
/*
@@ -727,15 +738,17 @@ mountnfs(argp, mp, nam, pth, hst, vpp, p
if (error)
goto bad;
*vpp = NFSTOV(np);
- VOP_GETATTR(*vpp, &attrs, p->p_ucred, p);
+ MALLOC(attrs, struct vattr *, sizeof(struct vattr), M_TEMP, M_WAITOK);
+ VOP_GETATTR(*vpp, attrs, p->p_ucred, p);
if ((nmp->nm_flag & NFSMNT_NFSV3) && ((*vpp)->v_type == VDIR)) {
cr = crget();
- cr->cr_uid = attrs.va_uid;
- cr->cr_gid = attrs.va_gid;
+ cr->cr_uid = attrs->va_uid;
+ cr->cr_gid = attrs->va_gid;
cr->cr_ngroups = 0;
nfs_cookieheuristic(*vpp, &nmp->nm_iflag, p, cr);
crfree(cr);
}
+ FREE(attrs, M_TEMP);
/*
* A reference count is needed on the nfsnode representing the
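Review bot: The return value of the new `VOP_GETATTR(*vpp, attrs, p->p_ucred, p);` call is still discarded, so if the getattr fails `attrs->va_uid`/`attrs->va_gid` are read from a MALLOC'd M_TEMP buffer that was never written (no M_ZERO flag) and used to build the ucred handed to nfs_cookieheuristic(); the heap allocation carries this pre-existing hazard over unchanged. Capture it and gate the heuristic on success: `error = VOP_GETATTR(*vpp, attrs, p->p_ucred, p);` and `if (error == 0 && (nmp->nm_flag & NFSMNT_NFSV3) && ((*vpp)->v_type == VDIR)) {` — then either `goto bad` on failure (after freeing attrs) or reset `error = 0` after `FREE(attrs, M_TEMP)` if the mount should still succeed without the cookie heuristic; which is right depends on the function's tail, which lies outside this hunk. A short comment on the MALLOC, `/* struct vattr lives on the heap to keep it off the kernel stack on this deep call path */`, would explain the otherwise odd allocate/free pair around a single call.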
--ELM728330593-3077-0_--