bin/58021: wg-userspace(8) crashes on psref abuse without binding to rump CPU

[campbell+netbsd%mumble.net@localhost]

>Number:         58021
>Category:       bin
>Synopsis:       wg-userspace(8) crashes on psref abuse without binding to rump CPU
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 09 20:25:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10
>Organization:
The NetWG Userspace
>Environment:
>Description:
kernel diagnostic assertion "(psref->psref_cpu == curcpu())" failed: file "/home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/subr_psref.c", line 360 passive reference transferred from CPU 1 to CPU 0

#0  0x00007c4ed6b9114a in _lwp_kill () from /usr/lib/libc.so.12
#1  0x00007c4ed6b9163a in abort ()
    at /home/riastradh/netbsd/10/src/lib/libc/stdlib/abort.c:74
#2  0x00007c4ed76094ef in rumpuser_exit (rv=rv@entry=-1)
    at /home/riastradh/netbsd/10/src/lib/librumpuser/rumpuser.c:236
#3  0x00007c4ed82d9413 in cpu_reboot (howto=<optimized out>,
    bootstr=<optimized out>)
    at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/librump/rumpkern/emul.c:431
#4  0x00007c4ed82833c8 in kern_reboot (howto=4, bootstr=0x0)
    at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/kern_reboot.c:73
#5  0x00007c4ed82827a4 in vpanic (
    fmt=0x7c4ed82e6918 "kernel %sassertion \"%s\" failed: file \"%s\", line %d passive reference transferred from CPU %u to CPU %u", ap=0x7c4ec81cfb78)
    at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/subr_prf.c:291
#6  0x00007c4ed8263f6a in kern_assert (fmt=<optimized out>)
    at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../lib/libkern/kern_assert.c:51
#7  0x00007c4ed827fe6f in psref_release (psref=0x7c4ec81cfc38,
    target=0x7c4ed7597980, class=0x7c4ed78835c0)
    at /home/riastradh/netbsd/10/src/lib/librump/../../sys/rump/../kern/subr_psref.c:360
#8  0x00007c4ed44063e4 in wg_put_sa (psref=0x7c4ec81cfc38,
    wgsa=0x7c4ed7597900, wgp=<optimized out>)
    at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:1659
#9  wg_send_user (wgp=<optimized out>, m=0x7c4ed7d71038)
    at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:4946
#10 0x00007c4ed440b1f0 in wg_send_data_msg (wgp=wgp@entry=0x7c4ed7467000,
    wgs=wgs@entry=0x7c4ed7487840, m=<optimized out>)
    at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:4040
#11 0x00007c4ed440c484 in wg_send_keepalive_msg (wgs=0x7c4ed7487840,
    wgp=0x7c4ed7467000)
    at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:2310
#12 wg_handle_msg_resp (wg=wg@entry=0x7c4ed7508000, wgmr=0x7c4ed7d712b0,
    src=src@entry=0x7c4ec81cff40)
    at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:2033
#13 0x00007c4ed440e7fe in wg_handle_packet (wg=0x7c4ed7508000,
    m=0x7c4ed7d71240, src=0x7c4ec81cff40)
    at /home/riastradh/netbsd/10/src/sys/rump/net/lib/libwg/../../../../net/if_wg.c:2884
#14 0x00007c4ed4405864 in wg_user_rcvthread () from /usr/lib/librumpnet_wg.so
#15 0x00007c4ed720c89f in pthread__create_tramp (cookie=0x7c4ed7520400)
    at /home/riastradh/netbsd/10/src/lib/libpthread/pthread.c:595
#16 0x00007c4ed6a97950 in ?? () from /usr/lib/libc.so.12
Backtrace stopped: Cannot access memory at address 0x7c4ec81d0000

Unclear if this also applies to kernel wg(4), haven't reproduced it.
>How-To-Repeat:
leave wg-userspace(8) running for a while on a system with multiple CPUs (for some reason, this one had rump_server running with ncpu=2, even though the host has 8 threads)
>Fix:
curlwp_bind/bindx in the appropriate place