[Bug 251462] Failing transfers over nfsv4 with krb5i on CPU with SHA acceleration

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251462

            Bug ID: 251462
           Summary: Failing transfers over nfsv4 with krb5i on CPU with
                    SHA acceleration
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: zaltys at inbox.ru

Initially I stumbled on this problem on TrueNAS12, but for debug purposes
reproduced it on FreeBSD 12.0, 12.1, and 12.2, because TrueNAS uses FreeBSD as
upstream/base OS.

I have setup an FreeBSD 12.x nfsv4 server requiring krb5i (note "i" - with
integrity). Clients are Linux 5.8. Everything is joined to Active Directory and
using aes256-cts-hmac-sha1-96 as cipher suite for kerberos. 

The problem:

If I run FreeBSD server inside VM on Intel Atom C3558 CPU, only small file 
transfers succeed. Files transfers over 200MB become increasingly unreliable:
they either hang (server timeout) or terminate with input/output error. After
network traffic ceases, gssd on server still has high CPU usage for a while.
Server side logs do not contain anything related. This CPU has AES-NI and SHA
support.

What I have tried to narrow the culprit down:
1) Downgrading the security to krb5 (no integrity, just auth) fixed the
transfers and saturated gigabit link.
2) Disabling aesni module fixed the failing transfers with krb5i.
3) Patching aesni module (so that detection of CPU support for SHA always
failed) also fixed the failing transfers even with aesni module loaded.

-- 
You are receiving this mail because:
You are the assignee for the bug.