VIMAGE + PF crash in mbuf destructor

Marko Zec zec at fer.hr
Mon Jul 22 13:06:41 UTC 2013


On Monday 22 July 2013 08:57:43 Craig Rodrigues wrote:
> On Sun, Jul 21, 2013 at 11:38 PM, Adrian Chadd <adrian at freebsd.org> wrote:
> > hm. There's lots of mbuf free calls in the net80211 TX and RX path; do
> > we have to have to set the vnet context during the whole tx/rx path?
>
> I'm not sure about that.
> In src/sys/netpfil/pf/pf.c, we have this in pf_initialize():
>
>     751         /* Mbuf tags */
>     752         V_pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct
> m_tag) + 753             sizeof(struct pf_mtag), NULL, NULL,
> pf_mtag_init, NULL, 754             UMA_ALIGN_PTR, 0);
>
> and further down this:
>
>     812 static int
>     813 pf_mtag_init(void *mem, int size, int how)
>     814 {
>     815         struct m_tag *t;
>     816
>     817         t = (struct m_tag *)mem;
>     818         t->m_tag_cookie = MTAG_ABI_COMPAT;
>     819         t->m_tag_id = PACKET_TAG_PF;
>     820         t->m_tag_len = sizeof(struct pf_mtag);
>     821         t->m_tag_free = pf_mtag_free;
>     822
>     823         return (0);
>     824 }
>     825
>     826 static void
>     827 pf_mtag_free(struct m_tag *t)
>     828 {
>     829
>     830         uma_zfree(V_pf_mtag_z, t);
>     831 }
>
>
> Can we somehow modify pf_mtag_init() so that it passes the
> vnet into the pf_mtag?
> Then we can call CURVNET_SET/CURVNET_RESTORE in pf_mtag_free().

I'd say just de-virtualize V_pf_mtag_z, and you're done.

Marko


> --
> Craig
>
> > -adrian
> >
> > On 21 July 2013 23:32, Craig Rodrigues <rodrigc at freebsd.org> wrote:
> > > Hi,
> > >
> > > I used a kernel config with the following lines:
> > >
> > > include GENERIC
> > > options VIMAGE
> > >
> > > and compiled a CURRENT kernel from svn://
> >
> > svn.freebsd.org/base/head at 253346 .
> >
> > > I also have PF enabled on my system.
> > >
> > > Once in a while I have been getting kernel panics like these:
> > >
> > >
> > > ====================================================================
> > > (kgdb) #0  doadump (textdump=1) at pcpu.h:236
> > > #1  0xffffffff808bc617 in kern_reboot (howto=260)
> > >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:447
> > > #2  0xffffffff808bcb25 in vpanic (fmt=<value optimized out>,
> > >     ap=<value optimized out>)
> > >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:754
> > > #3  0xffffffff808bcb73 in panic (fmt=<value optimized out>)
> > >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:683
> > > #4  0xffffffff8033dff7 in db_panic (addr=<value optimized out>,
> > >     have_addr=<value optimized out>, count=<value optimized out>,
> > >     modif=<value optimized out>)
> > >     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:482
> > > #5  0xffffffff8033dbcd in db_command (cmd_table=<value optimized
> > > out>) at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:449 #6 
> > > 0xffffffff8033d944 in db_command_loop ()
> > >     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:502
> > > #7  0xffffffff803402f0 in db_trap (type=<value optimized out>,
> > > code=0) at /usr/home/rodrigc/freebsd/head/sys/ddb/db_main.c:231
> > > #8  0xffffffff808f3623 in kdb_trap (type=12, code=0, tf=<value
> > > optimized out>)
> > >     at /usr/home/rodrigc/freebsd/head/sys/kern/subr_kdb.c:654
> > > #9  0xffffffff80cda43a in trap_fatal (frame=0xffffff811dbab6b0,
> > >     eva=<value optimized out>)
> > >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:868
> > > #10 0xffffffff80cda6f4 in trap_pfault (frame=0x0, usermode=0)
> > >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:699
> > > #11 0xffffffff80cd9ef0 in trap (frame=0xffffff811dbab6b0)
> > >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:463
> > > #12 0xffffffff80cc31a2 in calltrap ()
> > >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/exception.S:232
> > > #13 0xffffffff8208f7b7 in pf_mtag_free (t=0xfffffe00a8797870)
> > >     at
> > > /usr/home/rodrigc/freebsd/head/sys/modules/pf/../../netpfil/pf/pf.c:8
> > >30 #14 0xffffffff808a51c9 in mb_dtor_mbuf (mem=0xfffffe000d0bc500,
> > > size=256, arg=0x0) at
> > > /usr/home/rodrigc/freebsd/head/sys/kern/kern_mbuf.c:499 #15
> > > 0xffffffff80b55d4d in uma_zfree_arg (zone=0xfffffe000b4ab900,
> > > item=0xfffffe000d0bc500, udata=0x0)
> > >     at /usr/home/rodrigc/freebsd/head/sys/vm/uma_core.c:2560
> > > #16 0xffffffff8092d1f5 in m_freem (mb=<value optimized out>) at
> > > uma.h:364 #17 0xffffffff8058ba72 in iwn_tx_done
> > > (sc=0xffffff8000974000, desc=<value optimized out>, ackfailcnt=16,
> > > status=131 '\203') at
> > > /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:2817 #18
> > > 0xffffffff80583e60 in iwn_notif_intr (sc=0xffffff8000974000) at
> > > /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:3015 #19
> > > 0xffffffff80583684 in iwn_intr (arg=0xffffff8000974000)
> > >     at /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:3306
> > > #20 0xffffffff8088daf3 in intr_event_execute_handlers (
> > >     p=<value optimized out>, ie=0xfffffe000b696600)
> > >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_intr.c:1263
> > > #21 0xffffffff8088e4c6 in ithread_loop (arg=0xfffffe000b31b040)
> > >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_intr.c:1276
> > > #22 0xffffffff8088b3f4 in fork_exit (
> > >     callout=0xffffffff8088e420 <ithread_loop>,
> > > arg=0xfffffe000b31b040, frame=0xffffff811dbabac0)
> > >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_fork.c:991
> > > #23 0xffffffff80cc36de in fork_trampoline ()
> > >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/exception.S:606
> > > #24 0x0000000000000000 in ?? ()
> > > Current language:  auto; currently minimal
> > > (kgdb)
> > > ====================================================================
> > >
> > >
> > > It turns out that in this file: src/sys/netpfil/pf/pf.c
> > >
> > >     826 static void
> > >     827 pf_mtag_free(struct m_tag *t)
> > >     828 {
> > >     829
> > >     830         uma_zfree(V_pf_mtag_z, t);
> > >     831 }
> > >
> > > when line 830 is hit, it turns out that curthread->td_vnet is NULL.
> > >
> > > Does anyone have an idea as to the best place
> > > to put CURVNET_SET() to avoid this problem?
> > >
> > > I am a little less famiiar with mbuf and pf.
> > >
> > > Thanks.
> > > --
> > > Craig
>
> _______________________________________________
> freebsd-virtualization at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-virtualization
> To unsubscribe, send any mail to
> "freebsd-virtualization-unsubscribe at freebsd.org"




More information about the freebsd-pf mailing list