Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 21 Jul 2013 23:38:56 -0700
From:      Adrian Chadd <adrian@freebsd.org>
To:        Craig Rodrigues <rodrigc@freebsd.org>
Cc:        "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: VIMAGE + PF crash in mbuf destructor
Message-ID:  <CAJ-VmokdrcpmgCGdt0bXWj2urtNQkiS7cw-Cifs3isvaserYCg@mail.gmail.com>
In-Reply-To: <CAG=rPVfxFiOVOeSyDP=wBubNQCHK5dqcgBBaJjeS6XXtSZSZqg@mail.gmail.com>
References:  <CAG=rPVfxFiOVOeSyDP=wBubNQCHK5dqcgBBaJjeS6XXtSZSZqg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
hm. There's lots of mbuf free calls in the net80211 TX and RX path; do
we have to have to set the vnet context during the whole tx/rx path?



-adrian

On 21 July 2013 23:32, Craig Rodrigues <rodrigc@freebsd.org> wrote:
> Hi,
>
> I used a kernel config with the following lines:
>
> include GENERIC
> options VIMAGE
>
> and compiled a CURRENT kernel from svn://svn.freebsd.org/base/head@253346 .
>
> I also have PF enabled on my system.
>
> Once in a while I have been getting kernel panics like these:
>
>
> ====================================================================
> (kgdb) #0  doadump (textdump=1) at pcpu.h:236
> #1  0xffffffff808bc617 in kern_reboot (howto=260)
>     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:447
> #2  0xffffffff808bcb25 in vpanic (fmt=<value optimized out>,
>     ap=<value optimized out>)
>     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:754
> #3  0xffffffff808bcb73 in panic (fmt=<value optimized out>)
>     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:683
> #4  0xffffffff8033dff7 in db_panic (addr=<value optimized out>,
>     have_addr=<value optimized out>, count=<value optimized out>,
>     modif=<value optimized out>)
>     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:482
> #5  0xffffffff8033dbcd in db_command (cmd_table=<value optimized out>)
>     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:449
> #6  0xffffffff8033d944 in db_command_loop ()
>     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:502
> #7  0xffffffff803402f0 in db_trap (type=<value optimized out>, code=0)
>     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_main.c:231
> #8  0xffffffff808f3623 in kdb_trap (type=12, code=0, tf=<value optimized
> out>)
>     at /usr/home/rodrigc/freebsd/head/sys/kern/subr_kdb.c:654
> #9  0xffffffff80cda43a in trap_fatal (frame=0xffffff811dbab6b0,
>     eva=<value optimized out>)
>     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:868
> #10 0xffffffff80cda6f4 in trap_pfault (frame=0x0, usermode=0)
>     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:699
> #11 0xffffffff80cd9ef0 in trap (frame=0xffffff811dbab6b0)
>     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:463
> #12 0xffffffff80cc31a2 in calltrap ()
>     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/exception.S:232
> #13 0xffffffff8208f7b7 in pf_mtag_free (t=0xfffffe00a8797870)
>     at
> /usr/home/rodrigc/freebsd/head/sys/modules/pf/../../netpfil/pf/pf.c:830
> #14 0xffffffff808a51c9 in mb_dtor_mbuf (mem=0xfffffe000d0bc500, size=256,
>     arg=0x0) at /usr/home/rodrigc/freebsd/head/sys/kern/kern_mbuf.c:499
> #15 0xffffffff80b55d4d in uma_zfree_arg (zone=0xfffffe000b4ab900,
>     item=0xfffffe000d0bc500, udata=0x0)
>     at /usr/home/rodrigc/freebsd/head/sys/vm/uma_core.c:2560
> #16 0xffffffff8092d1f5 in m_freem (mb=<value optimized out>) at uma.h:364
> #17 0xffffffff8058ba72 in iwn_tx_done (sc=0xffffff8000974000,
>     desc=<value optimized out>, ackfailcnt=16, status=131 '\203')
>     at /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:2817
> #18 0xffffffff80583e60 in iwn_notif_intr (sc=0xffffff8000974000)
>     at /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:3015
> #19 0xffffffff80583684 in iwn_intr (arg=0xffffff8000974000)
>     at /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:3306
> #20 0xffffffff8088daf3 in intr_event_execute_handlers (
>     p=<value optimized out>, ie=0xfffffe000b696600)
>     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_intr.c:1263
> #21 0xffffffff8088e4c6 in ithread_loop (arg=0xfffffe000b31b040)
>     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_intr.c:1276
> #22 0xffffffff8088b3f4 in fork_exit (
>     callout=0xffffffff8088e420 <ithread_loop>, arg=0xfffffe000b31b040,
>     frame=0xffffff811dbabac0)
>     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_fork.c:991
> #23 0xffffffff80cc36de in fork_trampoline ()
>     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/exception.S:606
> #24 0x0000000000000000 in ?? ()
> Current language:  auto; currently minimal
> (kgdb)
> ====================================================================
>
>
> It turns out that in this file: src/sys/netpfil/pf/pf.c
>
>     826 static void
>     827 pf_mtag_free(struct m_tag *t)
>     828 {
>     829
>     830         uma_zfree(V_pf_mtag_z, t);
>     831 }
>
> when line 830 is hit, it turns out that curthread->td_vnet is NULL.
>
> Does anyone have an idea as to the best place
> to put CURVNET_SET() to avoid this problem?
>
> I am a little less famiiar with mbuf and pf.
>
> Thanks.
> --
> Craig
>
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ-VmokdrcpmgCGdt0bXWj2urtNQkiS7cw-Cifs3isvaserYCg>