From owner-freebsd-net@freebsd.org  Mon Dec 14 00:07:24 2015
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0074EA14293
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Mon, 14 Dec 2015 00:07:24 +0000 (UTC)
 (envelope-from ralsaadi@swin.edu.au)
Received: from iport1.cc.swin.edu.au (iport1.cc.swin.edu.au [136.186.0.49])
 by mx1.freebsd.org (Postfix) with ESMTP id 2EC2F1C57
 for <freebsd-net@freebsd.org>; Mon, 14 Dec 2015 00:07:22 +0000 (UTC)
 (envelope-from ralsaadi@swin.edu.au)
X-IronPort-AV: E=Sophos;i="5.20,424,1444654800"; d="scan'208";a="15734189"
Received: from gsp-ex03.ds.swin.edu.au (HELO outlook.swin.edu.au)
 ([136.186.126.19])
 by iport1.cc.swin.edu.au with ESMTP; 14 Dec 2015 11:06:13 +1100
Received: from GSP-EX02.ds.swin.edu.au ([169.254.2.2]) by
 gsp-ex03.ds.swin.edu.au ([169.254.3.127]) with mapi id 14.03.0248.002; Mon,
 14 Dec 2015 11:06:13 +1100
From: Rasool Al-Saadi <ralsaadi@swin.edu.au>
To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Random kernel panic when unloading Dummynet module in multicore
 processor
Thread-Topic: Random kernel panic when unloading Dummynet module in
 multicore processor
Thread-Index: AdE2AqZsQe+FMyqeQvO4bfEq/b84EQ==
Date: Mon, 14 Dec 2015 00:06:12 +0000
Message-ID: <6545444AE21C2749939E637E56594CEA3C10B9DA@gsp-ex02.ds.swin.edu.au>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [136.186.126.11]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2015 00:07:24 -0000

Hi everyone,

I am not sure if this bug was reported before or not (I didn't find exact p=
roblem) .=20

When I try to unload dummynet module (kldunload dummynet) in FreeBSD11-CURR=
ENT, sometimes the system is halt or panic. I noticed that this only happen=
s with multicore processor.
When I disable all CPU's cores except one (using hint.lapic.x.disabled=3D1)=
, the panic does not appear.
I tried to reproduce the panic in a system with Intel Core 2 Due 2.33HGz pr=
ocessor and also in VirtualBox VM (I set number of processors in VM setting=
 to 2), and in both cases I got system panic.

Most of the times the panic is:
Fatal trap 12: page fault while in kernel mode
...
Stopped at  callout_process+...

Kernel version:
FreeBSD 11.0-CURRENT #0 r291495: Mon Nov 30 23:14:34 UTC 2015     root@rele=
ng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

To reproduce the panic:
Run 'kldload dummynet && kldunload dummynet' many times (or write a shell s=
cript loop to do that)

Debug Info:

DUMMYNET 0 with IPv6 initialized (100409)
load_dn_sched dn_sched FIFO loaded
load_dn_sched dn_sched QFQ loaded
load_dn_sched dn_sched RR loaded
load_dn_sched dn_sched WF2Q+ loaded
load_dn_sched dn_sched PRIO loaded
unload_dn_sched dn_sched PRIO unloaded
unload_dn_sched dn_sched WF2Q+ unloaded
unload_dn_sched dn_sched RR unloaded
unload_dn_sched dn_sched QFQ unloaded
unload_dn_sched dn_sched FIFO unloaded
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid =3D 0; apic id =3D 00
fault virtual address   =3D 0xffffffff82251c68
fault code              =3D supervisor read data, page not present
instruction pointer     =3D 0x20:0xffffffff80a36c50
stack pointer           =3D 0x28:0xfffffe0116b0c710
frame pointer           =3D 0x28:0xfffffe0116b0c7a0
code segment            =3D base 0x0, limit 0xfffff, type 0x1b
                        =3D DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        =3D resume, IOPL =3D 0
current process         =3D 11 (idle: cpu0)

Backtrace:

#0  doadump (textdump=3D380682592) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) backtrace
#0  doadump (textdump=3D380682592) at pcpu.h:221
#1  0xffffffff8037d906 in db_fncall (dummy1=3D<value optimized out>,
    dummy2=3D<value optimized out>, dummy3=3D<value optimized out>,
    dummy4=3D<value optimized out>) at /usr/src/sys/ddb/db_command.c:568
#2  0xffffffff8037d39e in db_command (cmd_table=3D0x0)
    at /usr/src/sys/ddb/db_command.c:440
#3  0xffffffff8037d134 in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:493
#4  0xffffffff8037fbcb in db_trap (type=3D<value optimized out>, code=3D0)
    at /usr/src/sys/ddb/db_main.c:251
#5  0xffffffff80a5e593 in kdb_trap (type=3D12, code=3D0, tf=3D<value optimi=
zed out>)
    at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80e69d01 in trap_fatal (frame=3D0xfffffe0116b0c660,
    eva=3D<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:829
#7  0xffffffff80e69f4d in trap_pfault (frame=3D0xfffffe0116b0c660,
    usermode=3D<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:68=
4
#8  0xffffffff80e6967f in trap (frame=3D0xfffffe0116b0c660)
    at /usr/src/sys/amd64/amd64/trap.c:435
#9  0xffffffff80e49447 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:234
#10 0xffffffff80a36c50 in callout_process (now=3D307238251753)
    at /usr/src/sys/kern/kern_timeout.c:480
#11 0xffffffff80f6809d in handleevents (now=3D307238251753, fake=3D0)
    at /usr/src/sys/kern/kern_clocksource.c:212
#12 0xffffffff80f68725 in timercb (et=3D<value optimized out>,
    arg=3D<value optimized out>) at /usr/src/sys/kern/kern_clocksource.c:34=
5
#13 0xffffffff80e6f766 in hpet_intr_single (arg=3D<value optimized out>)
    at /usr/src/sys/dev/acpica/acpi_hpet.c:273
#14 0xffffffff80e6f819 in hpet_intr (arg=3D0xfffffe0000dcb000)
    at /usr/src/sys/dev/acpica/acpi_hpet.c:291
#15 0xffffffff809e9f9c in intr_event_handle (ie=3D0xfffff80003ca1a00,
    frame=3D0xfffffe0116b0c970) at /usr/src/sys/kern/kern_intr.c:1436
#16 0xffffffff80fa1fb8 in intr_execute_handlers (isrc=3D0xfffff80003cea590,
    frame=3D0xfffffe0116b0c970) at /usr/src/sys/x86/x86/intr_machdep.c:275
#17 0xffffffff80fa6a78 in lapic_handle_intr (vector=3D<value optimized out>=
,
    frame=3D0xfffffe0116b0c970) at /usr/src/sys/x86/x86/local_apic.c:1008
#18 0xffffffff80e49b27 in Xapic_isr1 () at apic_vector.S:116
#19 0xffffffff80f9f6b6 in acpi_cpu_c1 ()
    at /usr/src/sys/x86/x86/cpu_machdep.c:133
#20 0xffffffff8039f855 in acpi_cpu_idle (sbt=3D<value optimized out>)
    at /usr/src/sys/dev/acpica/acpi_cpu.c:1157
#21 0xffffffff80f9f99f in cpu_idle_acpi (sbt=3D160862)
    at /usr/src/sys/x86/x86/cpu_machdep.c:263
#22 0xffffffff80f9fa47 in cpu_idle (busy=3D0)
    at /usr/src/sys/x86/x86/cpu_machdep.c:415
#23 0xffffffff80a4c565 in sched_idletd (dummy=3D<value optimized out>)
    at /usr/src/sys/kern/sched_ule.c:2688
#24 0xffffffff809e7714 in fork_exit (
    callout=3D0xffffffff80a4c0c0 <sched_idletd>, arg=3D0x0,
    frame=3D0xfffffe0116b0cc00) at /usr/src/sys/kern/kern_fork.c:1011
#25 0xffffffff80e4997e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:609
#26 0x0000000000000000 in ?? ()


Cheers,
Rasool