Date: Thu, 25 Jun 2009 22:57:45 -0700 From: Kip Macy <kmacy@freebsd.org> To: Andrew Gallatin <gallatin@cs.duke.edu> Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Sam Leffler <sam@freebsd.org>, src-committers@freebsd.org Subject: Re: svn commit: r194909 - head/sys/dev/mxge Message-ID: <3c1674c90906252257q7fe4c725m3840b2bb3c8aeb51@mail.gmail.com> In-Reply-To: <4A42D629.8060806@cs.duke.edu> References: <200906242109.n5OL9uVb029380@svn.freebsd.org> <4A42983C.6050307@freebsd.org> <4A42D629.8060806@cs.duke.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
This is my bug. Hold off for a day or two. -Kip On Wed, Jun 24, 2009 at 6:43 PM, Andrew Gallatin<gallatin@cs.duke.edu> wrot= e: > Sam Leffler wrote: > >> There's something else wrong. =A0This is just covering up the real bug. > > I'm pretty sure the "real bug" is in bpf, but I'm not sure its a bug, > and I suspect there are probably other, similar, bugs lurking when > you try to tear down a busy interface. > > What I was doing was: > > - point a packet generator offering 1.5Mpps at the NIC > > - in a tight shell loop, do > > while (1) > =A0 =A0 =A0 =A0tcpdump -ni mxge0 host 172.31.0.1 > end > > - in another shell loop: > > while (1) > =A0 =A0 =A0 =A0ifconfig mxge0 192.168.1.22 up > =A0 =A0 =A0 =A0sleep 1 > =A0 =A0 =A0 =A0kldunload if_mxge > end > > Before the commit, with the old order: > > =A0 =A0 =A0 lock() > =A0 =A0 =A0 close() > =A0 =A0 =A0 unlock() > =A0 =A0 =A0 ether_ifdetach() > > I'd see either an exhaustion of mbufs because tcpdump snuck in after > I'd closed the device and re-opened it on me (so I never closed it > again, resulting in leaked mbufs), or a panic. > > I then moved the ether_ifdetach() to the new position: > =A0 =A0 =A0 ether_ifdetach() > =A0 =A0 =A0 lock() > =A0 =A0 =A0 close() > =A0 =A0 =A0 unlock() > > This worked great until I started the packet generator, > then it crashed. =A0 The stack I saw (which I don't have > saved, so this is from memory) when I had ether_ifdetach() > first was: > > > panic: mtx_lock() (don't remember exact text) > bpf_mtap() > ether_input() > mxge_rx_done_small() > mxge_clean_rx_done() > mxge_intr() > <...> > > When I looked at the ifp in kgdb, I noticed that all the operations > (if_input(), if_output(), etc) pointed to ifdead_* > The machine I'm using for this is a MacPro, and I can't get ddb > to work on the USB based console, so I'm working purely from dumps. > I don't know how to get a stack of another process in kgdb on > amd64, so that's all the information I have. > > My assumption is that my interrupt thread was running when > ether_ifdetach() called bpfdetach(), and was starting bpf_mtap() > while bpfdetach() was destroying the bpf_if. =A0There doesn't > seem to be anything to prevent bpfdetach() from racing with > bpf_mtap(). > > By calling my close() routine (with a dying flag so nothing can > sneak in before detach), I'm assured that my NIC is quiescent, > and cannot be calling into the stack while the interface is being > torn down. =A0I'd prefer to leave my commit as-is because: > > 1) it works, and fixes a bug > 2) it can be MFC'ed as is > 3) it just feels wrong to be blasting packets up into the stack > =A0 while detaching. =A0With this NIC, the best way to make it > =A0 quiescent is to call close(). =A0There's an interrupt handshake > =A0 done with the NIC to ensure its is quiescent, so doing something > =A0 like disabling its interrupt could leave the things in a weird state. > > Drew > --=20 When bad men combine, the good must associate; else they will fall one by one, an unpitied sacrifice in a contemptible struggle. Edmund Burke
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3c1674c90906252257q7fe4c725m3840b2bb3c8aeb51>