From: Craig Rodrigues
To: Adrian Chadd
Cc: "freebsd-virtualization@freebsd.org", freebsd-pf@freebsd.org
Date: Sun, 21 Jul 2013 23:57:43 -0700
Subject: Re: VIMAGE + PF crash in mbuf destructor

On Sun, Jul 21, 2013 at 11:38 PM, Adrian Chadd wrote:

> hm. There's lots of mbuf free calls in the net80211 TX and RX path; do
> we have to set the vnet context during the whole tx/rx path?
>

I'm not sure about that.

In src/sys/netpfil/pf/pf.c, we have this in pf_initialize():

    751         /* Mbuf tags */
    752         V_pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct m_tag) +
    753             sizeof(struct pf_mtag), NULL, NULL, pf_mtag_init, NULL,
    754             UMA_ALIGN_PTR, 0);

and further down this:

    812 static int
    813 pf_mtag_init(void *mem, int size, int how)
    814 {
    815         struct m_tag *t;
    816
    817         t = (struct m_tag *)mem;
    818         t->m_tag_cookie = MTAG_ABI_COMPAT;
    819         t->m_tag_id = PACKET_TAG_PF;
    820         t->m_tag_len = sizeof(struct pf_mtag);
    821         t->m_tag_free = pf_mtag_free;
    822
    823         return (0);
    824 }
    825
    826 static void
    827 pf_mtag_free(struct m_tag *t)
    828 {
    829
    830         uma_zfree(V_pf_mtag_z, t);
    831 }

Can we somehow modify pf_mtag_init() so that it passes the vnet into the
pf_mtag? Then we can call CURVNET_SET/CURVNET_RESTORE in pf_mtag_free().

--
Craig

>
> -adrian
>
> On 21 July 2013 23:32, Craig Rodrigues wrote:
> > Hi,
> >
> > I used a kernel config with the following lines:
> >
> > include GENERIC
> > options VIMAGE
> >
> > and compiled a CURRENT kernel from
> > svn://svn.freebsd.org/base/head@253346 .
> >
> > I also have PF enabled on my system.
> >
> > Once in a while I have been getting kernel panics like these:
> >
> > ====================================================================
> > (kgdb) #0  doadump (textdump=1) at pcpu.h:236
> > #1  0xffffffff808bc617 in kern_reboot (howto=260)
> >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:447
> > #2  0xffffffff808bcb25 in vpanic (fmt=,
> >     ap=)
> >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:754
> > #3  0xffffffff808bcb73 in panic (fmt=)
> >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_shutdown.c:683
> > #4  0xffffffff8033dff7 in db_panic (addr=,
> >     have_addr=, count=,
> >     modif=)
> >     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:482
> > #5  0xffffffff8033dbcd in db_command (cmd_table=)
> >     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:449
> > #6  0xffffffff8033d944 in db_command_loop ()
> >     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_command.c:502
> > #7  0xffffffff803402f0 in db_trap (type=, code=0)
> >     at /usr/home/rodrigc/freebsd/head/sys/ddb/db_main.c:231
> > #8  0xffffffff808f3623 in kdb_trap (type=12, code=0, tf= out>)
> >     at /usr/home/rodrigc/freebsd/head/sys/kern/subr_kdb.c:654
> > #9  0xffffffff80cda43a in trap_fatal (frame=0xffffff811dbab6b0,
> >     eva=)
> >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:868
> > #10 0xffffffff80cda6f4 in trap_pfault (frame=0x0, usermode=0)
> >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:699
> > #11 0xffffffff80cd9ef0 in trap (frame=0xffffff811dbab6b0)
> >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/trap.c:463
> > #12 0xffffffff80cc31a2 in calltrap ()
> >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/exception.S:232
> > #13 0xffffffff8208f7b7 in pf_mtag_free (t=0xfffffe00a8797870)
> >     at /usr/home/rodrigc/freebsd/head/sys/modules/pf/../../netpfil/pf/pf.c:830
> > #14 0xffffffff808a51c9 in mb_dtor_mbuf (mem=0xfffffe000d0bc500, size=256,
> >     arg=0x0) at /usr/home/rodrigc/freebsd/head/sys/kern/kern_mbuf.c:499
> > #15 0xffffffff80b55d4d in uma_zfree_arg (zone=0xfffffe000b4ab900,
> >     item=0xfffffe000d0bc500, udata=0x0)
> >     at /usr/home/rodrigc/freebsd/head/sys/vm/uma_core.c:2560
> > #16 0xffffffff8092d1f5 in m_freem (mb=) at uma.h:364
> > #17 0xffffffff8058ba72 in iwn_tx_done (sc=0xffffff8000974000,
> >     desc=, ackfailcnt=16, status=131 '\203')
> >     at /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:2817
> > #18 0xffffffff80583e60 in iwn_notif_intr (sc=0xffffff8000974000)
> >     at /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:3015
> > #19 0xffffffff80583684 in iwn_intr (arg=0xffffff8000974000)
> >     at /usr/home/rodrigc/freebsd/head/sys/dev/iwn/if_iwn.c:3306
> > #20 0xffffffff8088daf3 in intr_event_execute_handlers (
> >     p=, ie=0xfffffe000b696600)
> >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_intr.c:1263
> > #21 0xffffffff8088e4c6 in ithread_loop (arg=0xfffffe000b31b040)
> >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_intr.c:1276
> > #22 0xffffffff8088b3f4 in fork_exit (
> >     callout=0xffffffff8088e420 , arg=0xfffffe000b31b040,
> >     frame=0xffffff811dbabac0)
> >     at /usr/home/rodrigc/freebsd/head/sys/kern/kern_fork.c:991
> > #23 0xffffffff80cc36de in fork_trampoline ()
> >     at /usr/home/rodrigc/freebsd/head/sys/amd64/amd64/exception.S:606
> > #24 0x0000000000000000 in ?? ()
> > Current language:  auto; currently minimal
> > (kgdb)
> > ====================================================================
> >
> > It turns out that in this file: src/sys/netpfil/pf/pf.c
> >
> > 826 static void
> > 827 pf_mtag_free(struct m_tag *t)
> > 828 {
> > 829
> > 830         uma_zfree(V_pf_mtag_z, t);
> > 831 }
> >
> > when line 830 is hit, it turns out that curthread->td_vnet is NULL.
> >
> > Does anyone have an idea as to the best place
> > to put CURVNET_SET() to avoid this problem?
> >
> > I am a little less familiar with mbuf and pf.
> >
> > Thanks.
> > --
> > Craig
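
The change proposed in the reply at the top of this message (record the vnet in the tag, then wrap the free in CURVNET_SET/CURVNET_RESTORE), modeled in user space as an added example that is not part of the original thread and is not FreeBSD kernel code. The `owner` field, `free_from_interrupt`, `demo_vnet` and the integer return codes are assumptions of the model; the -1 return stands in for the fault at pf.c line 830.

```c
/* User-space model, not FreeBSD kernel code; all names are illustrative. */
#include <stdio.h>
#include <stdlib.h>

struct zone { int live; };               /* stand-in for a UMA zone */
struct vnet { struct zone pf_mtag_z; };  /* per-vnet state behind V_pf_mtag_z */
static struct vnet *curvnet;             /* models curthread->td_vnet */
static struct vnet demo_vnet;            /* constructed sample vnet */
struct tag;
typedef int (*tag_free_fn)(struct tag *);
struct tag {
    struct vnet *owner;                  /* hypothetical field: vnet at allocation */
    tag_free_fn free_fn;                 /* models m_tag_free */
};

/* Behaviour of pf.c line 830: resolves the zone through whatever vnet the
 * caller has set. Returns -1 where the kernel would fault, 0 on success. */
static int tag_free_unsafe(struct tag *t) {
    if (curvnet == NULL) return -1;
    curvnet->pf_mtag_z.live--;
    free(t);
    return 0;
}

/* Proposed shape: enter the tag's own vnet around the free. */
static int tag_free_saved(struct tag *t) {
    struct vnet *saved = curvnet;        /* CURVNET_SET(t->owner) */
    curvnet = t->owner;
    int rc = tag_free_unsafe(t);
    curvnet = saved;                     /* CURVNET_RESTORE() */
    return rc;
}

/* Allocate with a vnet set, then free with none set, as in the backtrace. */
static int free_from_interrupt(struct vnet *vn, tag_free_fn fn) {
    struct tag *t = malloc(sizeof(*t));
    if (t == NULL) return -2;
    curvnet = vn;                        /* allocation path has a vnet */
    t->owner = curvnet; t->free_fn = fn;
    vn->pf_mtag_z.live++;
    curvnet = NULL;                      /* driver interrupt thread: no vnet */
    int rc = t->free_fn(t);
    if (rc != 0) free(t);                /* model only: do not leak */
    return rc;
}

int main(void) {
    printf("unsafe=%d\n", free_from_interrupt(&demo_vnet, tag_free_unsafe));
    printf("saved=%d\n", free_from_interrupt(&demo_vnet, tag_free_saved));
    return 0;
}
```

A vnet pointer stored in the tag is only safe while that vnet outlives every tag that records it; the model does not cover vnet teardown.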