From owner-freebsd-current@FreeBSD.ORG  Wed May 13 05:45:32 2015
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 84938161;
 Wed, 13 May 2015 05:45:32 +0000 (UTC)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com
 [IPv6:2607:f8b0:4003:c06::22c])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4E15E1EB3;
 Wed, 13 May 2015 05:45:32 +0000 (UTC)
Received: by oica37 with SMTP id a37so23323596oic.0;
 Tue, 12 May 2015 22:45:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=PkJuGgt3/wgtOcacQCyc0iq2F0U3sEER/NjFA5rYLc0=;
 b=NgbX2FfXyGwYWbN+RVZ5IB865F8+pLlaGQdeJVF19WXi+3Rnd1A6qblFWRW52P1eDT
 BJad/5H3cRA4Wdvrb/nbN+gexcRpS25I80pcE9+ufWyN0emXfUktR/2wbkkmk9p7XGGQ
 FypkV/Evh5lAU2d3VrDsthqKRFpQa3wrlsD0n+ACPqNSi5ctTtPfjnwIwROOtLeltMx5
 YaQVmrP79T+Dvqg6P6S/QgLWp8kLVZxxdzrO7IiFiAuIdmBeRW8y043gTua9z+r0d8jx
 IAbf+k3HyanbgWOS0uo2URatVH+8fqLkSh7Z4j7dwp6qNxdAd+TFxL14kO1wcxlt/fzx
 Ll9w==
MIME-Version: 1.0
X-Received: by 10.60.123.83 with SMTP id ly19mr14655770oeb.13.1431495930885;
 Tue, 12 May 2015 22:45:30 -0700 (PDT)
Received: by 10.202.214.133 with HTTP; Tue, 12 May 2015 22:45:30 -0700 (PDT)
In-Reply-To: <55526EDD.4050105@freebsd.org>
References: <55526EDD.4050105@freebsd.org>
Date: Wed, 13 May 2015 08:45:30 +0300
Message-ID: <CAE-mSOK1o--DaYCyuGQLM4AtrQ=Wf=DEvtS2EkaxdmtPcwir-A@mail.gmail.com>
Subject: Re: Panic using QLogic NetXtreme II BCM57810 with latest CURRENT
 snapshot
From: Sergey Kandaurov <pluknet@gmail.com>
To: Niclas Zeising <zeising@freebsd.org>
Cc: current <current@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 05:45:32 -0000

On 13 May 2015 at 00:21, Niclas Zeising <zeising@freebsd.org> wrote:
> Hi!
> I got the following panic with a QLogic NetXtreme II BCM57810 when
> trying to assign an IP address using dhclient.  The network card uses
> the bxe driver.  The machine in question is a HP DL380 Gen9.
>
> Kernel page fault with the following non-sleepable locks held:
> shared rw if_addr_lock (if_addr_lock) locked @ /usr/src/sys/net/if.c:1539
> exclusive sleep mutex bxe0_mcast_lock lockeed @
> /usr/src/sys/dev/bxe/bxe.c:12548
>
> See screenshots at the links below for details and a stack trace.
> I can provoke this panic at will, let me know if you need more details.
>  Unfortunately I don't have access to a console where I can copy things
> out currently, so screenshots have to do.
>
> Screenshot 1: https://people.freebsd.org/~zeising/panic1.png
> Screenshot 2: https://people.freebsd.org/~zeising/panic2.png
>

I'm not in any way a network/bxe expert, and this is probably unrelated,
but I see there at least a missing unlock at the error path.

Index: sys/dev/bxe/bxe.c
===================================================================
--- sys/dev/bxe/bxe.c   (revision 282468)
+++ sys/dev/bxe/bxe.c   (working copy)
@@ -12551,6 +12551,7 @@
     rc = ecore_config_mcast(sc, &rparam, ECORE_MCAST_CMD_DEL);
     if (rc < 0) {
         BLOGE(sc, "Failed to clear multicast configuration: %d\n", rc);
+        BXE_MCAST_UNLOCK(sc);
         return (rc);
     }

BXE_MCAST_LOCK acquires two locks: sc mutex, and if_maddr_rlock(ifp)

OTOH, in bxe_init_mcast_macs_list(), down the path, if_maddr_rlock is acquired
(and released) one more time: in if_multiaddr_array / if_multiaddr_count
functions. Is it recursive?

Another one is bcopy under lock. It is probably inlined
under bxe_handle_rx_mode_tq() in ddb, so the actual place
where it's called is not visible.
My guess is bcopy in bxe_init_mcast_macs_list():

         bcopy((mta + (i * ETHER_ADDR_LEN)), mc_mac->mac, ETHER_ADDR_LEN);

Previously, there was a pointer assignment, see stable/10:

        mc_mac->mac = (uint8_t *)LLADDR((struct sockaddr_dl *)ifma->ifma_addr);

mc_mac itself is malloc(M_ZERO)'ed, so that mc_mac->mac is NULL.

Probably bcopy should be restored to assignment (not even compile tested):

Index: sys/dev/bxe/bxe.c
===================================================================
--- sys/dev/bxe/bxe.c   (revision 282468)
+++ sys/dev/bxe/bxe.c   (working copy)
@@ -12506,7 +12506,7 @@
                                                       to be  different */
     for(i=0; i< mcnt; i++) {

-        bcopy((mta + (i * ETHER_ADDR_LEN)), mc_mac->mac, ETHER_ADDR_LEN);
+        mc_mac->mac = (uint8_t *)(mta + (i * ETHER_ADDR_LEN));
         ECORE_LIST_PUSH_TAIL(&mc_mac->link, &p->mcast_list);

         BLOGD(sc, DBG_LOAD,

-- 
wbr,
pluknet