From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 11 19:38:04 2014
Delivered-To: freebsd-bugs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
    (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by hub.freebsd.org (Postfix) with ESMTPS id 5314ED42
    for ; Mon, 11 Aug 2014 19:38:04 +0000 (UTC)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client did not present a certificate)
    by mx1.freebsd.org (Postfix) with ESMTPS id 1FEB628D4
    for ; Mon, 11 Aug 2014 19:38:04 +0000 (UTC)
Received: from bugs.freebsd.org ([127.0.1.118])
    by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s7BJc39i063885
    for ; Mon, 11 Aug 2014 19:38:04 GMT
    (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 192558] [patch] hard-to-hit crash in bpf catchpacket()
Date: Mon, 11 Aug 2014 19:38:04 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 9.2-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: jhb@FreeBSD.org
X-Bugzilla-Status: In Discussion
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields: bug_status cc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Mon, 11 Aug 2014 19:38:04 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192558

John Baldwin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Triage                |In Discussion
                 CC|                            |jhb@FreeBSD.org,
                   |                            |rwatson@FreeBSD.org

--- Comment #1 from John Baldwin ---
I think your diagnosis is correct, but I'm unsure of the fix.  In particular, I
suspect we may want to avoid sleeping if the fbuf is full so that this "fails
fast" to avoid blocking network traffic.  Also, when you are awakened, other
threads might have already called catchpacket() (e.g. a multiq NIC), so you
don't actually know that you should be in the current state.  I worry that you
need to jump back to the preceding if, so something like:

again:
	if (curlen + totlen > d->bd_bufsize || !bpf_canwritebuf(d)) {
		if (d->bd_fbuf == NULL) {
			...
		}
		if (d->bd_hbuf_in_use) {
			mtx_sleep(...);
			goto again;
		}
		...
	}

Arguably the earlier call to mtx_sleep() in this function is also racy, as you
don't know that the condition is still true when you awake given a concurrent
call to catchpacket() from another RX queue on the same NIC.  That is, I think
that loop should also be altered, though it can probably avoid a goto:

	while (d->bd_fbuf == NULL && bpf_canfreebuf(d)) {
		if (d->bd_hbuf_in_use) {
			mtx_sleep(...);
			continue;
		}
		...
	}

Possibly, the 'again' label needs to move all the way up to before this 'while'
loop, and if so, the hdrlen/totlen/curlen assignments should be moved up before
the first while.

-- 
You are receiving this mail because:
You are the assignee for the bug.
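The re-check structure sketched in the comment above, worked through as an added example that is not part of bug 192558, its patch, or sys/net/bpf.c. It is a userland C model of the two sleeping paths in catchpacket(): the descriptor lock is left implicit, a hypothetical `while_asleep` hook stands in for whatever other threads do between the wakeup and the sleeper reacquiring the lock, and `bufA`, `bufB`, `bd_canfree`, `catchpacket_once` and `catchpacket_again` are names chosen for the model. `catchpacket_once` has the current shape (each guard evaluated once, before the sleep); `catchpacket_again` has the suggested shape (`continue` in the reclaim loop, `goto again` in the rotate path). The constructed interleaving has a second RX-queue thread reclaim the hold buffer while the first thread sleeps: the once-only version then executes `fbuf = hbuf` with `hbuf` already NULL and loses a buffer, after which every packet that would need a rotation is dropped, while the re-checking version notices the reclaim is already done and carries on with both buffers intact.

```c
/*
 * Userland model of the sleeping paths in bpf's catchpacket(): an added
 * illustration, not code from sys/net/bpf.c.  The descriptor lock is implicit,
 * the two buffers are bufA/bufB, and a test hook stands in for whatever other
 * threads do while this one is in mtx_sleep().  Model assumption: bd_canfree
 * means the reader is done with the hold buffer's contents (bpf_canfreebuf()),
 * bd_hbuf_in_use that it still references the memory.
 */
#include <stdbool.h>
#include <stddef.h>

static char bufA[4096], bufB[4096];

struct bpf_d {
    char  *bd_sbuf, *bd_hbuf, *bd_fbuf;   /* store, hold (or NULL), free (or NULL) */
    size_t bd_slen, bd_hlen, bd_bufsize;
    bool   bd_hbuf_in_use;                /* reader still references bd_hbuf */
    bool   bd_canfree;                    /* stands in for bpf_canfreebuf(d) */
    void (*while_asleep)(struct bpf_d *); /* hypothetical hook: peers' work during a sleep */
    unsigned sleeps;
};

enum outcome { DROPPED = 0, STORED = 1 };

/* mtx_sleep(&d->bd_hbuf_in_use, &d->bd_lock, ...) as the caller sees it: lock
 * dropped, bpfread() finishes and wakes us, peers run, lock reacquired. */
static void model_sleep(struct bpf_d *d)
{
    d->sleeps++;
    d->bd_hbuf_in_use = false;
    if (d->while_asleep != NULL)
        d->while_asleep(d);
}

#define ROTATE_BUFFERS(d) do { (d)->bd_hbuf = (d)->bd_sbuf; (d)->bd_hlen = (d)->bd_slen; \
    (d)->bd_sbuf = (d)->bd_fbuf; (d)->bd_slen = 0; (d)->bd_fbuf = NULL; } while (0)

/* Current shape: each guard is evaluated once, before the sleep. */
static int catchpacket_once(struct bpf_d *d, size_t totlen)
{
    if (d->bd_fbuf == NULL && d->bd_canfree) {
        while (d->bd_hbuf_in_use)
            model_sleep(d);
        d->bd_fbuf = d->bd_hbuf;    /* if a peer already reclaimed, this copies NULL */
        d->bd_hbuf = NULL;
        d->bd_canfree = false;
    }
    if (d->bd_slen + totlen > d->bd_bufsize) {
        if (d->bd_fbuf == NULL)
            return DROPPED;
        while (d->bd_hbuf_in_use)
            model_sleep(d);
        ROTATE_BUFFERS(d);          /* if a peer already rotated, sbuf becomes NULL */
    }
    d->bd_slen += totlen;
    return STORED;
}

/* Suggested shape: every sleep is followed by a re-check of the guards. */
static int catchpacket_again(struct bpf_d *d, size_t totlen)
{
again:
    while (d->bd_fbuf == NULL && d->bd_canfree) {
        if (d->bd_hbuf_in_use) {
            model_sleep(d);
            continue;               /* re-test: a peer may have reclaimed already */
        }
        d->bd_fbuf = d->bd_hbuf;
        d->bd_hbuf = NULL;
        d->bd_canfree = false;
    }
    if (d->bd_slen + totlen > d->bd_bufsize) {
        if (d->bd_fbuf == NULL)
            return DROPPED;         /* fail fast rather than block the RX path */
        if (d->bd_hbuf_in_use) {
            model_sleep(d);
            goto again;             /* re-test: a peer may have rotated already */
        }
        ROTATE_BUFFERS(d);
    }
    d->bd_slen += totlen;
    return STORED;
}

/* Both buffers must stay accounted for: sbuf plus exactly one of hbuf/fbuf. */
static bool buffers_accounted(const struct bpf_d *d)
{
    char *other = d->bd_hbuf != NULL ? d->bd_hbuf : d->bd_fbuf;
    return d->bd_sbuf != NULL && other != NULL && other != d->bd_sbuf &&
        (d->bd_hbuf == NULL || d->bd_fbuf == NULL);
}

/* Constructed interleaving from the comment: a second RX-queue thread runs
 * catchpacket() and does the reclaim before the sleeper gets the lock back. */
static void peer_runs_first(struct bpf_d *d)
{
    d->while_asleep = NULL;         /* the peer's own call must not recurse */
    (void)catchpacket_again(d, 200);
}

/* Sleeper enters the reclaim loop with the reader still on hbuf; returns its
 * outcome and leaves the final descriptor state in *out. */
static int reclaim_race(int (*fn)(struct bpf_d *, size_t), struct bpf_d *out)
{
    struct bpf_d d = { .bd_sbuf = bufA, .bd_hbuf = bufB, .bd_slen = 100,
        .bd_hlen = sizeof bufB, .bd_bufsize = sizeof bufA, .bd_hbuf_in_use = true,
        .bd_canfree = true, .while_asleep = peer_runs_first };
    int r = fn(&d, 200);
    if (out != NULL)
        *out = d;
    return r;
}
```

`model_sleep` clears `bd_hbuf_in_use` itself because in the model the wakeup always comes from the reader finishing; everything else that happens during the sleep is the hook's job. The scenario drives only the reclaim loop (the second snippet in the comment); the rotate path with `goto again` has the same re-check shape and is taken by `catchpacket_again` once the store buffer fills after the race, which is how the test below confirms both buffers are still usable.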