To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc: Sreekanth Reddy
From: Sumit Saxena
Subject: git: d2b96f654a67 - main - iflib: Fix panic observed while doing sysctl -a with if_bnxt unload
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ssaxena
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d2b96f654a672f6059c5c623c276dcd76841ed12
Auto-Submitted: auto-generated
Date: Tue, 14 Apr 2026 09:14:18 +0000
Message-Id: <69de056a.1efdc.319ecdb4@gitrepo.freebsd.org>

The branch main has been updated by ssaxena:

URL: https://cgit.FreeBSD.org/src/commit/?id=d2b96f654a672f6059c5c623c276dcd76841ed12

commit d2b96f654a672f6059c5c623c276dcd76841ed12
Author:     Sreekanth Reddy
AuthorDate: 2026-04-13 06:28:08 +0000
Commit:     Sumit Saxena
CommitDate: 2026-04-14 09:13:34 +0000

    iflib: Fix panic observed while doing sysctl -a with if_bnxt unload

    Observed below kernel panic calltrace while performing sysctl -a
    operation while unloading the if_bnxt driver,

    Fatal trap 9: general protection fault while in kernel mode
    KDB: stack backtrace:
    db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe02a7569940
    vpanic() at vpanic+0x136/frame 0xfffffe02a7569a70
    panic() at panic+0x43/frame 0xfffffe02a7569ad0
    trap_fatal() at trap_fatal+0x68/frame 0xfffffe02a7569af0
    calltrap() at calltrap+0x8/frame 0xfffffe02a7569af0
    trap 0x9, rip = 0xffffffff80c0b411, rsp = 0xfffffe02a7569bc0, rbp = 0xfffffe02a7569be0 ---
    sysctl_handle_counter_u64() at sysctl_handle_counter_u64+0x61/frame 0xfffffe02a7569be0
    sysctl_root_handler_locked() at sysctl_root_handler_locked+0x9c/frame 0xfffffe02a7569c30
    sysctl_root() at sysctl_root+0x22f/frame 0xfffffe02a7569cb0
    userland_sysctl() at userland_sysctl+0x196/frame 0xfffffe02a7569d50
    sys___sysctl() at sys___sysctl+0x65/frame 0xfffffe02a7569e00
    amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe02a7569f30
    fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe02a7569f30

    Root Cause:
    iflib adds per-device sysctl nodes under the device tree using the
    device sysctl context. Some of those nodes are counter sysctl that
    point at fields inside txq→ift_br. When the if_bnxt driver is
    unloaded, iflib_device_deregister runs and calls
    iflib_tx_structures_free, which frees the txqs ift_br. The device
    sysctl tree is only freed when the device is destroyed. If sysctl -a
    runs during unload, it can still traverse the device tree and call
    sysctl_handle_counter_u64 for those nodes. The handler does
    counter_u64_fetch(*(counter_u64_t *)arg1). By then arg1 can point
    into freed memory and leads to use-after-free type kernel panic.

    Fix:
    iflib now uses its own sysctl context for all iflib-related nodes
    instead of using device’s context. And iflib sysctl context is now
    removed before any queue/ring memory is freed.

    MFC after:      2 weeks
    Reviewed by:    gallatin, ssaxena, #iflib
    Differential Revision: https://reviews.freebsd.org/D55981
---
 sys/net/iflib.c | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/sys/net/iflib.c b/sys/net/iflib.c index f9d0b1af0f83..186c41d9f839 100644 --- a/sys/net/iflib.c +++ b/sys/net/iflib.c @@ -190,6 +190,7 @@ struct iflib_ctx { struct ifmedia ifc_media; struct ifmedia *ifc_mediap; + struct sysctl_ctx_list ifc_sysctl_ctx; struct sysctl_oid *ifc_sysctl_node; uint16_t ifc_sysctl_ntxqs; uint16_t ifc_sysctl_nrxqs; @@ -5293,6 +5294,8 @@ iflib_device_register(device_t dev, void *sc, if_shared_ctx_t sctx, if_ctx_t *ct fail_detach: ether_ifdetach(ctx->ifc_ifp); fail_queues: + sysctl_ctx_free(&ctx->ifc_sysctl_ctx); + ctx->ifc_sysctl_node = NULL; taskqueue_free(ctx->ifc_tq); iflib_tqg_detach(ctx); iflib_tx_structures_free(ctx); 
@@ -5332,6 +5335,9 @@ iflib_device_deregister(if_ctx_t ctx) if_t ifp = ctx->ifc_ifp; device_t dev = ctx->ifc_dev; + sysctl_ctx_free(&ctx->ifc_sysctl_ctx); + ctx->ifc_sysctl_node = NULL; + /* Make sure VLANS are not using driver */ if (if_vlantrunkinuse(ifp)) { device_printf(dev, "Vlan in use, detach first\n"); 
@@ -6787,62 +6793,61 @@ iflib_add_device_sysctl_pre(if_ctx_t ctx) { device_t dev = iflib_get_dev(ctx); struct sysctl_oid_list *child, *oid_list; - struct sysctl_ctx_list *ctx_list; struct sysctl_oid *node; - ctx_list = device_get_sysctl_ctx(dev); + sysctl_ctx_init(&ctx->ifc_sysctl_ctx); child = SYSCTL_CHILDREN(device_get_sysctl_tree(dev)); - ctx->ifc_sysctl_node = node = SYSCTL_ADD_NODE(ctx_list, child, + ctx->ifc_sysctl_node = node = SYSCTL_ADD_NODE(&ctx->ifc_sysctl_ctx, child, OID_AUTO, "iflib", CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "IFLIB fields"); oid_list = SYSCTL_CHILDREN(node); - SYSCTL_ADD_CONST_STRING(ctx_list, oid_list, OID_AUTO, "driver_version", + SYSCTL_ADD_CONST_STRING(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "driver_version", CTLFLAG_RD, ctx->ifc_sctx->isc_driver_version, "driver version"); - SYSCTL_ADD_BOOL(ctx_list, oid_list, OID_AUTO, "simple_tx", + SYSCTL_ADD_BOOL(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "simple_tx", CTLFLAG_RDTUN, &ctx->ifc_sysctl_simple_tx, 0, "use simple tx ring"); - SYSCTL_ADD_U16(ctx_list, oid_list, OID_AUTO, "override_ntxqs", + SYSCTL_ADD_U16(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "override_ntxqs", CTLFLAG_RWTUN, &ctx->ifc_sysctl_ntxqs, 0, "# of txqs to use, 0 => use default #"); - SYSCTL_ADD_U16(ctx_list, oid_list, OID_AUTO, "override_nrxqs", + SYSCTL_ADD_U16(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "override_nrxqs", CTLFLAG_RWTUN, &ctx->ifc_sysctl_nrxqs, 0, "# of rxqs to use, 0 => use default #"); - SYSCTL_ADD_U16(ctx_list, oid_list, OID_AUTO, "override_qs_enable", + SYSCTL_ADD_U16(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "override_qs_enable", CTLFLAG_RWTUN, &ctx->ifc_sysctl_qs_eq_override, 0, "permit #txq != #rxq"); - SYSCTL_ADD_INT(ctx_list, oid_list, OID_AUTO, "disable_msix", + SYSCTL_ADD_INT(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "disable_msix", CTLFLAG_RWTUN, &ctx->ifc_softc_ctx.isc_disable_msix, 0, "disable MSI-X (default 0)"); - SYSCTL_ADD_U16(ctx_list, oid_list, OID_AUTO, "rx_budget", + 
SYSCTL_ADD_U16(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "rx_budget", CTLFLAG_RWTUN, &ctx->ifc_sysctl_rx_budget, 0, "set the RX budget"); - SYSCTL_ADD_U16(ctx_list, oid_list, OID_AUTO, "tx_abdicate", + SYSCTL_ADD_U16(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "tx_abdicate", CTLFLAG_RWTUN, &ctx->ifc_sysctl_tx_abdicate, 0, "cause TX to abdicate instead of running to completion"); ctx->ifc_sysctl_core_offset = CORE_OFFSET_UNSPECIFIED; - SYSCTL_ADD_U16(ctx_list, oid_list, OID_AUTO, "core_offset", + SYSCTL_ADD_U16(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "core_offset", CTLFLAG_RDTUN, &ctx->ifc_sysctl_core_offset, 0, "offset to start using cores at"); - SYSCTL_ADD_U8(ctx_list, oid_list, OID_AUTO, "separate_txrx", + SYSCTL_ADD_U8(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "separate_txrx", CTLFLAG_RDTUN, &ctx->ifc_sysctl_separate_txrx, 0, "use separate cores for TX and RX"); - SYSCTL_ADD_U8(ctx_list, oid_list, OID_AUTO, "use_logical_cores", + SYSCTL_ADD_U8(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "use_logical_cores", CTLFLAG_RDTUN, &ctx->ifc_sysctl_use_logical_cores, 0, "try to make use of logical cores for TX and RX"); - SYSCTL_ADD_U16(ctx_list, oid_list, OID_AUTO, "use_extra_msix_vectors", + SYSCTL_ADD_U16(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "use_extra_msix_vectors", CTLFLAG_RDTUN, &ctx->ifc_sysctl_extra_msix_vectors, 0, "attempt to reserve the given number of extra MSI-X vectors during driver load for the creation of additional interfaces later"); - SYSCTL_ADD_INT(ctx_list, oid_list, OID_AUTO, "allocated_msix_vectors", + SYSCTL_ADD_INT(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "allocated_msix_vectors", CTLFLAG_RDTUN, &ctx->ifc_softc_ctx.isc_vectors, 0, "total # of MSI-X vectors allocated by driver"); /* XXX change for per-queue sizes */ - SYSCTL_ADD_PROC(ctx_list, oid_list, OID_AUTO, "override_ntxds", + SYSCTL_ADD_PROC(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "override_ntxds", CTLTYPE_STRING | CTLFLAG_RWTUN | CTLFLAG_NEEDGIANT, ctx, IFLIB_NTXD_HANDLER, 
mp_ndesc_handler, "A", "list of # of TX descriptors to use, 0 = use default #"); - SYSCTL_ADD_PROC(ctx_list, oid_list, OID_AUTO, "override_nrxds", + SYSCTL_ADD_PROC(&ctx->ifc_sysctl_ctx, oid_list, OID_AUTO, "override_nrxds", CTLTYPE_STRING | CTLFLAG_RWTUN | CTLFLAG_NEEDGIANT, ctx, IFLIB_NRXD_HANDLER, mp_ndesc_handler, "A", "list of # of RX descriptors to use, 0 = use default #"); @@ -6853,9 +6858,8 @@ iflib_add_device_sysctl_post(if_ctx_t ctx) { if_shared_ctx_t sctx = ctx->ifc_sctx; if_softc_ctx_t scctx = &ctx->ifc_softc_ctx; - device_t dev = iflib_get_dev(ctx); struct sysctl_oid_list *child; - struct sysctl_ctx_list *ctx_list; + struct sysctl_ctx_list *ctx_list = &ctx->ifc_sysctl_ctx; iflib_fl_t fl; iflib_txq_t txq; iflib_rxq_t rxq; @@ -6864,7 +6868,6 @@ iflib_add_device_sysctl_post(if_ctx_t ctx) char *qfmt; struct sysctl_oid *queue_node, *fl_node, *node; struct sysctl_oid_list *queue_list, *fl_list; - ctx_list = device_get_sysctl_ctx(dev); node = ctx->ifc_sysctl_node; child = SYSCTL_CHILDREN(node);
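Review bot: in the iflib_device_register hunk, at fail_queues, the return value of sysctl_ctx_free(&ctx->ifc_sysctl_ctx) is discarded. sysctl_ctx_free(9) returns an error and leaves the oids registered when any of them cannot be removed; in that case ifc_sysctl_node is still set to NULL and iflib_tx_structures_free(ctx) still runs, so the counter nodes the commit message describes would keep pointing at freed ring memory. Suggest checking the result (at least a device_printf or KASSERT on non-zero); the same applies to the call added in iflib_device_deregister. It is also worth confirming that every path reaching fail_queues has already run sysctl_ctx_init(), which this patch places in iflib_add_device_sysctl_pre.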
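Review bot: in the iflib_device_deregister hunk, sysctl_ctx_free() is placed above the if_vlantrunkinuse(ifp) check. If that branch refuses the detach (its body past the device_printf is not visible in this hunk), the interface stays up but its iflib sysctl nodes are already gone and ifc_sysctl_node is NULL. Suggest moving the two added lines below the VLAN check, still ahead of any queue or ring free, so the teardown only happens once deregistration is committed.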
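Review bot: style point in the iflib_add_device_sysctl_pre hunk: replacing the ctx_list local with &ctx->ifc_sysctl_ctx at every SYSCTL_ADD_* call pushes several lines past 80 columns (for example the "driver_version" and "use_extra_msix_vectors" calls) and accounts for most of the churn in this diff. iflib_add_device_sysctl_post keeps the local, initialised as struct sysctl_ctx_list *ctx_list = &ctx->ifc_sysctl_ctx; doing the same here would reduce this hunk to that declaration plus the sysctl_ctx_init() call and keep the two functions consistent.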