From nobody Sun May 22 20:44:19 2022
X-Original-To: net@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id AB7001AEA38C
	for <net@mlmmj.nyi.freebsd.org>; Sun, 22 May 2022 20:44:19 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4L5srg3Yxfz3q3w
	for <net@FreeBSD.org>; Sun, 22 May 2022 20:44:19 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5A32922347
	for <net@FreeBSD.org>; Sun, 22 May 2022 20:44:19 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 24MKiJn9003874
	for <net@FreeBSD.org>; Sun, 22 May 2022 20:44:19 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 24MKiJhC003873
	for net@FreeBSD.org; Sun, 22 May 2022 20:44:19 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 264094] cc_htcp(4): Setting net.inet.tcp.cc.algorithm to htcp
 triggers panic on the most recent CURRENT
Date: Sun, 22 May 2022 20:44:19 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: crash, needs-qa
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: tuexen@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: tuexen@freebsd.org
X-Bugzilla-Flags: mfc-stable13? mfc-stable12?
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-264094-7501-JpzPzaXjhy@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-264094-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-264094-7501@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-net
List-Help: <mailto:freebsd-net+help@freebsd.org>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Subscribe: <mailto:freebsd-net+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-net+unsubscribe@freebsd.org>
Sender: owner-freebsd-net@freebsd.org
MIME-Version: 1.0
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1653252259;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=XhNIaaFdXGfJnBkx7eLAuXGpnBulYwY2Aw1OriX/gv8=;
	b=VJwDrKEjgqojCqUqfKtckvRlAC6ZwpDywMR+PXI3WHIbR2lHb9LMmu4HMPt+o9qUpjMVMA
	qt8IMz4XzsJ6yuDg7d6tXVISz37koKzXCd6XedLYj7Uvho2L3uNYqIfXQkKAStdU1OmgkE
	mxfoBDDX+yXeh6H0GX4MTjnRLIUY4s/lv7B2x0HWJFi9RK1dHYnu5l9dzbfa4Z/9VLcHSP
	gCOn60ENVSjMzNNUP4nNCucW6mIQiRI4LLyT6BpCyq1IBD+k8ZrC2fT985YpRf6R6Ut6dZ
	4VNhVi7XCu1f8lM2l+fMHn7DRzJ3/BxD4MMyu+YU/JB3jSimAq8NizsQsPbrRQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1653252259; a=rsa-sha256; cv=none;
	b=fOo1+UpxSK3qC13J9lgzrZcoUOqzB7L4OisFUSg3jGBrl83QFS3SbRObEZ4IsGpDeAB4/n
	OepSBehbGL7Qj7qde0Angv+y7SxRhZSOh/tSt/00uZh7RHyT+GrkLx6LbueEWG6RBH5W1O
	I1Pm9SY3yIgQtnByke5GiSbSe3VhYB3vi+1KZOIIpc1JOmOn3IKI41+24AWzow41n0zpwR
	BtWF4S2UPqP+yI4w4bK1sWGuN5IDUW05XoExQLVghimM4oIrVT80VAXLfsIbx+ueH/zzTs
	AE5D5PEgYmBxSRLDk+jj2YYqeeg++h8yxztrbV35VZqEIb1rnJ0DdCNtVbUkDw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264094

--- Comment #2 from Michael Tuexen <tuexen@freebsd.org> ---
The panic happens on arm64, but not amd64. It does happen when using clang14
(most recent version in the main tree), it does not happen when using clang=
13.
I also does not happen using clang14 when forcing htcp_recalc_beta() not to=
 be
inlined.

The panic happens when accessing V_htcp_adaptive_backoff in
https://cgit.freebsd.org/src/tree/sys/netinet/cc/cc_htcp.c#n471

I disassembled htcp_recalc_beta() when using clang14 and the function not b=
eing
inlined. This is the relevant code:

(kgdb) disassemble htcp_recalc_beta
Dump of assembler code for function htcp_recalc_beta:
  0x00000000000113cc <+0>:      stp     x29, x30, [sp, #-16]!
  0x00000000000113d0 <+4>:      mov     x29, sp
  0x00000000000113d4 <+8>:      ldr     x8, [x0]          ; x8 =3D ccv
  0x00000000000113d8 <+12>:     ldr     x9, [x18]         ; x9 =3D curthread
  0x00000000000113dc <+16>:     adrp    x10, 0x21000      ; x10 =3D ???
  0x00000000000113e0 <+20>:     ldr     x9, [x9, #1368]   ; x9 =3D
curthread->td_vnet
  0x00000000000113e4 <+24>:     ldr     x10, [x10, #2168] ; x10 =3D ???
  0x00000000000113e8 <+28>:     ldr     x9, [x9, #40]     ; x9 =3D
curthread->td_vnet->vnet_data_base
  0x00000000000113ec <+32>:     ldr     w9, [x9, x10]     ; w9 =3D
V_htcp_adaptive_backoff ???
  0x00000000000113f0 <+36>:     cbz     w9, 0x11428 <htcp_recalc_beta+92>

I don't understand the computations in relation to x10, which is the offset
used to get the relevant variable.

However, this code works.

Looking at the code generated by clang13 when htcp_recalc_beta() is inlined,
one gets:

  0xffff000150610f28 <+212>:    ldr     x10, [x0]                ; x10 =3D =
ccv
  0xffff000150610f2c <+216>:    ldr     x11, [x18]               ; x11 =3D
curthread
  0xffff000150610f30 <+220>:    ldr     x11, [x11, #1368]        ; x11 =3D
curthread->td_vnet
  0xffff000150610f34 <+224>:    ldr     x12, [x11, #40]          ; x12 =3D
curthread->td_vnet->vnet_data_base
  0xffff000150610f38 <+228>:    adrp    x11, 0xffff000150621000  ; ???
  0xffff000150610f3c <+232>:    ldr     x11, [x11, #2256]        ; ???
  0xffff000150610f40 <+236>:    ldr     w12, [x12, x11]
  0xffff000150610f44 <+240>:    cbz     w12, 0xffff000150610f7c
<htcp_ack_received+296>

It looks similar and it does work.

Now comes the inlined code from clang14:

  0xffff0001016acf28 <+212>:    ldr     x10, [x0]         ; x10 =3D ccv
  0xffff0001016acf2c <+216>:    ldr     x11, [x18]        ; x11 =3D curthre=
ad
  0xffff0001016acf30 <+220>:    ldr     x12, [x11, #1368] ; x12 =3D
curthread->td_vnet
  0xffff0001016acf34 <+224>:    nop
  0xffff0001016acf38 <+228>:    adr     x11, 0xffff0001016bd520
<vnet_entry_htcp_adaptive_backoff>
  0xffff0001016acf3c <+232>:    ldr     x12, [x12, #40]   ; x12 =3D
curthread->td_vnet->vnet_data_base
=3D=3D>0xffff0001016acf40 <+236>:   ldr     w12, [x12, x11]
  0xffff0001016acf44 <+240>:    cbz     w12, 0xffff0001016acf7c
<htcp_ack_received+296>

I reached out at arm-freebsd@freebsd.org for some help regarding the genera=
ted
code.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=