kern/182964: [pf] pf_mtag panic on 10-BETA1 r256398 with VIMAGE and pf

Martin Matuska mm at freebsd.org
Mon Oct 14 11:30:00 UTC 2013 

>Number:         182964
>Category:       kern
>Synopsis:       [pf] pf_mtag panic on 10-BETA1 r256398 with VIMAGE and pf
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 14 11:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Martin Matuska
>Release:        FreeBSD 10.0-BETA1 amd64
>Organization:
>Environment:
>Description:
10-BETA1 r256398 kernel panics if using VIMAGE and pf 

#0  doadump (textdump=<value optimized out>) at pcpu.h:219
219     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump (textdump=<value optimized out>) at pcpu.h:219
#1  0xffffffff804a4450 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:447
#2  0xffffffff804a4814 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:754
#3  0xffffffff8070c3d2 in trap_fatal (frame=<value optimized out>,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
#4  0xffffffff8070c6a9 in trap_pfault (frame=0xfffffe03de1a3800, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:699
#5  0xffffffff8070be36 in trap (frame=0xfffffe03de1a3800)
    at /usr/src/sys/amd64/amd64/trap.c:463
#6  0xffffffff806f3212 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#7  0xffffffff8122cb47 in pf_mtag_free (t=0xfffff80111a2f2d0)
    at /usr/src/sys/modules/pf/../../netpfil/pf/pf.c:830
#8  0xffffffff806cd0b0 in uma_zfree_arg (zone=0xfffff8043fdb2000,
    item=0xfffff8011113dd00, udata=0x0) at /usr/src/sys/vm/uma_core.c:2549
#9  0xffffffff8050bd33 in m_freem (mb=<value optimized out>) at uma.h:364
#10 0xffffffff8038ab70 in re_txeof (sc=0xfffffe00009d1000)
    at /usr/src/sys/dev/re/if_re.c:2388
#11 0xffffffff8038ca0d in re_intr_msi (xsc=0xfffffe00009d1000)
    at /usr/src/sys/dev/re/if_re.c:2652
#12 0xffffffff8047897b in intr_event_execute_handlers (
    p=<value optimized out>, ie=0xfffff80005511a00)
    at /usr/src/sys/kern/kern_intr.c:1263
#13 0xffffffff80478dc6 in ithread_loop (arg=0xfffff80005521080)
    at /usr/src/sys/kern/kern_intr.c:1276
#14 0xffffffff8047654a in fork_exit (
    callout=0xffffffff80478d30 <ithread_loop>, arg=0xfffff80005521080,
    frame=0xfffffe03de1a3ac0) at /usr/src/sys/kern/kern_fork.c:995
#15 0xffffffff806f374e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:606
#16 0x0000000000000000 in ?? ()
>How-To-Repeat:
>Fix:
One of possible fixes is to devirtualize V_pf_mtag_z (as discussed on freebsd-pf mailing list)

Index: sys/netpfil/pf/pf.c
===================================================================
--- sys/netpfil/pf/pf.c	(revision 256398)
+++ sys/netpfil/pf/pf.c	(working copy)
@@ -187,8 +187,7 @@
 
 static VNET_DEFINE(uma_zone_t,	pf_sources_z);
 #define	V_pf_sources_z	VNET(pf_sources_z)
-static VNET_DEFINE(uma_zone_t,	pf_mtag_z);
-#define	V_pf_mtag_z	VNET(pf_mtag_z)
+uma_zone_t pf_mtag_z;
 VNET_DEFINE(uma_zone_t,	 pf_state_z);
 VNET_DEFINE(uma_zone_t,	 pf_state_key_z);
 
@@ -749,9 +748,10 @@
 	V_pf_altqs_inactive = &V_pf_altqs[1];
 
 	/* Mbuf tags */
-	V_pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct m_tag) +
-	    sizeof(struct pf_mtag), NULL, NULL, pf_mtag_init, NULL,
-	    UMA_ALIGN_PTR, 0);
+	if (IS_DEFAULT_VNET(curvnet))
+		pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct m_tag) +
+		    sizeof(struct pf_mtag), NULL, NULL, pf_mtag_init, NULL,
+		    UMA_ALIGN_PTR, 0);
 
 	/* Send & overload+flush queues. */
 	STAILQ_INIT(&V_pf_sendqueue);
@@ -803,7 +803,8 @@
 	mtx_destroy(&pf_overloadqueue_mtx);
 	mtx_destroy(&pf_unlnkdrules_mtx);
 
-	uma_zdestroy(V_pf_mtag_z);
+	if (IS_DEFAULT_VNET(curvnet))
+		uma_zdestroy(pf_mtag_z);
 	uma_zdestroy(V_pf_sources_z);
 	uma_zdestroy(V_pf_state_z);
 	uma_zdestroy(V_pf_state_key_z);
@@ -827,7 +828,7 @@
 pf_mtag_free(struct m_tag *t)
 {
 
-	uma_zfree(V_pf_mtag_z, t);
+	uma_zfree(pf_mtag_z, t);
 }
 
 struct pf_mtag *
@@ -838,7 +839,7 @@
 	if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) != NULL)
 		return ((struct pf_mtag *)(mtag + 1));
 
-	mtag = uma_zalloc(V_pf_mtag_z, M_NOWAIT);
+	mtag = uma_zalloc(pf_mtag_z, M_NOWAIT);
 	if (mtag == NULL)
 		return (NULL);
 	bzero(mtag + 1, sizeof(struct pf_mtag));
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list