On 9.8.2022. 22:22, Vitaliy Makkoveev wrote:
> Hi,
>
> The kernel lock within pflow_output_process() doesn't help because the
> following sosend() has sleep points. So, at least pflow_clone_destroy()
> should wait until pflow_output_process() has finished. We should use
> taskq_del_barrier(9) instead of task_del(9).
>
> Also, we need to unlink the dying pflow(4) interface from the stack
> before starting destruction.
>
> This diff should help. Please keep in mind that this diff is incomplete,
> because it doesn't fix the race between pflowioctl() and
> pflow_output_process(). That race is much more complicated, because we
> need to introduce a new lock to protect `so' and take it before calling
> sosend(), but sosend() takes the netlock, which is taken before
> pflowioctl() where we modify `so'. This introduces re-locking games in
> the pflowioctl() path, so I want to do this in a separate diff, because
> this potential panic has not been triggered.
>
Hi,
with this diff I'm getting the protection fault trap below: the fault is in
the softnet taskq thread (pflow_output_process() -> sosend() -> sblock()),
while the ifconfig thread is still sleeping in if_detach() inside
pflow_clone_destroy() (see the two traces further down).
r620-1# ifconfig pflow0 destroy
kernel: protection fault trap, code=0
Stopped at sblock+0x35: movq 0x8(%rax),%rax
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
sblock(fffffd842c34d8e8,fffffd842c34da10,1) at sblock+0x35
sosend(fffffd842c34d8e8,fffffd80cd292800,0,fffffd80a3f37c00,0,0) at
sosend+0x163
pflow_output_process(ffff8000008ca000) at pflow_output_process+0x67
taskq_thread(ffff800000030100) at taskq_thread+0x100
end trace frame: 0x0, count: -4
ddb{0}>
ddb{0}> show reg
rdi 0xfffffd842c34d8e8
rsi 0xfffffd842c34da10
rbp 0xffff800022d66710
rbx 0x501
rdx 0x1
rcx 0xffff8000ffffea84
rax 0x9f3ebe5199894262
r8 0x1
r9 0xffffffff821c7080 rw_ops+0x10
r10 0xffffffffffffffff
r11 0x6db1a912181c98f1
r12 0
r13 0x1
r14 0xfffffd842c34da60
r15 0xfffffd842c34d8e8
rip 0xffffffff81d71565 sblock+0x35
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800022d666c0
ss 0x10
sblock+0x35: movq 0x8(%rax),%rax
ddb{0}>
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
1364 367790 19987 0 7 0x3 ifconfig
19987 130981 1 0 3 0x10008b sigsusp ksh
74340 115416 1 0 3 0x100098 kqread cron
68578 240636 2156 95 3 0x1100092 kqread smtpd
86507 443747 2156 103 3 0x1100092 kqread smtpd
47223 261838 2156 95 3 0x1100092 kqread smtpd
38121 503884 2156 95 3 0x100092 kqread smtpd
29539 133065 2156 95 3 0x1100092 kqread smtpd
83786 266601 2156 95 3 0x1100092 kqread smtpd
2156 411192 1 0 3 0x100080 kqread smtpd
62749 20828 1 0 3 0x88 kqread sshd
85488 424702 1 0 3 0x100080 kqread ntpd
4633 197093 51224 83 3 0x100092 kqread ntpd
51224 139274 1 83 7 0x1100012 ntpd
19966 136109 61788 73 3 0x1100090 kqread syslogd
61788 27725 1 0 3 0x100082 netio syslogd
31851 123130 0 0 3 0x14200 bored smr
12870 490593 0 0 3 0x14200 pgzero zerothread
51010 283420 0 0 3 0x14200 aiodoned aiodoned
69180 131489 0 0 3 0x14200 syncer update
36711 165342 0 0 3 0x14200 cleaner cleaner
75263 504085 0 0 3 0x14200 reaper reaper
72069 133609 0 0 3 0x14200 pgdaemon pagedaemon
99378 234898 0 0 3 0x14200 usbtsk usbtask
30200 405105 0 0 3 0x14200 usbatsk usbatsk
96366 324880 0 0 3 0x40014200 acpi0 acpi0
24969 140748 0 0 7 0x40014200 idle5
95045 386153 0 0 3 0x40014200 idle4
72849 289914 0 0 7 0x40014200 idle3
49815 213569 0 0 3 0x40014200 idle2
39848 84701 0 0 3 0x40014200 idle1
43651 137149 0 0 7 0x40014200 sensors
10764 419906 0 0 3 0x14200 netlock softnet
51829 300708 0 0 3 0x14200 netlock softnet
*58674 303202 0 0 7 0x14200 softnet
60899 100126 0 0 3 0x14200 netlock softnet
49625 511441 0 0 3 0x14200 bored systqmp
5435 16476 0 0 3 0x14200 bored systq
8069 217014 0 0 2 0x40014200 softclock
59081 306832 0 0 3 0x40014200 idle0
1 42126 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}>
ddb{0}> ps /o
TID PID UID PRFLAGS PFLAGS CPU COMMAND
367790 1364 0 0x3 0 4 ifconfig
139274 51224 83 0x1100012 0 2 ntpd
137149 43651 0 0x14000 0x40000200 1 sensors
*303202 58674 0 0x14000 0x200 0K softnet
ddb{0}>
ddb{0}> trace /t 0t367790
sleep_finish(ffff800022e25800,1) at sleep_finish+0xfe
rw_enter(ffffffff822dd970,1) at rw_enter+0x1cb
if_detach(ffff8000008ca000) at if_detach+0x28
pflow_clone_destroy(ffff8000008ca000) at pflow_clone_destroy+0x1a0
if_clone_destroy(ffff800022e259c0) at if_clone_destroy+0xd9
soo_ioctl(fffffd83addf2da8,80206979,ffff800022e259c0,ffff800022de8d20)
at soo_ioctl+0x161
sys_ioctl(ffff800022de8d20,ffff800022e25ad0,ffff800022e25b30) at
sys_ioctl+0x2c4
syscall(ffff800022e25ba0) at syscall+0x384
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd81f0, count: -9
ddb{0}> trace /t 0t139274
sleep_finish(ffff800022e31380,1) at sleep_finish+0xfe
rw_enter(ffffffff822dd970,1) at rw_enter+0x1cb
soo_kqfilter(fffffd83b05fc4b8,fffffd83aec1a008) at soo_kqfilter+0x2c
kqueue_register(fffffd83b0ca8ac8,ffff800022e31590,3,ffff800022de9a40) at
kqueue_register+0x633
ppollregister_evts(ffff800022de9a40,ffff800022e31590,1,ffff800022e31898,3)
at ppollregister_evts+0xb3
ppollregister(ffff800022de9a40,ffff800022e31880,4,ffff800022e318f4,ffff800022e318f0) at ppollregister+0x209
doppoll(ffff800022de9a40,6e239bc22c0,4,ffff800022e31978,0,ffff800022e31a20)
at doppoll+0x12c
sys_poll(ffff800022de9a40,ffff800022e319c0,ffff800022e31a20) at
sys_poll+0x6a
syscall(ffff800022e31a90) at syscall+0x35f
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdc0d0, count: -10
ddb{0}> trace /t 0t137149
sched_peg_curproc(ffff800022509ff0) at sched_peg_curproc+0x65
cpu_hz_update_sensor(ffff800022509ff0) at cpu_hz_update_sensor+0x1d
sensor_task_work(ffff800000024b00) at sensor_task_work+0x44
taskq_thread(ffff80000006a680) at taskq_thread+0x100
end trace frame: 0x0, count: -4
ddb{0}> trace /t 0t303202
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
sblock(fffffd842c34d8e8,fffffd842c34da10,1) at sblock+0x35
sosend(fffffd842c34d8e8,fffffd80cd292800,0,fffffd80a3f37c00,0,0) at
sosend+0x163
pflow_output_process(ffff8000008ca000) at pflow_output_process+0x67
taskq_thread(ffff800000030100) at taskq_thread+0x100
end trace frame: 0x0, count: -5
ddb{0}>
ddb{0}> mach ddbcpu 1
Stopped at x86_ipi_db+0x12: leave
ddb{1}> mach ddbcpu 2
Stopped at x86_ipi_db+0x12: leave
ddb{2}> mach ddbcpu 3
Stopped at x86_ipi_db+0x12: leave
ddb{3}> mach ddbcpu 4
Stopped at x86_ipi_db+0x12: leave
ddb{4}> mach ddbcpu 5
Stopped at x86_ipi_db+0x12: leave
ddb{5}> mach ddbcpu 0
Stopped at sblock+0x35: movq 0x8(%rax),%rax