On Wed, Jan 03, 2024 at 12:26:26AM +0100, Hrvoje Popovski wrote: > While testing kettenis@ ipl diff from tech@ and doing iperf3 to bnxt > interface and ifconfig bnxt0 down/up at the same time I can trigger > panic. Panic can be triggered without kettenis@ diff...
It is easy to reproduce. ifconfig bnxt1 down/up a few times while receiving TCP traffic with iperf3. Machine still has kettenis@ diff. My panic looks different. root@ot42:.../~# ifconfig bnxt1 down bnxt1: unexpected completion type 3 ... bnxt1: unexpected completion type 3 uvm_fault(0xffffffff8256c0b8, 0x30, 0, 1) -> e kernel: page fault trap, code=0 Stopped at bnxt_rx_fill+0x5f: movq 0x30(%rdx),%rdx TID PID UID PRFLAGS PFLAGS CPU COMMAND 452275 8801 0 0x100003 0x4000000 3 iperf3 343849 34751 0 0x14000 0x200 2 softnet1 154248 41240 0 0x14000 0x200 1 softnet0 bnxt_rx_fill(ffff8000002df888) at bnxt_rx_fill+0x5f bnxt_intr(ffff8000002df888) at bnxt_intr+0x406 intr_handler(ffff80005c04c040,ffff8000000a7800) at intr_handler+0x72 Xintr_ioapic_edge1_untramp() at Xintr_ioapic_edge1_untramp+0x18f acpicpu_idle() at acpicpu_idle+0x11f sched_idle(ffff80005a61fff0) at sched_idle+0x282 end trace frame: 0x0, count: 9 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{7}> show panic *cpu7: uvm_fault(0xffffffff8256c0b8, 0x30, 0, 1) -> e ddb{7}> trace bnxt_rx_fill(ffff8000002df888) at bnxt_rx_fill+0x5f bnxt_intr(ffff8000002df888) at bnxt_intr+0x406 intr_handler(ffff80005c04c040,ffff8000000a7800) at intr_handler+0x72 Xintr_ioapic_edge1_untramp() at Xintr_ioapic_edge1_untramp+0x18f acpicpu_idle() at acpicpu_idle+0x11f sched_idle(ffff80005a61fff0) at sched_idle+0x282 end trace frame: 0x0, count: -6 ddb{7}> show register rdi 0xffff8000002df958 rsi 0xffff8000002df918 rbp 0xffff80005c04bf20 rbx 0xffff8000002df024 rdx 0 rcx 0 rax 0x4 r8 0xcccccccccccccc01 r9 0x1 r10 0x7be05f26dfeb8079 r11 0x81c2c48b86f2e7bd r12 0x1 r13 0x1 r14 0xffff8000002df888 r15 0xffff8000002df000 rip 0xffffffff81b6180f bnxt_rx_fill+0x5f cs 0x8 rflags 0x10202 __ALIGN_SIZE+0xf202 rsp 0xffff80005c04bee0 ss 0x10 bnxt_rx_fill+0x5f: movq 0x30(%rdx),%rdx In my case, I would say rx->rx_ring_mem is NULL. slots = bnxt_rx_fill_slots(sc, &rx->rx_ring, BNXT_DMA_KVA(rx->rx_ring_mem), rx->rx_slots, &rx->rx_prod, MCLBYTES, RX_PROD_PKT_BD_TYPE_RX_PROD_PKT, slots); For Hrvoje's panic it looks like tx->tx_slots is NULL. bnxt_free_slots(sc, tx->tx_slots, tx->tx_ring.ring_size, tx->tx_ring.ring_size);