Hi,
I have seen this crash trace on a 6.6 based system, but I think the
bug exists still in -current. It happened when an ixl(4) interface
was removed from trunk(4).
uvm_fault(0xfffffd8739dc6558, 0x0, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff81012a86 cs 8 rflags 10202 cr2 0 cpl 7 rsp
ffff80002e4bd170
gsbase 0xffffffff816d6ff0 kgsbase 0x0
panic: trap type 6, code=0, pc=ffffffff81012a86
Starting stack trace...
panic() at panic+0x113
kerntrap(ffff800000bf3000) at kerntrap+0xdc
alltraps_kern_meltdown(6,0,4,0,ffff800000bf3000,0) at
alltraps_kern_meltdown+0x7b
ixl_intr(ffff800000bf3000) at ixl_intr+0x3e6
intr_handler(ffffffff816d6ff0,ffff800000b57200) at intr_handler+0x5b
Xintr_ioapic_edge30_untramp(4,ffffffff814d3a00,4,18041969,ffffffff816d6ff0,d)
at Xintr_ioapic_edge30_untramp+0x19f
Xspllower(ffffffff8178fb58,ffffffff816d6ff0,ffffffff8139d743,ffff800000bffd00,ffffffff8178fb40,10)
at Xspllower+0xc
softintr_dispatch(0) at softintr_dispatch+0xc5
Xsoftclock(ffff800000bf3048,0,ffffffff8139d743,ffff800000bf3048,ffff800001207800,ffffffff814e862f)
at Xsoftclock+0x1f
ifnewlladdr(ffff800001624e10) at ifnewlladdr+0xf8
trunk_port_destroy(ffff80002e4bd6e0) at trunk_port_destroy+0x2fd
trunk_ioctl(fffffd87387594c0,ffff800001207800,8048698e) at trunk_ioctl+0x6a6
ifioctl(fffffd87623df448,ffff80002e46e2d8,48,ffff80002e4bd7d0) at ifioctl+0x2d6
sys_ioctl(360,ffff80002e46e2d8,36) at sys_ioctl+0x3cd
syscall(0) at syscall+0x3d1
Xsyscall(6,36,1,36,7f7ffffda720,7f7ffffdaa21) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffda780, count: 241
End of stack trace.
syncing disks...
ifnewlladdr() is interrupted by ixl transmit interrupt. There it
crashes in ixl_txeof as txr is NULL. The code in -current if_ixl.c
has changed, so it might not happen anymore. But I think the bug
is in ifnewlladdr().
ifnewlladdr() sets splnet() and configures the interface up and
down. The ixl_down() code has some interrupt barriers which cannot
work while interrupts are blocked by splnet(). So interrupts fire
at splx() when the driver does not expect them.
Combining interrupt barriers with spl protection looks like a bad
idea.
Is there anything that lowers spl in all cases during intr_barrier(),
ifq_barrier() or timeout_del_barrier()?
How should spls work together with barriers?
The integrity of ifnewlladdr() state should be guaranteed by netlock.
Changing if_flags needs splnet() as they are used by all drivers.
The in6_ functions need netlock. And driver SIOCSIFFLAGS ioctl
must not have splnet().
Is reducing splnet() the correct aproach?
bluhm
Index: net/if.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if.c,v
retrieving revision 1.641
diff -u -p -r1.641 if.c
--- net/if.c 25 May 2021 22:45:09 -0000 1.641
+++ net/if.c 10 Jun 2021 14:32:12 -0000
@@ -3109,6 +3109,8 @@ ifnewlladdr(struct ifnet *ifp)
short up;
int s;
+ NET_ASSERT_LOCKED();
+
s = splnet();
up = ifp->if_flags & IFF_UP;
@@ -3116,11 +3118,14 @@ ifnewlladdr(struct ifnet *ifp)
/* go down for a moment... */
ifp->if_flags &= ~IFF_UP;
ifrq.ifr_flags = ifp->if_flags;
+ splx(s);
(*ifp->if_ioctl)(ifp, SIOCSIFFLAGS, (caddr_t)&ifrq);
+ s = splnet();
}
ifp->if_flags |= IFF_UP;
ifrq.ifr_flags = ifp->if_flags;
+ splx(s);
(*ifp->if_ioctl)(ifp, SIOCSIFFLAGS, (caddr_t)&ifrq);
#ifdef INET6
@@ -3139,11 +3144,12 @@ ifnewlladdr(struct ifnet *ifp)
#endif
if (!up) {
/* go back down */
+ s = splnet();
ifp->if_flags &= ~IFF_UP;
ifrq.ifr_flags = ifp->if_flags;
+ splx(s);
(*ifp->if_ioctl)(ifp, SIOCSIFFLAGS, (caddr_t)&ifrq);
}
- splx(s);
}
void
