Bug 275381

Summary: page fault while re-enabling network nic via devctl
Product: Base System
Reporter: Zhenlei Huang <zlei>
Component: kern
Assignee: Zhenlei Huang <zlei>
Status: Closed DUPLICATE
Severity: Affects Some People
CC: dpetrov67, jhb, khng, markj
Priority: ---
Version: 14.0-RELEASE   
Hardware: Any   
OS: Any   
URL: https://reviews.freebsd.org/D42678

Description Zhenlei Huang freebsd_committer freebsd_triage 2023-11-27 17:14:39 UTC
This was originally reported by khng@ on the Telegram bsd dev group. Posting it here to make it public.

Steps to repeat:

Boot with Ethernet interface disabled, then try to enable it.

```
> set hint.hn.0.disabled="1"
> boot
...
# devctl enable hn0
```


Part of core text dump:

freebsd dumped core - see /var/crash/vmcore.0

Mon Nov 20 04:17:24 UTC 2023

FreeBSD freebsd 14.0-RELEASE FreeBSD 14.0-RELEASE #0 releng/14.0-n265380-f9716eee8ab4: Fri Nov 10 05:57:23 UTC 2023     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

panic: page fault

GNU gdb (GDB) 13.2 [GDB v13.2 for FreeBSD]
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd14.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...
Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address	= 0x28
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff80c5e0c8
stack pointer	        = 0x28:0xfffffe0053f4b900
frame pointer	        = 0x28:0xfffffe0053f4b940
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 650 (devctl)
rdi: fffff80006eb6800 rsi: fffff80001027500 rdx: 0000000000000001
rcx: 0000000000000001  r8: 0000000000000000  r9: 8080808080808080
rax: 0000000000000000 rbx: fffffe0054963c80 rbp: fffffe0053f4b940
r10: ffffffff811e1f39 r11: 8b9091ff93939e00 r12: fffff80007fca000
r13: fffff80007305c20 r14: ffffffff811e1f39 r15: 0000000000000000
trap number		= 12
panic: page fault
cpuid = 1
time = 1700453806
KDB: stack backtrace:
#0 0xffffffff80b9002d at kdb_backtrace+0x5d
#1 0xffffffff80b43132 at vpanic+0x132
#2 0xffffffff80b42ff3 at panic+0x43
#3 0xffffffff8100c85c at trap_fatal+0x40c
#4 0xffffffff8100c8af at trap_pfault+0x4f
#5 0xffffffff80fe3828 at calltrap+0x8
#6 0xffffffff80c5ceb5 at if_attach_internal+0x55
#7 0xffffffff80c6824c at ether_ifattach+0x2c
#8 0xffffffff80f779c6 at hn_attach+0x21d6
#9 0xffffffff80b7fa1e at device_attach+0x3be
#10 0xffffffff80b84dcf at devctl2_ioctl+0x56f
#11 0xffffffff809d10dc at devfs_ioctl+0xcc
#12 0xffffffff80c3b9b4 at vn_ioctl+0xd4
#13 0xffffffff809d177e at devfs_ioctl_f+0x1e
#14 0xffffffff80bb1535 at kern_ioctl+0x255
#15 0xffffffff80bb1273 at sys_ioctl+0x123
#16 0xffffffff8100d119 at amd64_syscall+0x109
#17 0xffffffff80fe413b at fast_syscall_common+0xf8
Uptime: 15s
Dumping 212 out of 470 MB:..8%..16%..23%..31%..46%..53%..61%..76%..83%..91%

__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
57	/usr/src/sys/amd64/include/pcpu_aux.h: No such file or directory.
(kgdb) #0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=<optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff80b42cc7 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:526
#3  0xffffffff80b4319f in vpanic (fmt=0xffffffff81136b3b "%s", 
    ap=ap@entry=0xfffffe0053f4b750) at /usr/src/sys/kern/kern_shutdown.c:970
#4  0xffffffff80b42ff3 in panic (fmt=<unavailable>)
    at /usr/src/sys/kern/kern_shutdown.c:894
#5  0xffffffff8100c85c in trap_fatal (frame=0xfffffe0053f4b840, eva=40)
    at /usr/src/sys/amd64/amd64/trap.c:952
#6  0xffffffff8100c8af in trap_pfault (frame=0xfffffe0053f4b840, 
    usermode=false, signo=<optimized out>, ucode=<optimized out>)
    at /usr/src/sys/amd64/amd64/trap.c:760
#7  <signal handler called>
#8  0xffffffff80c5e0c8 in if_addgroup (ifp=ifp@entry=0xfffff80007fca000, 
    groupname=0xffffffff811e1f39 "all") at /usr/src/sys/net/if.c:1477
#9  0xffffffff80c5ceb5 in if_attach_internal (
    ifp=ifp@entry=0xfffff80007fca000, vmove=false)
    at /usr/src/sys/net/if.c:842
#10 0xffffffff80c5ce59 in if_attach (ifp=0xfffff80006eb6800, 
    ifp@entry=0xfffff80007fca000) at /usr/src/sys/net/if.c:772
#11 0xffffffff80c6824c in ether_ifattach (ifp=0xfffff80006eb6800, 
    ifp@entry=0xfffff80007fca000, lla=0xfffff80001027500 "", 
    lla@entry=0xfffffe0053f4ba80 "") at /usr/src/sys/net/if_ethersubr.c:1001
#12 0xffffffff80f779c6 in hn_attach (dev=0xfffff8000291ce00)
    at /usr/src/sys/dev/hyperv/netvsc/if_hn.c:2436
#13 0xffffffff80b7fa1e in DEVICE_ATTACH (dev=0xfffff8000291ce00)
    at ./device_if.h:195
#14 device_attach (dev=dev@entry=0xfffff8000291ce00)
    at /usr/src/sys/kern/subr_bus.c:2535
#15 0xffffffff80b84dcf in devctl2_ioctl (cdev=<optimized out>, 
    cmd=2157462531, data=<optimized out>, fflag=<optimized out>, 
    td=0xfffffe0054963c80) at /usr/src/sys/kern/subr_bus.c:5433
#16 0xffffffff809d10dc in devfs_ioctl (ap=0xfffffe0053f4bc40)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:933
#17 0xffffffff80c3b9b4 in vn_ioctl (fp=0xfffff8000704ce10, 
    com=18446735277633467648, data=0xfffff8000779ee00, 
    active_cred=0xfffff8000702cb00, td=0x0)
    at /usr/src/sys/kern/vfs_vnops.c:1701
#18 0xffffffff809d177e in devfs_ioctl_f (fp=0xfffff80006eb6800, 
    com=18446735277633467648, data=0x1, cred=0x1, td=0x0)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:864
#19 0xffffffff80bb1535 in fo_ioctl (fp=0xfffff8000704ce10, com=2157462531, 
    data=0x1, active_cred=0x1, td=0xfffffe0054963c80)
    at /usr/src/sys/sys/file.h:366
#20 kern_ioctl (td=td@entry=0xfffffe0054963c80, fd=<optimized out>, 
    com=com@entry=2157462531, 
    data=0x1 <error: Cannot access memory at address 0x1>, 
    data@entry=0xfffff8000779ee00 "hn0")
    at /usr/src/sys/kern/sys_generic.c:805
#21 0xffffffff80bb1273 in sys_ioctl (td=0xfffffe0054963c80, 
    uap=0xfffffe0054964080) at /usr/src/sys/kern/sys_generic.c:713
#22 0xffffffff8100d119 in syscallenter (td=0xfffffe0054963c80)
    at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:187
#23 amd64_syscall (td=0xfffffe0054963c80, traced=0)
    at /usr/src/sys/amd64/amd64/trap.c:1197
#24 <signal handler called>
#25 0x000032e7074bce0a in ?? ()
Backtrace stopped: Cannot access memory at address 0x32e7069aff48
(kgdb)
Comment 1 Zhenlei Huang freebsd_committer freebsd_triage 2023-11-27 17:20:15 UTC
Other ethernet interface drivers are also affected, tested with re(4) and cxgbe(4).

Proposed fix: https://reviews.freebsd.org/D42678
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2024-10-03 07:17:38 UTC
^Triage: clear stale flags.
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2024-10-08 05:04:24 UTC
^Triage: clear unneeded flags.  Nothing has yet been committed to be merged.
Comment 4 Mark Johnston freebsd_committer freebsd_triage 2024-10-18 13:36:08 UTC
This is the same bug as PR 282168, more or less.  I posted a patch for it.  https://reviews.freebsd.org/D42678 isn't sufficient for that particular crash, since the device_attach() call comes from a bus driver, not the devctl ioctl.
Comment 5 Zhenlei Huang freebsd_committer freebsd_triage 2024-10-19 01:14:14 UTC
(In reply to Mark Johnston from comment #4)
In D42678, @jhb and @bz hint that setting vnet0 in the bus is a layer violation, and that it should be fixed in the ifnet layer. But I'm fine with your patch. It just **works** :). There should be no side effects from my perspective.
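
The coverage argument from comments 4 and 5, as an added userland C model that is not part of the bug thread or of FreeBSD. It assumes the fault comes from attaching an interface with no vnet context set (inferred from the thread's mention of setting vnet0); all function and enum names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Userland model only: every name here is a hypothetical stand-in, not FreeBSD code. */
struct vnet { int ngroups; };       /* per-network-stack state */
static struct vnet vnet0;           /* the default instance */
static struct vnet *curvnet;        /* current context; NULL unless a caller set it */

enum fix { FIX_NONE, FIX_IOCTL_ENTRY, FIX_IFNET_LAYER };

/* ifnet layer: touches per-vnet state, so it needs a context. */
static int model_if_attach(enum fix fix)
{
    struct vnet *saved = curvnet;
    int rc = 0;
    if (fix == FIX_IFNET_LAYER && curvnet == NULL)
        curvnet = &vnet0;           /* callee establishes the context itself */
    if (curvnet == NULL)
        rc = -1;                    /* assumed crash site: NULL context dereferenced */
    else
        curvnet->ngroups++;
    curvnet = saved;
    return rc;
}

/* Path 1: device_attach() reached from the devctl ioctl. */
static int attach_via_devctl_ioctl(enum fix fix)
{
    struct vnet *saved = curvnet;
    int rc;
    if (fix == FIX_IOCTL_ENTRY)
        curvnet = &vnet0;           /* context set only at this entry point */
    rc = model_if_attach(fix);
    curvnet = saved;
    return rc;
}

/* Path 2: device_attach() reached from a bus driver, bypassing the ioctl. */
static int attach_via_bus_driver(enum fix fix)
{
    return model_if_attach(fix);
}
int main(void)
{
    for (int f = FIX_NONE; f <= FIX_IFNET_LAYER; f++)
        printf("fix=%d ioctl=%d bus=%d\n", f,
            attach_via_devctl_ioctl((enum fix)f), attach_via_bus_driver((enum fix)f));
    return 0;
}
```

A return of -1 marks the path on which the model would have faulted: the entry-point fix leaves the bus-driver path uncovered, while a fix in the layer both paths share covers both.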
Comment 6 Mark Johnston freebsd_committer freebsd_triage 2024-10-19 12:42:30 UTC

*** This bug has been marked as a duplicate of bug 282168 ***