NetBSD-Bugs archive
Re: kern/59675 (pppoe crashes kernel)
Synopsis: pppoe crashes kernel
State-Changed-From-To: open->analyzed
State-Changed-By: riastradh%NetBSD.org@localhost
State-Changed-When: Wed, 31 Dec 2025 14:21:18 +0000
State-Changed-Why:
sppp_set_ip_addrs used to be run from softint context but as of
if_spppsubr.c 1.227 (or a related one, not 100% sure which one is the
culprit since there's a tangle of function pointers in the call graph)
is run from thread context in a workqueue. Since that change, it is no
longer run in a context that allows psref(9). Fixing it requires
curlwp_bind/bindx around the psref.
knakahara@ fixed this for sppp_get_ip_addrs in 1.260 but the same
treatment is needed for sppp_set_ip_addrs, and, presumably,
sppp_clear_ip_addrs, as well as the ip6 variants thereof.
Side note: The locking in these looks very suspicious:
	KASSERT(SPPP_WLOCKED(sp));
	ifp = &sp->pp_if;
	SPPP_UNLOCK(sp);
	IFNET_LOCK(ifp);
	SPPP_LOCK(sp, RW_WRITER);
I suspect that what should really happen here is that the callers
should take the ifnet lock where they currently take the sppp lock, and
the sppp lock should either go away or be made much finer-grained over
whatever resources are actually used in the packet-processing path.
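A simplified userland model of the psref(9) CPU-binding rule this PR hinges on, added here as an illustration; it is not code from if_spppsubr.c or the NetBSD kernel. The function names mirror the kernel API, but the single global lwp, the psref struct and the two set_ip_addrs stand-ins are constructed for the example; the "after" function follows the curlwp_bind/bindx bracket described for sppp_get_ip_addrs in 1.260.

```c
#include <stdbool.h>
#define LP_BOUND 0x01                 /* mirrors the kernel's l_pflag bit */
struct lwp { int l_pflag; };
static struct lwp lwp0;               /* stands in for curlwp */
#define curlwp (&lwp0)
struct psref { int held; };

/* Bind the current thread to its CPU; returns the previous state so that
 * nested bind/bindx pairs restore it (the kernel uses the same scheme). */
static int curlwp_bind(void)
{
	int bound = curlwp->l_pflag & LP_BOUND;
	curlwp->l_pflag |= LP_BOUND;
	return bound;
}
static void curlwp_bindx(int bound)
{
	curlwp->l_pflag ^= bound ^ LP_BOUND;   /* restore what bind() saw */
}

/* psref(9) is CPU-local, so acquiring needs a CPU-bound caller; the
 * KASSERT that panics in kern/59675 is modelled as a false return. */
static bool psref_acquire(struct psref *p)
{
	if (!(curlwp->l_pflag & LP_BOUND))
		return false;
	p->held = 1;
	return true;
}
static void psref_release(struct psref *p) { p->held = 0; }

/* Before: in the kernel this was fine from softint context (CPU-local),
 * but a workqueue thread is not bound, so the acquire fails. */
static bool set_ip_addrs_unbound(void)
{
	struct psref psref;
	if (!psref_acquire(&psref))
		return false;
	psref_release(&psref);
	return true;
}

/* After: the curlwp_bind/bindx bracket the PR asks for. */
static bool set_ip_addrs_bound(void)
{
	struct psref psref;
	int bound = curlwp_bind();
	bool ok = psref_acquire(&psref);
	if (ok)
		psref_release(&psref);
	curlwp_bindx(bound);   /* leaves the thread as it was found */
	return ok;
}
```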