From owner-freebsd-bugs@freebsd.org  Tue Dec 27 16:42:14 2016
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A4AEEC93C9D
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Tue, 27 Dec 2016 16:42:14 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 948271005
 for <freebsd-bugs@FreeBSD.org>; Tue, 27 Dec 2016 16:42:14 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id uBRGgESH074450
 for <freebsd-bugs@FreeBSD.org>; Tue, 27 Dec 2016 16:42:14 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 215613] [panic] if if_ixl due to NULL pointer dereference
Date: Tue, 27 Dec 2016 16:42:14 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: ae@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-215613-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Dec 2016 16:42:14 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D215613

            Bug ID: 215613
           Summary: [panic] if if_ixl due to NULL pointer dereference
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ae@FreeBSD.org

Sometimes the system panics just after reboot when it starts network activi=
ty.

# grep ixl /var/run/dmesg.boot
ixl0: <Intel(R) Ethernet Connection XL710/X722 Driver, Version - 1.6.6-k> m=
em
0xdc000000-0xdc7fffff,0xdd000000-0xdd007fff irq 42 at device 0.0 numa-domai=
n 0
on pci7
ixl0: Using MSIX interrupts with 9 vectors
ixl0: fw 4.22.26225 api 1.2 nvm 4.24 etid 800013fd oem 0.0.0
ixl0: The driver for the device detected an older version of the NVM image =
than
expected.
ixl0: PF-ID[0]: VFs 128, MSIX 129, VF MSIX 5, QPs 1536, I2C
ixl0: Allocating 8 queues for PF LAN VSI; 8 queues active
ixl0: Ethernet address: 68:05:ca:30:45:30
ixl0: PCI Express Bus: Speed 8.0GT/s Width x8
ixl0: SR-IOV ready
ixl0: netmap queues/slots: TX 8/1024, RX 8/1024
ixl0: link state changed to UP

----

Fatal trap 12: page fault while in kernel mode
cpuid =3D 21; apic id =3D 25
fault virtual address   =3D 0x64
fault code              =3D supervisor read data, page not present
instruction pointer     =3D 0x20:0xffffffff80b44d79
stack pointer           =3D 0x28:0xfffffe1048a133b0
frame pointer           =3D 0x28:0xfffffe1048a133d0
code segment            =3D base 0x0, limit 0xfffff, type 0x1b
                        =3D DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        =3D interrupt enabled, resume, IOPL =3D 0
current process         =3D 1159 (bird)

(kgdb) bt
#0  doadump (textdump=3D1218522560) at pcpu.h:222
#1  0xffffffff8038c596 in db_fncall (dummy1=3D<value optimized out>,
dummy2=3D<value optimized out>, dummy3=3D<value optimized out>, dummy4=3D<v=
alue
optimized out>)
    at /usr/src/sys/ddb/db_command.c:581
#2  0xffffffff8038c0f9 in db_command (cmd_table=3D<value optimized out>) at
/usr/src/sys/ddb/db_command.c:453
#3  0xffffffff8038be54 in db_command_loop () at
/usr/src/sys/ddb/db_command.c:506
#4  0xffffffff8038efbf in db_trap (type=3D<value optimized out>, code=3D<va=
lue
optimized out>) at /usr/src/sys/ddb/db_main.c:248
#5  0xffffffff80b32f33 in kdb_trap (type=3D<value optimized out>, code=3D<v=
alue
optimized out>, tf=3D<value optimized out>) at /usr/src/sys/kern/subr_kdb.c=
:654
#6  0xffffffff80fa25b1 in trap_fatal (frame=3D0xfffffe1048a132f0, eva=3D100=
) at
/usr/src/sys/amd64/amd64/trap.c:796
#7  0xffffffff80fa27e3 in trap_pfault (frame=3D0xfffffe1048a132f0, usermode=
=3D0) at
/usr/src/sys/amd64/amd64/trap.c:658
#8  0xffffffff80fa1de3 in trap (frame=3D0xfffffe1048a132f0) at
/usr/src/sys/amd64/amd64/trap.c:421
#9  0xffffffff80f84191 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:236
#10 0xffffffff80b44d79 in taskqueue_enqueue (queue=3D0x0,
task=3D0xfffffe0001a0e0b0) at pcpu.h:222
#11 0xffffffff8103f1ef in ixl_mq_start (ifp=3D<value optimized out>, m=3D<v=
alue
optimized out>) at /usr/src/sys/dev/ixl/ixl_txrx.c:135
#12 0xffffffff80c06894 in vlan_transmit (ifp=3D<value optimized out>, m=3D<=
value
optimized out>) at /usr/src/sys/net/if_vlan.c:1116
#13 0xffffffff80bfc5fe in ether_output (ifp=3D<value optimized out>, m=3D<v=
alue
optimized out>, dst=3D0xfffffe1048a13610, ro=3D<value optimized out>)
    at /usr/src/sys/net/if_ethersubr.c:424
#14 0xffffffff80c80a3f in ip_output (m=3D0xfffffe0001a0e0b0, opt=3D<value o=
ptimized
out>, ro=3D<value optimized out>, flags=3D<value optimized out>, imo=3D0x0,=
=20
    inp=3D<value optimized out>) at /usr/src/sys/netinet/ip_output.c:660
#15 0xffffffff80c84423 in rip_output (m=3D0xfffff803405eab00, so=3D<value o=
ptimized
out>) at /usr/src/sys/netinet/raw_ip.c:538
#16 0xffffffff80b86757 in sosend_generic (so=3D<value optimized out>, addr=
=3D<value
optimized out>, uio=3D<value optimized out>, top=3D<value optimized out>,=20
    control=3D<value optimized out>, flags=3D<value optimized out>, td=3D<v=
alue
optimized out>) at /usr/src/sys/kern/uipc_socket.c:1359
#17 0xffffffff80b8e4c3 in kern_sendit (td=3D<value optimized out>, s=3D<val=
ue
optimized out>, mp=3D<value optimized out>, flags=3D0, control=3D<value opt=
imized
out>,=20
    segflg=3DUIO_USERSPACE) at /usr/src/sys/kern/uipc_syscalls.c:811
#18 0xffffffff80b8e8cf in sendit (td=3D0xfffff802e58a8000, s=3D<value optim=
ized
out>, mp=3D0xfffffe1048a138d8, flags=3D<value optimized out>)
    at /usr/src/sys/kern/uipc_syscalls.c:736
#19 0xffffffff80b8e981 in sys_sendmsg (td=3D0xfffff802e58a8000,
uap=3D0xfffffe1048a139d0) at /usr/src/sys/kern/uipc_syscalls.c:912
#20 0xffffffff80fa2f9e in amd64_syscall (td=3D<value optimized out>, traced=
=3D0) at
subr_syscall.c:135
#21 0xffffffff80f8447b in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:396
#22 0x0000000800c2386a in ?? ()
Previous frame inner to this frame (corrupt stack?)

(kgdb) f 11
#11 0xffffffff8103f1ef in ixl_mq_start (ifp=3D<value optimized out>, m=3D<v=
alue
optimized out>) at /usr/src/sys/dev/ixl/ixl_txrx.c:135
warning: Source file is more recent than executable.

135                     taskqueue_enqueue(que->tq, &que->tx_task);
(kgdb) i lo
vsi =3D <value optimized out>
txr =3D (struct tx_ring *) 0xfffffe0001a0de68
(kgdb) p *txr
$1 =3D {que =3D 0xfffffe0001a0de38, mtx =3D {lock_object =3D {lo_name =3D
0xfffffe0001a0df10 "ixl0:tx(5)", lo_flags =3D 16973824, lo_data =3D 0, lo_w=
itness =3D
0x0}, mtx_lock =3D 4},=20
  tail =3D 1081364, base =3D 0xfffffe1045c49000, dma =3D {va =3D 0xfffffe10=
45c49000, pa
=3D 214208512, tag =3D 0xfffff8000ca4d900, map =3D 0x0, seg =3D {ds_addr =
=3D 0, ds_len =3D
0},=20
    size =3D 16512, nseg =3D 1, flags =3D 0}, next_avail =3D 13, next_to_cl=
ean =3D 0,
atr_rate =3D 0, atr_count =3D 0, itr =3D 122, latency =3D 1, buffers =3D
0xfffffe0001abf000,=20
  avail =3D 1011, cmd =3D 0, tx_tag =3D 0xfffff8000ca4d800, tso_tag =3D
0xfffff8000ca4d700, mtx_name =3D 0xfffffe0001a0df10 "ixl0:tx(5)", br =3D
0xfffffe0001ac7000, packets =3D 0,=20
  bytes =3D 0, tx_bytes =3D 0, no_desc =3D 0, total_packets =3D 8}
(kgdb) p *txr->que
$3 =3D {vsi =3D 0xfffffe000168e730, me =3D 5, msix =3D 0, eims =3D 0, res =
=3D 0x0, tag =3D
0x0, num_desc =3D 1024, busy =3D 1, txr =3D {que =3D 0xfffffe0001a0de38, mt=
x =3D
{lock_object =3D {
        lo_name =3D 0xfffffe0001a0df10 "ixl0:tx(5)", lo_flags =3D 16973824,=
 lo_data
=3D 0, lo_witness =3D 0x0}, mtx_lock =3D 4}, tail =3D 1081364, base =3D
0xfffffe1045c49000, dma =3D {
      va =3D 0xfffffe1045c49000, pa =3D 214208512, tag =3D 0xfffff8000ca4d9=
00, map =3D
0x0, seg =3D {ds_addr =3D 0, ds_len =3D 0}, size =3D 16512, nseg =3D 1, fla=
gs =3D 0},
next_avail =3D 13,=20
    next_to_clean =3D 0, atr_rate =3D 0, atr_count =3D 0, itr =3D 122, late=
ncy =3D 1,
buffers =3D 0xfffffe0001abf000, avail =3D 1011, cmd =3D 0, tx_tag =3D
0xfffff8000ca4d800,=20
    tso_tag =3D 0xfffff8000ca4d700, mtx_name =3D 0xfffffe0001a0df10 "ixl0:t=
x(5)",
br =3D 0xfffffe0001ac7000, packets =3D 0, bytes =3D 0, tx_bytes =3D 0, no_d=
esc =3D 0,=20
    total_packets =3D 8}, rxr =3D {que =3D 0xfffffe0001a0de38, mtx =3D {loc=
k_object =3D
{lo_name =3D 0xfffffe0001a0e02c "ixl0:rx(5)", lo_flags =3D 16973824, lo_dat=
a =3D 0,=20
        lo_witness =3D 0x0}, mtx_lock =3D 4}, base =3D 0xfffffe1045c4e000, =
dma =3D {va
=3D 0xfffffe1045c4e000, pa =3D 214228992, tag =3D 0xfffff8000ca4d600, map =
=3D 0x0, seg
=3D {
        ds_addr =3D 0, ds_len =3D 0}, size =3D 32768, nseg =3D 1, flags =3D=
 0}, lro =3D
{ifp =3D 0xfffff8000c7ad800, lro_mbuf_data =3D 0xfffff801d814f000, lro_queu=
ed =3D 0,=20
      lro_flushed =3D 0, lro_bad_csum =3D 0, lro_cnt =3D 8, lro_mbuf_count =
=3D 0,
lro_mbuf_max =3D 0, lro_ackcnt_lim =3D 65535, lro_length_lim =3D 65535, lro=
_hashsz =3D
1,=20
      lro_hash =3D 0xfffff8020981bf00, lro_active =3D {lh_first =3D 0x0}, l=
ro_free =3D
{lh_first =3D 0xfffff801d814f3f0}}, lro_enabled =3D false, hdr_split =3D fa=
lse,
discard =3D false,=20
    next_refresh =3D 0, next_check =3D 0, itr =3D 62, latency =3D 1, mtx_na=
me =3D
0xfffffe0001a0e02c "ixl0:rx(5)", buffers =3D 0xfffffe0001ad7000, mbuf_sz =
=3D 4096,
tail =3D 1212436,=20
    htag =3D 0xfffff8000ca4d500, ptag =3D 0xfffff8000ca4d400, packets =3D 0=
, bytes =3D
0, split =3D 0, rx_packets =3D 0, rx_bytes =3D 0, desc_errs =3D 0, not_done=
 =3D 0}, task
=3D {
    ta_link =3D {stqe_next =3D 0x0}, ta_pending =3D 0, ta_priority =3D 0, t=
a_func =3D 0,
ta_context =3D 0x0}, tx_task =3D {ta_link =3D {stqe_next =3D 0x0}, ta_pendi=
ng =3D 0,=20
    ta_priority =3D 0, ta_func =3D 0, ta_context =3D 0x0}, tq =3D 0x0, irqs=
 =3D 0, tso =3D
0, mbuf_defrag_failed =3D 0, mbuf_hdr_failed =3D 0, mbuf_pkt_failed =3D 0,
tx_dmamap_failed =3D 0,=20
  dropped_pkts =3D 0}
(kgdb) p txr->que->tq
$4 =3D (struct taskqueue *) 0x0
(kgdb) p &txr->que->tq->tq_spin
$5 =3D (int *) 0x64


It looks like ixl_mq_start() somehow was called when queues are not yet
initialized (or already freed).

--=20
You are receiving this mail because:
You are the assignee for the bug.=