Date: Tue, 26 Oct 2021 13:21:16 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 259458] iflib_rxeof NULL pointer crash with vmxnet3 driver Message-ID: <bug-259458-227-1IRAsuYdVn@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-259458-227@https.bugs.freebsd.org/bugzilla/> References: <bug-259458-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259458

--- Comment #2 from Andriy Gapon <avg@FreeBSD.org> ---
(kgdb) fr 20
#20 iflib_rxeof (rxq=<optimized out>, budget=<optimized out>) at /usr/src/sys/net/iflib.c:2879
2879 in /usr/src/sys/net/iflib.c
(kgdb) i loc
ri = {iri_qsidx = 0, iri_vtag = 0, iri_len = 60, iri_cidx = 328, iri_ifp = 0xfffff80002d9e000, iri_frags = 0xfffffe00ea9f5180, iri_flowid = 0, iri_csum_flags = 0, iri_csum_data = 0, iri_flags = 0 '\000', iri_nfrags = 1 '\001', iri_rsstype = 0 '\000', iri_pad = 0 '\000'}
ctx = 0xfffff80002dd2000
lro_possible = <error reading variable lro_possible (Cannot access memory at address 0x0)>
v4_forwarding = <error reading variable v4_forwarding (Cannot access memory at address 0x0)>
v6_forwarding = <error reading variable v6_forwarding (Cannot access memory at address 0x0)>
retval = <error reading variable retval (Cannot access memory at address 0x0)>
scctx = <optimized out>
sctx = 0xffffffff810f1100 <vmxnet3_sctx_init>
rx_pkts = <error reading variable rx_pkts (Cannot access memory at address 0x0)>
rx_bytes = <error reading variable rx_bytes (Cannot access memory at address 0x0)>
mh = 0xfffff800b371d100
mt = 0xfffff800b371d100
ifp = 0xfffff80002d9e000
cidxp = 0xfffffe00ea9f5018
avail = 1
budget_left = 15
err = <optimized out>
m = <optimized out>
i = <optimized out>
fl = <optimized out>
mf = <optimized out>
lro_enabled = <optimized out>
(kgdb) p *cidxp
$4 = 328
(kgdb) p ri.iri_frags[0]
$5 = {irf_flid = 0 '\000', irf_idx = 327, irf_len = 60}
(kgdb) fr 19
#19 0xffffffff8084d049 in iflib_rxd_pkt_get (rxq=0xfffffe00ea9f5000, ri=<optimized out>) at /usr/src/sys/net/iflib.c:2737
2737 /usr/src/sys/net/iflib.c: No such file or directory.
(kgdb) p *rxq
$6 = {ifr_ctx = 0xfffff80002dd2000, ifr_fl = 0xfffff80002d93400, ifr_rx_irq = 0, ifr_cq_cidx = 328, ifr_id = 0, ifr_nfl = 2 '\002', ifr_ntxqirq = 1 '\001', ifr_txqid = "\000\000\000", ifr_fl_offset = 1 '\001', ifr_lc = { ifp = 0xfffff80002d9e000, lro_mbuf_data = 0xfffffe00ea9f1000, lro_queued = 0, lro_flushed = 0, lro_bad_csum = 0, lro_cnt = 8, lro_mbuf_count = 0, lro_mbuf_max = 512, lro_ackcnt_lim = 65535, lro_length_lim = 65535, lro_hashsz = 509, lro_hash = 0xfffff8000410d000, lro_active = {lh_first = 0x0}, lro_free = {lh_first = 0xfffffe00ea9f33f0}}, ifr_task = {gt_task = {ta_link = {stqe_next = 0x0}, ta_flags = 2, ta_priority = 0, ta_func = 0xffffffff8084cd90 <_task_fn_rx>, ta_context = 0xfffffe00ea9f5000}, gt_taskqueue = 0xfffff800020c7200, gt_list = {le_next = 0x0, le_prev = 0xfffffe00015f08a8}, gt_uniq = 0xfffffe00ea9f5000, gt_name = "rxq0", '\000' <repeats 27 times>, gt_irq = 257, gt_cpu = 0}, ifr_watchdog = {c_links = {le = {le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}}, c_time = 0, c_precision = 0, c_arg = 0x0, c_func = 0x0, c_lock = 0x0, c_flags = 0, c_iflags = 16, c_cpu = 0, c_exec_time = 0, c_lines = {u128 = 1528, u16 = {1528, 0, 0, 0, 0, 0, 0, 0}}}, ifr_filter_info = { ifi_filter = 0xffffffff80a3c580 <vmxnet3_rxq_intr>, ifi_filter_arg = 0xfffff80004110000, ifi_task = 0xfffffe00ea9f5088, ifi_ctx = 0xfffffe00ea9f5000}, ifr_ifdi = 0xfffff80002d99400, ifr_frags = {{irf_flid = 0 '\000', irf_idx = 327, irf_len = 60}, {irf_flid = 0 '\000', irf_idx = 0, irf_len = 0} <repeats 63 times>}}
(kgdb) p rxq->ifr_fl[0]
$7 = {ifl_cidx = 328, ifl_pidx = 341, ifl_credits = 509, ifl_gen = 0 '\000', ifl_rxd_size = 0 '\000', ifl_rx_bitmap = 0xfffff80002cb5ec0, ifl_fragidx = 142, ifl_size = 512, ifl_buf_size =
2048, ifl_cltype = 1, ifl_zone = 0xfffff800029c6000, ifl_sds = {ifsd_map = 0xfffff80002d5f000, ifsd_m = 0xfffff80002d62000, ifsd_cl = 0xfffff80002d61000, ifsd_ba = 0xfffff80002d60000}, ifl_rxq = 0xfffffe00ea9f5000, ifl_id = 0 '\000', ifl_buf_tag = 0xfffff80002d74400, ifl_ifdi = 0xfffff80002d99428, ifl_bus_addrs = {4884103168, 4884094976, 4887971840, 4887965696, 4898656256, 4898662400, 4898660352, 4898617344, 4753053696, 4753018880, 4753020928, 4883597312, 4898639872, 4898646016, 4898643968, 4898650112, 4884144128, 4884150272, 4884148224, 4884154368, 4884152320, 4884158464, 4884156416, 4884162560, 4884160512, 4884166656, 4884111360, 4884117504, 4884115456, 4884121600, 4884119552, 4884125696}, ifl_rxd_idxs = {141, 137, 120, 121, 323, 324, 325, 326, 0, 1, 2, 3, 315, 316, 317, 318, 496, 497, 498, 499, 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 511}}
(kgdb) p $7.ifl_sds.ifsd_cl[327]
$8 = (caddr_t) 0x0
(kgdb) p $7.ifl_sds.ifsd_cl[326]
$9 = (caddr_t) 0xfffff80123faf800 "\377\377\377\377\377\377"
(kgdb) p $7.ifl_sds.ifsd_cl[328]
$10 = (caddr_t) 0xfffff8012322b800 "\377\377\377\377\377\377"

-- 
You are receiving this mail because:
You are the assignee for the bug.