Date: Sun, 14 Feb 2021 22:52:26 +0000
From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 253521] bhyve crash with e1000 emulation
Message-ID: <bug-253521-27103@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253521

            Bug ID: 253521
           Summary: bhyve crash with e1000 emulation
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: sigsys@gmail.com

bhyve sometimes crashes with a Windows 10 guest and an e1000 emulated NIC. It only happened on boot with a VNC viewer connected to bhyve, but I don't know how related that might be.

(gdb) bt
#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
#1  0x0000104da5a873e2 in e82545_transmit (sc=<optimized out>, head=<optimized out>, tail=<optimized out>, dsize=<optimized out>, rhead=0x1e10f92, tdwb=0x1e10f84) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
#2  0x0000104da5a8642c in e82545_tx_run (sc=0x1056f8b1c000) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1458
#3  e82545_tx_thread (param=0x1056f8b1c000) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1497
#4  0x00001055a934efac in thread_start (curthread=0x1056fd98d500) at /usr/src/lib/libthr/thread/thr_create.c:292
#5  0x0000000000000000 in ?? ()
Backtrace stopped: Cannot access memory at address 0x1e11000
(gdb) frame 1
#1  0x0000104da5a873e2 in e82545_transmit (sc=<optimized out>, head=<optimized out>, tail=<optimized out>, dsize=<optimized out>, rhead=0x1e10f92, tdwb=0x1e10f84) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
1301            memcpy(hdrp, iov->iov_base, now);
(gdb) p iovcnt
$14 = 1
(gdb) p *iov
$15 = {
  iov_base = 0x0,
  iov_len = 286
}

I don't understand most of this function, but there's clearly a bug in e82545_transmit() with an uninitialized iov being used.

diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c
index dca981be85fa..a4b631b8b8de 100644
--- a/usr.sbin/bhyve/pci_e82545.c
+++ b/usr.sbin/bhyve/pci_e82545.c
@@ -1145,22 +1145,22 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, if (len > 0) { /* Strip checksum supplied by guest. */ if ((dsc->td.lower.data & E1000_TXD_CMD_EOP) != 0 && (dsc->td.lower.data & E1000_TXD_CMD_IFCS) == 0) len -= 2; tlen += len; if (iovcnt < I82545_MAX_TXSEGS) { iov[iovcnt].iov_base = paddr_guest2host( sc->esc_ctx, dsc->td.buffer_addr, len); iov[iovcnt].iov_len = len; + iovcnt++; } - iovcnt++; } /* * Pull out info that is valid in the final descriptor * and exit descriptor loop. */ if (dsc->td.lower.data & E1000_TXD_CMD_EOP) { if (dtype == E1000_TXD_TYP_L) { if (dsc->td.lower.data & E1000_TXD_CMD_IC) { ckinfo[0].ck_valid = 1; -- You are receiving this mail because: You are the assignee for the bug.
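Review bot: moving `iovcnt++` inside the `if (iovcnt < I82545_MAX_TXSEGS)` block is correct as far as it goes (iovcnt now counts only entries that were actually written, so a descriptor chain longer than I82545_MAX_TXSEGS can no longer push the count past the array), but it does not obviously explain the dump above: gdb shows iovcnt = 1 and iov[0] with iov_len = 286 but iov_base = 0x0, i.e. an entry that went through this assignment and received a NULL pointer. The return value of paddr_guest2host(sc->esc_ctx, dsc->td.buffer_addr, len) is stored in iov_base without a check, so a guest descriptor whose buffer_addr does not map to host memory lands in the iov as NULL and reaches memcpy(hdrp, iov->iov_base, now). Suggest checking the result and dropping the packet (no transmission, descriptors still consumed) when it is NULL. A smaller point in the same hunk: `tlen += len;` still runs for descriptors beyond the segment limit, so tlen can exceed the bytes the iov actually covers; either account tlen only inside the if, or treat an over-long chain as a malformed packet and discard it rather than truncating it silently.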
