Date:      Sun, 14 Feb 2021 22:52:26 +0000
From:      bugzilla-noreply@freebsd.org
To:        virtualization@FreeBSD.org
Subject:   [Bug 253521] bhyve crash with e1000 emulation
Message-ID:  <bug-253521-27103@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253521

            Bug ID: 253521
           Summary: bhyve crash with e1000 emulation
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: sigsys@gmail.com

bhyve sometimes crashes with a Windows 10 guest and an e1000 emulated NIC. It
only happened on boot with a VNC viewer connected to bhyve, but I don't know how
related that might be.

(gdb) bt
#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
#1  0x0000104da5a873e2 in e82545_transmit (sc=<optimized out>, head=<optimized out>,
    tail=<optimized out>, dsize=<optimized out>, rhead=0x1e10f92, tdwb=0x1e10f84)
    at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
#2  0x0000104da5a8642c in e82545_tx_run (sc=0x1056f8b1c000)
    at /usr/src/usr.sbin/bhyve/pci_e82545.c:1458
#3  e82545_tx_thread (param=0x1056f8b1c000)
    at /usr/src/usr.sbin/bhyve/pci_e82545.c:1497
#4  0x00001055a934efac in thread_start (curthread=0x1056fd98d500)
    at /usr/src/lib/libthr/thread/thr_create.c:292
#5  0x0000000000000000 in ?? ()
Backtrace stopped: Cannot access memory at address 0x1e11000
(gdb) frame 1
#1  0x0000104da5a873e2 in e82545_transmit (sc=<optimized out>, head=<optimized out>,
    tail=<optimized out>, dsize=<optimized out>, rhead=0x1e10f92, tdwb=0x1e10f84)
    at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
1301                            memcpy(hdrp, iov->iov_base, now);
(gdb) p iovcnt
$14 = 1
(gdb) p *iov
$15 = {
  iov_base = 0x0,
  iov_len = 286
}

I don't understand most of this function, but there's clearly a bug in
e82545_transmit() with an uninitialized iov being used.

diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c
index dca981be85fa..a4b631b8b8de 100644
--- a/usr.sbin/bhyve/pci_e82545.c
+++ b/usr.sbin/bhyve/pci_e82545.c
@@ -1145,22 +1145,22 @@ e82545_transmit(struct e82545_softc *sc, uint16_t h=
ead,
uint16_t tail,
                if (len > 0) {
                        /* Strip checksum supplied by guest. */
                        if ((dsc->td.lower.data & E1000_TXD_CMD_EOP) !=3D 0=
 &&
                            (dsc->td.lower.data & E1000_TXD_CMD_IFCS) =3D=
=3D 0)
                                len -=3D 2;
                        tlen +=3D len;
                        if (iovcnt < I82545_MAX_TXSEGS) {
                                iov[iovcnt].iov_base =3D paddr_guest2host(
                                    sc->esc_ctx, dsc->td.buffer_addr, len);
                                iov[iovcnt].iov_len =3D len;
+                               iovcnt++;
                        }
-                       iovcnt++;
                }

                /*
                 * Pull out info that is valid in the final descriptor
                 * and exit descriptor loop.
                 */
                if (dsc->td.lower.data & E1000_TXD_CMD_EOP) {
                        if (dtype =3D=3D E1000_TXD_TYP_L) {
                                if (dsc->td.lower.data & E1000_TXD_CMD_IC) {
                                        ckinfo[0].ck_valid =3D 1;
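Review bot: moving iovcnt++ inside the `if (iovcnt < I82545_MAX_TXSEGS)` block keeps iovcnt from running past the iov array, but it does not account for the crash in the backtrace above, where iovcnt is 1 and iov[0] is {iov_base = 0x0, iov_len = 286}: that entry was fully written, and the only assignment in this hunk that can leave iov_base NULL is `iov[iovcnt].iov_base = paddr_guest2host(sc->esc_ctx, dsc->td.buffer_addr, len)`, i.e. a guest descriptor whose buffer_addr/len does not translate. That return value should be checked and the descriptor walk aborted (dropping the packet) rather than letting line 1301's memcpy read from a NULL source. Two smaller points: `tlen += len` still runs before the bounds check, so tlen overstates the iov total whenever a packet carries more than I82545_MAX_TXSEGS segments, and with the new placement such packets are silently truncated instead of being dropped or logged; a comment or a counter at the point where the segment is discarded would make that behaviour explicit.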

-- 
You are receiving this mail because:
You are the assignee for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-253521-27103>