From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 253521] bhyve crash with e1000 emulation
Date: Sun, 14 Feb 2021 22:52:26 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253521

            Bug ID: 253521
           Summary: bhyve crash with e1000 emulation
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: sigsys@gmail.com

bhyve sometimes crashes with a Windows 10 guest and an e1000 emulated NIC. It
only happened on boot with a VNC viewer connected to bhyve but I don't know how
related that might be.

(gdb) bt
#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
#1  0x0000104da5a873e2 in e82545_transmit (sc=, head=, tail=, dsize=, rhead=0x1e10f92, tdwb=0x1e10f84) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
#2  0x0000104da5a8642c in e82545_tx_run (sc=0x1056f8b1c000) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1458
#3  e82545_tx_thread (param=0x1056f8b1c000) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1497
#4  0x00001055a934efac in thread_start (curthread=0x1056fd98d500) at /usr/src/lib/libthr/thread/thr_create.c:292
#5  0x0000000000000000 in ?? ()
Backtrace stopped: Cannot access memory at address 0x1e11000
(gdb) frame 1
#1  0x0000104da5a873e2 in e82545_transmit (sc=, head=, tail=, dsize=, rhead=0x1e10f92, tdwb=0x1e10f84) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
1301            memcpy(hdrp, iov->iov_base, now);
(gdb) p iovcnt
$14 = 1
(gdb) p *iov
$15 = {
  iov_base = 0x0,
  iov_len = 286
}

I don't understand most of this function, but there's clearly a bug in
e82545_transmit() with an uninitialized iov being used.

diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index dca981be85fa..a4b631b8b8de 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c 
@@ -1145,22 +1145,22 @@ e82545_transmit(struct e82545_softc *sc, uint16_t h= ead, uint16_t tail, if (len > 0) { /* Strip checksum supplied by guest. */ if ((dsc->td.lower.data & E1000_TXD_CMD_EOP) !=3D 0= && (dsc->td.lower.data & E1000_TXD_CMD_IFCS) =3D= =3D 0) len -=3D 2; tlen +=3D len; if (iovcnt < I82545_MAX_TXSEGS) { iov[iovcnt].iov_base =3D paddr_guest2host( sc->esc_ctx, dsc->td.buffer_addr, len); iov[iovcnt].iov_len =3D len; + iovcnt++; } - iovcnt++; } /* * Pull out info that is valid in the final descriptor * and exit descriptor loop. */ if (dsc->td.lower.data & E1000_TXD_CMD_EOP) { if (dtype =3D=3D E1000_TXD_TYP_L) { if (dsc->td.lower.data & E1000_TXD_CMD_IC) { ckinfo[0].ck_valid =3D 1; --=20 You are receiving this mail because: You are the assignee for the bug.=
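
Review bot: once `iovcnt++` sits inside `if (iovcnt < I82545_MAX_TXSEGS)`, a data descriptor that arrives when the array is already full is skipped with no signal, while `tlen += len` just above still adds its length, so `tlen` can end up larger than the bytes the stored iov entries describe. Consider handling the full-array case explicitly (for example, flag the packet and discard it when EOP is reached) instead of truncating silently, and add a comment stating which behaviour is intended. In the same block the return value of `paddr_guest2host()` is stored in `iov_base` without a check; since the gdb output in the report shows `iov_base = 0x0` with `iov_len = 286`, a NULL check on that return value is worth adding here too, and it would help to confirm which of the two paths produced the reported crash.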