Date: Tue, 26 Oct 2021 15:12:16 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 259458] iflib_rxeof NULL pointer crash with vmxnet3 driver Message-ID: <bug-259458-227-8FNnG5gBEG@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-259458-227@https.bugs.freebsd.org/bugzilla/> References: <bug-259458-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259458

--- Comment #6 from Andriy Gapon <avg@FreeBSD.org> ---
I noticed a discrepancy between ifl_cidx / iri_cidx / ifr_cq_cidx that are equal to 328 and irf_idx that's set to 327.
Initially, I thought that this could be a comeback of an older problem: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243126#c2
But in this case I do not see any zero-length packets near the current index. In fact, given that vxcr_zero_length is zero, there hadn't been any zero-length packets at all.

Looking at the code in vmxnet3_isc_rxd_pkt_get(), I think that iri_cidx != irf_idx is not a problem. irf_idx is the last processed fragment's (packet's) descriptor ID, while iri_cidx is the next one. So, everything is correct there.

(kgdb) p $20->ifc_softc
$34 = (void *) 0xfffff80002d93800
(kgdb) p *(struct vmxnet3_softc *)$20->ifc_softc
$35 = {vmx_dev = 0xfffff80002db6300, vmx_ctx = 0xfffff80002dd2000, vmx_sctx = 0xffffffff810f1100 <vmxnet3_sctx_init>, vmx_scctx = 0xfffff80002dd2048, vmx_ifp = 0xfffff80002d9e000, vmx_ds = 0xfffff80002d91400, vmx_flags = 2,
  vmx_rxq = 0xfffff80004110000, vmx_txq = 0xfffff80004110800, vmx_res0 = 0xfffff80002d98b00, vmx_iot0 = 1, vmx_ioh0 = 18446735281866391552, vmx_res1 = 0xfffff80002d98a00, vmx_iot1 = 1, vmx_ioh1 = 18446735281866395648,
  vmx_link_active = 1, vmx_intr_mask_mode = 0, vmx_event_intr_idx = 8, vmx_event_intr_irq = {ii_res = 0xfffff80002d99d00, ii_rid = 9, ii_tag = 0xfffff80004413e80}, vmx_mcast = 0xfffff8000440bc00 "",
  vmx_rss = 0xfffff8000440bb00, vmx_ds_dma = {idi_paddr = 47780864, idi_vaddr = 0xfffff80002d91400 "\341\376\276\272", idi_tag = 0xfffff8000440b900, idi_map = 0x0, idi_size = 720}, vmx_qs_dma = {idi_paddr = 68214784,
    idi_vaddr = 0xfffff8000410e000 "", idi_tag = 0xfffff80002db4c00, idi_map = 0x0, idi_size = 4096}, vmx_mcast_dma = {idi_paddr = 71351296, idi_vaddr = 0xfffff8000440bc00 "", idi_tag = 0xfffff8000440b700, idi_map = 0x0,
    idi_size = 192}, vmx_rss_dma = {idi_paddr = 71351040, idi_vaddr = 0xfffff8000440bb00 "\017", idi_tag = 0xfffff8000440b800, idi_map = 0x0, idi_size = 176}, vmx_media = 0xfffff80002dd22f0, vmx_vlan_filter = { 0 <repeats 128 times>}, vmx_lladdr = "\000PV\246\237\""}
(kgdb) p $35.vmx_rxq[0]
$36 = {vxrxq_sc = 0xfffff80002d93800, vxrxq_id = 0, vxrxq_intr_idx = 0, vxrxq_irq = {ii_res = 0xfffff80002df8f00, ii_rid = 1, ii_tag = 0xfffff80002d99000}, vxrxq_cmd_ring = {{vxrxr_rxd = 0xfffffe00eaaf4000, vxrxr_ndesc = 512,
      vxrxr_gen = 0, vxrxr_paddr = 57622528, vxrxr_desc_skips = 1017, vxrxr_refill_start = 142}, {vxrxr_rxd = 0xfffffe00eaaf6000, vxrxr_ndesc = 512, vxrxr_gen = 1, vxrxr_paddr = 57630720, vxrxr_desc_skips = 0,
      vxrxr_refill_start = 511}}, vxrxq_comp_ring = {vxcr_u = {txcd = 0xfffffe00eaaf0000, rxcd = 0xfffffe00eaaf0000}, vxcr_next = 0, vxcr_ndesc = 1024, vxcr_gen = 1, vxcr_paddr = 57606144, vxcr_zero_length = 0,
    vxcr_pkt_errors = 0}, vxrxq_rs = 0xfffff8000410e800, vxrxq_sysctl = 0xfffff80004415480, vxrxq_name = "vmx0-rx0\000\000\000\000\000\000\000"}
(kgdb) p $36.vxrxq_comp_ring
$37 = {vxcr_u = {txcd = 0xfffffe00eaaf0000, rxcd = 0xfffffe00eaaf0000}, vxcr_next = 0, vxcr_ndesc = 1024, vxcr_gen = 1, vxcr_paddr = 57606144, vxcr_zero_length = 0, vxcr_pkt_errors = 0}
(kgdb) p $37.vxcr_u.rxcd[325]
$38 = {rxd_idx = 325, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0, no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0, csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0,
  fragment = 0, fcs = 0, type = 3, gen = 1}
(kgdb) p $37.vxcr_u.rxcd[326]
$39 = {rxd_idx = 326, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0, no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0, csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0,
  fragment = 0, fcs = 0, type = 3, gen = 1}
(kgdb) p $37.vxcr_u.rxcd[327]
$40 = {rxd_idx = 327, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0, no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0, csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0,
  fragment = 0, fcs = 0, type = 3, gen = 1}
(kgdb) p $37.vxcr_u.rxcd[328]
$41 = {rxd_idx = 328, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0, no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0, csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0,
  fragment = 0, fcs = 0, type = 3, gen = 1}

--
You are receiving this mail because:
You are the assignee for the bug.