Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 01 Nov 2021 13:03:01 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 259458] iflib_rxeof NULL pointer crash with vmxnet3 driver
Message-ID:  <bug-259458-7501-FCVUmvlWXH@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-259458-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-259458-7501@https.bugs.freebsd.org/bugzilla/>

next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D259458

--- Comment #17 from Andriy Gapon <avg@FreeBSD.org> ---
Some additional observations from another crash of exactly the same kind.

There are 8 receive queues with 2 free lists per each.
As far as I can tell, all free lists had been initialized and had initial 1=
28
credits. Just a single packet had been received.  It was on rxq0 and its
descriptor matched free list number 0.  So, a single credit was consumed fr=
om
that free list and its cidx was advanced to 1.  After that the free list was
topped up with credits.  Additionally the code was also topping up the other
free list for rxq0 and that's when the problem happened.  iflib_fl_refill()=
 was
called with count of 1919 (2048 - 128 - 1) and it was able to fill 1247 cre=
dits
before the free list's bitmap became full somehow...

Free lists for receive queues other than zero look like this:
(kgdb) p *ctx->ifc_rxqs[$i++].ifr_fl@2
$52 =3D {{ifl_cidx =3D 0, ifl_pidx =3D 128, ifl_credits =3D 128, ifl_gen =
=3D 0 '\000',
ifl_rxd_size =3D 0 '\000', ifl_rx_bitmap =3D 0xfffff80002fb0c00, ifl_fragid=
x =3D 128,
ifl_size =3D 2048, ifl_buf_size =3D 2048, ifl_cltype =3D 1,=20
    ifl_zone =3D 0xfffff800029c6000, ifl_sds =3D {ifsd_map =3D 0xfffffe00ea=
c18000,
ifsd_m =3D 0xfffffe00eabfc000, ifsd_cl =3D 0xfffffe00eac10000, ifsd_ba =3D
0xfffffe00eac14000}, ifl_rxq =3D 0xfffffe00ea9f5300, ifl_id =3D 0 '\000',=20
    ifl_buf_tag =3D 0xfffff80002fb0e00, ifl_ifdi =3D 0xfffff80002fc56a8,
ifl_bus_addrs =3D {6106355712, 6106349568, 6106351616, 6106345472, 61063475=
20,
6106361856, 6106363904, 6106357760, 6106359808, 6106353664, 6106376192,=20
      6106370048, 6106372096, 6106365952, 6106368000, 6106382336, 610638438=
4,
6106378240, 6106380288, 6106374144, 6106396672, 6106390528, 6106392576,
6106386432, 6106388480, 6106402816, 6106404864, 6106398720, 6106400768,=20
      6106394624, 6104950784, 6106415104}, ifl_rxd_idxs =3D {96, 97, 98, 99=
, 100,
101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, =
116,
117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127}},
{ ifl_cidx =3D 0, ifl_pidx =3D 128, ifl_credits =3D 128, ifl_gen =3D 0 '\00=
0',
ifl_rxd_size =3D 0 '\000', ifl_rx_bitmap =3D 0xfffff80002fb0b00, ifl_fragid=
x =3D 128,
ifl_size =3D 2048, ifl_buf_size =3D 4096, ifl_cltype =3D 3,=20
    ifl_zone =3D 0xfffff800029c5000, ifl_sds =3D {ifsd_map =3D 0xfffffe00ea=
c28000,
ifsd_m =3D 0xfffffe00eac1c000, ifsd_cl =3D 0xfffffe00eac20000, ifsd_ba =3D
0xfffffe00eac24000}, ifl_rxq =3D 0xfffffe00ea9f5300, ifl_id =3D 1 '\001',=20
    ifl_buf_tag =3D 0xfffff80002fb0d00, ifl_ifdi =3D 0xfffff80002fc56d0,
ifl_bus_addrs =3D {8338677760, 8338681856, 8338685952, 8338690048, 83386204=
16,
8338624512, 8338628608, 8338632704, 6105874432, 6105878528, 6105882624,=20
      6105886720, 6105890816, 6105894912, 6105899008, 6105903104, 610590720=
0,
6105911296, 6105915392, 6105919488, 6105923584, 6105927680, 6105931776,
6105935872, 6105939968, 6105944064, 6105948160, 6105952256, 6105956352,=20
      6105960448, 6105964544, 6105968640}, ifl_rxd_idxs =3D {96, 97, 98, 99=
, 100,
101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, =
116,
117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127}}}

And their bitmaps are all like this:
$62 =3D {0xffffffffffffffff, 0xffffffffffffffff, 0x0 <repeats 30 times>}

Here are the free lists of rxq0 at the time of the crash:
$51 =3D {{ifl_cidx =3D 1, ifl_pidx =3D 0, ifl_credits =3D 2047, ifl_gen =3D=
 0 '\000',
ifl_rxd_size =3D 0 '\000', ifl_rx_bitmap =3D 0xfffff80002faf400, ifl_fragid=
x =3D 0,
ifl_size =3D 2048, ifl_buf_size =3D 2048, ifl_cltype =3D 1,=20
    ifl_zone =3D 0xfffff800029c6000, ifl_sds =3D {ifsd_map =3D 0xfffffe00ea=
bd8000,
ifsd_m =3D 0xfffffe00eabcc000, ifsd_cl =3D 0xfffffe00eabd0000, ifsd_ba =3D
0xfffffe00eabd4000}, ifl_rxq =3D 0xfffffe00ea9f5000, ifl_id =3D 0 '\000',=20
    ifl_buf_tag =3D 0xfffff80002faf600, ifl_ifdi =3D 0xfffff80002fc5728,
ifl_bus_addrs =3D {6101612544, 6101651456, 6101649408, 6101639168, 61016412=
16,
6101626880, 6101628928, 6101635072, 6101637120, 6101659648, 6101661696,=20
      6101647360, 6101624832, 6101618688, 6101620736, 6101614592, 610161664=
0,
6101671936, 6101673984, 6101667840, 6101669888, 6101622784, 6101678080,
6101680128, 6101682176, 6101655552, 6101657600, 6101786624, 6101788672,=20
      6101766144, 6101768192, 6101676032}, ifl_rxd_idxs =3D {2016, 2017, 20=
18,
2019, 2020, 2021, 2022, 2023, 2024, 2025, 2026, 2027, 2028, 2029, 2030, 203=
1,
2032, 2033, 2034, 2035, 2036, 2037, 2038, 2039, 2040, 2041, 2042, 2043,=20
      2044, 2045, 2046, 2047}},
{ifl_cidx =3D 0, ifl_pidx =3D 1344, ifl_credits =3D 1344, ifl_gen =3D 0 '\0=
00',
ifl_rxd_size =3D 0 '\000', ifl_rx_bitmap =3D 0xfffff80002faf300, ifl_fragid=
x =3D 128,
ifl_size =3D 2048, ifl_buf_size =3D 4096,=20
    ifl_cltype =3D 3, ifl_zone =3D 0xfffff800029c5000, ifl_sds =3D {ifsd_ma=
p =3D
0xfffffe00eabe8000, ifsd_m =3D 0xfffffe00eabdc000, ifsd_cl =3D 0xfffffe00ea=
be0000,
ifsd_ba =3D 0xfffffe00eabe4000}, ifl_rxq =3D 0xfffffe00ea9f5000,=20
    ifl_id =3D 1 '\001', ifl_buf_tag =3D 0xfffff80002faf500, ifl_ifdi =3D
0xfffff80002fc5750, ifl_bus_addrs =3D {8347934720, 8347938816, 8347942912,
8347824128, 8347828224, 8347832320, 8347836416, 8347840512, 8347844608,
8347848704,=20
      8347852800, 8347856896, 8347860992, 8347865088, 8347869184, 834787328=
0,
8347877376, 8347881472, 8347758592, 8347762688, 8347770880, 8347774976,
8347779072, 8347783168, 8347787264, 8347791360, 8347795456, 8347799552,=20
      8347803648, 8347807744, 8347811840, 8347930624}, ifl_rxd_idxs =3D {13=
44,
1345, 1346, 1347, 1348, 1349, 1350, 1351, 1352, 1353, 1354, 1355, 1356, 135=
7,
1358, 1359, 1360, 1361, 1362, 1363, 1364, 1365, 1366, 1367, 1368, 1369,=20
      1370, 1371, 1372, 1373, 2047, 1343}}}

And their bitmaps:
(kgdb) set $i=3D0
(kgdb) p/x *ctx->ifc_rxqs[$i/2].ifr_fl[$i++%2].ifl_rx_bitmap@32
$60 =3D {0xfffffffffffffffe, 0xffffffffffffffff <repeats 31 times>}
(kgdb)=20
$61 =3D {0xffffffffffffffff <repeats 32 times>}

I am out of ideas what could have caused the full bitmap for fl 1 of rxq0 a=
fter
receiving just one packet.  All other fields in the free list do not appear=
 to
be corrupt or inconsistent.  It's only ifl_rx_bitmap and ifl_rxd_idxs at
position 30.

--=20
You are receiving this mail because:
You are the assignee for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-259458-7501-FCVUmvlWXH>