Date:      Tue, 15 Aug 2023 21:47:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 273152] cxgbe: panic in sousrsend() after enabling "toe"
Message-ID:  <bug-273152-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273152

            Bug ID: 273152
           Summary: cxgbe: panic in sousrsend() after enabling "toe"
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: greg@codeconcepts.com

If I enable "toe" on cc0 (sudo ifconfig cc0 toe), then mount an NFS file system
over cc0's network, I get a page fault in sousrsend() because the function
pointer so->so_proto->pr_sosend is NULL (frame #9 in the backtrace below is the
resulting call to address 0x0).

It turns out that this pointer is also NULL in the call to t4_tom_mod_load()
after bcopying tcp_protosw to toe_protosw (after line 1996 in t4_tom.c), and
it's not obvious to me that it gets set anywhere else...


FreeBSD sm2.cc.codeconcepts.com 14.0-ALPHA1 FreeBSD 14.0-ALPHA1 amd64 1400094
#7 main-n264750-081c22db8507-dirty: Tue Aug 15 19:20:35 CDT 2023
greg@sm2.cc.codeconcepts.com:/usr/obj/usr/src/amd64.amd64/sys/SM2 amd64


$ ifconfig cc0
cc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9000
        options=66ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,HWRXTSTMP,MEXTPG,VXLAN_HWCSUM,VXLAN_HWTSO>
        ether 00:07:43:44:0c:c0
        inet 172.16.100.202 netmask 0xffffff00 broadcast 172.16.100.255
        media: Ethernet autoselect (100GBase-CR4 <full-duplex,rxpause,txpause>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


#9  0x0000000000000000 in ?? ()
#10 0xffffffff80e3b85d in sousrsend (so=0xfffff8022b3e7b40, addr=0x0,
uio=0xfffffe0411e71dd8, control=0x0, flags=0, userproc=0x0)
    at /usr/src/sys/kern/uipc_socket.c:1894
#11 0xffffffff80df6d39 in soo_write (fp=0xfffff8013319dc80,
uio=0xfffffe0411e71dd8, active_cred=0xfffff810a3e7ca00, flags=0,
    td=0xfffffe0284530ac0) at /usr/src/sys/kern/sys_socket.c:148
#12 0xffffffff80dec41c in fo_write (fp=0xfffff8013319dc80,
uio=0xfffffe0411e71dd8, active_cred=0xfffff810a3e7ca00, flags=0,
    td=0xfffffe0284530ac0) at /usr/src/sys/sys/file.h:351
#13 0xffffffff80de7d48 in dofilewrite (td=0xfffffe0284530ac0, fd=3,
fp=0xfffff8013319dc80, auio=0xfffffe0411e71dd8, offset=-1, flags=0)
    at /usr/src/sys/kern/sys_generic.c:565
#14 0xffffffff80de7962 in kern_writev (td=0xfffffe0284530ac0, fd=3,
auio=0xfffffe0411e71dd8) at /usr/src/sys/kern/sys_generic.c:492
#15 0xffffffff80de78ea in sys_write (td=0xfffffe0284530ac0,
uap=0xfffffe0284530ec0) at /usr/src/sys/kern/sys_generic.c:407
#16 0xffffffff814f04cf in syscallenter (td=0xfffffe0284530ac0) at
/usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:190
#17 0xffffffff814efc1b in amd64_syscall (td=0xfffffe0284530ac0, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:1199
--Type <RET> for more, q to quit, c to continue without paging--
#18 <signal handler called>
#19 0x000002e037f5958a in ?? ()
Backtrace stopped: Cannot access memory at address 0x2e03623fb68

(kgdb) f 10
#10 0xffffffff80e3b85d in sousrsend (so=0xfffff8022b3e7b40, addr=0x0,
uio=0xfffffe0411e71dd8, control=0x0, flags=0, userproc=0x0)
    at /usr/src/sys/kern/uipc_socket.c:1894
1894            error = so->so_proto->pr_sosend(so, addr, uio, NULL, control,
flags,

(kgdb) p *so
$1 = {so_lock = {lock_object = {lo_name = 0xffffffff81619f55 "socket", lo_flags
= 21168128, lo_data = 0,
      lo_witness = 0xfffff8207fd86d00}, mtx_lock = 0}, so_count = 1, so_rdsel =
{si_tdlist = {tqh_first = 0x0, tqh_last = 0x0},
    si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xffffffff80e36500
<so_rdknl_lock>,
      kl_unlock = 0xffffffff80e36620 <so_rdknl_unlock>, kl_assert_lock =
0xffffffff80e366f0 <so_rdknl_assert_lock>,
      kl_lockarg = 0xfffff8022b3e7b40, kl_autodestroy = 0}, si_mtx = 0x0},
so_wrsel = {si_tdlist = {tqh_first = 0x0, tqh_last = 0x0},
    si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xffffffff80e36880
<so_wrknl_lock>,
      kl_unlock = 0xffffffff80e369a0 <so_wrknl_unlock>, kl_assert_lock =
0xffffffff80e36a70 <so_wrknl_assert_lock>,
      kl_lockarg = 0xfffff8022b3e7b40, kl_autodestroy = 0}, si_mtx = 0x0},
so_options = 0, so_type = 1, so_state = 2,
  so_pcb = 0xfffff805ea45ca80, so_vnet = 0xfffff8010181ef80, so_proto =
0xffffffff834f9148 <toe_protosw>, so_linger = 0, so_timeo = 0,
  so_error = 0, so_rerror = 0, so_sigio = 0x0, so_cred = 0xfffff810a3e7ca00,
so_label = 0x0, so_gencnt = 19473, so_emuldata = 0x0,
  so_dtor = 0x0, osd = {osd_nslots = 0, osd_slots = 0x0, osd_next = {le_next =
0x0, le_prev = 0x0}}, so_fibnum = 0, so_user_cookie = 0,
  so_ts_clock = 0, so_max_pacing_rate = 0, so_snd_sx = {lock_object = {lo_name
= 0xffffffff81633c20 "so_snd_sx", lo_flags = 36896768,
      lo_data = 0, lo_witness = 0xfffff8207fd86d80}, sx_lock = 1}, so_snd_mtx =
{lock_object = {lo_name = 0xffffffff81748892 "so_snd",
      lo_flags = 16973824, lo_data = 0, lo_witness = 0xfffff8207fd72780},
mtx_lock = 0}, so_rcv_sx = {lock_object = {
      lo_name = 0xffffffff816fa664 "so_rcv_sx", lo_flags = 36896768, lo_data =
0, lo_witness = 0xfffff8207fd86e00}, sx_lock = 1},
  so_rcv_mtx = {lock_object = {lo_name = 0xffffffff81676ddb "so_rcv", lo_flags
= 16973824, lo_data = 0, lo_witness = 0xfffff8207fd72800},
    mtx_lock = 0}, {{so_rcv = {sb_sel = 0xfffff8022b3e7b68, sb_state = 0,
sb_flags = 2560, sb_acc = 0, sb_ccc = 0, sb_mbcnt = 0,
        sb_ctl = 0, sb_hiwat = 65536, sb_lowat = 1, sb_mbmax = 524288, sb_timeo
= 0, sb_upcall = 0x0, sb_upcallarg = 0x0, sb_aiojobq = {
          tqh_first = 0x0, tqh_last = 0xfffff8022b3e7d40}, sb_aiotask =
{ta_link = {stqe_next = 0x0}, ta_pending = 0,
          ta_priority = 0 '\000', ta_flags = 0 '\000', ta_func =
0xffffffff80df81c0 <soaio_rcv>, ta_context = 0xfffff8022b3e7b40}, {{
            sb_mtx = 0xfffff8022b3e7ce0, sb_mb = 0x0, sb_mbtail = 0x0,
sb_lastrecord = 0x0, sb_sndptr = 0x0, sb_fnrdy = 0x0,
            sb_sndptroff = 0, sb_tlscc = 0, sb_tlsdcc = 0, sb_mtls = 0x0,
sb_mtlstail = 0x0, sb_tls_seqno = 0, sb_tls_info = 0x0}, {
            uxdg_mb = {stqh_first = 0xfffff8022b3e7ce0, stqh_last = 0x0},
uxdg_peeked = 0x0, {uxdg_conns = {tqh_first = 0x0,
--Type <RET> for more, q to quit, c to continue without paging--
                tqh_last = 0x0}, uxdg_clist = {tqe_next = 0x0, tqe_prev =
0x0}}, uxdg_cc = 0, uxdg_ctl = 0, uxdg_mbcnt = 0}}}, so_snd = {
        sb_sel = 0xfffff8022b3e7bb0, sb_state = 0, sb_flags = 2560, sb_acc = 0,
sb_ccc = 0, sb_mbcnt = 0, sb_ctl = 0, sb_hiwat = 32768,
        sb_lowat = 2048, sb_mbmax = 262144, sb_timeo = 0, sb_upcall = 0x0,
sb_upcallarg = 0x0, sb_aiojobq = {tqh_first = 0x0,
          tqh_last = 0xfffff8022b3e7e10}, sb_aiotask = {ta_link = {stqe_next =
0x0}, ta_pending = 0, ta_priority = 0 '\000',
          ta_flags = 0 '\000', ta_func = 0xffffffff80df8570 <soaio_snd>,
ta_context = 0xfffff8022b3e7b40}, {{sb_mtx = 0xfffff8022b3e7ca0,
            sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sndptr = 0x0,
sb_fnrdy = 0x0, sb_sndptroff = 0, sb_tlscc = 0,
            sb_tlsdcc = 0, sb_mtls = 0x0, sb_mtlstail = 0x0, sb_tls_seqno = 0,
sb_tls_info = 0x0}, {uxdg_mb = {
              stqh_first = 0xfffff8022b3e7ca0, stqh_last = 0x0}, uxdg_peeked =
0x0, {uxdg_conns = {tqh_first = 0x0, tqh_last = 0x0},
              uxdg_clist = {tqe_next = 0x0, tqe_prev = 0x0}}, uxdg_cc = 0,
uxdg_ctl = 0, uxdg_mbcnt = 0}}}, so_list = {tqe_next = 0x0,
        tqe_prev = 0x0}, so_listen = 0x0, so_qstate = SQ_NONE, so_peerlabel =
0x0, so_oobmark = 0, so_ktls_rx_list = {stqe_next = 0x0}}, {
      sol_incomp = {tqh_first = 0xfffff8022b3e7b68, tqh_last = 0xa000000},
sol_comp = {tqh_first = 0x0, tqh_last = 0x1000000000000},
      sol_qlen = 1, sol_incqlen = 524288, sol_qlimit = 0, sol_accept_filter =
0x0, sol_accept_filter_arg = 0x0,
      sol_accept_filter_str = 0x0, sol_upcall = 0xfffff8022b3e7d40,
sol_upcallarg = 0x0, sol_sbrcv_lowat = 0, sol_sbsnd_lowat = 0,
      sol_sbrcv_hiwat = 2162131392, sol_sbsnd_hiwat = 4294967295,
sol_sbrcv_flags = 31552, sol_sbsnd_flags = 11070,
      sol_sbrcv_timeo = -8786777572128, sol_sbsnd_timeo = 0, sol_lastover =
{tv_sec = 0, tv_usec = 0}, sol_overcount = 0}}}

(kgdb) p so->so_proto->pr_sosend
$2 = (pr_sosend_t *) 0x0

(kgdb) p *so->so_proto
$3 = {pr_type = 1, pr_protocol = 6, pr_flags = 172, pr_unused = 0, pr_domain =
0x0, pr_soreceive = 0x0,
  pr_rcvd = 0xffffffff810619f0 <tcp_usr_rcvd>, pr_sosend = 0x0, pr_send =
0xffffffff81061bd0 <tcp_usr_send>,
  pr_ready = 0xffffffff81062a20 <tcp_usr_ready>, pr_sopoll = 0x0, pr_attach =
0xffffffff81062ba0 <tcp_usr_attach>,
  pr_detach = 0xffffffff81062dd0 <tcp_usr_detach>, pr_connect =
0xffffffff81062f50 <tcp_usr_connect>,
  pr_disconnect = 0xffffffff810632a0 <tcp_usr_disconnect>, pr_close =
0xffffffff81063450 <tcp_usr_close>,
  pr_shutdown = 0xffffffff81063630 <tcp_usr_shutdown>, pr_abort =
0xffffffff810637d0 <tcp_usr_abort>,
  pr_aio_queue = 0xffffffff834f3220 <t4_aio_queue_tom>, pr_bind =
0xffffffff810639a0 <tcp_usr_bind>, pr_bindat = 0x0,
  pr_listen = 0xffffffff81063c10 <tcp_usr_listen>, pr_accept =
0xffffffff81063ef0 <tcp_usr_accept>, pr_connectat = 0x0,
  pr_connect2 = 0x0, pr_control = 0xffffffff80ff14e0 <in_control>, pr_rcvoob =
0xffffffff810640b0 <tcp_usr_rcvoob>,
  pr_ctloutput = 0xffffffff81064300 <tcp_ctloutput>, pr_peeraddr =
0xffffffff81006240 <in_getpeeraddr>,
  pr_sockaddr = 0xffffffff81006170 <in_getsockaddr>, pr_sense = 0x0, pr_flush =
0x0,
  pr_sosetlabel = 0xffffffff81007590 <in_pcbsosetlabel>, pr_setsbopt = 0x0}
(kgdb)

--
You are receiving this mail because:
You are the assignee for the bug.


