Date: Thu, 16 Jan 2020 11:52:57 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 240608] if_vmx(4): iflib - Panic with INVARIANTS: Memory modified after free (12.1-pre-QA) Message-ID: <bug-240608-7501-N7BomzrzW8@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-240608-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-240608-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240608 --- Comment #14 from Andriy Gapon <avg@FreeBSD.org> --- As to why the hardware can exhaust all descriptors in a free list. I think that there is a certain impedance mismatch. iflib_rxeof() takes its budget in terms of full packets and also iflib_rxd_avail() works in the same terms. __iflib_fl_refill_lt() is called with a limit equal to budget + 8. But the descriptors are used by packet fragments and a single packet may have many fragments. Also, a driver like vmx may waste some descriptors[*] for reasons that are known only to vmware. For example, in one crash dumps that I have here I see that iflib_rxeof() was processing its 11th packet (rx_pkts = 11, avail = 7, budget = 16) and that packet had iri_nfrags = 14. It's conceivable that such a batch could exhaust all descriptors populated by the last refill. [*] eop=1, sop=1, len=0 but a command descriptor 141 in rx queue 0 is "consumed": (kgdb) p $19.vxcr_u.rxcd[475] $22 = {rxd_idx = 141, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0, no_csum = 0, pad2 = 0, rss_hash = 0, len = 0, error = 0, vlan = 0, vtag = 0, csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0, fragment = 0, fcs = 0, type = 3, gen = 1} -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-240608-7501-N7BomzrzW8>