Date: Thu, 16 Jan 2020 11:52:57 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 240608] if_vmx(4): iflib - Panic with INVARIANTS: Memory modified after free (12.1-pre-QA) Message-ID: <bug-240608-7501-N7BomzrzW8@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-240608-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-240608-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D240608 --- Comment #14 from Andriy Gapon <avg@FreeBSD.org> --- As to why the hardware can exhaust all descriptors in a free list. I think that there is a certain impedance mismatch. iflib_rxeof() takes its budget in terms of full packets and also iflib_rxd_avail() works in the same terms. __iflib_fl_refill_lt() is called with a limit equal to budget + 8.=20 But the descriptors are used by packet fragments and a single packet may ha= ve many fragments. Also, a driver like vmx may waste some descriptors[*] for reasons that are known only to vmware. For example, in one crash dumps that I have here I see that iflib_rxeof() w= as processing its 11th packet (rx_pkts =3D 11, avail =3D 7, budget =3D 16) and= that packet had iri_nfrags =3D 14. It's conceivable that such a batch could exhaust all descriptors populated = by the last refill. [*] eop=3D1, sop=3D1, len=3D0 but a command descriptor 141 in rx queue 0 is "co= nsumed": (kgdb) p $19.vxcr_u.rxcd[475] $22 =3D {rxd_idx =3D 141, pad1 =3D 0, eop =3D 1, sop =3D 1, qid =3D 0, rss_= type =3D 0, no_csum =3D 0, pad2 =3D 0, rss_hash =3D 0, len =3D 0, error =3D 0, vlan =3D= 0, vtag =3D 0, csum =3D 0, csum_ok =3D 0, udp =3D 0, tcp =3D 0, ipcsum_ok =3D 0, ipv6 =3D = 0, ipv4 =3D 0, fragment =3D 0, fcs =3D 0, type =3D 3, gen =3D 1} --=20 You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-240608-7501-N7BomzrzW8>