Date: Wed, 17 Feb 2016 12:41:33 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 168411] [vm] [panic] uma_find_refcnt(): zone possibly not UMA_ZONE_REFCNT Message-ID: <bug-168411-8-5f3uolPKhZ@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-168411-8@https.bugs.freebsd.org/bugzilla/> References: <bug-168411-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D168411 Andrey V. Elsukov <ae@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ae@FreeBSD.org --- Comment #1 from Andrey V. Elsukov <ae@FreeBSD.org> --- I can reliably get this panic. We are experimenting with using max_hdr variable to reserve leading space in mbufs allocated by network drivers. The goal is optimize the traffic flow on routers which do IPv4->IPv6 encapsulation or NAT46. We use this function to reserve leading space: #define M_RESERVE_ALIGN 128 /* * Set the m_data pointer of a mbuf to be able place an object of the * max_hdr bytes at the beginning of the mbuf's data, aligned to 128 bytes. * Also (re)initialize m_len and m_pkthdr.len fields. */ static __inline void m_reserve_hdr(struct mbuf *m) { int len; len =3D roundup2(max_hdr, M_RESERVE_ALIGN); if ((m->m_flags & M_PKTHDR) =3D=3D 0 || ((int)M_SIZE(m) - len) < 0) return; m->m_data =3D M_START(m) + len; m->m_len =3D m->m_pkthdr.len =3D M_SIZE(m) - len; } And how this function is used in ixgbe(4): --- a/sys/dev/ixgbe/ix_txrx.c +++ b/sys/dev/ixgbe/ix_txrx.c @@ -1319,13 +1319,10 @@ ixgbe_refresh_mbufs(struct rx_ring *rxr, int limit) M_PKTHDR, rxr->mbuf_sz); if (mp =3D=3D NULL) goto update; - if (adapter->max_frame_size <=3D (MCLBYTES - ETHER_ALIGN)) - m_adj(mp, ETHER_ALIGN); } else mp =3D rxbuf->buf; - mp->m_pkthdr.len =3D mp->m_len =3D rxr->mbuf_sz; - + m_reserve_hdr(mp); /* If we're dealing with an mbuf that was copied rather * than replaced, there's no need to go through busdma. */ @@ -1517,7 +1514,7 @@ ixgbe_setup_receive_ring(struct rx_ring *rxr) goto fail; } mp =3D rxbuf->buf; - mp->m_pkthdr.len =3D mp->m_len =3D rxr->mbuf_sz; + m_reserve_hdr(mp); /* Get the memory mapping */ error =3D bus_dmamap_load_mbuf_sg(rxr->ptag, rxbuf->pmap, mp, seg, How to reproduce the panic. Configure MTU greater than MJUMPAGESIZE, and se= nd several packets with size greater than MJUMPAGESIZE. The result: Fatal trap 9: general protection fault while in kernel mode cpuid =3D 10; apic id =3D 0a instruction pointer =3D 0x20:0xffffffff80cc192b stack pointer =3D 0x28:0xfffffe10466b6730 frame pointer =3D 0x28:0xfffffe10466b6750 code segment =3D base 0x0, limit 0xfffff, type 0x1b =3D DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags =3D interrupt enabled, resume, IOPL =3D 0 current process =3D 12 (irq287: ix0:que 5) #8 0xffffffff80e390d2 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:235 #9 0xffffffff80cc192b in uma_find_refcnt (zone=3D<value optimized out>, item=3D<value optimized out>) at /usr/src/sys/vm/uma_core.c:3205 #10 0xffffffff809cd7fa in mb_ctor_clust (mem=3D0xfffff803394f6000, size=3D4= 096, arg=3D0xfffff80339469200, how=3D961499136) at /usr/src/sys/kern/kern_mbuf.c= :583 #11 0xffffffff80cbfed7 in uma_zalloc_arg (zone=3D<value optimized out>, udata=3D0xfffff80339469200, flags=3D1) at /usr/src/sys/vm/uma_core.c:2203 #12 0xffffffff80a6f966 in m_getjcl (how=3D1, type=3D<value optimized out>, flags=3D<value optimized out>, size=3D<value optimized out>) at /usr/src/sys/kern/uipc_mbuf.c:189 #13 0xffffffff805cf339 in ixgbe_refresh_mbufs (rxr=3D0xfffffe00017c0528, li= mit=3D4) at /usr/src/sys/dev/ixgbe/ix_txrx.c:1318 #14 0xffffffff805cf209 in ixgbe_rxeof (que=3D<value optimized out>) at /usr/src/sys/dev/ixgbe/ix_txrx.c:1984 #15 0xffffffff805c7b9b in ixgbe_msix_que (arg=3D0xfffff8000ef75230) at /usr/src/sys/dev/ixgbe/if_ix.c:1512 #16 0xffffffff809b13f8 in intr_event_execute_handlers (p=3D<value optimized= out>, ie=3D0xfffff8000ef58700) at /usr/src/sys/kern/kern_intr.c:1241 #17 0xffffffff809b1d6f in ithread_loop (arg=3D0xfffff8000ef3b3e0) at /usr/src/sys/kern/kern_intr.c:1254 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-168411-8-5f3uolPKhZ>