From owner-freebsd-bugs@freebsd.org Wed Feb 17 12:41:33 2016 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 98D4AAAABBD for ; Wed, 17 Feb 2016 12:41:33 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7D94E12AE for ; Wed, 17 Feb 2016 12:41:33 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u1HCfXnd029989 for ; Wed, 17 Feb 2016 12:41:33 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 168411] [vm] [panic] uma_find_refcnt(): zone possibly not UMA_ZONE_REFCNT Date: Wed, 17 Feb 2016 12:41:33 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: ae@FreeBSD.org X-Bugzilla-Status: In Progress X-Bugzilla-Resolution: X-Bugzilla-Priority: Normal X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Feb 2016 12:41:33 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D168411 Andrey V. Elsukov changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ae@FreeBSD.org --- Comment #1 from Andrey V. Elsukov --- I can reliably get this panic. We are experimenting with using max_hdr variable to reserve leading space in mbufs allocated by network drivers. The goal is optimize the traffic flow on routers which do IPv4->IPv6 encapsulation or NAT46. We use this function to reserve leading space: #define M_RESERVE_ALIGN 128 /* * Set the m_data pointer of a mbuf to be able place an object of the * max_hdr bytes at the beginning of the mbuf's data, aligned to 128 bytes. * Also (re)initialize m_len and m_pkthdr.len fields. */ static __inline void m_reserve_hdr(struct mbuf *m) { int len; len =3D roundup2(max_hdr, M_RESERVE_ALIGN); if ((m->m_flags & M_PKTHDR) =3D=3D 0 || ((int)M_SIZE(m) - len) < 0) return; m->m_data =3D M_START(m) + len; m->m_len =3D m->m_pkthdr.len =3D M_SIZE(m) - len; } And how this function is used in ixgbe(4): --- a/sys/dev/ixgbe/ix_txrx.c +++ b/sys/dev/ixgbe/ix_txrx.c @@ -1319,13 +1319,10 @@ ixgbe_refresh_mbufs(struct rx_ring *rxr, int limit) M_PKTHDR, rxr->mbuf_sz); if (mp =3D=3D NULL) goto update; - if (adapter->max_frame_size <=3D (MCLBYTES - ETHER_ALIGN)) - m_adj(mp, ETHER_ALIGN); } else mp =3D rxbuf->buf; - mp->m_pkthdr.len =3D mp->m_len =3D rxr->mbuf_sz; - + m_reserve_hdr(mp); /* If we're dealing with an mbuf that was copied rather * than replaced, there's no need to go through busdma. */ @@ -1517,7 +1514,7 @@ ixgbe_setup_receive_ring(struct rx_ring *rxr) goto fail; } mp =3D rxbuf->buf; - mp->m_pkthdr.len =3D mp->m_len =3D rxr->mbuf_sz; + m_reserve_hdr(mp); /* Get the memory mapping */ error =3D bus_dmamap_load_mbuf_sg(rxr->ptag, rxbuf->pmap, mp, seg, How to reproduce the panic. Configure MTU greater than MJUMPAGESIZE, and se= nd several packets with size greater than MJUMPAGESIZE. The result: Fatal trap 9: general protection fault while in kernel mode cpuid =3D 10; apic id =3D 0a instruction pointer =3D 0x20:0xffffffff80cc192b stack pointer =3D 0x28:0xfffffe10466b6730 frame pointer =3D 0x28:0xfffffe10466b6750 code segment =3D base 0x0, limit 0xfffff, type 0x1b =3D DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags =3D interrupt enabled, resume, IOPL =3D 0 current process =3D 12 (irq287: ix0:que 5) #8 0xffffffff80e390d2 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:235 #9 0xffffffff80cc192b in uma_find_refcnt (zone=3D, item=3D) at /usr/src/sys/vm/uma_core.c:3205 #10 0xffffffff809cd7fa in mb_ctor_clust (mem=3D0xfffff803394f6000, size=3D4= 096, arg=3D0xfffff80339469200, how=3D961499136) at /usr/src/sys/kern/kern_mbuf.c= :583 #11 0xffffffff80cbfed7 in uma_zalloc_arg (zone=3D, udata=3D0xfffff80339469200, flags=3D1) at /usr/src/sys/vm/uma_core.c:2203 #12 0xffffffff80a6f966 in m_getjcl (how=3D1, type=3D, flags=3D, size=3D) at /usr/src/sys/kern/uipc_mbuf.c:189 #13 0xffffffff805cf339 in ixgbe_refresh_mbufs (rxr=3D0xfffffe00017c0528, li= mit=3D4) at /usr/src/sys/dev/ixgbe/ix_txrx.c:1318 #14 0xffffffff805cf209 in ixgbe_rxeof (que=3D) at /usr/src/sys/dev/ixgbe/ix_txrx.c:1984 #15 0xffffffff805c7b9b in ixgbe_msix_que (arg=3D0xfffff8000ef75230) at /usr/src/sys/dev/ixgbe/if_ix.c:1512 #16 0xffffffff809b13f8 in intr_event_execute_handlers (p=3D, ie=3D0xfffff8000ef58700) at /usr/src/sys/kern/kern_intr.c:1241 #17 0xffffffff809b1d6f in ithread_loop (arg=3D0xfffff8000ef3b3e0) at /usr/src/sys/kern/kern_intr.c:1254 --=20 You are receiving this mail because: You are the assignee for the bug.=