From nobody Wed Jun 21 01:21:57 2023 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Qm5M9581wz4gTHq for ; Wed, 21 Jun 2023 01:21:57 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Qm5M947b0z3MYN for ; Wed, 21 Jun 2023 01:21:57 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1687310517; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=r6geNBbb9Ld84MW2OcfvMlgJToQHkoDopA7o94BaUvg=; b=ELZ+SwufXWNVNixvtXypwHsVbRxXY/aPk4Ka0EWZgal8Fs50Nv956ttpgty4TLYct1xoin AaDhXtqjcxr4Kl8k/WTSGQB4AhTBvF5bo40aUBQTgM+PVC0UnFx8nU602mpDHIbCyWLgkI NN4rv1+cc6NZAWx0CULZHVvT/fBJJ52gpUzXi2+QGhD6KYqdy6bvHtkgULdz+Dv/TOC7mi CAcMCIo+rXUKu+jvQNnR5dPql5AHp6n5YLWLlTw0xtneV/HDBywCOqr31Gjhm+Tcp0wI8T AZpXBLv2aycEtLOZH4rnpE3EUQvfS2XKktssvmKHFjvi6taQ8s0a/6/R3e0HzA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1687310517; a=rsa-sha256; cv=none; b=xYl5ekh4KS1lhgV8xvZoeTVfUT0oIniWA79F8Tm/PfR4EOBvBrYVG+yYxDGFIiJoukuyuO zShSHLq4aqQa8Xz/pYGJ+KV0tsySouTBXDC7eN1zXz3jDPbA8XeHQHdl2Ka5mN/N8U4PKj 8zwKtI1U1xa0GcFo6eoPvk/WBIxjDGIK7XZgVUnllkdJNHQFDRdHyK6MJ8qVAB/U9ePfJa O/ipPwMwIGFw4rYLzPiYIUJ4LiNPWbYul0JWXjX9nzyIdNPmKYBpCb/wAvG6TkenJZzB/w dX54LNUyS/JzzA0Gn7oWj1mWXwss64Pz2L+TOAblihPMzmYvXV1wMjyl2EFf2g== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Qm5M937p7zN2C for ; Wed, 21 Jun 2023 01:21:57 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 35L1LvXq010501 for ; Wed, 21 Jun 2023 01:21:57 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 35L1Lvv8010500 for bugs@FreeBSD.org; Wed, 21 Jun 2023 01:21:57 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 272117] bnxt: kernel crash with sysctl and jumbo frames Date: Wed, 21 Jun 2023 01:21:57 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: asomers@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D272117 Bug ID: 272117 Summary: bnxt: kernel crash with sysctl and jumbo frames Product: Base System Version: 13.1-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: asomers@FreeBSD.org I can reliably crash the kernel just by doing "sysctl dev.bnxt.0" if the interface has been configured with jumbo frames. It seems that the trigger= is whether the interface has ever been configured with jumbo frames, not wheth= er it currently uses them. If I boot with jumbo frames, then do "ifconfig lag= g0 mtu 1500", I can still trigger the panic. This happens on a custom kernel build based on 13.1-RELEASE. /etc/rc.conf: ifconfig_bnxt0=3D"up" ifconfig_bnxt3=3D"up" cloned_interfaces=3D"lagg0" ifconfig_lagg0=3D"laggproto lacp -lacp_fast_timeout 10.2.172.79/23 laggport= bnxt0 laggport bnxt3" vlans_lagg0=3D"173" ifconfig_lagg0_173=3D"10.2.174.79/23" defaultrouter=3D"10.2.172.1" Steps to Reproduce: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D $ sysctl dev.bnxt.0 ... dev.bnxt.0.iflib.txq00.cpu: 0 Stack trace: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Fatal trap 12: page fault while in kernel mode cpuid =3D 21; apic id =3D 8a fault virtual address =3D 0xc00000148 fault code =3D supervisor read data, page not present instruction pointer =3D 0x20:0xffffffff80d6dffb stack pointer =3D 0x28:0xfffffe0d24c4ea90 frame pointer =3D 0x28:0xfffffe0d24c4ebd0 code segment =3D base 0x0, limit 0xfffff, type 0x1b =3D DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags =3D interrupt enabled, resume, IOPL =3D 0 current process =3D 3220 (sysctl) trap number =3D 12 panic: page fault cpuid =3D 21 time =3D 1687302737 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0d24c4e= 850 vpanic() at vpanic+0x17f/frame 0xfffffe0d24c4e8a0 panic() at panic+0x43/frame 0xfffffe0d24c4e900 trap_fatal() at trap_fatal+0x385/frame 0xfffffe0d24c4e960 trap_pfault() at trap_pfault+0x4f/frame 0xfffffe0d24c4e9c0 calltrap() at calltrap+0x8/frame 0xfffffe0d24c4e9c0 --- trap 0xc, rip =3D 0xffffffff80d6dffb, rsp =3D 0xfffffe0d24c4ea90, rbp = =3D 0xfffffe0d24c4ebd0 --- mp_ndesc_handler() at mp_ndesc_handler+0x7b/frame 0xfffffe0d24c4ebd0 sysctl_root_handler_locked() at sysctl_root_handler_locked+0x90/frame 0xfffffe0d24c4ec20 sysctl_root() at sysctl_root+0x271/frame 0xfffffe0d24c4eca0 userland_sysctl() at userland_sysctl+0x173/frame 0xfffffe0d24c4ed50 sys___sysctl() at sys___sysctl+0x5c/frame 0xfffffe0d24c4ee00 amd64_syscall() at amd64_syscall+0x775/frame 0xfffffe0d24c4ef30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0d24c4ef30 --- syscall (202, FreeBSD ELF64, sys___sysctl), rip =3D 0x8011a11ca, rsp =3D 0x7fffffffc5a8, rbp =3D 0x7fffffffc5e0 --- KDB: enter: panic >From GDB, it seems that the sysctl that triggers the panic is dev.bnxt.0.iflib.override_nrxds. And in mp_ndesc_handler, the value of ctx->ifc_sctx is 0xc00000000 , which doesn't look right, because it ought t= o be a pointer. --=20 You are receiving this mail because: You are the assignee for the bug.=