From owner-freebsd-current@FreeBSD.ORG Wed Mar 9 15:47:00 2005 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D2A516A4CE for ; Wed, 9 Mar 2005 15:47:00 +0000 (GMT) Received: from hermes.oxyd.fr (hermes.oxyd.fr [195.137.249.76]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EAAC43D5A for ; Wed, 9 Mar 2005 15:46:59 +0000 (GMT) (envelope-from pcasidy@casidy.com) Received: from [212.43.253.140] (helo=smtp.casidy.net) by hermes.oxyd.fr with asmtp (Exim 4.20) id 1D93Ok-00019j-LF for freebsd-current@freebsd.org; Wed, 09 Mar 2005 16:46:58 +0100 Received: from casidy.com (unknown [192.168.1.5]) by smtp.casidy.net (Postfix) with ESMTP id DDFD7B86C for ; Wed, 9 Mar 2005 16:46:54 +0100 (CET) Date: Wed, 9 Mar 2005 16:56:05 +0100 (CET) From: pcasidy@casidy.com To: freebsd-current@freebsd.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Message-Id: <20050309154654.DDFD7B86C@smtp.casidy.net> X-auth-smtp-user: postmaster@casidy.com X-abuse-contact: abuse@oxyd.fr X-Mailman-Approved-At: Thu, 10 Mar 2005 13:01:29 +0000 Subject: Panic: Use-after-free in bfe X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Mar 2005 15:47:00 -0000 Hi! I have been suggested to escalate my problem to this list. I have this problem both on -STABLE and -CURRENT. On stable@ the thread is titled 'if_bfe/uhci: storm interrupt Fatal trap 12' Here is a description of the problem: I have a new laptop: a DELL Inspiron 9100 with a builtin "Broadcom BCM4401 Fast Ethernet" which is attached to the bfe driver. As soon as I give this NIC an adress, the system panic. The laptop has a Pentium 4HT 3.2Ghz and 1.5Gb of memory. Here is a handwritten typescript of the panic while using february CURRENT-SNAP in Fixit-mode. 1- I boot with the snapshot miniinst 2- Selecting keymap (french accent) 3- Fixit mode 4- Emergency shell 5- using Alt-F4 to go to the terminal 6- typing: "ifconfig bfe0 192.168.1.1" => the shell freeze 7- using Alt-F1 to go back to the 1st terminal where there is a panic message: <<<<<<< handwritten typescript cpuid = 0 KDB: enter: panic [thread pid 29 tid 100030 ] Stopped at kdb_enter+0x2b: nop db> where -- command entered Tracing pid 29 tid 100030 td 0xc2ff1000 kdb_enter(c0823108) at kdb_enter+0x2b panic(c083ca28,deadc000,c07c9462,0,80000000) at panic+0x127 vm_fault(c1459000,deadc000,1,0,c2ff1000) at vm_fault+0x1e1 trap_pfault(e5e61c50,0,deadc0ee) at trap_pfault+0x13b trap(c0830018,10,10,c3105000,c3102400) at trap+0x335 calltrap() at calltrap+0x5 --- trap 0xc, eip = 0xc07a810, esp = 0xe5e61c90, ebp = 0xe5e61c98 --- _bus_dmamap_unload(c3102400,c3104540) at _bus_dmamap_unload+0x16 bfe_rx_ring_free(c3105000,c3105000,c3105000,e5e61cd8,c04dd0a3) at bfe_rx_ring_free+0x50 bfe_stop(c3105000,400,c3105000,e5e61cf4,c04dcae7) at bfe_stop+0x45 bfe_init_locked(c3105000) at bfe_init_locked+0x33 bfe_intr(c3105000) at bfe_intr+0x9f ithread_loop(c2fe9500,e5e61d48,c2fe9500,c0601a54,0) at ithread_loop+0x120 fork_exit(c0601a54,c2fe9500,e5e61d48) at fork_exit+0xa4 fork_trampoline() at fork_trampoline+0x8 --- trap 0x1, eip = 0, esp = 0xe5e61d7c, ebp = 0 --- db> >>>>>> On -STABLE the panic is preceded by a "storm interrupt" on "irq18: bfe0 uhci2" and dmesg reports: bfe0: mem 0xfaffe000-0xfaffffff irq 18 at device 0.0 on pci2 bfe0: Ethernet address: 00:11:43:65:ab:d1 miibus0: on bfe0 bmtphy0: on miibus0 bmtphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto For the moment, I use NDISulator to have this NIC working and I am compiling a new STABLE kernel with DDB and KDB. Do not hesitate to ask me more information as long as I can provide them using the fixit terminal on the miniinst SNAP. Thanks Phil.