From owner-freebsd-current@FreeBSD.ORG Fri Jan 10 08:37:35 2014 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3ADFB465; Fri, 10 Jan 2014 08:37:35 +0000 (UTC) Received: from work.netasq.com (gwlille.netasq.com [91.212.116.1]) by mx1.freebsd.org (Postfix) with ESMTP id 900F113D1; Fri, 10 Jan 2014 08:37:33 +0000 (UTC) Received: from work.netasq.com (localhost [127.0.0.1]) by work.netasq.com (Postfix) with ESMTP id D47D0270521C; Fri, 10 Jan 2014 09:37:31 +0100 (CET) Received: from fabient.netasq.com (unknown [91.212.116.2]) by work.netasq.com (Postfix) with ESMTPSA id 73C7E2705205; Fri, 10 Jan 2014 09:37:31 +0100 (CET) Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\)) Subject: Re: FreeBSD 10-RC4: Got crash in igb driver From: Fabien Thomas In-Reply-To: <20140110012114.GA3103@michelle.cdnetworks.com> Date: Fri, 10 Jan 2014 09:37:33 +0100 Message-Id: <80AC5F96-BB64-4F81-BFE1-0392B7D7203A@netasq.com> References: <48005124.ny58tnLn4d@pc-alex> <20140110012114.GA3103@michelle.cdnetworks.com> To: pyunyh@gmail.com X-Mailer: Apple Mail (2.1827) Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.17 Cc: Jack F Vogel , Alexandre Martins , freebsd-current , Damien DEVILLE X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Jan 2014 08:37:35 -0000 Le 10 janv. 2014 =E0 02:21, Yonghyeon PYUN a =E9crit = : > On Thu, Jan 09, 2014 at 04:06:09PM +0100, Alexandre Martins wrote: >> Dear, >>=20 >> I experience some troubles with the igb device driver on FreeBSD = 10-RC4. >>=20 >> The kernel make a pagefault in the igb_tx_ctx_setup function when = accessing to=20 >> a IPv6 header. >>=20 >> The network configuration is the following: >> - box acting as an IPv6 router >> - one interface with an IPv6 (igb0) >> - another interface with a vlan, and IPv6 on it (vlan0 on igb1) >>=20 >> Vlan Hardware tagging is set on both interfaces. >>=20 >> The packet that cause the crash come from igb0 and go to vlan0. >>=20 >> After investigation, i see that the mbuf is split in two. The first = one carry=20 >> the ethernet header, the second, the IPv6 header and data payload. >>=20 >> The split is due to the "m_copy" done in ip6_forward, that make the = mbuf not=20 >> writable and the "M_PREPEND" in ether_output that insert the new mbuf = before=20 >> the original one. >>=20 >> The kernel crashes only if the newly allocated mbuf is at the end of = a memory=20 >> page, and no page is available after this one. So, it's extremly = rare. >>=20 >> I inserted a "KASSERT" into the function (see attached patch) to = check this=20 >> behavior, and it raises on every IPv6 forwarded packet to the vlan. = The=20 >> problem disapear if i remove hardware tagging. >>=20 >> In the commit 256200, i see that pullups has been removed. May it be = related ? >>=20 >=20 > I think I introduced the header parsing code to meet controller > requirement in em(4) and Jack borrowed that code in the past but it > seems it was removed in r256200. It seems igb_tx_ctx_setup() > assumes it can access ethernet/IP/TCP/UDP headers in the first mbuf > of the chain. > This looks wrong to me. Instead of patching each driver with pullup code we can add a generic = pullup code ? - get the contiguous protocol requirement (L2, L3, L4) from underlying = driver. - do the pullup >=20 >> Can you confirm the problem ? >>=20 >=20 > Probably Jack can tell more about change made in r256200. It's not > easy for me to verify correctness of igb(4) at this moment. >=20 >> Best regards >>=20 >> --=20 >> Alexandre Martins >> NETASQ -- We secure IT