Date: Mon, 14 Mar 2005 21:25:37 +0800 (CST)
From: Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw>
To: pcasidy@casidy.com
Cc: freebsd-current@freebsd.org
Subject: Re: Panic: Use-after-free in bfe
Message-ID: <05031421154517.5336@www.mmlab.cse.yzu.edu.tw>
In-Reply-To: <20050309154654.DDFD7B86C@smtp.casidy.net>
References: <20050309154654.DDFD7B86C@smtp.casidy.net>
[-- Attachment #1 --]
Hello Phil,
Would you please rebuild your if_bfe.ko with the attached patch and
tell me whether it fixes your problem or not? The attached patch is for
-CURRENT as of Mar-12-2005; however, you should be able to apply it to
5-STABLE as well.
--
Cheers,
Tai-hwa Liang
On Wed, 9 Mar 2005 pcasidy@casidy.com wrote:
[...]
> --- trap 0xc, eip = 0xc07a810, esp = 0xe5e61c90, ebp = 0xe5e61c98 ---
> _bus_dmamap_unload(c3102400,c3104540) at _bus_dmamap_unload+0x16
> bfe_rx_ring_free(c3105000,c3105000,c3105000,e5e61cd8,c04dd0a3) at
> bfe_rx_ring_free+0x50
> bfe_stop(c3105000,400,c3105000,e5e61cf4,c04dcae7) at bfe_stop+0x45
> bfe_init_locked(c3105000) at bfe_init_locked+0x33
> bfe_intr(c3105000) at bfe_intr+0x9f
> ithread_loop(c2fe9500,e5e61d48,c2fe9500,c0601a54,0) at
> ithread_loop+0x120
> fork_exit(c0601a54,c2fe9500,e5e61d48) at fork_exit+0xa4
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xe5e61d7c, ebp = 0 ---
> db>
> >>>>>>
>
> On -STABLE the panic is preceded by a "storm interrupt" on "irq18: bfe0
> uhci2" and dmesg reports:
>
> bfe0: <Broadcom BCM4401 Fast Ethernet> mem 0xfaffe000-0xfaffffff irq 18 at device 0.0 on pci2
> bfe0: Ethernet address: 00:11:43:65:ab:d1
> miibus0: <MII bus> on bfe0
> bmtphy0: <BCM4401 10/100baseTX PHY> on miibus0
> bmtphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
>
>
> For the moment, I use NDISulator to have this NIC working and I am
> compiling a new STABLE kernel with DDB and KDB.
>
> Do not hesitate to ask me for more information, as long as I can provide it
> using the fixit terminal on the miniinst SNAP.
>
> Thanks
>
> Phil.
[-- Attachment #2 --]
--- sys/dev/bfe/if_bfe.c.orig Mon Jan 10 03:57:55 2005
+++ sys/dev/bfe/if_bfe.c Sat Mar 12 23:52:10 2005
@@ -541,8 +541,6 @@
sc->bfe_tx_ring[i].bfe_mbuf = NULL;
bus_dmamap_unload(sc->bfe_tag,
sc->bfe_tx_ring[i].bfe_map);
- bus_dmamap_destroy(sc->bfe_tag,
- sc->bfe_tx_ring[i].bfe_map);
}
}
bzero(sc->bfe_tx_list, BFE_TX_LIST_SIZE);
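Review bot: the switch from unload-plus-destroy to unload-only in this tx free loop is undocumented. Add a comment above the bus_dmamap_unload(sc->bfe_tag, sc->bfe_tx_ring[i].bfe_map) call saying that the per-slot maps are kept for reuse and are destroyed once, in the release path that loops over BFE_TX_LIST_CNT. Without it, the asymmetry between unloading here and destroying elsewhere reads like a leak and invites someone to put the destroy back, which would again leave sc->bfe_tx_ring[i].bfe_map referring to a destroyed map the next time this loop runs.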
@@ -560,15 +558,12 @@
sc->bfe_rx_ring[i].bfe_mbuf = NULL;
bus_dmamap_unload(sc->bfe_tag,
sc->bfe_rx_ring[i].bfe_map);
- bus_dmamap_destroy(sc->bfe_tag,
- sc->bfe_rx_ring[i].bfe_map);
}
}
bzero(sc->bfe_rx_list, BFE_RX_LIST_SIZE);
bus_dmamap_sync(sc->bfe_rx_tag, sc->bfe_rx_map, BUS_DMASYNC_PREREAD);
}
-
static int
bfe_list_rx_init(struct bfe_softc *sc)
{
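Review bot: the third deletion in this hunk, the blank line between the closing brace of the rx free routine and the "static int" of bfe_list_rx_init, is unrelated to the fix and leaves the two functions without a separator; drop that line from the patch. For the functional part, the removed bus_dmamap_destroy(sc->bfe_tag, sc->bfe_rx_ring[i].bfe_map) sat in the rx path that the reported trace reaches from bfe_intr through bfe_init_locked and bfe_stop, so the commit message should say that the rx maps must survive a stop/init cycle, and that this hunk relies on the rx destroy loop added in the last hunk to avoid leaking them.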
@@ -975,6 +970,10 @@
for(i = 0; i < BFE_TX_LIST_CNT; i++) {
bus_dmamap_destroy(sc->bfe_tag,
sc->bfe_tx_ring[i].bfe_map);
+ }
+ for(i = 0; i < BFE_RX_LIST_CNT; i++) {
+ bus_dmamap_destroy(sc->bfe_tag,
+ sc->bfe_rx_ring[i].bfe_map);
}
bus_dma_tag_destroy(sc->bfe_tag);
sc->bfe_tag = NULL;
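Review bot: the new BFE_RX_LIST_CNT loop, like the tx loop above it, calls bus_dmamap_destroy() on every slot unconditionally and leaves sc->bfe_rx_ring[i].bfe_map holding the old handle afterwards. If this release code can be reached after a partially failed setup, slots whose map was never created are destroyed as well, so confirm that every caller arrives here with all maps created, or guard each call. Clearing bfe_map after each destroy, in the same way sc->bfe_tag is set to NULL after bus_dma_tag_destroy(), would keep a stale handle from being handed to a later unload on a released ring.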
