FreeBSD 10-RC4: Got crash in igb driver
Alexandre Martins
alexandre.martins at netasq.com
Thu Jan 9 15:07:22 UTC 2014
Dear,
I experience some troubles with the igb device driver on FreeBSD 10-RC4.
The kernel make a pagefault in the igb_tx_ctx_setup function when accessing to
a IPv6 header.
The network configuration is the following:
- box acting as an IPv6 router
- one interface with an IPv6 (igb0)
- another interface with a vlan, and IPv6 on it (vlan0 on igb1)
Vlan Hardware tagging is set on both interfaces.
The packet that cause the crash come from igb0 and go to vlan0.
After investigation, i see that the mbuf is split in two. The first one carry
the ethernet header, the second, the IPv6 header and data payload.
The split is due to the "m_copy" done in ip6_forward, that make the mbuf not
writable and the "M_PREPEND" in ether_output that insert the new mbuf before
the original one.
The kernel crashes only if the newly allocated mbuf is at the end of a memory
page, and no page is available after this one. So, it's extremly rare.
I inserted a "KASSERT" into the function (see attached patch) to check this
behavior, and it raises on every IPv6 forwarded packet to the vlan. The
problem disapear if i remove hardware tagging.
In the commit 256200, i see that pullups has been removed. May it be related ?
Can you confirm the problem ?
Best regards
--
Alexandre Martins
NETASQ -- We secure IT
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug.patch
Type: text/x-patch
Size: 488 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20140109/70961b13/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1853 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20140109/70961b13/attachment-0001.bin>
More information about the freebsd-current
mailing list