[Bug 259458] iflib_rxeof NULL pointer crash with vmxnet3 driver

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 26 Oct 2021 13:21:16 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259458

--- Comment #2 from Andriy Gapon <avg@FreeBSD.org> ---
(kgdb) fr 20  
#20 iflib_rxeof (rxq=<optimized out>, budget=<optimized out>) at
/usr/src/sys/net/iflib.c:2879
2879    in /usr/src/sys/net/iflib.c
(kgdb) i loc
ri = {iri_qsidx = 0, iri_vtag = 0, iri_len = 60, iri_cidx = 328, iri_ifp =
0xfffff80002d9e000, iri_frags = 0xfffffe00ea9f5180, iri_flowid = 0,
iri_csum_flags = 0, iri_csum_data = 0, iri_flags = 0 '\000', iri_nfrags = 1
'\001',
  iri_rsstype = 0 '\000', iri_pad = 0 '\000'}
ctx = 0xfffff80002dd2000
lro_possible = <error reading variable lro_possible (Cannot access memory at
address 0x0)>
v4_forwarding = <error reading variable v4_forwarding (Cannot access memory at
address 0x0)>
v6_forwarding = <error reading variable v6_forwarding (Cannot access memory at
address 0x0)>
retval = <error reading variable retval (Cannot access memory at address 0x0)>
scctx = <optimized out>
sctx = 0xffffffff810f1100 <vmxnet3_sctx_init>
rx_pkts = <error reading variable rx_pkts (Cannot access memory at address
0x0)>
rx_bytes = <error reading variable rx_bytes (Cannot access memory at address
0x0)>
mh = 0xfffff800b371d100
mt = 0xfffff800b371d100
ifp = 0xfffff80002d9e000
cidxp = 0xfffffe00ea9f5018
avail = 1
budget_left = 15
err = <optimized out>
m = <optimized out>
i = <optimized out>
fl = <optimized out>
mf = <optimized out>
lro_enabled = <optimized out>

(kgdb) p *cidxp
$4 = 328

(kgdb) p ri.iri_frags[0]
$5 = {irf_flid = 0 '\000', irf_idx = 327, irf_len = 60}

(kgdb) fr 19
#19 0xffffffff8084d049 in iflib_rxd_pkt_get (rxq=0xfffffe00ea9f5000,
ri=<optimized out>) at /usr/src/sys/net/iflib.c:2737
2737    /usr/src/sys/net/iflib.c: No such file or directory.
(kgdb) p *rxq
$6 = {ifr_ctx = 0xfffff80002dd2000, ifr_fl = 0xfffff80002d93400, ifr_rx_irq =
0, ifr_cq_cidx = 328, ifr_id = 0, ifr_nfl = 2 '\002', ifr_ntxqirq = 1 '\001',
ifr_txqid = "\000\000\000", ifr_fl_offset = 1 '\001', ifr_lc = {
    ifp = 0xfffff80002d9e000, lro_mbuf_data = 0xfffffe00ea9f1000, lro_queued =
0, lro_flushed = 0, lro_bad_csum = 0, lro_cnt = 8, lro_mbuf_count = 0,
lro_mbuf_max = 512, lro_ackcnt_lim = 65535, lro_length_lim = 65535,
    lro_hashsz = 509, lro_hash = 0xfffff8000410d000, lro_active = {lh_first =
0x0}, lro_free = {lh_first = 0xfffffe00ea9f33f0}}, ifr_task = {gt_task =
{ta_link = {stqe_next = 0x0}, ta_flags = 2, ta_priority = 0,
      ta_func = 0xffffffff8084cd90 <_task_fn_rx>, ta_context =
0xfffffe00ea9f5000}, gt_taskqueue = 0xfffff800020c7200, gt_list = {le_next =
0x0, le_prev = 0xfffffe00015f08a8}, gt_uniq = 0xfffffe00ea9f5000,
    gt_name = "rxq0", '\000' <repeats 27 times>, gt_irq = 257, gt_cpu = 0},
ifr_watchdog = {c_links = {le = {le_next = 0x0, le_prev = 0x0}, sle = {sle_next
= 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}}, c_time = 0,
    c_precision = 0, c_arg = 0x0, c_func = 0x0, c_lock = 0x0, c_flags = 0,
c_iflags = 16, c_cpu = 0, c_exec_time = 0, c_lines = {u128 = 1528, u16 = {1528,
0, 0, 0, 0, 0, 0, 0}}}, ifr_filter_info = {
    ifi_filter = 0xffffffff80a3c580 <vmxnet3_rxq_intr>, ifi_filter_arg =
0xfffff80004110000, ifi_task = 0xfffffe00ea9f5088, ifi_ctx =
0xfffffe00ea9f5000}, ifr_ifdi = 0xfffff80002d99400, ifr_frags = {{irf_flid = 0
'\000',
      irf_idx = 327, irf_len = 60}, {irf_flid = 0 '\000', irf_idx = 0, irf_len
= 0} <repeats 63 times>}}


(kgdb) p rxq->ifr_fl[0]
$7 = {ifl_cidx = 328, ifl_pidx = 341, ifl_credits = 509, ifl_gen = 0 '\000',
ifl_rxd_size = 0 '\000', ifl_rx_bitmap = 0xfffff80002cb5ec0, ifl_fragidx = 142,
ifl_size = 512, ifl_buf_size = 2048, ifl_cltype = 1,
  ifl_zone = 0xfffff800029c6000, ifl_sds = {ifsd_map = 0xfffff80002d5f000,
ifsd_m = 0xfffff80002d62000, ifsd_cl = 0xfffff80002d61000, ifsd_ba =
0xfffff80002d60000}, ifl_rxq = 0xfffffe00ea9f5000, ifl_id = 0 '\000',
  ifl_buf_tag = 0xfffff80002d74400, ifl_ifdi = 0xfffff80002d99428,
ifl_bus_addrs = {4884103168, 4884094976, 4887971840, 4887965696, 4898656256,
4898662400, 4898660352, 4898617344, 4753053696, 4753018880, 4753020928,
4883597312,
    4898639872, 4898646016, 4898643968, 4898650112, 4884144128, 4884150272,
4884148224, 4884154368, 4884152320, 4884158464, 4884156416, 4884162560,
4884160512, 4884166656, 4884111360, 4884117504, 4884115456, 4884121600,
    4884119552, 4884125696}, ifl_rxd_idxs = {141, 137, 120, 121, 323, 324, 325,
326, 0, 1, 2, 3, 315, 316, 317, 318, 496, 497, 498, 499, 500, 501, 502, 503,
504, 505, 506, 507, 508, 509, 510, 511}}

(kgdb) p $7.ifl_sds.ifsd_cl[327]
$8 = (caddr_t) 0x0
(kgdb) p $7.ifl_sds.ifsd_cl[326]
$9 = (caddr_t) 0xfffff80123faf800 "\377\377\377\377\377\377"
(kgdb) p $7.ifl_sds.ifsd_cl[328]
$10 = (caddr_t) 0xfffff8012322b800 "\377\377\377\377\377\377"

So the fragment being processed (ri.iri_frags[0].irf_idx = 327) refers to a free-list slot whose cluster pointer ifsd_cl[327] is NULL, while the neighbouring slots 326 and 328 still hold valid clusters; that NULL cluster is what iflib_rxd_pkt_get dereferences.
