[Bug 259458] iflib_rxeof NULL pointer crash with vmxnet3 driver

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 26 Oct 2021 15:12:16 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259458

--- Comment #6 from Andriy Gapon <avg@FreeBSD.org> ---
I noticed a discrepancy between ifl_cidx / iri_cidx / ifr_cq_cidx, which are all
equal to 328, and irf_idx, which is set to 327.

Initially, I thought that this could be a recurrence of an older problem:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243126#c2
But in this case I do not see any zero-length packets near the current index.
In fact, given that vxcr_zero_length is zero, there hadn't been any zero-length
packets at all.

Looking at the code in vmxnet3_isc_rxd_pkt_get(), I think that iri_cidx !=
irf_idx is not a problem.  irf_idx is the last processed fragment's (packet's)
descriptor ID, while iri_cidx is the next one, so iri_cidx being one ahead
(328 vs. 327) is expected here.  So, everything is correct there.


(kgdb) p $20->ifc_softc 
$34 = (void *) 0xfffff80002d93800
(kgdb) p *(struct vmxnet3_softc *)$20->ifc_softc
$35 = {vmx_dev = 0xfffff80002db6300, vmx_ctx = 0xfffff80002dd2000, vmx_sctx =
0xffffffff810f1100 <vmxnet3_sctx_init>, vmx_scctx = 0xfffff80002dd2048, vmx_ifp
= 0xfffff80002d9e000, vmx_ds = 0xfffff80002d91400, vmx_flags = 2, 
  vmx_rxq = 0xfffff80004110000, vmx_txq = 0xfffff80004110800, vmx_res0 =
0xfffff80002d98b00, vmx_iot0 = 1, vmx_ioh0 = 18446735281866391552, vmx_res1 =
0xfffff80002d98a00, vmx_iot1 = 1, vmx_ioh1 = 18446735281866395648, 
  vmx_link_active = 1, vmx_intr_mask_mode = 0, vmx_event_intr_idx = 8,
vmx_event_intr_irq = {ii_res = 0xfffff80002d99d00, ii_rid = 9, ii_tag =
0xfffff80004413e80}, vmx_mcast = 0xfffff8000440bc00 "", 
  vmx_rss = 0xfffff8000440bb00, vmx_ds_dma = {idi_paddr = 47780864, idi_vaddr =
0xfffff80002d91400 "\341\376\276\272", idi_tag = 0xfffff8000440b900, idi_map =
0x0, idi_size = 720}, vmx_qs_dma = {idi_paddr = 68214784, 
    idi_vaddr = 0xfffff8000410e000 "", idi_tag = 0xfffff80002db4c00, idi_map =
0x0, idi_size = 4096}, vmx_mcast_dma = {idi_paddr = 71351296, idi_vaddr =
0xfffff8000440bc00 "", idi_tag = 0xfffff8000440b700, idi_map = 0x0, 
    idi_size = 192}, vmx_rss_dma = {idi_paddr = 71351040, idi_vaddr =
0xfffff8000440bb00 "\017", idi_tag = 0xfffff8000440b800, idi_map = 0x0,
idi_size = 176}, vmx_media = 0xfffff80002dd22f0, vmx_vlan_filter = {
    0 <repeats 128 times>}, vmx_lladdr = "\000PV\246\237\""}


(kgdb) p $35.vmx_rxq[0]
$36 = {vxrxq_sc = 0xfffff80002d93800, vxrxq_id = 0, vxrxq_intr_idx = 0,
vxrxq_irq = {ii_res = 0xfffff80002df8f00, ii_rid = 1, ii_tag =
0xfffff80002d99000}, vxrxq_cmd_ring = {{vxrxr_rxd = 0xfffffe00eaaf4000,
vxrxr_ndesc = 512, 
      vxrxr_gen = 0, vxrxr_paddr = 57622528, vxrxr_desc_skips = 1017,
vxrxr_refill_start = 142}, {vxrxr_rxd = 0xfffffe00eaaf6000, vxrxr_ndesc = 512,
vxrxr_gen = 1, vxrxr_paddr = 57630720, vxrxr_desc_skips = 0, 
      vxrxr_refill_start = 511}}, vxrxq_comp_ring = {vxcr_u = {txcd =
0xfffffe00eaaf0000, rxcd = 0xfffffe00eaaf0000}, vxcr_next = 0, vxcr_ndesc =
1024, vxcr_gen = 1, vxcr_paddr = 57606144, vxcr_zero_length = 0, 
    vxcr_pkt_errors = 0}, vxrxq_rs = 0xfffff8000410e800, vxrxq_sysctl =
0xfffff80004415480, vxrxq_name = "vmx0-rx0\000\000\000\000\000\000\000"}
(kgdb) p $36.vxrxq_comp_ring

$37 = {vxcr_u = {txcd = 0xfffffe00eaaf0000, rxcd = 0xfffffe00eaaf0000},
vxcr_next = 0, vxcr_ndesc = 1024, vxcr_gen = 1, vxcr_paddr = 57606144,
vxcr_zero_length = 0, vxcr_pkt_errors = 0}


(kgdb) p $37.vxcr_u.rxcd[325]
$38 = {rxd_idx = 325, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0,
no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0,
csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0, 
  fragment = 0, fcs = 0, type = 3, gen = 1}
(kgdb) p $37.vxcr_u.rxcd[326]
$39 = {rxd_idx = 326, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0,
no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0,
csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0, 
  fragment = 0, fcs = 0, type = 3, gen = 1}
(kgdb) p $37.vxcr_u.rxcd[327]
$40 = {rxd_idx = 327, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0,
no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0,
csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0, 
  fragment = 0, fcs = 0, type = 3, gen = 1}
(kgdb) p $37.vxcr_u.rxcd[328]
$41 = {rxd_idx = 328, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0,
no_csum = 1, pad2 = 0, rss_hash = 0, len = 60, error = 0, vlan = 0, vtag = 0,
csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0, 
  fragment = 0, fcs = 0, type = 3, gen = 1}
