[Bug 215613] [panic] in if_ixl due to NULL pointer dereference

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Dec 27 16:44:16 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215613

--- Comment #1 from Andrey V. Elsukov <ae at FreeBSD.org> ---
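Another one, this time with taskqueue_enqueue() called from ixl_mq_start() with queue=0x0 (frames #10 and #11; que->tq is 0x0 in the dump of *txr->que below):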

Unread portion of the kernel message buffer:
frame pointer           = 0x28:0xfffffe1048520130
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 926 (bird6)

(kgdb) bt
#0  doadump (textdump=1213332256) at pcpu.h:222
#1  0xffffffff8038c596 in db_fncall (dummy1=<value optimized out>,
dummy2=<value optimized out>, dummy3=<value optimized out>, dummy4=<value
optimized out>)
    at /usr/src/sys/ddb/db_command.c:581
#2  0xffffffff8038c0f9 in db_command (cmd_table=<value optimized out>) at
/usr/src/sys/ddb/db_command.c:453
#3  0xffffffff8038be54 in db_command_loop () at
/usr/src/sys/ddb/db_command.c:506
#4  0xffffffff8038efbf in db_trap (type=<value optimized out>, code=<value
optimized out>) at /usr/src/sys/ddb/db_main.c:248
#5  0xffffffff80b32f33 in kdb_trap (type=<value optimized out>, code=<value
optimized out>, tf=<value optimized out>) at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80fa25b1 in trap_fatal (frame=0xfffffe1048520050, eva=100) at
/usr/src/sys/amd64/amd64/trap.c:796
#7  0xffffffff80fa27e3 in trap_pfault (frame=0xfffffe1048520050, usermode=0) at
/usr/src/sys/amd64/amd64/trap.c:658
#8  0xffffffff80fa1de3 in trap (frame=0xfffffe1048520050) at
/usr/src/sys/amd64/amd64/trap.c:421
#9  0xffffffff80f84191 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:236
#10 0xffffffff80b44d79 in taskqueue_enqueue (queue=0x0,
task=0xfffffe0001a0e660) at pcpu.h:222
#11 0xffffffff8103f1ef in ixl_mq_start (ifp=<value optimized out>, m=<value
optimized out>) at /usr/src/sys/dev/ixl/ixl_txrx.c:135
#12 0xffffffff80c06894 in vlan_transmit (ifp=<value optimized out>, m=<value
optimized out>) at /usr/src/sys/net/if_vlan.c:1116
#13 0xffffffff80bfc5fe in ether_output (ifp=<value optimized out>, m=<value
optimized out>, dst=0xfffffe1048520420, ro=<value optimized out>)
    at /usr/src/sys/net/if_ethersubr.c:424
#14 0xffffffff80d49b51 in ip6_output (m0=<value optimized out>, opt=<value
optimized out>, ro=0xfffffe1048520408, flags=<value optimized out>,
im6o=0xfffff801d8a9e100, 
    ifpp=0xfffffe1048520590, inp=<value optimized out>) at
/usr/src/sys/netinet6/ip6_output.c:946
#15 0xffffffff80d5e7cf in rip6_output (m=<value optimized out>, so=<value
optimized out>) at /usr/src/sys/netinet6/raw_ip6.c:536
#16 0xffffffff80d5fa49 in rip6_send (so=0xfffff801e8cf2000, flags=<value
optimized out>, m=0xfffff802c4cea600, nam=<value optimized out>,
control=0xfffff802c483e700, 
    td=0xf) at /usr/src/sys/netinet6/raw_ip6.c:888
#17 0xffffffff80b86757 in sosend_generic (so=<value optimized out>, addr=<value
optimized out>, uio=<value optimized out>, top=<value optimized out>, 
    control=<value optimized out>, flags=<value optimized out>, td=<value
optimized out>) at /usr/src/sys/kern/uipc_socket.c:1359
#18 0xffffffff80b8e4c3 in kern_sendit (td=<value optimized out>, s=<value
optimized out>, mp=<value optimized out>, flags=0, control=<value optimized
out>, 
    segflg=UIO_USERSPACE) at /usr/src/sys/kern/uipc_syscalls.c:811
#19 0xffffffff80b8e8cf in sendit (td=0xfffff801d8a75000, s=<value optimized
out>, mp=0xfffffe10485208d8, flags=<value optimized out>)
    at /usr/src/sys/kern/uipc_syscalls.c:736
#20 0xffffffff80b8e981 in sys_sendmsg (td=0xfffff801d8a75000,
uap=0xfffffe10485209d0) at /usr/src/sys/kern/uipc_syscalls.c:912
#21 0xffffffff80fa2f9e in amd64_syscall (td=<value optimized out>, traced=0) at
subr_syscall.c:135
#22 0xffffffff80f8447b in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:396
#23 0x0000000800c3286a in ?? ()
Previous frame inner to this frame (corrupt stack?)

(kgdb) f 11
#11 0xffffffff8103f1ef in ixl_mq_start (ifp=<value optimized out>, m=<value
optimized out>) at /usr/src/sys/dev/ixl/ixl_txrx.c:135
warning: Source file is more recent than executable.

135                     taskqueue_enqueue(que->tq, &que->tx_task);
(kgdb) i lo
vsi = <value optimized out>
txr = (struct tx_ring *) 0xfffffe0001a0e418
(kgdb) p *txr
$1 = {que = 0xfffffe0001a0e3e8, mtx = {lock_object = {lo_name =
0xfffffe0001a0e4c0 "ixl0:tx(7)", lo_flags = 16973824, lo_data = 0, lo_witness =
0x0}, mtx_lock = 4}, 
  tail = 1081372, base = 0xfffffe1045c5b000, dma = {va = 0xfffffe1045c5b000, pa
= 214282240, tag = 0xfffff8000ca4cc00, map = 0x0, seg = {ds_addr = 0, ds_len =
0}, 
    size = 16512, nseg = 1, flags = 0}, next_avail = 38, next_to_clean = 0,
atr_rate = 0, atr_count = 0, itr = 122, latency = 1, buffers =
0xfffffe0001b0f000, 
  avail = 986, cmd = 0, tx_tag = 0xfffff8000ca4cb00, tso_tag =
0xfffff8000ca4ca00, mtx_name = 0xfffffe0001a0e4c0 "ixl0:tx(7)", br =
0xfffffe0001b17000, packets = 0, 
  bytes = 0, tx_bytes = 0, no_desc = 0, total_packets = 38}
(kgdb) p *txr->que
$2 = {vsi = 0xfffffe000168e730, me = 7, msix = 0, eims = 0, res = 0x0, tag =
0x0, num_desc = 1024, busy = 1, txr = {que = 0xfffffe0001a0e3e8, mtx =
{lock_object = {
        lo_name = 0xfffffe0001a0e4c0 "ixl0:tx(7)", lo_flags = 16973824, lo_data
= 0, lo_witness = 0x0}, mtx_lock = 4}, tail = 1081372, base =
0xfffffe1045c5b000, dma = {
      va = 0xfffffe1045c5b000, pa = 214282240, tag = 0xfffff8000ca4cc00, map =
0x0, seg = {ds_addr = 0, ds_len = 0}, size = 16512, nseg = 1, flags = 0},
next_avail = 38, 
    next_to_clean = 0, atr_rate = 0, atr_count = 0, itr = 122, latency = 1,
buffers = 0xfffffe0001b0f000, avail = 986, cmd = 0, tx_tag =
0xfffff8000ca4cb00, 
    tso_tag = 0xfffff8000ca4ca00, mtx_name = 0xfffffe0001a0e4c0 "ixl0:tx(7)",
br = 0xfffffe0001b17000, packets = 0, bytes = 0, tx_bytes = 0, no_desc = 0, 
    total_packets = 38}, rxr = {que = 0xfffffe0001a0e3e8, mtx = {lock_object =
{lo_name = 0xfffffe0001a0e5dc "ixl0:rx(7)", lo_flags = 16973824, lo_data = 0, 
        lo_witness = 0x0}, mtx_lock = 4}, base = 0xfffffe1045c60000, dma = {va
= 0xfffffe1045c60000, pa = 214302720, tag = 0xfffff8000ca4c900, map = 0x0, seg
= {
        ds_addr = 0, ds_len = 0}, size = 32768, nseg = 1, flags = 0}, lro =
{ifp = 0xfffff8000c7ad800, lro_mbuf_data = 0xfffff801d818a800, lro_queued = 0, 
      lro_flushed = 0, lro_bad_csum = 0, lro_cnt = 8, lro_mbuf_count = 0,
lro_mbuf_max = 0, lro_ackcnt_lim = 65535, lro_length_lim = 65535, lro_hashsz =
1, 
      lro_hash = 0xfffff801d8cdf240, lro_active = {lh_first = 0x0}, lro_free =
{lh_first = 0xfffff801d818abf0}}, lro_enabled = false, hdr_split = false,
discard = false, 
    next_refresh = 0, next_check = 0, itr = 62, latency = 1, mtx_name =
0xfffffe0001a0e5dc "ixl0:rx(7)", buffers = 0xfffffe0001b27000, mbuf_sz = 4096,
tail = 1212444, 
    htag = 0xfffff8000ca4c800, ptag = 0xfffff8000ca4c700, packets = 0, bytes =
0, split = 0, rx_packets = 0, rx_bytes = 0, desc_errs = 0, not_done = 0}, task
= {
    ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0,
ta_context = 0x0}, tx_task = {ta_link = {stqe_next = 0x0}, ta_pending = 0, 
    ta_priority = 0, ta_func = 0, ta_context = 0x0}, tq = 0x0, irqs = 0, tso =
0, mbuf_defrag_failed = 0, mbuf_hdr_failed = 0, mbuf_pkt_failed = 0,
tx_dmamap_failed = 0, 
  dropped_pkts = 0}
