[Bug 168411] [vm] [panic] uma_find_refcnt(): zone possibly not UMA_ZONE_REFCNT
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Feb 17 12:41:33 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=168411
Andrey V. Elsukov <ae at FreeBSD.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ae at FreeBSD.org
--- Comment #1 from Andrey V. Elsukov <ae at FreeBSD.org> ---
I can reliably get this panic.
We are experimenting with using max_hdr variable to reserve leading space in
mbufs allocated by network drivers. The goal is optimize the traffic flow on
routers which do IPv4->IPv6 encapsulation or NAT46.
We use this function to reserve leading space:
#define M_RESERVE_ALIGN 128
/*
* Set the m_data pointer of a mbuf to be able place an object of the
* max_hdr bytes at the beginning of the mbuf's data, aligned to 128 bytes.
* Also (re)initialize m_len and m_pkthdr.len fields.
*/
static __inline void
m_reserve_hdr(struct mbuf *m)
{
int len;
len = roundup2(max_hdr, M_RESERVE_ALIGN);
if ((m->m_flags & M_PKTHDR) == 0 || ((int)M_SIZE(m) - len) < 0)
return;
m->m_data = M_START(m) + len;
m->m_len = m->m_pkthdr.len = M_SIZE(m) - len;
}
And how this function is used in ixgbe(4):
--- a/sys/dev/ixgbe/ix_txrx.c
+++ b/sys/dev/ixgbe/ix_txrx.c
@@ -1319,13 +1319,10 @@ ixgbe_refresh_mbufs(struct rx_ring *rxr, int limit)
M_PKTHDR, rxr->mbuf_sz);
if (mp == NULL)
goto update;
- if (adapter->max_frame_size <= (MCLBYTES -
ETHER_ALIGN))
- m_adj(mp, ETHER_ALIGN);
} else
mp = rxbuf->buf;
- mp->m_pkthdr.len = mp->m_len = rxr->mbuf_sz;
-
+ m_reserve_hdr(mp);
/* If we're dealing with an mbuf that was copied rather
* than replaced, there's no need to go through busdma.
*/
@@ -1517,7 +1514,7 @@ ixgbe_setup_receive_ring(struct rx_ring *rxr)
goto fail;
}
mp = rxbuf->buf;
- mp->m_pkthdr.len = mp->m_len = rxr->mbuf_sz;
+ m_reserve_hdr(mp);
/* Get the memory mapping */
error = bus_dmamap_load_mbuf_sg(rxr->ptag,
rxbuf->pmap, mp, seg,
How to reproduce the panic. Configure MTU greater than MJUMPAGESIZE, and send
several packets with size greater than MJUMPAGESIZE.
The result:
Fatal trap 9: general protection fault while in kernel mode
cpuid = 10; apic id = 0a
instruction pointer = 0x20:0xffffffff80cc192b
stack pointer = 0x28:0xfffffe10466b6730
frame pointer = 0x28:0xfffffe10466b6750
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (irq287: ix0:que 5)
#8 0xffffffff80e390d2 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:235
#9 0xffffffff80cc192b in uma_find_refcnt (zone=<value optimized out>,
item=<value optimized out>) at /usr/src/sys/vm/uma_core.c:3205
#10 0xffffffff809cd7fa in mb_ctor_clust (mem=0xfffff803394f6000, size=4096,
arg=0xfffff80339469200, how=961499136) at /usr/src/sys/kern/kern_mbuf.c:583
#11 0xffffffff80cbfed7 in uma_zalloc_arg (zone=<value optimized out>,
udata=0xfffff80339469200, flags=1) at /usr/src/sys/vm/uma_core.c:2203
#12 0xffffffff80a6f966 in m_getjcl (how=1, type=<value optimized out>,
flags=<value optimized out>, size=<value optimized out>) at
/usr/src/sys/kern/uipc_mbuf.c:189
#13 0xffffffff805cf339 in ixgbe_refresh_mbufs (rxr=0xfffffe00017c0528, limit=4)
at /usr/src/sys/dev/ixgbe/ix_txrx.c:1318
#14 0xffffffff805cf209 in ixgbe_rxeof (que=<value optimized out>) at
/usr/src/sys/dev/ixgbe/ix_txrx.c:1984
#15 0xffffffff805c7b9b in ixgbe_msix_que (arg=0xfffff8000ef75230) at
/usr/src/sys/dev/ixgbe/if_ix.c:1512
#16 0xffffffff809b13f8 in intr_event_execute_handlers (p=<value optimized out>,
ie=0xfffff8000ef58700) at /usr/src/sys/kern/kern_intr.c:1241
#17 0xffffffff809b1d6f in ithread_loop (arg=0xfffff8000ef3b3e0) at
/usr/src/sys/kern/kern_intr.c:1254
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list