[Bug 240608] if_vmx(4): iflib - Panic with INVARIANTS: Memory modified after free (12.1-pre-QA)
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Jan 16 11:52:58 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240608
--- Comment #14 from Andriy Gapon <avg at FreeBSD.org> ---
As to why the hardware can exhaust all descriptors in a free list.
I think that there is a certain impedance mismatch. iflib_rxeof() takes its
budget in terms of full packets and also iflib_rxd_avail() works in the same
terms. __iflib_fl_refill_lt() is called with a limit equal to budget + 8.
But the descriptors are used by packet fragments and a single packet may have
many fragments. Also, a driver like vmx may waste some descriptors[*] for
reasons that are known only to vmware.
For example, in one crash dumps that I have here I see that iflib_rxeof() was
processing its 11th packet (rx_pkts = 11, avail = 7, budget = 16) and that
packet had iri_nfrags = 14.
It's conceivable that such a batch could exhaust all descriptors populated by
the last refill.
[*]
eop=1, sop=1, len=0 but a command descriptor 141 in rx queue 0 is "consumed":
(kgdb) p $19.vxcr_u.rxcd[475]
$22 = {rxd_idx = 141, pad1 = 0, eop = 1, sop = 1, qid = 0, rss_type = 0,
no_csum = 0, pad2 = 0, rss_hash = 0, len = 0, error = 0, vlan = 0, vtag = 0,
csum = 0, csum_ok = 0, udp = 0, tcp = 0, ipcsum_ok = 0, ipv6 = 0, ipv4 = 0,
fragment = 0, fcs = 0, type = 3, gen = 1}
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
More information about the freebsd-net
mailing list