if_bfe/uhci: storm interrupt Fatal trap 12

Doug White dwhite at gumbysoft.com
Tue Mar 8 03:15:28 GMT 2005


On Mon, 7 Mar 2005 pcasidy at casidy.com wrote:

> On  4 Mar, Doug White wrote:
>
> >
> > Hm ... dunno. You might try one of the RELENG_5 snapshots that will be
> > coming out shortly as we get into the 5.4-R release cycle. There are some
> > improvements to interrupt routing in there.
> >
>
> In fact I have tried the CURRENT SNAP (2005 February snap) because I can
> get a call stack.
>
> Here are the steps I performed to get to the call stack.
>
> 1- I boot with the snapshot miniinst
> 2- Selecting keymap (french accent)
> 3- Fixit mode
> 4- Emergency shell
> 5- using Alt-F4 to go to the terminal
> 6- typing: "ifconfig bfe0 192.168.1.1" => the shell freezes
> 7- using Alt-F1 to go back to the 1st terminal where there is a panic
>    message:
>    <<<<<<< handwritten typescript
> cpuid = 0
> KDB: enter: panic
> [thread pid 29 tid 100030 ]
> Stopped at      kdb_enter+0x2b: nop
> db> where  -- command entered
> Tracing pid 29 tid 100030 td 0xc2ff1000
> kdb_enter(c0823108) at kdb_enter+0x2b
> panic(c083ca28,deadc000,c07c9462,0,80000000) at panic+0x127
> vm_fault(c1459000,deadc000,1,0,c2ff1000) at vm_fault+0x1e1
> trap_pfault(e5e61c50,0,deadc0ee) at trap_pfault+0x13b
> trap(c0830018,10,10,c3105000,c3102400) at trap+0x335
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc07a810, esp = 0xe5e61c90, ebp = 0xe5e61c98 ---
> _bus_dmamap_unload(c3102400,c3104540) at _bus_dmamap_unload+0x16
> bfe_rx_ring_free(c3105000,c3105000,c3105000,e5e61cd8,c04dd0a3) at
>    bfe_rx_ring_free+0x50
> bfe_stop(c3105000,400,c3105000,e5e61cf4,c04dcae7) at bfe_stop+0x45
> bfe_init_locked(c3105000) at bfe_init_locked+0x33
> bfe_intr(c3105000) at bfe_intr+0x9f
> ithread_loop(c2fe9500,e5e61d48,c2fe9500,c0601a54,0) at
>    ithread_loop+0x120
> fork_exit(c0601a54,c2fe9500,e5e61d48) at fork_exit+0xa4
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xe5e61d7c, ebp = 0 ---
> db>
>     >>>>>>
>

Thanks for the detailed message. I didn't realize that we'd enabled DDB in
the snapshot kernel :)

Anyway this looks like a bug in the bfe driver.  It appears to be trying
to free a DMA map that is either unallocated or got spammed.  You may want
to repost this to freebsd-current at freebsd.org and use a subject like
"Use-after-free in bfe" since I think the interrupt storm message is
secondary.

A capture of boot -v might also be useful, or at minimum anything the bfe
driver output during boot ('dmesg | grep bfe' might work with the fixit
disc). A crashdump would be nice too, but you'd likely need to find a
different network adapter.

-- 
Doug White                    |  FreeBSD: The Power to Serve
dwhite at gumbysoft.com          |  www.FreeBSD.org
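
Added example, not part of the original message or of FreeBSD: a small triage script that pulls the fault address out of the DDB trace quoted above and checks whether it sits just past a freed-memory fill value, which is the kind of evidence that supports a use-after-free reading. It assumes 0xdeadc0de is the junk word FreeBSD debug kernels write over freed kernel memory and that trap_pfault's third argument is the faulting address; MAX_FIELD_OFFSET is a hypothetical bound.

```python
import re

# Constructed sample: frames copied from the DDB trace quoted in this thread
# (the wrapped bfe_rx_ring_free line is joined onto one line).
TRACE = """\
vm_fault(c1459000,deadc000,1,0,c2ff1000) at vm_fault+0x1e1
trap_pfault(e5e61c50,0,deadc0ee) at trap_pfault+0x13b
trap(c0830018,10,10,c3105000,c3102400) at trap+0x335
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc07a810, esp = 0xe5e61c90, ebp = 0xe5e61c98 ---
_bus_dmamap_unload(c3102400,c3104540) at _bus_dmamap_unload+0x16
bfe_rx_ring_free(c3105000,c3105000,c3105000,e5e61cd8,c04dd0a3) at bfe_rx_ring_free+0x50
"""

# Assumption: 0xdeadc0de is the junk word FreeBSD debug kernels write over
# freed kernel memory; a pointer loaded from a freed object has this value.
POISON = {0xDEADC0DE: "freed-memory junk fill"}
MAX_FIELD_OFFSET = 0x400  # hypothetical bound: poison + small struct offset

FRAME_RE = re.compile(r"^(\w+)\(([0-9a-f,]*)\) at \w+\+0x[0-9a-f]+", re.M)

def parse_frames(trace):
    """Return [(function, [args as int])] per frame line, innermost first."""
    return [(m.group(1), [int(a, 16) for a in m.group(2).split(",") if a])
            for m in FRAME_RE.finditer(trace)]

def triage(trace):
    """Find the page-fault address and test it against known poison values."""
    frames = parse_frames(trace)
    out = {"fault_addr": None, "faulting_function": None,
           "poison": None, "offset": None}
    for i, (name, args) in enumerate(frames):
        # Assumption: trap_pfault's third argument is the faulting address.
        if name == "trap_pfault" and len(args) >= 3:
            out["fault_addr"] = args[2]
        # The frame listed after calltrap() is the code that took the trap.
        if name == "calltrap" and i + 1 < len(frames):
            out["faulting_function"] = frames[i + 1][0]
    if out["fault_addr"] is not None:
        for base, label in POISON.items():
            off = out["fault_addr"] - base
            if 0 <= off < MAX_FIELD_OFFSET:
                out["poison"], out["offset"] = label, off
    return out

if __name__ == "__main__":
    r = triage(TRACE)
    print(f"fault at {r['fault_addr']:#x} in {r['faulting_function']}: "
          f"{r['poison']} + {r['offset']:#x}")
```

For this trace the fault address 0xdeadc0ee is the fill value plus 0x10, i.e. a field read through a pointer that was itself loaded from freed memory.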

