RELENG_7 panic

[Pyun YongHyeon]

On Tue, Mar 25, 2008 at 02:44:58PM -0400, Mike Tancsa wrote:
 > I have a RELENG_7 box running in a netboot environment that is 
 > crashing every few days.  I dont have a disk on it yet, so I have no 
 > where to send the coredump.  But I hooked up a serial cable and made 
 > it drop to debugger.  We are going to try a USB connected disk and 
 > configure it as swap so that we can then try and drop the coredump to 
 > it.  Any other suggestions on how to track this down ?
 > 

I guess rl(4) hardware received too long/short frame such that
subsequent code in driver tried to copy recevied frame with invalid
length. I don't have data sheet for rl(4) hardwares so I'm not sure
how this can happen.
Anyway, try attached patch.

 > 
 > db> where
 > Tracing pid 24 tid 100023 td 0xc4cc4cc0
 > kdb_enter(c08587d4,e5301000,1,e5273a9c,e5273a8c,...) at kdb_enter+0x33
 > vm_fault(c1071000,e5301000,1,0,14990740,...) at vm_fault+0x178
 > trap_pfault(0,0,c1072d80,c1072d38,c4d50558,...) at trap_pfault+0x20e
 > trap(e5273bdc) at trap+0x3fa
 > calltrap() at calltrap+0x6
 > --- trap 0xc, eip = 0xc07f5cb6, esp = 0xe5273c1c, ebp = 0xe5273c54 ---
 > generic_bcopy(e5300836,7ac5,0,c4dacc00,0,...) at generic_bcopy+0x1a
 > rl_rxeof(c05c3466,c4cc4cc0,0,1,1273cbc,...) at rl_rxeof+0x139
 > rl_intr(c4d27000,0,c0841c05,46b,0,...) at rl_intr+0xba
 > ithread_loop(c4d809d0,e5273d38,0,0,0,...) at ithread_loop+0x1ab
 > fork_exit(c059da60,c4d809d0,e5273d38) at fork_exit+0x99
 > fork_trampoline() at fork_trampoline+0x8
 > --- trap 0, eip = 0, esp = 0xe5273d70, ebp = 0 ---
 > db> panic
 > panic: from debugger
 > cpuid = 1
 > KDB: stack backtrace:
 > db_trace_self_wrapper(c0845ff1,e52736cc,c05c3367,c4d97340,e52736c8,...) 
 > at db_trace_self_wrapper+0x26
 > kdb_backtrace(c4d97340,e52736c8,c05e1a92,c0830310,c4d97374,...) at 
 > kdb_backtrace+0x29
 > mi_switch(1,0,1,104,0,...) at mi_switch+0x47
 > sched_bind(c4cc4cc0,0,c0843f3c,10e,e527370c,...) at sched_bind+0x60
 > boot(c0844067,1,0,0,1,...) at boot+0x47
 > panic(c0829200,e5273810,c0467c95,c05e3cc3,0,...) at panic+0x13b
 > db_panic(c05e3cc3,0,ffffffff,e527377c,c0469c00,...) at db_panic+0x17
 > db_command_loop(c05e3cc3,0,86,1,0,...) at db_command_loop+0x2f5
 > db_trap(a,0,1,a,e5273924,...) at db_trap+0xc5
 > kdb_trap(a,0,e5273924,0,c4d50558,...) at kdb_trap+0x96
 > trap(e5273924) at trap+0x57b
 > calltrap() at calltrap+0x6
 > --- trap 0xa, eip = 0xc05e3cc3, esp = 0xe5273964, ebp = 0xe527398c ---
 > kdb_enter(c08587d4,e5301000,1,e5273a9c,e5273a8c,...) at kdb_enter+0x33
 > vm_fault(c1071000,e5301000,1,0,14990740,...) at vm_fault+0x178
 > trap_pfault(0,0,c1072d80,c1072d38,c4d50558,...) at trap_pfault+0x20e
 > trap(e5273bdc) at trap+0x3fa
 > calltrap() at calltrap+0x6
 > --- trap 0xc, eip = 0xc07f5cb6, esp = 0xe5273c1c, ebp = 0xe5273c54 ---
 > generic_bcopy(e5300836,7ac5,0,c4dacc00,0,...) at generic_bcopy+0x1a
 > rl_rxeof(c05c3466,c4cc4cc0,0,1,1273cbc,...) at rl_rxeof+0x139
 > rl_intr(c4d27000,0,c0841c05,46b,0,...) at rl_intr+0xba
 > ithread_loop(c4d809d0,e5273d38,0,0,0,...) at ithread_loop+0x1ab
 > fork_exit(c059da60,c4d809d0,e5273d38) at fork_exit+0x99
 > fork_trampoline() at fork_trampoline+0x8
 > --- trap 0, eip = 0, esp = 0xe5273d70, ebp = 0 ---
 > db>
 > 

-- 
Regards,
Pyun YongHyeon
-------------- next part --------------
--- sys/pci/if_rl.c.orig	2008-03-04 13:07:34.000000000 +0900
+++ sys/pci/if_rl.c	2008-03-26 09:35:49.000000000 +0900
@@ -1117,17 +1117,19 @@
 		 * datasheet makes absolutely no mention of this and
 		 * RealTek should be shot for this.
 		 */
-		if ((uint16_t)(rxstat >> 16) == RL_RXSTAT_UNFINISHED)
+		total_len = rxstat >> 16;
+		if (total_len == RL_RXSTAT_UNFINISHED)
 			break;
 
-		if (!(rxstat & RL_RXSTAT_RXOK)) {
+		if (!(rxstat & RL_RXSTAT_RXOK) ||
+		    total_len < ETHER_MIN_LEN ||
+		    total_len > ETHER_MAX_LEN + ETHER_VLAN_ENCAP_LEN) {
 			ifp->if_ierrors++;
 			rl_init_locked(sc);
 			return;
 		}
 
 		/* No errors; receive the packet. */
-		total_len = rxstat >> 16;
 		rx_bytes += total_len + 4;
 
 		/*