Date: Thu, 09 Jan 2014 16:06:09 +0100 From: Alexandre Martins <alexandre.martins@netasq.com> To: freebsd-current@freebsd.org Cc: jfv@freebsd.org, damien.deville@netasq.com, fabien.thomas@netasq.com Subject: FreeBSD 10-RC4: Got crash in igb driver Message-ID: <48005124.ny58tnLn4d@pc-alex>
next in thread | raw e-mail | index | archive | help
--nextPart1573738.aRmi9AzvI9
Content-Type: multipart/mixed; boundary="nextPart1535609.DhofbtuUmg"
Content-Transfer-Encoding: 7Bit
This is a multi-part message in MIME format.
--nextPart1535609.DhofbtuUmg
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Dear,
I experience some troubles with the igb device driver on FreeBSD 10-RC4.
The kernel make a pagefault in the igb_tx_ctx_setup function when accessing to
a IPv6 header.
The network configuration is the following:
- box acting as an IPv6 router
- one interface with an IPv6 (igb0)
- another interface with a vlan, and IPv6 on it (vlan0 on igb1)
Vlan Hardware tagging is set on both interfaces.
The packet that cause the crash come from igb0 and go to vlan0.
After investigation, i see that the mbuf is split in two. The first one carry
the ethernet header, the second, the IPv6 header and data payload.
The split is due to the "m_copy" done in ip6_forward, that make the mbuf not
writable and the "M_PREPEND" in ether_output that insert the new mbuf before
the original one.
The kernel crashes only if the newly allocated mbuf is at the end of a memory
page, and no page is available after this one. So, it's extremly rare.
I inserted a "KASSERT" into the function (see attached patch) to check this
behavior, and it raises on every IPv6 forwarded packet to the vlan. The
problem disapear if i remove hardware tagging.
In the commit 256200, i see that pullups has been removed. May it be related ?
Can you confirm the problem ?
Best regards
--
Alexandre Martins
NETASQ -- We secure IT
--nextPart1535609.DhofbtuUmg
Content-Disposition: attachment; filename="bug.patch"
Content-Transfer-Encoding: 7Bit
Content-Type: text/x-patch; charset="UTF-8"; name="bug.patch"
--- sys/dev/e1000/if_igb.c.orig 2014-01-09 16:33:39.000000000 +0100
+++ sys/dev/e1000/if_igb.c 2014-01-09 16:36:31.000000000 +0100
@@ -3883,6 +3883,7 @@
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_IPV4;
break;
case ETHERTYPE_IPV6:
+ KASSERT(ehdrlen + sizeof(struct ip6_hdr) <= mp->m_len, ("Ethernet and IPv6 header not contiguous"));
ip6 = (struct ip6_hdr *)(mp->m_data + ehdrlen);
ip_hlen = sizeof(struct ip6_hdr);
/* XXX-BZ this will go badly in case of ext hdrs. */
--nextPart1535609.DhofbtuUmg--
--nextPart1573738.aRmi9AzvI9
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIErzCCBKsw
ggOToAMCAQICCnDGsUgWa/KQbDQwDQYJKoZIhvcNAQEFBQAwgZExCzAJBgNVBAYTAkZSMQ0wCwYD
VQQIEwROb3JkMRowGAYDVQQHExFWaWxsZW5ldXZlIGQnQXNjcTEuMCwGA1UEChMlTkVUQVNRIC0g
U2VjdXJlIEludGVybmV0IENvbm5lY3Rpdml0eTEnMCUGA1UECxMeTkVUQVNRIENlcnRpZmljYXRp
b24gQXV0aG9yaXR5MB4XDTEzMDIxNTE1NDk1N1oXDTE0MDIxNTE1NDk1N1owgdoxCzAJBgNVBAYT
AkZSMQ0wCwYDVQQIEwROb3JkMRowGAYDVQQHExFWaWxsZW5ldXZlIGQnQXNjcTEuMCwGA1UEChMl
TkVUQVNRIC0gU2VjdXJlIEludGVybmV0IENvbm5lY3Rpdml0eTEnMCUGA1UECxMeTkVUQVNRIENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MRowGAYDVQQDExFBbGV4YW5kcmUgTUFSVElOUzErMCkGCSqG
SIb3DQEJARYcYWxleGFuZHJlLm1hcnRpbnNAbmV0YXNxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAL4/gp0+01ma1Hi1C9Zw7TY8nZPJTmB3HG5eX1e062tMm+0CrNcDwfMwmF8w
g47zuFzkzTYy/d6/waoHbbCLsj1AM2kRQcWfuqglpgnSu7FdnIAE0dSAOS9Ni0uWDsFhRr3UUHq5
qnDzQXOrPXRMzMz1W8nqiyqXYfykrDrq0sjzaIj20BYA/6AlDSWs+XKid1EM3wOe40Kyl+1HWLsA
MuY9CpQdAkQh4rJb6Sbgx57DXJ3INCSWjzZWYK0KAE0JF8XhP5zLGcvHI5Atm7gN8WiMZ+DFRM2z
HIOlZ6zhp1VHSSbs+c64UJtGgt+cq7QvuyaIoqBP6rDHsLMPbjNR0w8CAwEAAaOBuTCBtjAdBgNV
HQ4EFgQUyiEDfxLvYJqY+A8btt9sZFYPejYwHwYDVR0jBBgwFoAUJyrrHdlE2joXc2oJICDJJaj5
f7IwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCA+gwJwYDVR0RBCAwHoEcYWxleGFuZHJlLm1hcnRp
bnNAbmV0YXNxLmNvbTARBglghkgBhvhCAQEEBAMCBLAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsG
AQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQCaSZdSJKRujYP6KnfKcyYYlNNqRdIyQm16o4BIIeGG
qxQGxAO/dzcQziNVQcE+G8RHTcuivayhOX/NRhIlYxyvTN+wWAbC5NQuul4eQzGrz4OxWfrfpm9S
DnDbLfHf1qdjyvFkTM8Wgq21/oExphasFHdOxi/txN4099Be/BZpV8Fpqa0dKEirG2Wa3KfEn85A
WaKnNs/k3x95gr/eeTt1NdlT7OqVYqnUdUlRmQVNvEi29wIQbfYi2WeZIGlpNh0PBthWdBaXzMKU
U/pfjIzZhyP8E4ghUKz4uvmpA901Qj9LEhSYqOKWALRNOk/dCcNd0LV8S54te/vsFkDTHWvlMYIC
UDCCAkwCAQEwgaAwgZExCzAJBgNVBAYTAkZSMQ0wCwYDVQQIEwROb3JkMRowGAYDVQQHExFWaWxs
ZW5ldXZlIGQnQXNjcTEuMCwGA1UEChMlTkVUQVNRIC0gU2VjdXJlIEludGVybmV0IENvbm5lY3Rp
dml0eTEnMCUGA1UECxMeTkVUQVNRIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AgpwxrFIFmvykGw0
MAkGBSsOAwIaBQCggYcwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTQwMTA5MTUwNjA5WjAjBgkqhkiG9w0BCQQxFgQUUQqZfEHLodZUaHhkio0QuKwS8gMwKAYJKoZI
hvcNAQkPMRswGTALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDQYJKoZIhvcNAQEBBQAEgf8q0xlG
VRGHNbkPjYAYbVoZ7MnpQCZW1oG33QKoRl7Wam5xkeXEEOn9gcnSk2Fdov7syUWXaEIQ1cZuA0Hf
HW+zpx3M+PLaNZUTVRcJ4QhmyQHN3QW3EJud5J5jpJOQJyeYyz0r5ENYEnKTfsD5a2VVpmuerq6h
tkqq2Ujm7ZWhHGNaUBk+Ht0IO4NysHKwZQERpYIWgtpUeqkPNitFe70Ddm3oxRRP8hk892tjj2tm
j5gzbbOYFRVlpiCBsvYfg+MEE4D0raI50v7ZZmE2tPQHbg9btqKV8NcTXYBoagnAkA8yjjNYC5Ur
sE00jVYT89UyOkJJAL4zpWspi+ZJj3oAAAAAAAA=
--nextPart1573738.aRmi9AzvI9--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48005124.ny58tnLn4d>