[Bug 273152] cxgbe: panic in sousrsend() after enabling "toe"
Date: Tue, 15 Aug 2023 21:47:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273152

Bug ID: 273152
Summary: cxgbe: panic in sousrsend() after enabling "toe"
Product: Base System
Version: CURRENT
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: greg@codeconcepts.com

If I enable "toe" on cc0 (sudo ifconfig cc0 toe) and then mount an NFS file system over cc0's network, I get a page fault in sousrsend() because the function pointer so->so_proto->pr_sosend is NULL. It turns out that this pointer is also NULL inside t4_tom_mod_load(), right after tcp_protosw is bcopy'd to toe_protosw (after line 1996 in t4_tom.c), and it's not obvious to me that it gets set anywhere else...

FreeBSD sm2.cc.codeconcepts.com 14.0-ALPHA1 FreeBSD 14.0-ALPHA1 amd64 1400094 #7 main-n264750-081c22db8507-dirty: Tue Aug 15 19:20:35 CDT 2023 greg@sm2.cc.codeconcepts.com:/usr/obj/usr/src/amd64.amd64/sys/SM2 amd64

$ ifconfig cc0
cc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9000
        options=66ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,HWRXTSTMP,MEXTPG,VXLAN_HWCSUM,VXLAN_HWTSO>
        ether 00:07:43:44:0c:c0
        inet 172.16.100.202 netmask 0xffffff00 broadcast 172.16.100.255
        media: Ethernet autoselect (100GBase-CR4 <full-duplex,rxpause,txpause>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

#9 0x0000000000000000 in ?? 
() #10 0xffffffff80e3b85d in sousrsend (so=0xfffff8022b3e7b40, addr=0x0, uio=0xfffffe0411e71dd8, control=0x0, flags=0, userproc=0x0) at /usr/src/sys/kern/uipc_socket.c:1894 #11 0xffffffff80df6d39 in soo_write (fp=0xfffff8013319dc80, uio=0xfffffe0411e71dd8, active_cred=0xfffff810a3e7ca00, flags=0, td=0xfffffe0284530ac0) at /usr/src/sys/kern/sys_socket.c:148 #12 0xffffffff80dec41c in fo_write (fp=0xfffff8013319dc80, uio=0xfffffe0411e71dd8, active_cred=0xfffff810a3e7ca00, flags=0, td=0xfffffe0284530ac0) at /usr/src/sys/sys/file.h:351 #13 0xffffffff80de7d48 in dofilewrite (td=0xfffffe0284530ac0, fd=3, fp=0xfffff8013319dc80, auio=0xfffffe0411e71dd8, offset=-1, flags=0) at /usr/src/sys/kern/sys_generic.c:565 #14 0xffffffff80de7962 in kern_writev (td=0xfffffe0284530ac0, fd=3, auio=0xfffffe0411e71dd8) at /usr/src/sys/kern/sys_generic.c:492 #15 0xffffffff80de78ea in sys_write (td=0xfffffe0284530ac0, uap=0xfffffe0284530ec0) at /usr/src/sys/kern/sys_generic.c:407 #16 0xffffffff814f04cf in syscallenter (td=0xfffffe0284530ac0) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:190 #17 0xffffffff814efc1b in amd64_syscall (td=0xfffffe0284530ac0, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1199 --Type <RET> for more, q to quit, c to continue without paging-- #18 <signal handler called> #19 0x000002e037f5958a in ?? 
() Backtrace stopped: Cannot access memory at address 0x2e03623fb68 (kgdb) f 10 #10 0xffffffff80e3b85d in sousrsend (so=0xfffff8022b3e7b40, addr=0x0, uio=0xfffffe0411e71dd8, control=0x0, flags=0, userproc=0x0) at /usr/src/sys/kern/uipc_socket.c:1894 1894 error = so->so_proto->pr_sosend(so, addr, uio, NULL, control, flags, (kgdb) p *so $1 = {so_lock = {lock_object = {lo_name = 0xffffffff81619f55 "socket", lo_flags = 21168128, lo_data = 0, lo_witness = 0xfffff8207fd86d00}, mtx_lock = 0}, so_count = 1, so_rdsel = {si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xffffffff80e36500 <so_rdknl_lock>, kl_unlock = 0xffffffff80e36620 <so_rdknl_unlock>, kl_assert_lock = 0xffffffff80e366f0 <so_rdknl_assert_lock>, kl_lockarg = 0xfffff8022b3e7b40, kl_autodestroy = 0}, si_mtx = 0x0}, so_wrsel = {si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xffffffff80e36880 <so_wrknl_lock>, kl_unlock = 0xffffffff80e369a0 <so_wrknl_unlock>, kl_assert_lock = 0xffffffff80e36a70 <so_wrknl_assert_lock>, kl_lockarg = 0xfffff8022b3e7b40, kl_autodestroy = 0}, si_mtx = 0x0}, so_options = 0, so_type = 1, so_state = 2, so_pcb = 0xfffff805ea45ca80, so_vnet = 0xfffff8010181ef80, so_proto = 0xffffffff834f9148 <toe_protosw>, so_linger = 0, so_timeo = 0, so_error = 0, so_rerror = 0, so_sigio = 0x0, so_cred = 0xfffff810a3e7ca00, so_label = 0x0, so_gencnt = 19473, so_emuldata = 0x0, so_dtor = 0x0, osd = {osd_nslots = 0, osd_slots = 0x0, osd_next = {le_next = 0x0, le_prev = 0x0}}, so_fibnum = 0, so_user_cookie = 0, so_ts_clock = 0, so_max_pacing_rate = 0, so_snd_sx = {lock_object = {lo_name = 0xffffffff81633c20 "so_snd_sx", lo_flags = 36896768, lo_data = 0, lo_witness = 0xfffff8207fd86d80}, sx_lock = 1}, so_snd_mtx = {lock_object = {lo_name = 0xffffffff81748892 "so_snd", lo_flags = 16973824, lo_data = 0, lo_witness = 0xfffff8207fd72780}, mtx_lock = 0}, so_rcv_sx = {lock_object = { lo_name = 0xffffffff816fa664 
"so_rcv_sx", lo_flags = 36896768, lo_data = 0, lo_witness = 0xfffff8207fd86e00}, sx_lock = 1}, so_rcv_mtx = {lock_object = {lo_name = 0xffffffff81676ddb "so_rcv", lo_flags = 16973824, lo_data = 0, lo_witness = 0xfffff8207fd72800}, mtx_lock = 0}, {{so_rcv = {sb_sel = 0xfffff8022b3e7b68, sb_state = 0, sb_flags = 2560, sb_acc = 0, sb_ccc = 0, sb_mbcnt = 0, sb_ctl = 0, sb_hiwat = 65536, sb_lowat = 1, sb_mbmax = 524288, sb_timeo = 0, sb_upcall = 0x0, sb_upcallarg = 0x0, sb_aiojobq = { tqh_first = 0x0, tqh_last = 0xfffff8022b3e7d40}, sb_aiotask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0 '\000', ta_flags = 0 '\000', ta_func = 0xffffffff80df81c0 <soaio_rcv>, ta_context = 0xfffff8022b3e7b40}, {{ sb_mtx = 0xfffff8022b3e7ce0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sndptr = 0x0, sb_fnrdy = 0x0, sb_sndptroff = 0, sb_tlscc = 0, sb_tlsdcc = 0, sb_mtls = 0x0, sb_mtlstail = 0x0, sb_tls_seqno = 0, sb_tls_info = 0x0}, { uxdg_mb = {stqh_first = 0xfffff8022b3e7ce0, stqh_last = 0x0}, uxdg_peeked = 0x0, {uxdg_conns = {tqh_first = 0x0, --Type <RET> for more, q to quit, c to continue without paging-- tqh_last = 0x0}, uxdg_clist = {tqe_next = 0x0, tqe_prev = 0x0}}, uxdg_cc = 0, uxdg_ctl = 0, uxdg_mbcnt = 0}}}, so_snd = { sb_sel = 0xfffff8022b3e7bb0, sb_state = 0, sb_flags = 2560, sb_acc = 0, sb_ccc = 0, sb_mbcnt = 0, sb_ctl = 0, sb_hiwat = 32768, sb_lowat = 2048, sb_mbmax = 262144, sb_timeo = 0, sb_upcall = 0x0, sb_upcallarg = 0x0, sb_aiojobq = {tqh_first = 0x0, tqh_last = 0xfffff8022b3e7e10}, sb_aiotask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0 '\000', ta_flags = 0 '\000', ta_func = 0xffffffff80df8570 <soaio_snd>, ta_context = 0xfffff8022b3e7b40}, {{sb_mtx = 0xfffff8022b3e7ca0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sndptr = 0x0, sb_fnrdy = 0x0, sb_sndptroff = 0, sb_tlscc = 0, sb_tlsdcc = 0, sb_mtls = 0x0, sb_mtlstail = 0x0, sb_tls_seqno = 0, sb_tls_info = 0x0}, {uxdg_mb = { stqh_first = 0xfffff8022b3e7ca0, stqh_last 
= 0x0}, uxdg_peeked = 0x0, {uxdg_conns = {tqh_first = 0x0, tqh_last = 0x0}, uxdg_clist = {tqe_next = 0x0, tqe_prev = 0x0}}, uxdg_cc = 0, uxdg_ctl = 0, uxdg_mbcnt = 0}}}, so_list = {tqe_next = 0x0, tqe_prev = 0x0}, so_listen = 0x0, so_qstate = SQ_NONE, so_peerlabel = 0x0, so_oobmark = 0, so_ktls_rx_list = {stqe_next = 0x0}}, { sol_incomp = {tqh_first = 0xfffff8022b3e7b68, tqh_last = 0xa000000}, sol_comp = {tqh_first = 0x0, tqh_last = 0x1000000000000}, sol_qlen = 1, sol_incqlen = 524288, sol_qlimit = 0, sol_accept_filter = 0x0, sol_accept_filter_arg = 0x0, sol_accept_filter_str = 0x0, sol_upcall = 0xfffff8022b3e7d40, sol_upcallarg = 0x0, sol_sbrcv_lowat = 0, sol_sbsnd_lowat = 0, sol_sbrcv_hiwat = 2162131392, sol_sbsnd_hiwat = 4294967295, sol_sbrcv_flags = 31552, sol_sbsnd_flags = 11070, sol_sbrcv_timeo = -8786777572128, sol_sbsnd_timeo = 0, sol_lastover = {tv_sec = 0, tv_usec = 0}, sol_overcount = 0}}} (kgdb) p so->so_proto->pr_sosend $2 = (pr_sosend_t *) 0x0 (kgdb) p *so->so_proto $3 = {pr_type = 1, pr_protocol = 6, pr_flags = 172, pr_unused = 0, pr_domain = 0x0, pr_soreceive = 0x0, pr_rcvd = 0xffffffff810619f0 <tcp_usr_rcvd>, pr_sosend = 0x0, pr_send = 0xffffffff81061bd0 <tcp_usr_send>, pr_ready = 0xffffffff81062a20 <tcp_usr_ready>, pr_sopoll = 0x0, pr_attach = 0xffffffff81062ba0 <tcp_usr_attach>, pr_detach = 0xffffffff81062dd0 <tcp_usr_detach>, pr_connect = 0xffffffff81062f50 <tcp_usr_connect>, pr_disconnect = 0xffffffff810632a0 <tcp_usr_disconnect>, pr_close = 0xffffffff81063450 <tcp_usr_close>, pr_shutdown = 0xffffffff81063630 <tcp_usr_shutdown>, pr_abort = 0xffffffff810637d0 <tcp_usr_abort>, pr_aio_queue = 0xffffffff834f3220 <t4_aio_queue_tom>, pr_bind = 0xffffffff810639a0 <tcp_usr_bind>, pr_bindat = 0x0, pr_listen = 0xffffffff81063c10 <tcp_usr_listen>, pr_accept = 0xffffffff81063ef0 <tcp_usr_accept>, pr_connectat = 0x0, pr_connect2 = 0x0, pr_control = 0xffffffff80ff14e0 <in_control>, pr_rcvoob = 0xffffffff810640b0 <tcp_usr_rcvoob>, pr_ctloutput = 
0xffffffff81064300 <tcp_ctloutput>, pr_peeraddr = 0xffffffff81006240 <in_getpeeraddr>, pr_sockaddr = 0xffffffff81006170 <in_getsockaddr>, pr_sense = 0x0, pr_flush = 0x0, pr_sosetlabel = 0xffffffff81007590 <in_pcbsosetlabel>, pr_setsbopt = 0x0} (kgdb) -- You are receiving this mail because: You are the assignee for the bug.