net: bnxt: Crash on 6.10 ioctl

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Breno Leitao <leitao@debian.org>
To: michael.chan@broadcom.com, kuba@kernel.org
Cc: netdev@vger.kernel.org
Subject: net: bnxt: Crash on 6.10 ioctl
Date: Fri, 12 Jul 2024 07:56:37 -0700	[thread overview]
Message-ID: <ZpFEJeNpwxW1aW9k@gmail.com> (raw)

Hello,

Testing commit 24ca36a562 ("Merge tag 'wq-for-6.10-rc5-fixes' of
git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq") I am getting the
following crash in bnxt driver:

	BUG: kernel NULL pointer dereference, address: 00000000000000b8
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 0 P4D 0
	Oops: Oops: 0000 [#1] SMP
	Hardware name: ...
	RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
	Code: e7 03 44 89 ca 83 e2 fc 31 c0 eb 19 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 4d 8b 12 4d 39 f2 0f 84 92 00 00 00 45 85 c9 74 ef <49> 8b b2 b8 00 00 00 31 db 49 83 f8 03 73 30 48 85 ff 74 db 48 8d
	All code
	========
	   0:	e7 03                	out    %eax,$0x3
	   2:	44 89 ca             	mov    %r9d,%edx
	   5:	83 e2 fc             	and    $0xfffffffc,%edx
	   8:	31 c0                	xor    %eax,%eax
	   a:	eb 19                	jmp    0x25
	   c:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
	  13:	00 00 00
	  16:	0f 1f 00             	nopl   (%rax)
	  19:	4d 8b 12             	mov    (%r10),%r10
	  1c:	4d 39 f2             	cmp    %r14,%r10
	  1f:	0f 84 92 00 00 00    	je     0xb7
	  25:	45 85 c9             	test   %r9d,%r9d
	  28:	74 ef                	je     0x19
	  2a:*	49 8b b2 b8 00 00 00 	mov    0xb8(%r10),%rsi		<-- trapping instruction
	  31:	31 db                	xor    %ebx,%ebx
	  33:	49 83 f8 03          	cmp    $0x3,%r8
	  37:	73 30                	jae    0x69
	  39:	48 85 ff             	test   %rdi,%rdi
	  3c:	74 db                	je     0x19
	  3e:	48                   	rex.W
	  3f:	8d                   	.byte 0x8d

	Code starting with the faulting instruction
	===========================================
	   0:	49 8b b2 b8 00 00 00 	mov    0xb8(%r10),%rsi
	   7:	31 db                	xor    %ebx,%ebx
	   9:	49 83 f8 03          	cmp    $0x3,%r8
	   d:	73 30                	jae    0x3f
	   f:	48 85 ff             	test   %rdi,%rdi
	  12:	74 db                	je     0xffffffffffffffef
	  14:	48                   	rex.W
	  15:	8d                   	.byte 0x8d
	RSP: 0018:ffffc900014d3cb8 EFLAGS: 00010202
	RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
	RDX: 0000000000000080 RSI: 0000000000000206 RDI: 0000000000000000
	RBP: 00000000ffffffea R08: 000000000000007f R09: 0000000000000080
	R10: 0000000000000000 R11: 00000003246184b4 R12: 00007ffc260f65c0
	R13: ffff888103158000 R14: ffff888103158978 R15: ffff888103158840
	FS:  00007fbc65e3e940(0000) GS:ffff88903fe40000(0000) knlGS:0000000000000000
	CR2: 00000000000000b8 CR3: 0000000109c98003 CR4: 00000000007706f0
	05:56:10  PKRU: 55555554
	Call Trace:
	<TASK>
	? __die_body (arch/x86/kernel/dumpstack.c:421)
	? page_fault_oops (arch/x86/mm/fault.c:711)
	? schedule_hrtimeout_range_clock (kernel/time/hrtimer.c:1449 kernel/time/hrtimer.c:2293)
	? exc_page_fault (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
	? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
	? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
	? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
	bnxt_set_channels
	ethtool_set_channels (net/ethtool/ioctl.c:1941)
	dev_ethtool (net/ethtool/ioctl.c:? net/ethtool/ioctl.c:3177)
	dev_ioctl (net/core/dev_ioctl.c:?)
	sock_do_ioctl (net/socket.c:1236)
	sock_ioctl (net/socket.c:1341)
	__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893)
	do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)

Are you aware of this problem?
Unfortunately I don't have a reproducer at this time.

Thanks

next             reply	other threads:[~2024-07-12 14:56 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-07-12 14:56 Breno Leitao [this message]
2024-07-12 16:03 ` net: bnxt: Crash on 6.10 ioctl Michael Chan
2024-07-12 17:02   ` Michael Chan
2024-07-15 11:29     ` Breno Leitao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZpFEJeNpwxW1aW9k@gmail.com \
    --to=leitao@debian.org \
    --cc=kuba@kernel.org \
    --cc=michael.chan@broadcom.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.