* net: bnxt: Crash on 6.10 ioctl
@ 2024-07-12 14:56 Breno Leitao
2024-07-12 16:03 ` Michael Chan
0 siblings, 1 reply; 4+ messages in thread
From: Breno Leitao @ 2024-07-12 14:56 UTC (permalink / raw)
To: michael.chan, kuba; +Cc: netdev
Hello,
Testing commit 24ca36a562 ("Merge tag 'wq-for-6.10-rc5-fixes' of
git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq") I am getting the
following crash in bnxt driver:
BUG: kernel NULL pointer dereference, address: 00000000000000b8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
Hardware name: ...
RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
Code: e7 03 44 89 ca 83 e2 fc 31 c0 eb 19 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 4d 8b 12 4d 39 f2 0f 84 92 00 00 00 45 85 c9 74 ef <49> 8b b2 b8 00 00 00 31 db 49 83 f8 03 73 30 48 85 ff 74 db 48 8d
All code
========
0: e7 03 out %eax,$0x3
2: 44 89 ca mov %r9d,%edx
5: 83 e2 fc and $0xfffffffc,%edx
8: 31 c0 xor %eax,%eax
a: eb 19 jmp 0x25
c: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
13: 00 00 00
16: 0f 1f 00 nopl (%rax)
19: 4d 8b 12 mov (%r10),%r10
1c: 4d 39 f2 cmp %r14,%r10
1f: 0f 84 92 00 00 00 je 0xb7
25: 45 85 c9 test %r9d,%r9d
28: 74 ef je 0x19
2a:* 49 8b b2 b8 00 00 00 mov 0xb8(%r10),%rsi <-- trapping instruction
31: 31 db xor %ebx,%ebx
33: 49 83 f8 03 cmp $0x3,%r8
37: 73 30 jae 0x69
39: 48 85 ff test %rdi,%rdi
3c: 74 db je 0x19
3e: 48 rex.W
3f: 8d .byte 0x8d
Code starting with the faulting instruction
===========================================
0: 49 8b b2 b8 00 00 00 mov 0xb8(%r10),%rsi
7: 31 db xor %ebx,%ebx
9: 49 83 f8 03 cmp $0x3,%r8
d: 73 30 jae 0x3f
f: 48 85 ff test %rdi,%rdi
12: 74 db je 0xffffffffffffffef
14: 48 rex.W
15: 8d .byte 0x8d
RSP: 0018:ffffc900014d3cb8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: 0000000000000080 RSI: 0000000000000206 RDI: 0000000000000000
RBP: 00000000ffffffea R08: 000000000000007f R09: 0000000000000080
R10: 0000000000000000 R11: 00000003246184b4 R12: 00007ffc260f65c0
R13: ffff888103158000 R14: ffff888103158978 R15: ffff888103158840
FS: 00007fbc65e3e940(0000) GS:ffff88903fe40000(0000) knlGS:0000000000000000
CR2: 00000000000000b8 CR3: 0000000109c98003 CR4: 00000000007706f0
05:56:10 PKRU: 55555554
Call Trace:
<TASK>
? __die_body (arch/x86/kernel/dumpstack.c:421)
? page_fault_oops (arch/x86/mm/fault.c:711)
? schedule_hrtimeout_range_clock (kernel/time/hrtimer.c:1449 kernel/time/hrtimer.c:2293)
? exc_page_fault (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
bnxt_set_channels
ethtool_set_channels (net/ethtool/ioctl.c:1941)
dev_ethtool (net/ethtool/ioctl.c:? net/ethtool/ioctl.c:3177)
dev_ioctl (net/core/dev_ioctl.c:?)
sock_do_ioctl (net/socket.c:1236)
sock_ioctl (net/socket.c:1341)
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
Are you aware of this problem?
Unfortunately I don't have a reproducer at this time.
Thanks
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: net: bnxt: Crash on 6.10 ioctl
2024-07-12 14:56 net: bnxt: Crash on 6.10 ioctl Breno Leitao
@ 2024-07-12 16:03 ` Michael Chan
2024-07-12 17:02 ` Michael Chan
0 siblings, 1 reply; 4+ messages in thread
From: Michael Chan @ 2024-07-12 16:03 UTC (permalink / raw)
To: Breno Leitao; +Cc: kuba, netdev
[-- Attachment #1: Type: text/plain, Size: 811 bytes --]
On Fri, Jul 12, 2024 at 7:56 AM Breno Leitao <leitao@debian.org> wrote:
>
> Hello,
>
> Testing commit 24ca36a562 ("Merge tag 'wq-for-6.10-rc5-fixes' of
> git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq") I am getting the
> following crash in bnxt driver:
>
> BUG: kernel NULL pointer dereference, address: 00000000000000b8
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: Oops: 0000 [#1] SMP
> Hardware name: ...
> RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
Maybe bp->rss_ctx_list is not valid.
I think we can add this check:
(bp->rss_cap & BNXT_RSS_CAP_MULTI_RSS_CTX)
before proceeding in bnxt_get_max_rss_ctx_ring().
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4209 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: net: bnxt: Crash on 6.10 ioctl
2024-07-12 16:03 ` Michael Chan
@ 2024-07-12 17:02 ` Michael Chan
2024-07-15 11:29 ` Breno Leitao
0 siblings, 1 reply; 4+ messages in thread
From: Michael Chan @ 2024-07-12 17:02 UTC (permalink / raw)
To: Breno Leitao; +Cc: kuba, netdev
[-- Attachment #1: Type: text/plain, Size: 859 bytes --]
On Fri, Jul 12, 2024 at 9:03 AM Michael Chan <michael.chan@broadcom.com> wrote:
>
> On Fri, Jul 12, 2024 at 7:56 AM Breno Leitao <leitao@debian.org> wrote:
> > BUG: kernel NULL pointer dereference, address: 00000000000000b8
> > #PF: supervisor read access in kernel mode
> > #PF: error_code(0x0000) - not-present page
> > PGD 0 P4D 0
> > Oops: Oops: 0000 [#1] SMP
> > Hardware name: ...
> > RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
>
> Maybe bp->rss_ctx_list is not valid.
>
> I think we can add this check:
>
> (bp->rss_cap & BNXT_RSS_CAP_MULTI_RSS_CTX)
>
> before proceeding in bnxt_get_max_rss_ctx_ring().
I've confirmed the issue on older NICs not supporting multi RSS
contexts and I will send out the patch very shortly. Thanks.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4209 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: net: bnxt: Crash on 6.10 ioctl
2024-07-12 17:02 ` Michael Chan
@ 2024-07-15 11:29 ` Breno Leitao
0 siblings, 0 replies; 4+ messages in thread
From: Breno Leitao @ 2024-07-15 11:29 UTC (permalink / raw)
To: Michael Chan; +Cc: kuba, netdev
On Fri, Jul 12, 2024 at 10:02:06AM -0700, Michael Chan wrote:
> On Fri, Jul 12, 2024 at 9:03 AM Michael Chan <michael.chan@broadcom.com> wrote:
> >
> > On Fri, Jul 12, 2024 at 7:56 AM Breno Leitao <leitao@debian.org> wrote:
> > > BUG: kernel NULL pointer dereference, address: 00000000000000b8
> > > #PF: supervisor read access in kernel mode
> > > #PF: error_code(0x0000) - not-present page
> > > PGD 0 P4D 0
> > > Oops: Oops: 0000 [#1] SMP
> > > Hardware name: ...
> > > RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
> >
> > Maybe bp->rss_ctx_list is not valid.
> >
> > I think we can add this check:
> >
> > (bp->rss_cap & BNXT_RSS_CAP_MULTI_RSS_CTX)
> >
> > before proceeding in bnxt_get_max_rss_ctx_ring().
>
> I've confirmed the issue on older NICs not supporting multi RSS
> contexts and I will send out the patch very shortly. Thanks.
Awesome. I've tested it and it fixed the problem.
Thanks!
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-07-15 11:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-12 14:56 net: bnxt: Crash on 6.10 ioctl Breno Leitao
2024-07-12 16:03 ` Michael Chan
2024-07-12 17:02 ` Michael Chan
2024-07-15 11:29 ` Breno Leitao
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).