On Thu, Feb 22, 2024 at 04:32:06PM +0200, [email protected] wrote:
> Hi Guys!
>
> I was experimenting and learning rdomains but got a kernel panic memory
> management fault every time, a few seconds after issuing ifconfig(8):
>
> # ifconfig fxp0 rdomain 1
>
> fatal kernel trap:
>
> trap entry = 0x2 (memory management fault)
> a0 = 0x900000041
> ...
>
> After some debugging it seems like an array overflow when fxp_init() calls
> fxp_add_rfabuf() which in turn uses FXP_RXMAP_GET(sc) that will cause a
> read beyond the end of the array - panic guaranteed!
>
> #define FXP_RXMAP_GET(sc) ((sc)->sc_rxmaps[(sc)->sc_rxfree++])
>
> This crash does NOT seem to happen if you try this with the interface down!
>
> I wonder if anybody with a better understanding of fxp(4) driver could
> work out why this happens?
>
> At the moment I am using this ugly hack to prevent the panics. I have
> not noticed any side-effects. My laptop is behind fxp0 on rdomain 1 and this
> machine routes traffic elsewhere on rtable 0.
Perhaps unrelated, but the command test is wrong.
The command is in the lower 3 bits, with flags in the higher bits.
The NOP command is 0, so cb_command & 0 is always false.
Index: sys/dev/ic/fxp.c
===================================================================
RCS file: /cvs/src/sys/dev/ic/fxp.c,v
diff -u -p -r1.133 fxp.c
--- sys/dev/ic/fxp.c 10 Nov 2023 15:51:20 -0000 1.133
+++ sys/dev/ic/fxp.c 22 Feb 2024 23:32:05 -0000
@@ -814,7 +814,7 @@ fxp_intr(void *arg)
while ((txcnt > 0) &&
((txs->tx_cb->cb_status & htole16(FXP_CB_STATUS_C))
||
- (txs->tx_cb->cb_command &
htole16(FXP_CB_COMMAND_NOP)))) {
+ ((txs->tx_cb->cb_command & htole16(7)) ==
htole16(FXP_CB_COMMAND_NOP)))) {
if (txs->tx_mbuf != NULL) {
FXP_MBUF_SYNC(sc, txs->tx_map,
BUS_DMASYNC_POSTWRITE);
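Review bot: the literal 7 in the added `(txs->tx_cb->cb_command & htole16(7))` line should be a named mask macro defined next to FXP_CB_COMMAND_NOP, since the width of the command field is the whole point of this fix and a bare constant hides it from the next reader. The byte-order handling is consistent (both the mask and FXP_CB_COMMAND_NOP go through htole16(), so the comparison is done in wire order), but note that with FXP_CB_COMMAND_NOP == 0 the new test matches any descriptor whose command field is zero, so the reclaim loop now accepts descriptors the old `cb_command & 0` test could never match; it is worth confirming that no in-flight descriptor ever has a zeroed cb_command, and stating in the commit message that the old test was dead code. As the author says, this does not address the sc_rxfree overflow in fxp_add_rfabuf() from the quoted report.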