Dear, I experience some troubles with the igb device driver on FreeBSD 10-RC4.
The kernel make a pagefault in the igb_tx_ctx_setup function when accessing to a IPv6 header. The network configuration is the following: - box acting as an IPv6 router - one interface with an IPv6 (igb0) - another interface with a vlan, and IPv6 on it (vlan0 on igb1) Vlan Hardware tagging is set on both interfaces. The packet that cause the crash come from igb0 and go to vlan0. After investigation, i see that the mbuf is split in two. The first one carry the ethernet header, the second, the IPv6 header and data payload. The split is due to the "m_copy" done in ip6_forward, that make the mbuf not writable and the "M_PREPEND" in ether_output that insert the new mbuf before the original one. The kernel crashes only if the newly allocated mbuf is at the end of a memory page, and no page is available after this one. So, it's extremly rare. I inserted a "KASSERT" into the function (see attached patch) to check this behavior, and it raises on every IPv6 forwarded packet to the vlan. The problem disapear if i remove hardware tagging. In the commit 256200, i see that pullups has been removed. May it be related ? Can you confirm the problem ? Best regards -- Alexandre Martins NETASQ -- We secure IT
--- sys/dev/e1000/if_igb.c.orig 2014-01-09 16:33:39.000000000 +0100 +++ sys/dev/e1000/if_igb.c 2014-01-09 16:36:31.000000000 +0100 @@ -3883,6 +3883,7 @@ type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_IPV4; break; case ETHERTYPE_IPV6: + KASSERT(ehdrlen + sizeof(struct ip6_hdr) <= mp->m_len, ("Ethernet and IPv6 header not contiguous")); ip6 = (struct ip6_hdr *)(mp->m_data + ehdrlen); ip_hlen = sizeof(struct ip6_hdr); /* XXX-BZ this will go badly in case of ext hdrs. */
Description: S/MIME cryptographic signature