I experience some troubles with the igb device driver on FreeBSD 10-RC4.

The kernel make a pagefault in the igb_tx_ctx_setup function when accessing to 
a IPv6 header.

The network configuration is the following:
 - box acting as an IPv6 router
 - one interface with an IPv6 (igb0)
 - another interface with a vlan, and IPv6 on it (vlan0 on igb1)

Vlan Hardware tagging is set on both interfaces.

The packet that cause the crash come from igb0 and go to vlan0.

After investigation, i see that the mbuf is split in two. The first one carry 
the ethernet header, the second, the IPv6 header and data payload.

The split is due to the "m_copy" done in ip6_forward, that make the mbuf not 
writable and the "M_PREPEND" in ether_output that insert the new mbuf before 
the original one.

The kernel crashes only if the newly allocated mbuf is at the end of a memory 
page, and no page is available after this one. So, it's extremly rare.

I inserted a "KASSERT" into the function (see attached patch) to check this 
behavior, and it raises on every IPv6 forwarded packet to the vlan. The 
problem disapear if i remove hardware tagging.

In the commit 256200, i see that pullups has been removed. May it be related ?

Can you confirm the problem ?

Best regards

Alexandre Martins
NETASQ -- We secure IT
--- sys/dev/e1000/if_igb.c.orig	2014-01-09 16:33:39.000000000 +0100
+++ sys/dev/e1000/if_igb.c	2014-01-09 16:36:31.000000000 +0100
@@ -3883,6 +3883,7 @@
 			type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_IPV4;
+			KASSERT(ehdrlen + sizeof(struct ip6_hdr) <= mp->m_len, ("Ethernet and IPv6 header not contiguous"));
 			ip6 = (struct ip6_hdr *)(mp->m_data + ehdrlen);
 			ip_hlen = sizeof(struct ip6_hdr);
 			/* XXX-BZ this will go badly in case of ext hdrs. */

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to