Bug #8358


NULL pointer dereference in iprb module

Added by Denis Kozadaev over 6 years ago. Updated about 2 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Start date: 2017-06-09
% Done: 0%
Difficulty: Medium
Tags: needs-triage

Description

> ::panicinfo
             cpu                0
          thread ffffff0007ae9c40
         message BAD TRAP: type=e (#pf Page fault) rp=ffffff0007ae99d0 addr=18 occurred in module "iprb" due to a NULL pointer dereference
             rdi ffffff024f5ca3c0
             rsi ffffff0201d71000
             rdx                c
             rcx                0
              r8 ffffff0245c7f1c0
              r9                0
             rax                0
             rbx ffffff025855c000
             rbp ffffff0007ae9ae0
             r10                1
             r11 fffffffffb800983
             r12                0
             r13 ffffff025855c048
             r14                0
             r15 ffffff0007ae9bc0
          fsbase fffffd7fff0a33c0
          gsbase fffffffffbc39700
              ds               4b
              es               4b
              fs                0
              gs                0
          trapno                e
             err                0
             rip fffffffff88ef07a
              cs               30
          rflags            10246
             rsp ffffff0007ae9ac0
              ss               38
          gdt_hi                0
          gdt_lo         e00001ef
          idt_hi                0
          idt_lo         d0000fff
             ldt                0
            task               70
             cr0         8005003b
             cr2               18
             cr3          cc00000
             cr4            406f8
> $C
ffffff0007ae9ae0 iprb_start+0x17a(ffffff025855c000)
ffffff0007ae9b20 iprb_periodic+0x115(ffffff025855c000)
ffffff0007ae9b60 periodic_execute+0xc9(ffffff024c694d28)
ffffff0007ae9c20 taskq_thread+0x2d0(ffffff0247a39468)
ffffff0007ae9c30 thread_start+8()
> ::regs
%rax = 0x0000000000000000                 %r9  = 0x0000000000000000 
%rbx = 0xffffff025855c000                 %r10 = 0x0000000000000001 
%rcx = 0x0000000000000000                 %r11 = 0xfffffffffb800983 fakesoftint_return
%rdx = 0x000000000000000c                 %r12 = 0x0000000000000000 
%rsi = 0xffffff0201d71000                 %r13 = 0xffffff025855c048 
%rdi = 0xffffff024f5ca3c0                 %r14 = 0x0000000000000000 
%r8  = 0xffffff0245c7f1c0                 %r15 = 0xffffff0007ae9bc0 

%rip = 0xfffffffff88ef07a iprb_start+0x17a
%rbp = 0xffffff0007ae9ae0
%rsp = 0xffffff0007ae9ac0
%rflags = 0x00010246
  id=0 vip=0 vif=0 ac=0 vm=0 rf=1 nt=0 iopl=0x0
  status=<of,df,IF,tf,sf,ZF,af,PF,cf>

                        %cs = 0x0030    %ds = 0x004b    %es = 0x004b
%trapno = 0xe           %fs = 0x0000    %gs = 0x0000
   %err = 0x0
> iprb_start::dis
iprb_start:                     pushq  %rbp
iprb_start+1:                   movl   $0x2,%edx
iprb_start+6:                   movq   %rsp,%rbp
iprb_start+9:                   subq   $0x20,%rsp
/* skipped */
iprb_start+0x105:               call   -0xa9a   <iprb_cmd_ready>
iprb_start+0x10a:               testl  %eax,%eax
iprb_start+0x10c:               jne    -0x5b    <iprb_start+0xb3>
iprb_start+0x10e:               movq   0x18(%rbx),%rsi
iprb_start+0x112:               movq   0x10(%rbx),%rdi
iprb_start+0x116:               xorl   %edx,%edx
iprb_start+0x118:               addq   $0x4,%rsi
iprb_start+0x11c:               call   +0x2f6d86f       <ddi_io_put32>
iprb_start+0x121:               movq   0x18(%rbx),%rsi
iprb_start+0x125:               movq   0x10(%rbx),%rdi
iprb_start+0x129:               movl   $0x60,%edx
iprb_start+0x12e:               addq   $0x2,%rsi
iprb_start+0x132:               call   +0x2f6d819       <ddi_io_put8>
iprb_start+0x137:               movq   0x18(%rbx),%rsi
iprb_start+0x13b:               movq   0x10(%rbx),%rdi
iprb_start+0x13f:               addq   $0x2,%rsi
iprb_start+0x143:               call   +0x2f6d788       <ddi_get8>
iprb_start+0x148:               movq   %rbx,%rdi
iprb_start+0x14b:               call   -0x730   <iprb_cmd_next>
iprb_start+0x150:               xorl   %esi,%esi
iprb_start+0x152:               movq   %rbx,%rdi
iprb_start+0x155:               movq   %rax,%r12
iprb_start+0x158:               call   -0x92d   <iprb_cmd_submit>
iprb_start+0x15d:               testl  %eax,%eax
iprb_start+0x15f:               jne    -0xb2    <iprb_start+0xb3>
iprb_start+0x165:               movq   %rbx,%rdi
iprb_start+0x168:               call   -0xafd   <iprb_cmd_ready>
iprb_start+0x16d:               testl  %eax,%eax
iprb_start+0x16f:               nop    
iprb_start+0x170:               jne    -0xc3    <iprb_start+0xb3>
iprb_start+0x176:               movq   0x18(%rbx),%rsi
iprb_start+0x17a:               movl   0x18(%r12),%edx
iprb_start+0x17f:               movq   0x10(%rbx),%rdi
iprb_start+0x183:               addq   $0x4,%rsi
iprb_start+0x187:               call   +0x2f6d804       <ddi_io_put32>

It is somewhere near this point: http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/io/iprb/iprb.c#985
The dump (about 400MB) is available here: http://witch.tambov.ru/illumos/vmdump.1

That interface was configured manually, I did some tests and then the cable was disconnected.
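As an added triage helper (not part of this report or of the iprb driver), the check below reads the ::regs output and the faulting instruction from the dump above and confirms that the fault address cr2=0x18 is %r12 + 0x18 with %r12 == 0, i.e. the value iprb_cmd_next returned in %rax (copied to %r12 at iprb_start+0x155) was NULL. The function names and the parsing are my own assumptions; the register and instruction text are copied from the dump.

```python
import re

# Register dump and faulting instruction copied verbatim from the mdb output in this report.
REGS = """
%rax = 0x0000000000000000                 %r9  = 0x0000000000000000
%rbx = 0xffffff025855c000                 %r10 = 0x0000000000000001
%rcx = 0x0000000000000000                 %r11 = 0xfffffffffb800983 fakesoftint_return
%rdx = 0x000000000000000c                 %r12 = 0x0000000000000000
%rsi = 0xffffff0201d71000                 %r13 = 0xffffff025855c048
%rdi = 0xffffff024f5ca3c0                 %r14 = 0x0000000000000000
%r8  = 0xffffff0245c7f1c0                 %r15 = 0xffffff0007ae9bc0
"""
CR2 = 0x18  # from ::panicinfo (cr2 / addr=18)
FAULT_INSN = "iprb_start+0x17a:               movl   0x18(%r12),%edx"

def parse_regs(text):
    """Map register name -> value from mdb ::regs output (two registers per line)."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"%(r\w+)\s*=\s*0x([0-9a-fA-F]+)", text)}

def parse_mem_operand(insn):
    """Return (displacement, base register) for an AT&T operand such as 0x18(%r12)."""
    m = re.search(r"(-?0x[0-9a-fA-F]+)?\(%([a-z0-9]+)\)", insn)
    if m is None:
        return None
    disp = int(m.group(1), 16) if m.group(1) else 0
    return disp, m.group(2)

def classify_fault(regs, insn, cr2):
    """Explain a #pf by recomputing the effective address of the faulting load/store.
    A NULL base whose displacement equals cr2 is a NULL deref of a struct field at that offset."""
    op = parse_mem_operand(insn)
    if op is None:
        return {"kind": "no-memory-operand"}
    disp, base = op
    if base not in regs:
        return {"kind": "unknown-base", "base": base}
    effective = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    if effective != cr2:
        return {"kind": "mismatch", "effective": effective, "cr2": cr2}
    if regs[base] == 0:
        return {"kind": "null-deref", "base": base, "offset": disp}
    return {"kind": "bad-pointer", "base": base, "value": regs[base], "offset": disp}

def analyze():
    """Run the check on this report's dump."""
    return classify_fault(parse_regs(REGS), FAULT_INSN, CR2)
```

Mapping offset 0x18 back to a field name needs the struct layout from the iprb source (::print in mdb), which the dump excerpt does not include.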


Related issues

Is duplicate of illumos gate - Bug #5060: Assertion failure in iprb during watchdog reset (Closed, Andy Fiddaman, 2014-08-01)

#1

Updated by Marcel Telka over 6 years ago

  • Related to Bug #5060: Assertion failure in iprb during watchdog reset added
#2

Updated by Marcel Telka over 6 years ago

This is probably a duplicate of #5060.

#3

Updated by Denis Kozadaev over 6 years ago

Evil Igor said you also need additional info:

wendy# uname -a
SunOS wendy 5.11 illumos-2d2f193a21 i86pc i386 i86pc

Device:

                pci8086,0, instance #0
                    Driver properties:
                        name='fm-errcb-capable' type=boolean dev=none
                    Hardware properties:
                        name='assigned-addresses' type=int items=15
                            value=82042010.00000000.fe503000.00000000.00001000.81042014.00000000.0000c0c0.00000000.00000040.82042018.00000000.fe400000.00000000.00100000
                        name='reg' type=int items=20
                            value=00042000.00000000.00000000.00000000.00000000.02042010.00000000.00000000.00000000.00001000.01042014.00000000.00000000.00000000.00000040.02042018.00000000.00000000.00000000.00100000
                        name='compatible' type=string items=7
                            value='pci8086,1229.8086.0.8' + 'pci8086,1229.8086.0' + 'pci8086,0' + 'pci8086,1229.8' + 'pci8086,1229' + 'pciclass,020000' + 'pciclass,0200'
                        name='model' type=string items=1
                            value='Ethernet controller'
                        name='power-consumption' type=int items=2
                            value=00000001.00000001
                        name='fast-back-to-back' type=boolean
                        name='devsel-speed' type=int items=1
                            value=00000001
                        name='interrupts' type=int items=1
                            value=00000001
                        name='max-latency' type=int items=1
                            value=00000038
                        name='min-grant' type=int items=1
                            value=00000008
                        name='subsystem-vendor-id' type=int items=1
                            value=00008086
                        name='subsystem-id' type=int items=1
                            value=00000000
                        name='unit-address' type=string items=1
                            value='4'
                        name='class-code' type=int items=1
                            value=00020000
                        name='revision-id' type=int items=1
                            value=00000008
                        name='vendor-id' type=int items=1
                            value=00008086
                        name='device-id' type=int items=1
                            value=00001229
                        name='vendor-name' type=string items=1
                            value='Intel Corporation'
                        name='device-name' type=string items=1
                            value='82557/8/9/0/1 Ethernet Pro 100'
                        name='subsystem-name' type=string items=1
                            value='unknown subsystem'
                    Interrupt Specifications:
                        Interrupt Priority=0x6 (ipl 6), vector=0xa (10)
                    Device Minor Nodes:
                        dev=(102,1)
                            dev_path=/pci@0,0/pci1022,780f@14,4/pci8086,b154@6/pci8086,0@4:iprb0
                                spectype=chr type=minor
                                dev_link=/dev/iprb0

The system is OpenIndiana.

I hope now that's all ;-)

#4

Updated by Marcel Telka about 2 years ago

  • Related to Bug #14078: null pointer dereference crashes from iprb nics added
#5

Updated by Andy Fiddaman about 2 years ago

  • Related to deleted (Bug #5060: Assertion failure in iprb during watchdog reset)
#6

Updated by Andy Fiddaman about 2 years ago

  • Is duplicate of Bug #5060: Assertion failure in iprb during watchdog reset added
#7

Updated by Andy Fiddaman about 2 years ago

  • Related to deleted (Bug #14078: null pointer dereference crashes from iprb nics)
#8

Updated by Andy Fiddaman about 2 years ago

  • Status changed from New to Duplicate