Message-ID: <ZpFEJeNpwxW1aW9k@gmail.com>
Date: Fri, 12 Jul 2024 07:56:37 -0700
From: Breno Leitao <leitao@...ian.org>
To: michael.chan@...adcom.com, kuba@...nel.org
Cc: netdev@...r.kernel.org
Subject: net: bnxt: Crash on 6.10 ioctl

Hello,

Testing commit 24ca36a562 ("Merge tag 'wq-for-6.10-rc5-fixes' of
git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq") I am getting the
following crash in the bnxt driver:

BUG: kernel NULL pointer dereference, address: 00000000000000b8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
Hardware name: ...
RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
Code: e7 03 44 89 ca 83 e2 fc 31 c0 eb 19 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 4d 8b 12 4d 39 f2 0f 84 92 00 00 00 45 85 c9 74 ef <49> 8b b2 b8 00 00 00 31 db 49 83 f8 03 73 30 48 85 ff 74 db 48 8d
All code
========
0: e7 03 out %eax,$0x3
2: 44 89 ca mov %r9d,%edx
5: 83 e2 fc and $0xfffffffc,%edx
8: 31 c0 xor %eax,%eax
a: eb 19 jmp 0x25
c: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
13: 00 00 00
16: 0f 1f 00 nopl (%rax)
19: 4d 8b 12 mov (%r10),%r10
1c: 4d 39 f2 cmp %r14,%r10
1f: 0f 84 92 00 00 00 je 0xb7
25: 45 85 c9 test %r9d,%r9d
28: 74 ef je 0x19
2a:* 49 8b b2 b8 00 00 00 mov 0xb8(%r10),%rsi <-- trapping instruction
31: 31 db xor %ebx,%ebx
33: 49 83 f8 03 cmp $0x3,%r8
37: 73 30 jae 0x69
39: 48 85 ff test %rdi,%rdi
3c: 74 db je 0x19
3e: 48 rex.W
3f: 8d .byte 0x8d
Code starting with the faulting instruction
===========================================
0: 49 8b b2 b8 00 00 00 mov 0xb8(%r10),%rsi
7: 31 db xor %ebx,%ebx
9: 49 83 f8 03 cmp $0x3,%r8
d: 73 30 jae 0x3f
f: 48 85 ff test %rdi,%rdi
12: 74 db je 0xffffffffffffffef
14: 48 rex.W
15: 8d .byte 0x8d
RSP: 0018:ffffc900014d3cb8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: 0000000000000080 RSI: 0000000000000206 RDI: 0000000000000000
RBP: 00000000ffffffea R08: 000000000000007f R09: 0000000000000080
R10: 0000000000000000 R11: 00000003246184b4 R12: 00007ffc260f65c0
R13: ffff888103158000 R14: ffff888103158978 R15: ffff888103158840
FS: 00007fbc65e3e940(0000) GS:ffff88903fe40000(0000) knlGS:0000000000000000
CR2: 00000000000000b8 CR3: 0000000109c98003 CR4: 00000000007706f0
05:56:10 PKRU: 55555554
Call Trace:
<TASK>
? __die_body (arch/x86/kernel/dumpstack.c:421)
? page_fault_oops (arch/x86/mm/fault.c:711)
? schedule_hrtimeout_range_clock (kernel/time/hrtimer.c:1449 kernel/time/hrtimer.c:2293)
? exc_page_fault (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
bnxt_set_channels
ethtool_set_channels (net/ethtool/ioctl.c:1941)
dev_ethtool (net/ethtool/ioctl.c:? net/ethtool/ioctl.c:3177)
dev_ioctl (net/core/dev_ioctl.c:?)
sock_do_ioctl (net/socket.c:1236)
sock_ioctl (net/socket.c:1341)
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)

Are you aware of this problem?

Unfortunately I don't have a reproducer at this time.

Thanks