Subject: kern/22493: wm(4) may crash after interface down.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <taca@kyoto.jone-system.com>
List: netbsd-bugs
Date: 08/15/2003 22:24:34
>Number:         22493
>Category:       kern
>Synopsis:       wm(4) may crash after interface down.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 15 13:25:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Taca Takahiro Kambe
>Release:        NetBSD 1.6.1_STABLE
>Organization:
	
>Environment:
	
	

NetBSD 1.6.1_STABLE (SISBIC-INSTALL) #37: Fri Aug 15 20:31:07 JST 2003
    support@kyoto.jone-system.com:/d/obj/sys/arch/i386/compile/SISBIC-INSTALL
cpu0: Intel Pentium 4 (686-class), 2391.21 MHz
cpu0: D-cache 8 KB 64b/line 4-way
cpu0: L2 cache 512 KB 64b/line 8-way
cpu0: features ffffffffbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
cpu0: features ffffffffbfebfbff<PGE,MCA,CMOV,FGPAT,PSE36,CFLUSH,DS,ACPI,MMX>
cpu0: features ffffffffbfebfbff<FXSR,SSE,SSE2,SS,HTT,TM,B31>
total memory = 126 MB
avail memory = 112 MB
using 1645 buffers containing 6580 KB of memory
BIOS32 rev. 0 found at 0xfb9d0
PCI BIOS rev. 2.1 found at 0xfba00
PCI IRQ Routing Table rev. 1.0 found at 0xfdeb0, size 160 bytes (8 entries)
PCI Interrupt Router at 000:31:0 (vendor 0x8086 product 0x7000)
PCI Exclusive IRQs: 3 5 9 10 11
pci_addr_fixup: 000:31:1 0x8086 0x24cb new address 0x00005800
pci_addr_fixup: 000:31:1 0x8086 0x24cb new address 0x00005808
pci_addr_fixup: 000:31:1 0x8086 0x24cb new address 0x00005810
pci_addr_fixup: 000:31:1 0x8086 0x24cb new address 0x0000580c
pci_addr_fixup: 000:31:1 0x8086 0x24cb new address 0x07f00000
mainbus0 (root)
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0
pchb0: vendor 0x8086 product 0x2560 (rev. 0x03)
vga0 at pci0 dev 2 function 0: vendor 0x8086 product 0x2562 (rev. 0x03)
wsdisplay0 at vga0 kbdmux 1: console (80x25, vt100 emulation)
wsmux1: connecting to wsdisplay0
uhci0 at pci0 dev 29 function 0: vendor 0x8086 product 0x24c2 (rev. 0x02)
uhci0: interrupting at irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: vendor 0x8086 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1: vendor 0x8086 product 0x24c4 (rev. 0x02)
uhci1: interrupting at irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: vendor 0x8086 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
vendor 0x8086 product 0x24cd (USB serial bus, interface 0x20, revision 0x02) at pci0 dev 29 function 7 not configured
ppb0 at pci0 dev 30 function 0: vendor 0x8086 product 0x244e (rev. 0x82)
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled
wm0 at pci1 dev 1 function 0: Intel i82540EM 1000BASE-T Ethernet, rev. 2
wm0: interrupting at irq 11
wm0: Ethernet address 00:07:e9:09:f0:bc
makphy0 at wm0 phy 1: Marvell 88E1011 Gigabit PHY, rev. 3
makphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
fxp0 at pci1 dev 8 function 0: Intel PRO/100 VE Network Controller with 82562ET/EZ PHY, rev 130
fxp0: interrupting at irq 10
fxp0: Ethernet address 00:0a:e6:08:04:2d
inphy0 at fxp0 phy 1: i82562ET 10/100 media interface, rev. 0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pcib0 at pci0 dev 31 function 0
pcib0: vendor 0x8086 product 0x24c0 (rev. 0x02)
pciide0 at pci0 dev 31 function 1: Intel 82801DB IDE Controller (ICH4) (rev. 0x02)
pciide0: bus-master DMA support present
pciide0: primary channel wired to compatibility mode
wd0 at pciide0 channel 0 drive 0: <SAMSUNG SP1203N>
wd0: drive supports 16-sector PIO transfers, LBA48 addressing
wd0: 111 GB, 232632 cyl, 16 head, 63 sec, 512 bytes/sect x 234493056 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 6 (Ultra/133)
pciide0: primary channel interrupting at irq 14
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 (Ultra/100) (using DMA data transfers)
pciide0: secondary channel wired to compatibility mode
atapibus0 at pciide0 channel 1: 2 targets
cd0 at atapibus0 drive 0: <GCR-8401B, , 1.02> type 5 cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33)
pciide0: secondary channel interrupting at irq 15
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA data transfers)
vendor 0x8086 product 0x24c3 (SMBus serial bus, revision 0x02) at pci0 dev 31 function 3 not configured
isa0 at pcib0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
pckbc0 at isa0 port 0x60-0x64
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0-0xff: using exception 16
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec


>Description:
	wm(4) may crash after interface down.

>How-To-Repeat:
	A is the machine which has wm(4).  B is another machine.

	1. On B, keep ping(8) running against A.

		% ping A

	2. On A, bring the interface up and then down.

		# ifconfig wm0 aaa.bbb.ccc.ddd
		(now B's ping(8) will succeed.)
		# ifconfig wm0 down delete
	
	3. After a while, A will crash in wm_rxintr() in sys/dev/pci/if_wm.c,
	   on line 1640.

		WM_RXCHAIN_LINK(sc, m);

		m->m_len = len;			<== here

		DPRINTF(WM_DEBUG_RX,
		    ("%s: RX: buffer at %p len %d\n",
		    sc->sc_dev.dv_xname, m->m_data, len));

	   At this point m is a NULL pointer.

	I don't know whether this is a machine-specific problem or a wm(4)
	driver problem.

>Fix:
	Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted: