Re: Potential re(4) / netbsd-4 / i386 problem?

[David Young <dyoung%pobox.com@localhost>]

On Fri, Jul 23, 2010 at 12:12:24PM +0200, Manuel Bouyer wrote:
> On Wed, Jul 21, 2010 at 02:06:11PM +0200, Brad du Plessis wrote:
> > I've managed to reproduce this now in netbsd-5 too (source is about
> > 3 months old, not sure if there have been any changes since):
> > 
> > re0: discarding oversize frame (len=9041)
> > re0: discarding oversize frame (len=16158)
> > panic: kernel diagnostic assertion "pcg->pcg_avail == 0" failed:
> > file "../../../../kern_subr_pool.c", line 2580
> > 
> > 
> > As I think I've said before, the actual crash point is different
> > every time but the panic is always preceded by the discarding
> > oversize frame. Sometimes the len in the oversize frame message
> > is len=-1.
> 
> is it possible that the re device is writting past its buffer (via DMA) and
> overwriting random memory ?

Check for buffer overruns by reserving a "guard region" on each side of
a DMA buffer.  Write guard bytes (0xdeadbeefdeadbeef or something) in
each guard region.  Check whether any bytes in the guard region were
modified before you reclaim a DMA buffer.

If that doesn't detect any problems, consider reclaiming DMA buffers
lazily: don't reclaim a buffer immediately, put put it on a queue.  When
the queue grows N buffers deep, reclaim the first buffer you put on
it.  Maybe an errant DMA lands on the buffer it while it "rests" on the
queue?  Check a buffer's guard regions before you reclaim it.  Consider
comparing the whole buffer against a copy you make when you put it on
the queue.

Dave

-- 
David Young             OJC Technologies
dyoung%ojctech.com@localhost      Urbana, IL * (217) 278-3933