re: panic: kernel diagnostic assertion "offset < map->dm_maps" failed

To: Thomas Klausner <wiz%NetBSD.org@localhost>
Subject: re: panic: kernel diagnostic assertion "offset < map->dm_maps" failed
From: matthew green <mrg%eterna.com.au@localhost>
Date: Tue, 17 Oct 2023 15:10:22 +1100

> #3  0xffffffff80fe6e5f in kern_assert ()
> #4  0xffffffff8058be67 in bus_dmamap_sync ()
> #5  0xffffffff8044edc7 in rge_rxeof ()
> #6  0xffffffff804536fd in rge_intr ()

i'm pretty sure this is the 2nd bus_dmamap_sync() call, as that's
the only dma map that has load/unload applied at run time, vs the
init sequence only, and it implies to me that rx dma map has had
allocation failures to deplete the entire ring of mbufs, and then
there are no mappings in the dma map, which leaves the dm_mapsize
as 0, and triggers this bug.

if i'm right, what's happened is this:

1237         for (i = sc->rge_ldata.rge_rxq_considx; ; i = RGE_NEXT_RX_DESC(i)) {

1245                 if (RGE_OWN(cur_rx))
1246                         break;

1252                 rxq = &sc->rge_ldata.rge_rxq[i];
1253                 m = rxq->rxq_mbuf;

1257                 /* Invalidate the RX mbuf and unload its map. */
1258                 bus_dmamap_sync(sc->sc_dmat, rxq->rxq_dmamap, 0,
1259                     rxq->rxq_dmamap->dm_mapsize, BUS_DMASYNC_POSTREAD);
1260                 bus_dmamap_unload(sc->sc_dmat, rxq->rxq_dmamap);

1283                  * If allocating a replacement mbuf fails,
1284                  * reload the current one.

1287                 if (rge_newbuf(sc, i) != 0) {
1288                         if (sc->rge_head != NULL) {
1289                                 m_freem(sc->rge_head);
1290                                 sc->rge_head = sc->rge_tail = NULL;
1291                         }
1292                         rge_discard_rxbuf(sc, i);
1293                         continue;
1294                 }

loop 'i' has the ability to range between 0 and 1023, and
accesses each ring entries rge_rxq.  if, over time, each 
value between 0 and 1023 triggers the rge_newbuf() failure
path, each successive entry will be lost, never to be 
replaced unless an explicit ifconfig down/up occurs.

hmmm, but in thie case, no buffers would should be set to
be available for rx, so nowthing should pass RGE_OWN() at
L1245 i'd hope.  i still see the problem with everything
being depleted, but then it should just stop getting any
rx packets at all...

networking folks, am i missing something here?  i see the
same problem in wm(4) as well.  if wm_add_rxbuf() fails,
where will this ring entry's mbuf ever be replaced again?


.mrg.

Follow-Ups:
- re: panic: kernel diagnostic assertion "offset < map->dm_maps" failed
  - From: matthew green

References:
- Re: panic: kernel diagnostic assertion "offset < map->dm_maps" failed
  - From: Thomas Klausner

Prev by Date: daily CVS update output
Next by Date: re: panic: kernel diagnostic assertion "offset < map->dm_maps" failed
Previous by Thread: Re: panic: kernel diagnostic assertion "offset < map->dm_maps" failed
Next by Thread: re: panic: kernel diagnostic assertion "offset < map->dm_maps" failed
Indexes:

Home | Main Index | Thread Index | Old Index