NetBSD Problem Report #58068

From www@netbsd.org  Sat Mar 23 11:17:24 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 75AC11A923A
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 23 Mar 2024 11:17:24 +0000 (UTC)
Message-Id: <20240323111722.F0B061A923B@mollari.NetBSD.org>
Date: Sat, 23 Mar 2024 11:17:22 +0000 (UTC)
From: als@thangorodrim.ch
Reply-To: als@thangorodrim.ch
To: gnats-bugs@NetBSD.org
Subject: "ifconfig qe0 mtu 512" causes kernel crash on NetBSD 10.0RC6
X-Send-Pr-Version: www-1.0

>Number:         58068
>Category:       port-vax
>Synopsis:       "ifconfig qe0 mtu 512" causes kernel crash on NetBSD 10.0RC6
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    mrg
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 23 11:20:00 +0000 2024
>Closed-Date:    Mon Mar 25 17:56:41 +0000 2024
>Last-Modified:  Mon Mar 25 17:56:41 +0000 2024
>Originator:     Alexander Schreiber
>Release:        NetBSD 10.0_RC6 (GENERIC)
>Organization:
Not Much
>Environment:
>Description:
While investigating a SIMH VAX simulator crash (simulator segfaults with certain network traffic), I wanted to test a theory and set a silly low MTU on the ethernet interface. Then this happened:

 ifconfig qe0 mtu 512
[ 401.0241561] r0=87fd9028 r1=00000000 r2=00000000 r3=87c6a780 r4=80692f34 r5=00000000 r6=87fd9028 r7=87e91a00
[ 401.0241561] r8=00000000 r9=87e91a00 r10=8090697f r11=00000000
[ 401.0241561] ap=8b87fc7c fp=8b87fc68 sp=7ffff50c pc=80259431
[ 401.0241561] panic: SEGV in kernel mode: pc 0x80259431 addr 0
[ 401.0241561] cpu0: Begin traceback...
[ 401.0241561] panic: SEGV in kernel mode: pc 0x80259431 addr 0
[ 401.0241561] Stack traceback : 
[ 401.0241561]   Process is executing in user space.
[ 401.0241561] cpu0: End traceback...

[ 401.0241561] dump to dev 9,1 not possible

HALT instruction, PC: 80013565 (PUSHAB 802A2F6B)

I posted to port-vax asking for replication on real metal and got
confirmation that it happens there too:

http://mail-index.netbsd.org/port-vax/2024/03/23/msg004969.html

There is also a patch provided to port-vax by Matthew Green:
http://mail-index.netbsd.org/port-vax/2024/03/23/msg004973.html





>How-To-Repeat:
Boot NetBSD on a VAX (or SIMH VAX) with the qe ethernet device, try to set
MTU to 512 bytes, observe crash.

>Fix:
patch provided by Matthew Green (haven't gotten around to testing it):
http://mail-index.netbsd.org/port-vax/2024/03/23/msg004973.html

>Release-Note:

>Audit-Trail:
From: Alexander Schreiber <als@thangorodrim.ch>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: port-vax/58068: "ifconfig qe0 mtu 512" causes kernel crash on
 NetBSD 10.0RC6
Date: Sat, 23 Mar 2024 18:06:34 +0100

 One more observation: This only crashes if the interface is up.
 With the sequence:
  - interface is active
  - "ifconfig qe0 down"
  - "ifconfig qe0 mtu 512"
  - "ifconfig qe0 up"
  - "dhclient qe0"

 the kernel crashes within 1-2s after the invocation of dhclient.

Responsible-Changed-From-To: port-vax-maintainer->mrg
Responsible-Changed-By: mrg@NetBSD.org
Responsible-Changed-When: Sat, 23 Mar 2024 18:46:25 +0000
Responsible-Changed-Why:
pretty sure my patch fixes the problem.


State-Changed-From-To: open->analyzed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Sat, 23 Mar 2024 18:46:25 +0000
State-Changed-Why:
problem is understood.


From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58068 CVS commit: src/sys/dev/qbus
Date: Mon, 25 Mar 2024 05:37:46 +0000

 Module Name:	src
 Committed By:	mrg
 Date:		Mon Mar 25 05:37:45 UTC 2024

 Modified Files:
 	src/sys/dev/qbus: if_qe.c

 Log Message:
 vax/qe(4): supply an ipf->if_init() so that if_init() doesn't crash.

 convert the existing qeinit() to one compatible with if_init.

 should fix PR#58068.


 To generate a diff of this commit:
 cvs rdiff -u -r1.81 -r1.82 src/sys/dev/qbus/if_qe.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: analyzed->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 25 Mar 2024 15:01:16 +0000
State-Changed-Why:
pullup-10 #647
pullup-9 #1822
pullup-8 #1951


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58068 CVS commit: [netbsd-10] src/sys/dev/qbus
Date: Mon, 25 Mar 2024 15:26:04 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Mon Mar 25 15:26:04 UTC 2024

 Modified Files:
 	src/sys/dev/qbus [netbsd-10]: if_qe.c

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #647):

 	sys/dev/qbus/if_qe.c: revision 1.82

 vax/qe(4): supply an ipf->if_init() so that if_init() doesn't crash.

 convert the existing qeinit() to one compatible with if_init.
 should fix PR#58068.


 To generate a diff of this commit:
 cvs rdiff -u -r1.81 -r1.81.28.1 src/sys/dev/qbus/if_qe.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58068 CVS commit: [netbsd-9] src/sys/dev/qbus
Date: Mon, 25 Mar 2024 15:35:50 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Mon Mar 25 15:35:50 UTC 2024

 Modified Files:
 	src/sys/dev/qbus [netbsd-9]: if_qe.c

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #1822):

 	sys/dev/qbus/if_qe.c: revision 1.82

 vax/qe(4): supply an ipf->if_init() so that if_init() doesn't crash.

 convert the existing qeinit() to one compatible with if_init.
 should fix PR#58068.


 To generate a diff of this commit:
 cvs rdiff -u -r1.81 -r1.81.2.1 src/sys/dev/qbus/if_qe.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58068 CVS commit: [netbsd-8] src/sys/dev/qbus
Date: Mon, 25 Mar 2024 15:37:25 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Mon Mar 25 15:37:25 UTC 2024

 Modified Files:
 	src/sys/dev/qbus [netbsd-8]: if_qe.c

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #1951):

 	sys/dev/qbus/if_qe.c: revision 1.82

 vax/qe(4): supply an ipf->if_init() so that if_init() doesn't crash.

 convert the existing qeinit() to one compatible with if_init.
 should fix PR#58068.


 To generate a diff of this commit:
 cvs rdiff -u -r1.77.2.1 -r1.77.2.2 src/sys/dev/qbus/if_qe.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 25 Mar 2024 17:56:41 +0000
State-Changed-Why:
fixed in HEAD, pulled up to 10, 9, 8


>Unformatted:
