Hi Guys!
I was experimenting and learning rdomains but got a kernel panic memory
management fault every time, a few seconds after issuing ifconfig(8):
# ifconfig fxp0 rdomain 1
fatal kernel trap:
trap entry = 0x2 (memory management fault)
a0 = 0x900000041
...
After some debugging it seems like an array overflow when fxp_init() calls
fxp_add_rfabuf() which in turn uses FXP_RXMAP_GET(sc) that will cause a
read beyond the end of the array - panic guaranteed!
#define FXP_RXMAP_GET(sc) ((sc)->sc_rxmaps[(sc)->sc_rxfree++])
This crash does NOT seem to happen if you try this with the interface down!
I wonder if anybody with a better understanding of fxp(4) driver could
work out why this happens?
At the moment I am using this ugly hack to prevent the panics. I have
not noticed any side-effects. My laptop is behind fxp0 on rdomain 1 and
this machine routes traffic elsewhere on rtable 0.
--- fxp.c.orig Thu Nov 5 11:32:07 2020
+++ fxp.c Thu Feb 22 14:45:54 2024
@@ -1489,6 +1491,11 @@
m->m_data = m->m_ext.ext_buf;
}
if (oldm == NULL) {
+ if (sc->sc_rxfree >= FXP_NRFABUFS_MAX) {
+ printf("%s: fxp_add_rfabuf: rxfree=%d exceeds max\n",
sc->sc_dev.dv_xname, sc->sc_rxfree);
+ m_freem(m);
+ return 2;
+ }
rxmap = FXP_RXMAP_GET(sc);
*((bus_dmamap_t *)m->m_ext.ext_buf) = rxmap;
bus_dmamap_load(sc->sc_dmat, rxmap,
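Review bot: the new sc->sc_rxfree >= FXP_NRFABUFS_MAX test in the oldm == NULL branch stops the read past the end of sc_rxmaps, but it only handles the symptom: nothing in the hunk explains or resets an index that has already reached the limit, so every later call on this path will take the same early return. Please confirm that FXP_NRFABUFS_MAX is the declared length of sc_rxmaps (or compare against nitems(sc->sc_rxmaps) so the bound follows the array), check that the callers of fxp_add_rfabuf() handle the new return value 2, and consider rate limiting or dropping the printf, since it fires on each call once the index is stuck. The printf line also runs past 80 columns and is wrapped in the posted diff.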
This is my DS15/alpha system with the built-in fxp(4) adapters but by nature
this code looks like it could cause problems on other platforms as well.
Hence I thought to do a "heads up" on this.
TIA,
Dennis Lindroos
OpenBSD alpha/x86/sparc64 since 2001
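
An added example, not part of the original message and not code from the fxp(4) driver: a user-space model of the map array that FXP_RXMAP_GET indexes, with bounds-checked get and put functions in place of the unchecked post-increment. The struct layout, NMAPS, the dmamap_t stand-in and the function names are assumptions made for illustration.

```c
#include <stdio.h>

#define NMAPS 4                 /* assumed array length, for the model only */

typedef int dmamap_t;           /* stand-in for bus_dmamap_t */

struct softc {                  /* hypothetical: only the two fields the macro touches */
	dmamap_t sc_rxmaps[NMAPS];
	int sc_rxfree;              /* index of the next free map */
};

/* Checked form of the post-increment read: fails instead of indexing past the end. */
static int rxmap_get(struct softc *sc, dmamap_t *out)
{
	if (sc->sc_rxfree < 0 || sc->sc_rxfree >= NMAPS)
		return -1;
	*out = sc->sc_rxmaps[sc->sc_rxfree++];
	return 0;
}

/* Give a map back to the pool; refuses to move the index below zero. */
static int rxmap_put(struct softc *sc, dmamap_t map)
{
	if (sc->sc_rxfree <= 0 || sc->sc_rxfree > NMAPS)
		return -1;
	sc->sc_rxmaps[--sc->sc_rxfree] = map;
	return 0;
}

/* Take up to `want` maps; returns how many were handed out before exhaustion. */
static int take_maps(struct softc *sc, int want)
{
	dmamap_t m;
	int got = 0;

	while (got < want && rxmap_get(sc, &m) == 0)
		got++;
	return got;
}

int main(void)
{
	struct softc sc = { { 10, 11, 12, 13 }, 0 };   /* constructed sample pool */

	printf("first pass:  %d maps\n", take_maps(&sc, NMAPS));
	printf("second pass: %d maps (nothing was put back)\n", take_maps(&sc, NMAPS));
	printf("put: %d, then get: %d maps\n", rxmap_put(&sc, 13), take_maps(&sc, 1));
	return 0;
}
```

With the unchecked macro, the second pass in this model would index sc_rxmaps[4] and beyond; the checked get reports exhaustion and leaves sc_rxfree unchanged.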