Date: Mon, 19 Nov 2012 14:57:24 -0500 From: Karim Fodil-Lemelin <fodillemlinkarim@gmail.com> To: freebsd-net@freebsd.org Subject: igb diver crashes in head@241037 Message-ID: <50AA8F24.7080604@gmail.com>
index | next in thread | raw e-mail
[-- Attachment #1 --]
Hello -net,
While testing the latest igb driver in CURRENT I came across an issue
with igb_mq_start(). More specifically this code:
...
struct mbuf *pm = NULL;
/*
** Try to queue first to avoid
** out-of-order delivery, but
** settle for it if that fails
*/
if (m && drbr_enqueue(ifp, txr->br, m))
pm = m;
err = igb_mq_start_locked(ifp, txr, pm);
...
The problem comes from the fact that drbr_enqueue() can return an error
and delete the mbuf as seen in drbr_enqueue():
...
error = buf_ring_enqueue(br, m);
if (error)
m_freem(m);
...
When this happens pm is set to m then igb_mq_start_locked() will enqueue
an already freed mbuf with the outcome you can imagine.
When I reverted only that part of r241037 that problem disappeared. I
have attached a patch for those interested.
Best regards,
Karim.
[-- Attachment #2 --]
diff --git a/sys/dev/e1000/if_igb.c b/sys/dev/e1000/if_igb.c
index 1318910..be1719a 100644
--- a/sys/dev/e1000/if_igb.c
+++ b/sys/dev/e1000/if_igb.c
@@ -961,15 +961,7 @@ igb_mq_start(struct ifnet *ifp, struct mbuf *m)
que = &adapter->queues[i];
if (((txr->queue_status & IGB_QUEUE_DEPLETED) == 0) &&
IGB_TX_TRYLOCK(txr)) {
- struct mbuf *pm = NULL;
- /*
- ** Try to queue first to avoid
- ** out-of-order delivery, but
- ** settle for it if that fails
- */
- if (m && drbr_enqueue(ifp, txr->br, m))
- pm = m;
- err = igb_mq_start_locked(ifp, txr, pm);
+ err = igb_mq_start_locked(ifp, txr, m);
IGB_TX_UNLOCK(txr);
} else {
err = drbr_enqueue(ifp, txr->br, m);
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50AA8F24.7080604>