Message-ID: <50AA8F24.7080604@gmail.com>
Date: Mon, 19 Nov 2012 14:57:24 -0500
From: Karim Fodil-Lemelin
To: freebsd-net@freebsd.org
Subject: igb driver crashes in head@241037

Hello -net,

While testing the latest igb driver in CURRENT I came across an issue with igb_mq_start(). More specifically this code:

    ...
    struct mbuf *pm = NULL;
    /*
    ** Try to queue first to avoid
    ** out-of-order delivery, but
    ** settle for it if that fails
    */
    if (m && drbr_enqueue(ifp, txr->br, m))
            pm = m;
    err = igb_mq_start_locked(ifp, txr, pm);
    ...

The problem comes from the fact that drbr_enqueue() can return an error and delete the mbuf, as seen in drbr_enqueue():

    ...
    error = buf_ring_enqueue(br, m);
    if (error)
            m_freem(m);
    ...

When this happens, pm is set to m, and then igb_mq_start_locked() will enqueue an already freed mbuf, with the outcome you can imagine. When I reverted only that part of r241037, that problem disappeared. I have attached a patch for those interested.

Best regards,

Karim.

Content-Disposition: attachment; filename="igb.patch"

diff --git a/sys/dev/e1000/if_igb.c b/sys/dev/e1000/if_igb.c index 1318910..be1719a 100644 --- a/sys/dev/e1000/if_igb.c +++ b/sys/dev/e1000/if_igb.c 
@@ -961,15 +961,7 @@ igb_mq_start(struct ifnet *ifp, struct mbuf *m) que = &adapter->queues[i]; if (((txr->queue_status & IGB_QUEUE_DEPLETED) == 0) && IGB_TX_TRYLOCK(txr)) { - struct mbuf *pm = NULL; - /* - ** Try to queue first to avoid - ** out-of-order delivery, but - ** settle for it if that fails - */ - if (m && drbr_enqueue(ifp, txr->br, m)) - pm = m; - err = igb_mq_start_locked(ifp, txr, pm); + err = igb_mq_start_locked(ifp, txr, m); IGB_TX_UNLOCK(txr); } else { err = drbr_enqueue(ifp, txr->br, m); --------------060400040902030200040703--
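
Review bot: in the IGB_TX_TRYLOCK branch, passing m straight to igb_mq_start_locked() drops the enqueue-first step that the removed comment says was there to avoid out-of-order delivery, and nothing in the hunk records why. Since drbr_enqueue() frees m when it fails (as the message above shows), the stale pointer could be avoided while keeping that ordering: keep the drbr_enqueue() call, keep its return value in err, and call igb_mq_start_locked(ifp, txr, NULL) instead of handing pm back. If the plain revert is preferred, a short comment here stating that m must not be touched after a failed drbr_enqueue() would help keep the pattern from coming back.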
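
The ownership contract behind this crash, as an added example that is not part of the original post, the attached patch or the FreeBSD sources. It is a constructed user-space model: struct pkt, ring_enqueue(), start_locked(), start_buggy() and start_checked() are hypothetical stand-ins for an mbuf, drbr_enqueue(), igb_mq_start_locked() and two possible callers, and a "freed" packet is only flagged so that a stale use can be counted.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model: struct pkt stands in for an mbuf and records
 * stale accesses instead of really releasing memory. */
struct pkt { int freed; int stale_uses; };
#define RING_SLOTS 2
struct ring { struct pkt *slot[RING_SLOTS]; int count; };

static void pkt_free(struct pkt *p) { p->freed = 1; }   /* m_freem() stand-in */
static void pkt_use(struct pkt *p) { if (p->freed) p->stale_uses++; }

/* Same contract as drbr_enqueue() in the post: on error the packet is freed. */
static int ring_enqueue(struct ring *r, struct pkt *p)
{
    if (r->count == RING_SLOTS) {
        pkt_free(p);
        return ENOBUFS;
    }
    r->slot[r->count++] = p;
    return 0;
}

/* Hypothetical stand-in for igb_mq_start_locked(): handles p, then drains. */
static int start_locked(struct ring *r, struct pkt *p)
{
    if (p != NULL)
        pkt_use(p);
    for (int i = 0; i < r->count; i++)
        pkt_use(r->slot[i]);
    r->count = 0;
    return 0;
}

/* Pattern from the post: the error return is read as "caller still owns p". */
static int start_buggy(struct ring *r, struct pkt *p)
{
    struct pkt *pm = NULL;
    if (p && ring_enqueue(r, p))
        pm = p;                 /* p was already freed by ring_enqueue() */
    return start_locked(r, pm);
}

/* Ownership-aware caller: after a failed enqueue p is never touched again. */
static int start_checked(struct ring *r, struct pkt *p)
{
    int err = p ? ring_enqueue(r, p) : 0;
    start_locked(r, NULL);      /* still drain what is already queued */
    return err;
}
```

With the ring full, start_buggy() touches the freed packet once and still returns 0, while start_checked() reports the enqueue error and leaves the freed packet alone.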