Date: Mon, 19 Nov 2012 12:01:45 -0800 From: Jack Vogel <jfvogel@gmail.com> To: Karim Fodil-Lemelin <fodillemlinkarim@gmail.com> Cc: freebsd-net@freebsd.org Subject: Re: igb diver crashes in head@241037 Message-ID: <CAFOYbcm9ySK051=Pu09WVSt_m%2BEnmwPdpz=sf6pm0V=OgViwvA@mail.gmail.com> In-Reply-To: <50AA8F24.7080604@gmail.com> References: <50AA8F24.7080604@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Indeed, I found this very same problem in internal testing, I took it out, but then have been working on the best way to keep the idea without the problems, I have code that will do that coming soon. Thanks for the report! Jack On Mon, Nov 19, 2012 at 11:57 AM, Karim Fodil-Lemelin < fodillemlinkarim@gmail.com> wrote: > Hello -net, > > While testing the latest igb driver in CURRENT I came across an issue with > igb_mq_start(). More specifically this code: > > ... > > struct mbuf *pm = NULL; > /* > ** Try to queue first to avoid > ** out-of-order delivery, but > ** settle for it if that fails > */ > if (m && drbr_enqueue(ifp, txr->br, m)) > pm = m; > err = igb_mq_start_locked(ifp, txr, pm); > > ... > > > The problem comes from the fact that drbr_enqueue() can return an error > and delete the mbuf as seen in drbr_enqueue(): > > ... > error = buf_ring_enqueue(br, m); > if (error) > m_freem(m); > ... > > When this happens pm is set to m then igb_mq_start_locked() will enqueue > an already freed mbuf with the outcome you can imagine. > > When I reverted only that part of r241037 that problem disappeared. I have > attached a patch for those interested. > > Best regards, > > Karim. > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFOYbcm9ySK051=Pu09WVSt_m%2BEnmwPdpz=sf6pm0V=OgViwvA>