From owner-svn-src-head@FreeBSD.ORG Wed Feb 24 01:44:41 2010 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 08E9E1065729; Wed, 24 Feb 2010 01:44:40 +0000 (UTC) (envelope-from np@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 2DC568FC0A; Wed, 24 Feb 2010 01:44:40 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o1O1iepI041477; Wed, 24 Feb 2010 01:44:40 GMT (envelope-from np@svn.freebsd.org) Received: (from np@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o1O1ieXn041475; Wed, 24 Feb 2010 01:44:40 GMT (envelope-from np@svn.freebsd.org) Message-Id: <201002240144.o1O1ieXn041475@svn.freebsd.org> From: Navdeep Parhar Date: Wed, 24 Feb 2010 01:44:40 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r204271 - head/sys/dev/cxgb X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Feb 2010 01:44:41 -0000 Author: np Date: Wed Feb 24 01:44:39 2010 New Revision: 204271 URL: http://svn.freebsd.org/changeset/base/204271 Log: Accessing an mbuf after it has been handed off to the hardware is a bad race as it could already have been tx'd and freed by that time. Place the bpf tap just _before_ writing the gen bit. This fixes a panic when running tcpdump on a cxgb interface. Modified: head/sys/dev/cxgb/cxgb_sge.c Modified: head/sys/dev/cxgb/cxgb_sge.c ============================================================================== --- head/sys/dev/cxgb/cxgb_sge.c Wed Feb 24 01:27:36 2010 (r204270) +++ head/sys/dev/cxgb/cxgb_sge.c Wed Feb 24 01:44:39 2010 (r204271) @@ -1477,6 +1477,7 @@ t3_encap(struct sge_qset *qs, struct mbu V_WR_GEN(txqs.gen)) | htonl(V_WR_TID(txq->token)); set_wr_hdr(wrp, wr_hi, wr_lo); wmb(); + ETHER_BPF_MTAP(pi->ifp, m0); wr_gen2(txd, txqs.gen); check_ring_tx_db(sc, txq); return (0); @@ -1549,8 +1550,10 @@ t3_encap(struct sge_qset *qs, struct mbu V_WR_GEN(txqs.gen) | V_WR_TID(txq->token)); set_wr_hdr(&hdr->wr, wr_hi, wr_lo); wmb(); + ETHER_BPF_MTAP(pi->ifp, m0); wr_gen2(txd, txqs.gen); check_ring_tx_db(sc, txq); + m_freem(m0); return (0); } flits = 3; @@ -1578,8 +1581,10 @@ t3_encap(struct sge_qset *qs, struct mbu V_WR_GEN(txqs.gen) | V_WR_TID(txq->token)); set_wr_hdr(&cpl->wr, wr_hi, wr_lo); wmb(); + ETHER_BPF_MTAP(pi->ifp, m0); wr_gen2(txd, txqs.gen); check_ring_tx_db(sc, txq); + m_freem(m0); return (0); } flits = 2; @@ -1590,12 +1595,14 @@ t3_encap(struct sge_qset *qs, struct mbu sgl_flits = sgl_len(nsegs); + ETHER_BPF_MTAP(pi->ifp, m0); + KASSERT(ndesc <= 4, ("ndesc too large %d", ndesc)); wr_hi = htonl(V_WR_OP(FW_WROPCODE_TUNNEL_TX_PKT) | txqs.compl); wr_lo = htonl(V_WR_TID(txq->token)); write_wr_hdr_sgl(ndesc, txd, &txqs, txq, sgl, flits, sgl_flits, wr_hi, wr_lo); - check_ring_tx_db(pi->adapter, txq); + check_ring_tx_db(sc, txq); return (0); } @@ -1674,16 +1681,6 @@ cxgb_start_locked(struct sge_qset *qs) */ if (t3_encap(qs, &m_head) || m_head == NULL) break; - - /* Send a copy of the frame to the BPF listener */ - ETHER_BPF_MTAP(ifp, m_head); - - /* - * We sent via PIO, no longer need a copy - */ - if (m_head->m_nextpkt == NULL && - m_head->m_pkthdr.len <= PIO_LEN) - m_freem(m_head); m_head = NULL; } @@ -1726,17 +1723,6 @@ cxgb_transmit_locked(struct ifnet *ifp, */ txq->txq_direct_packets++; txq->txq_direct_bytes += m->m_pkthdr.len; - /* - ** Send a copy of the frame to the BPF - ** listener and set the watchdog on. - */ - ETHER_BPF_MTAP(ifp, m); - /* - * We sent via PIO, no longer need a copy - */ - if (m->m_pkthdr.len <= PIO_LEN) - m_freem(m); - } } else if ((error = drbr_enqueue(ifp, br, m)) != 0) return (error);