Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 19 Nov 2012 14:57:24 -0500
From:      Karim Fodil-Lemelin <fodillemlinkarim@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   igb diver crashes in head@241037
Message-ID:  <50AA8F24.7080604@gmail.com>
next in thread | raw e-mail | index | archive | help 
This is a multi-part message in MIME format.
--------------060400040902030200040703
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello -net,

While testing the latest igb driver in CURRENT I came across an issue 
with igb_mq_start(). More specifically this code:

...

         struct mbuf *pm = NULL;
         /*
         ** Try to queue first to avoid
         ** out-of-order delivery, but
         ** settle for it if that fails
         */
         if (m && drbr_enqueue(ifp, txr->br, m))
             pm = m;
         err = igb_mq_start_locked(ifp, txr, pm);

...


The problem comes from the fact that drbr_enqueue() can return an error 
and delete the mbuf as seen in drbr_enqueue():

...
error = buf_ring_enqueue(br, m);
     if (error)
         m_freem(m);
...

When this happens pm is set to m then igb_mq_start_locked() will enqueue 
an already freed mbuf with the outcome you can imagine.

When I reverted only that part of r241037 that problem disappeared. I 
have attached a patch for those interested.

Best regards,

Karim.

--------------060400040902030200040703
Content-Type: text/plain; charset=windows-1252;
 name="igb.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="igb.patch"

diff --git a/sys/dev/e1000/if_igb.c b/sys/dev/e1000/if_igb.c
index 1318910..be1719a 100644
--- a/sys/dev/e1000/if_igb.c
+++ b/sys/dev/e1000/if_igb.c
@@ -961,15 +961,7 @@ igb_mq_start(struct ifnet *ifp, struct mbuf *m)
 	que = &adapter->queues[i];
 	if (((txr->queue_status & IGB_QUEUE_DEPLETED) == 0) &&
 	    IGB_TX_TRYLOCK(txr)) {
-		struct mbuf *pm = NULL;
-		/*
-		** Try to queue first to avoid
-		** out-of-order delivery, but 
-		** settle for it if that fails
-		*/
-		if (m && drbr_enqueue(ifp, txr->br, m))
-			pm = m;
-		err = igb_mq_start_locked(ifp, txr, pm);
+		err = igb_mq_start_locked(ifp, txr, m);
 		IGB_TX_UNLOCK(txr);
 	} else {
 		err = drbr_enqueue(ifp, txr->br, m);

--------------060400040902030200040703--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50AA8F24.7080604>