igb driver crashes in head at 241037
Jack Vogel
jfvogel at gmail.com
Mon Nov 19 20:01:47 UTC 2012
Indeed, I found this very same problem in internal testing, I took it out,
but then have been working on the best way to keep the idea without the
problems, I have code that will do that coming soon.
Thanks for the report!
Jack
On Mon, Nov 19, 2012 at 11:57 AM, Karim Fodil-Lemelin <fodillemlinkarim at gmail.com> wrote:
> Hello -net,
>
> While testing the latest igb driver in CURRENT I came across an issue with
> igb_mq_start(). More specifically this code:
>
> ...
>
>     struct mbuf *pm = NULL;
>     /*
>     ** Try to queue first to avoid
>     ** out-of-order delivery, but
>     ** settle for it if that fails
>     */
>     if (m && drbr_enqueue(ifp, txr->br, m))
>         pm = m;
>     err = igb_mq_start_locked(ifp, txr, pm);
>
> ...
>
>
> The problem comes from the fact that drbr_enqueue() can return an error
> and delete the mbuf as seen in drbr_enqueue():
>
> ...
>     error = buf_ring_enqueue(br, m);
>     if (error)
>         m_freem(m);
> ...
>
> When this happens pm is set to m then igb_mq_start_locked() will enqueue
> an already freed mbuf with the outcome you can imagine.
>
> When I reverted only that part of r241037 that problem disappeared. I have
> attached a patch for those interested.
>
> Best regards,
>
> Karim.
>
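The ownership problem described in the report, as an added example that is not part of the original thread and is not FreeBSD or igb code. The `mock_*` functions and `stale_handoffs()` are hypothetical stand-ins (the mock marks an mbuf instead of releasing it, so it can be inspected safely), and the "checked" branch is an assumed alternative, not the patch attached to the report.

```c
#include <errno.h>
#include <stddef.h>

/* Mock mbuf: mock_m_freem() only sets a flag, so inspecting it later is safe. */
struct mbuf { int freed; };
struct buf_ring { int count, size; };

static void mock_m_freem(struct mbuf *m) { m->freed = 1; }

/* Same contract as the quoted drbr_enqueue(): on error the mbuf is freed. */
static int mock_drbr_enqueue(struct buf_ring *br, struct mbuf *m)
{
    if (br->count >= br->size) {    /* ring full */
        mock_m_freem(m);
        return ENOBUFS;
    }
    br->count++;
    return 0;
}

/* Stand-in for igb_mq_start_locked(): counts freed mbufs handed to it. */
static int mock_start_locked(struct mbuf *m, int *stale)
{
    if (m != NULL && m->freed)
        (*stale)++;
    return 0;
}

/* Returns how many freed mbufs reach the transmit path when the ring is full. */
int stale_handoffs(int checked)
{
    struct buf_ring br = { 1, 1 };  /* constructed: ring already full */
    struct mbuf pkt = { 0 }, *m = &pkt, *pm = NULL;
    int stale = 0;

    if (!checked) {                 /* pattern from the report */
        if (m && mock_drbr_enqueue(&br, m))
            pm = m;                 /* m was freed inside the enqueue */
    } else {                        /* assumed alternative */
        if (m && mock_drbr_enqueue(&br, m))
            m = NULL;               /* ownership is gone, drop the pointer */
    }
    mock_start_locked(pm, &stale);
    return stale;
}

int main(void)
{
    return !(stale_handoffs(0) == 1 && stale_handoffs(1) == 0);
}
```
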