The ixgbe and igb drivers have *_rx_discard methods which attempt to reuse mbufs in the rx_ring. They fail to check whether the mbuf pointers are valid before dereferencing them, though. This causes a panic when header split is disabled, because the rbuf->m_head pointer will always be NULL. Fix: Check for NULL pointers before dereferencing mh and mp in ixgbe_rx_discard() and igb_rx_discard(). I don't see any other places where m_head is used without being checked. How-To-Repeat: Found by adding a failure point in ixgbe_rxeof() right before the staterr check. The first packet that's rejected causes a panic.
Responsible Changed From-To: freebsd-bugs->freebsd-net Over to maintainer(s).
This problem seems to be fixed in sys/dev/e1000/if_igb.c,v1.60 but not in STABLE (there were no MFC yet). By the way, I'm experiencing kernel panics in em(4) for two distinct very loaded routers based on em-supported NICs (no crashdumps collected yet, sorry). And I see very similar code in if_em.c without a check for NULL pointer before dereferencing, this time without a fix even in HEAD. Eugene Grosbein
igb was fixed here: r213234 | jfv | 2010-09-27 17:13:15 -0700 (Mon, 27 Sep 2010) | 13 lines Update code from Intel: - Sync shared code with Intel internal - New client chipset support added - em driver - fixes to 82574, limit queues to 1 but use MSIX - em driver - large changes in TX checksum offload and tso code, thanks to yongari. - some small changes for watchdog issues. - igb driver - local timer watchdog code was missing locking this and a couple other watchdog related fixes. - bug in rx discard found by Andrew Boyer, check for null pointer MFC: a week em was fixed here: r216172 | jfv | 2010-12-03 17:59:58 -0800 (Fri, 03 Dec 2010) | 7 lines Small cut and paste bug in flow control string fixed. Second, correct the discard/refresh_mbufs code to behave more like igb, there have been panics due to discards and this should fix them. MFC after: 3 days