Created attachment 166768
Patch to illustrate the problem

In the QEMU workaround code in if_ixv.c, the ixv driver calls pci_find_cap(dev, PCIY_MSIX, &rid). It is not checking the return code from that function and the function appears to always be failing. This then causes the driver to use the rid variable uninitialized, which will mean setting a bit at an arbitrary offset in pci config space. For now, this seems to have no adverse impact, but it could easily cause very subtle problems. Also the QEMU workaround is probably non-functional because of this.

I've attached a patch for a partial solution that checks the error code and skips the PCI write if it fails. This avoids the erroneous PCI accesses, but it would be better if we could figure out why finding the capability is failing (I have not debugged it that far).
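The following is an added illustration of the defect the report describes, not code from the ixv driver or from the attached patch. It models a 256-byte PCI config space and a stub pci_find_cap() with the FreeBSD contract (return 0 and store the capability offset on success; return ENOENT and leave *rid untouched on failure), then shows the unchecked pattern beside the checked one. The MSI-X capability offset (0x70) and the "stale" stack value are constructed for the demonstration.

```c
/*
 * Added illustration of the unchecked pci_find_cap() pattern; not the
 * ixv driver's code. Everything here runs against a fake config space.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_SIZE                  256
#define PCIY_MSIX                 0x11    /* MSI-X capability ID */
#define PCIR_MSIX_CTRL            0x2     /* Message Control, relative to cap */
#define PCIM_MSIXCTRL_MSIX_ENABLE 0x8000
#define MSIX_CAP_OFFSET           0x70    /* constructed: where the fake device puts it */

struct fake_dev {
	uint8_t cfg[CFG_SIZE];
	int     has_msix;
};

/* Stub with the same contract as pci_find_cap(9): *rid untouched on failure. */
static int
pci_find_cap(struct fake_dev *dev, int capability, int *rid)
{
	if (capability == PCIY_MSIX && dev->has_msix) {
		*rid = MSIX_CAP_OFFSET;
		return (0);
	}
	return (ENOENT);
}

static uint16_t
pci_read_config16(struct fake_dev *dev, int off)
{
	return (uint16_t)(dev->cfg[off] | (dev->cfg[off + 1] << 8));
}

static void
pci_write_config16(struct fake_dev *dev, int off, uint16_t val)
{
	dev->cfg[off]     = (uint8_t)(val & 0xff);
	dev->cfg[off + 1] = (uint8_t)(val >> 8);
}

/*
 * Defective pattern: the return value is ignored, so when the lookup fails
 * 'rid' keeps whatever the stack held. Real code is undefined here; 'stale'
 * stands in for that garbage so the run is deterministic. Returns the
 * config-space offset that was actually written.
 */
static int
enable_msix_unchecked(struct fake_dev *dev, int stale)
{
	int rid = stale;
	uint16_t ctrl;

	pci_find_cap(dev, PCIY_MSIX, &rid);
	rid += PCIR_MSIX_CTRL;
	ctrl = pci_read_config16(dev, rid);
	pci_write_config16(dev, rid, ctrl | PCIM_MSIXCTRL_MSIX_ENABLE);
	return (rid);
}

/* Checked pattern: skip the write entirely when the capability is absent. */
static int
enable_msix_checked(struct fake_dev *dev)
{
	int rid = 0, error;
	uint16_t ctrl;

	error = pci_find_cap(dev, PCIY_MSIX, &rid);
	if (error != 0)
		return (error);
	rid += PCIR_MSIX_CTRL;
	ctrl = pci_read_config16(dev, rid);
	pci_write_config16(dev, rid, ctrl | PCIM_MSIXCTRL_MSIX_ENABLE);
	return (0);
}

/* Count of non-zero config bytes, to show whether a write touched the device. */
static int
config_bytes_changed(const struct fake_dev *dev)
{
	int i, n = 0;

	for (i = 0; i < CFG_SIZE; i++)
		if (dev->cfg[i] != 0)
			n++;
	return (n);
}

int
main(void)
{
	struct fake_dev d;

	memset(&d, 0, sizeof(d));          /* device without MSI-X cap */
	printf("checked: error=%d, bytes changed=%d\n",
	    enable_msix_checked(&d), config_bytes_changed(&d));
	printf("unchecked: wrote offset 0x%x, bytes changed=%d\n",
	    enable_msix_unchecked(&d, 0x40), config_bytes_changed(&d));
	return (0);
}
```

With the capability missing, the checked variant returns ENOENT and leaves config space untouched, while the unchecked variant sets bit 15 at stale+2, an offset that has nothing to do with MSI-X.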
Seems to be still relevant.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b87b3696c973ef0a9df70143cd89f6b488531e93

commit b87b3696c973ef0a9df70143cd89f6b488531e93
Author:     Jeremiah Lott <jlott@averesystems.com>
AuthorDate: 2024-10-27 07:18:54 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2024-10-27 07:18:54 +0000

    ixv: Check cap return before MSI-X enable write

    In the QEMU workaround code in if_ixv.c, the ixv driver calls
    pci_find_cap(dev, PCIY_MSIX, &rid). It is not checking the return code
    from that function and the function appears to always be failing. This
    then causes the driver to use the rid variable uninitialized, which will
    mean setting a bit at an arbitrary offset in pci config space. For now,
    this seems to have no adverse impact, but it could easily cause very
    subtle problems.

    PR:           207037
    MFC after:    3 days
    Sponsored by: BBOX.io

 sys/dev/ixgbe/if_ixv.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=86efff54916bba7b7543699fe5922d8363f16c11

commit 86efff54916bba7b7543699fe5922d8363f16c11
Author:     Jeremiah Lott <jlott@averesystems.com>
AuthorDate: 2024-10-27 07:18:54 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2024-10-30 01:01:04 +0000

    ixv: Check cap return before MSI-X enable write

    In the QEMU workaround code in if_ixv.c, the ixv driver calls
    pci_find_cap(dev, PCIY_MSIX, &rid). It is not checking the return code
    from that function and the function appears to always be failing. This
    then causes the driver to use the rid variable uninitialized, which will
    mean setting a bit at an arbitrary offset in pci config space. For now,
    this seems to have no adverse impact, but it could easily cause very
    subtle problems.

    PR:           207037
    Sponsored by: BBOX.io

    (cherry picked from commit b87b3696c973ef0a9df70143cd89f6b488531e93)

 sys/dev/ixgbe/if_ixv.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=453f85caa93a431911b66b2cd781595e4ebd59ec

commit 453f85caa93a431911b66b2cd781595e4ebd59ec
Author:     Jeremiah Lott <jlott@averesystems.com>
AuthorDate: 2024-10-27 07:18:54 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2024-10-30 01:02:46 +0000

    ixv: Check cap return before MSI-X enable write

    In the QEMU workaround code in if_ixv.c, the ixv driver calls
    pci_find_cap(dev, PCIY_MSIX, &rid). It is not checking the return code
    from that function and the function appears to always be failing. This
    then causes the driver to use the rid variable uninitialized, which will
    mean setting a bit at an arbitrary offset in pci config space. For now,
    this seems to have no adverse impact, but it could easily cause very
    subtle problems.

    PR:           207037
    Sponsored by: BBOX.io

    (cherry picked from commit b87b3696c973ef0a9df70143cd89f6b488531e93)

 sys/dev/ixgbe/if_ixv.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)