Bug 195924

Summary: [patch] IXGBE watchdog bug causes crash.
Product: Base System
Reporter: liangyi571
Component: kern
Assignee: freebsd-net (Nobody) <net>
Status: Closed Overcome By Events
Severity: Affects Many People
CC: erj, jfv, sbruno
Priority: ---
Keywords: IntelNetworking
Version: 10.1-STABLE
Hardware: Any
OS: Any

Description liangyi571 2014-12-12 17:26:37 UTC
When the ixgbe driver resets the hardware in the timer function, it will sometimes crash. In ixgbe.c, in the ixgbe_local_timer function, the code before the goto watchdog segment:

	for (int i = 0; i < adapter->num_queues; i++, que++, txr++) {
		if ((txr->queue_status == IXGBE_QUEUE_HUNG) &&
		    (paused == 0))
			++hung;
		else if (txr->queue_status == IXGBE_QUEUE_WORKING)
			taskqueue_enqueue(que->tq, &txr->txq_task);
	}
	/* Only truely watchdog if all queues show hung */
	if (hung == adapter->num_queues)
		goto watchdog;
 
Before goto watchdog, pointer txr is out of bounds, so any access to pointer txr will cause a buffer overflow problem. The bug exists in Release 9 and Release 10. To fix this problem, I suggest resetting txr in the watchdog segment.

watchdog:
+	txr = adapter->tx_rings;
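
Review bot: resetting only txr after the watchdog: label leaves que stale, because the loop header quoted above advances both cursors together (i++, que++, txr++) and this path is reached only after a full pass, so que is also one past its last element here. If anything after the label reads through que, it needs the same reset to the start of its array; a sturdier change is to keep the cursors local to the loop or iterate by index so no past-the-end pointer survives it. The added line should also carry a short comment saying why txr is re-derived at this point.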

The same bug may exist in if_igb.c.
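
The stale-cursor condition described in the report above, as an added example that is not part of the original report or the ixgbe driver: it shows where the cursor ends up after the scan, next to a loop-scoped cursor as an alternative to the reset proposed in the report. The struct, enum and function names are hypothetical stand-ins, and the loop is narrowed to the hung count only.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the driver's per-queue state, not the real structs. */
enum { QUEUE_WORKING = 1, QUEUE_HUNG = 2 };
struct tx_ring { int me; int queue_status; };
struct adapter_model { struct tx_ring *tx_rings; int num_queues; };

/* Cursor pattern from the report: txr advances once per queue. Returns how
 * far txr sits from the array base once the loop has finished. */
static ptrdiff_t cursor_offset_after_scan(const struct adapter_model *a, int *hung)
{
	const struct tx_ring *txr = a->tx_rings;

	*hung = 0;
	for (int i = 0; i < a->num_queues; i++, txr++)
		if (txr->queue_status == QUEUE_HUNG)
			++*hung;
	/* txr now equals tx_rings + num_queues: legal to form, not to dereference. */
	return txr - a->tx_rings;
}

/* Hardened form: the cursor lives only inside the loop body, so the code after
 * the loop has to index from the base. Returns the id of the ring the
 * watchdog path would report, or -1 when not every queue is hung. */
static int watchdog_ring(const struct adapter_model *a)
{
	int hung = 0;

	for (int i = 0; i < a->num_queues; i++) {
		const struct tx_ring *txr = &a->tx_rings[i];
		if (txr->queue_status == QUEUE_HUNG)
			++hung;
	}
	return (hung == a->num_queues) ? a->tx_rings[0].me : -1;
}

int main(void)
{
	struct tx_ring rings[4] = { {0, QUEUE_HUNG}, {1, QUEUE_HUNG},
	    {2, QUEUE_HUNG}, {3, QUEUE_HUNG} };	/* constructed sample state */
	struct adapter_model a = { rings, 4 };
	int hung;
	ptrdiff_t off = cursor_offset_after_scan(&a, &hung);

	printf("offset=%td hung=%d ring=%d\n", off, hung, watchdog_ring(&a));
	return 0;
}
```
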
Comment 1 Hiren Panchasara freebsd_committer 2015-03-11 23:48:26 UTC
Adding ixgbe(4) maintainers.
Comment 2 Sean Bruno freebsd_committer 2015-06-30 18:12:39 UTC
txr is no longer referenced directly in the watchdog: handler. It is indirectly referenced via the que structure.

None of the watchdog: calls access the que data structure in an out of bounds condition.