Bug 195924
| Summary: | [patch] IXGBE watchdog bug causes crash. | ||
|---|---|---|---|
| Product: | Base System | Reporter: | liangyi571 |
| Component: | kern | Assignee: | freebsd-net (Nobody) <net> |
| Status: | Closed Overcome By Events | ||
| Severity: | Affects Many People | CC: | erj, jfv, sbruno |
| Priority: | --- | Keywords: | IntelNetworking |
| Version: | 10.1-STABLE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Adding ixgbe(4) maintainers. txr is no longer refenced directly in the watchdog: handler. It is indirectly referenced via the que structure. None of the watchdog: calls access the que data structure in an out of bounds condition. |
When ixgbe driver reset hardware in timer function, it will crash sometime. In ixgbe.c ixgbe_local_timer function. The code before goto watchdog segment: for (int i = 0; i < adapter->num_queues; i++, que++, txr++) { if ((txr->queue_status == IXGBE_QUEUE_HUNG) && (paused == 0)) ++hung; else if (txr->queue_status == IXGBE_QUEUE_WORKING) taskqueue_enqueue(que->tq, &txr->txq_task); } /* Only truely watchdog if all queues show hung */ if (hung == adapter->num_queues) goto watchdog; Before goto watchdog, pointer tar is out of bounds, so any access to pointer txr will cause a buffer overflow problem. The bug exists in Release 9 and Release 10. To fix this problem, I suggest reset txr in watchdog segment. watchdog: + txr = adapter->tx_rings; The same bug maybe exists in if_igb.c.