Bug 195924 - [patch] IXGBE watchdog bug causes crash.
Summary: [patch] IXGBE watchdog bug causes crash.
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 10.1-STABLE
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-net mailing list
URL:
Keywords: IntelNetworking
Depends on:
Blocks:
 
Reported: 2014-12-12 17:26 UTC by liangyi571
Modified: 2015-06-30 18:12 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description liangyi571 2014-12-12 17:26:37 UTC
When ixgbe driver reset hardware in timer function, it will crash sometime. In ixgbe.c ixgbe_local_timer function. The code before goto watchdog segment:

	for (int i = 0; i < adapter->num_queues; i++, que++, txr++) {
		if ((txr->queue_status == IXGBE_QUEUE_HUNG) &&
		    (paused == 0))
			++hung;
		else if (txr->queue_status == IXGBE_QUEUE_WORKING)
			taskqueue_enqueue(que->tq, &txr->txq_task);
        }
	/* Only truely watchdog if all queues show hung */
        if (hung == adapter->num_queues)
                goto watchdog;
 
Before goto watchdog, pointer tar is out of bounds, so any access to pointer txr will cause a buffer overflow problem. The bug exists in Release 9 and Release 10. To fix this problem, I suggest reset txr in watchdog segment.

watchdog:
+	txr = adapter->tx_rings;

The same bug maybe exists in if_igb.c.
Comment 1 Hiren Panchasara freebsd_committer 2015-03-11 23:48:26 UTC
Adding ixgbe(4) maintainers.
Comment 2 Sean Bruno freebsd_committer 2015-06-30 18:12:39 UTC
txr is no longer refenced directly in the watchdog: handler.  It is indirectly referenced via the que structure.  

None of the watchdog: calls access the que data structure in an out of bounds condition.