195924 – [patch] IXGBE watchdog bug causes crash.

Bug 195924 - [patch] IXGBE watchdog bug causes crash.

Summary: [patch] IXGBE watchdog bug causes crash.

Status:	Closed Overcome By Events

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	10.1-STABLE
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	freebsd-net (Nobody)

URL:
Keywords:	IntelNetworking

Depends on:
Blocks:

Reported:	2014-12-12 17:26 UTC by liangyi571
Modified:	2015-06-30 18:12 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description liangyi571 2014-12-12 17:26:37 UTC

When ixgbe driver reset hardware in timer function, it will crash sometime. In ixgbe.c ixgbe_local_timer function. The code before goto watchdog segment:

	for (int i = 0; i < adapter->num_queues; i++, que++, txr++) {
		if ((txr->queue_status == IXGBE_QUEUE_HUNG) &&
		    (paused == 0))
			++hung;
		else if (txr->queue_status == IXGBE_QUEUE_WORKING)
			taskqueue_enqueue(que->tq, &txr->txq_task);
        }
	/* Only truely watchdog if all queues show hung */
        if (hung == adapter->num_queues)
                goto watchdog;
 
Before goto watchdog, pointer tar is out of bounds, so any access to pointer txr will cause a buffer overflow problem. The bug exists in Release 9 and Release 10. To fix this problem, I suggest reset txr in watchdog segment.

watchdog:
+	txr = adapter->tx_rings;

The same bug maybe exists in if_igb.c.

Comment 1 Hiren Panchasara freebsd_committer

2015-03-11 23:48:26 UTC

Adding ixgbe(4) maintainers.

Comment 2 Sean Bruno freebsd_committer

2015-06-30 18:12:39 UTC

txr is no longer refenced directly in the watchdog: handler.  It is indirectly referenced via the que structure.  

None of the watchdog: calls access the que data structure in an out of bounds condition.