Date: Fri, 12 Dec 2014 17:26:37 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 195924] New: IXGBE watchdog bug causes crash. Message-ID: <bug-195924-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195924 Bug ID: 195924 Summary: IXGBE watchdog bug causes crash. Product: Base System Version: 10.1-STABLE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: liangyi571@163.com When ixgbe driver reset hardware in timer function, it will crash sometime. In ixgbe.c ixgbe_local_timer function. The code before goto watchdog segment: for (int i = 0; i < adapter->num_queues; i++, que++, txr++) { if ((txr->queue_status == IXGBE_QUEUE_HUNG) && (paused == 0)) ++hung; else if (txr->queue_status == IXGBE_QUEUE_WORKING) taskqueue_enqueue(que->tq, &txr->txq_task); } /* Only truely watchdog if all queues show hung */ if (hung == adapter->num_queues) goto watchdog; Before goto watchdog, pointer tar is out of bounds, so any access to pointer txr will cause a buffer overflow problem. The bug exists in Release 9 and Release 10. To fix this problem, I suggest reset txr in watchdog segment. watchdog: + txr = adapter->tx_rings; The same bug maybe exists in if_igb.c. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-195924-8>