Date:      Thu, 01 Dec 2022 02:04:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 268092] ixgbe: if_ixv driver have mismatched Rx buffer size and rx_mbuf_sz
Message-ID:  <bug-268092-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268092

            Bug ID: 268092
           Summary: ixgbe: if_ixv driver have mismatched Rx buffer size
                    and rx_mbuf_sz
           Product: Base System
           Version: 12.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: nkumarababu@gmail.com

If the MTU of the if_ixv VF driver is configured between 1501 and 2030, and if a
peer box has a bigger MTU and sends a packet bigger than the MTU into this guest,
the kernel could crash.

Here is my understanding:
There are 2 buffers involved in the Rx process. One for the DMA (bufsz) and
another (rx_mbuf_sz) for sending that packet to netstack.

In the if_ixv driver, bufsz is set to 4096 if the MTU is more than the default
MTU: 1500. Whereas rx_mbuf_sz is set to 2048 for up to MTU 2030
(calculation is based on frame size: 18). Because of this, for MTU up to
1500, both rx_mbuf_sz & bufsz are 2048. And for MTU above 2031, both
rx_mbuf_sz & bufsz are 4096. Whereas for MTU 1501 to 2030, rx_mbuf_sz
will be 2048 and bufsz is 4096.

So for MTU between 1501 and 2030, if the peer box has a bigger MTU and
sends a bigger packet, there is a mismatch between what's written to
the Rx buffers and what's sent to netstack. And when that memory beyond
the allocated 2048 is accessed, the kernel crashes.

Ideally, bufsz should be based on rx_mbuf_sz (this is calculated right
before configuring Rx settings).

I could crash the box by setting the MTU between 1501 and 2030 and sending
an 8k sized ping packet very consistently, and with the fix below to match
bufsz & rx_mbuf_sz, could verify that no crash occurred.


--- a/sys/dev/ixgbe/if_ixv.c
+++ b/sys/dev/ixgbe/if_ixv.c
@@ -1368,7 +1376,7 @@ ixv_initialize_receive_units(if_ctx_t ctx)
        struct ix_rx_queue *que =3D adapter->rx_queues;
        u32                bufsz, psrtype;

-       if (if_getmtu(ifp) > ETHERMTU)
+       if (adapter->rx_mbuf_sz > 2048)
                bufsz =3D 4096 >> IXGBE_SRRCTL_BSIZEPKT_SHIFT;
        else
                bufsz =3D 2048 >> IXGBE_SRRCTL_BSIZEPKT_SHIFT;
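
Review bot: The new test `adapter->rx_mbuf_sz > 2048` still chooses between two hard-coded sizes, so bufsz and rx_mbuf_sz only stay equal while rx_mbuf_sz is exactly 2048 or 4096. Consider deriving the value directly, for example `bufsz = adapter->rx_mbuf_sz >> IXGBE_SRRCTL_BSIZEPKT_SHIFT;`, or at least replacing the literal 2048 with a named constant, so the DMA size cannot drift from the mbuf size again. A one-line comment stating that rx_mbuf_sz must already be set when ixv_initialize_receive_units() runs would document the ordering this now depends on. The hunk header offsets (-1368 versus +1376) also indicate the diff was generated against a file with other local changes, so it should be regenerated against a clean tree before it is applied.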

-- 
You are receiving this mail because:
You are the assignee for the bug.
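
The size selection described in the report, modelled as an added example (not code from the report or from the FreeBSD driver): it sweeps the MTU and finds where the DMA buffer size exceeds the mbuf size, with the old and the patched condition. The constants 1500, 18, 2048 and 4096 come from the report; the macro and function names and the sweep bounds 68..9000 are assumptions.

```c
#include <stdio.h>

/* Values from the report; all names in this file are hypothetical. */
#define DEFAULT_MTU    1500   /* ETHERMTU in the hunk */
#define FRAME_OVERHEAD   18   /* "frame size: 18" in the report */
#define SMALL_BUF      2048
#define LARGE_BUF      4096

/* Size of the mbuf handed to the network stack, as the report describes it. */
static unsigned rx_mbuf_size(unsigned mtu)
{
    return (mtu + FRAME_OVERHEAD <= SMALL_BUF) ? SMALL_BUF : LARGE_BUF;
}

/* DMA buffer size with the old condition: keyed on the MTU. */
static unsigned bufsz_before(unsigned mtu)
{
    return (mtu > DEFAULT_MTU) ? LARGE_BUF : SMALL_BUF;
}

/* DMA buffer size with the patched condition: keyed on rx_mbuf_sz. */
static unsigned bufsz_after(unsigned mtu)
{
    return (rx_mbuf_size(mtu) > SMALL_BUF) ? LARGE_BUF : SMALL_BUF;
}

/* Count MTUs (constructed range 68..max_mtu) for which the NIC may DMA more
 * bytes than the mbuf holds; *lo and *hi receive the first and last such MTU. */
static unsigned mismatch_range(unsigned (*bufsz)(unsigned), unsigned max_mtu,
                               unsigned *lo, unsigned *hi)
{
    unsigned count = 0;
    *lo = *hi = 0;
    for (unsigned mtu = 68; mtu <= max_mtu; mtu++) {
        if (bufsz(mtu) > rx_mbuf_size(mtu)) {
            if (count++ == 0)
                *lo = mtu;
            *hi = mtu;
        }
    }
    return count;
}

int main(void)
{
    unsigned lo, hi, n = mismatch_range(bufsz_before, 9000, &lo, &hi);
    printf("before: %u mismatching MTUs (%u..%u)\n", n, lo, hi);
    printf("after:  %u mismatching MTUs\n",
           mismatch_range(bufsz_after, 9000, &lo, &hi));
    return 0;
}
```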


