Page MenuHomeFreeBSD
Differential D57240

aq(4): Fix RSS indirection table OOB write and queue distribution
ClosedPublic
Actions

Authored by nick_spun.io on Mon, May 25, 5:35 PM.
Tags
Referenced Files
Unknown Object (File)
Wed, Jun 17, 3:47 AM
Unknown Object (File)
Sun, Jun 7, 8:22 AM
Unknown Object (File)
Sun, Jun 7, 8:18 AM
Unknown Object (File)
Sat, Jun 6, 4:03 PM
Unknown Object (File)
Sat, Jun 6, 4:00 PM
Unknown Object (File)
Sat, Jun 6, 1:14 PM
Unknown Object (File)
Sat, Jun 6, 1:11 PM
Unknown Object (File)
Sat, Jun 6, 6:35 AM
View All 39 Files
Subscribers
imp

Details

Reviewers
adrian
emaste
Group Reviewers
drivers
Commits
rG57f5252ff8a1: aq(4): Fix RSS indirection table OOB write and queue distribution
Summary

Two related fixes to aq(4)'s RSS indirection table handling:

  1. Fix an out-of-bounds stack write in aq_hw_rss_set(). RSS table entries are 3 bits (8 queues max), but with more than 8 RX rings rss_table[] holds larger values; the 32-bit write then spills one uint16_t past bitary[] and corrupts the stack, so the NIC never links or the kernel panics. Mask each value to 3 bits and pack 16 bits at a time to keep the write in bounds.
  1. Build the indirection table in aq_if_attach_post() with a modulo over min(rx_rings_count, HW_ATL_RSS_INDIRECTION_QUEUES_MAX) instead of i & (rx_rings_count - 1), which assumed a power-of-two ring count.
Test Plan

Confirmed on AQC107 (firmware 3.1.88) under FreeBSD 15.0-RELEASE: with the OOB write the interface attached but stayed "no carrier"; with the fix the link negotiates 1000baseT full-duplex and passes traffic.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

nick_spun.io created this revision.Mon, May 25, 5:35 PM
nick_spun.io held this revision as a draft.
Herald added a subscriber: imp. · View Herald TranscriptMon, May 25, 5:35 PM
Harbormaster completed remote builds in B73429: Diff 178572.Mon, May 25, 5:35 PM
nick_spun.io retitled this revision from aq(4): Fix RSS indirection table for non-power-of-two ring counts to aq(4): Fix RSS indirection table OOB write and queue distribution.Mon, May 25, 5:36 PM
nick_spun.io edited the summary of this revision. (Show Details)
nick_spun.io edited the test plan for this revision. (Show Details)
nick_spun.io edited the summary of this revision. (Show Details)Mon, May 25, 5:40 PM
nick_spun.io edited the test plan for this revision. (Show Details)
nick_spun.io updated this revision to Diff 178573.Mon, May 25, 5:46 PM
nick_spun.io edited the test plan for this revision. (Show Details)
This comment was removed by nick_spun.io.
Harbormaster completed remote builds in B73430: Diff 178573.Mon, May 25, 5:46 PM
nick_spun.io edited the summary of this revision. (Show Details)Mon, May 25, 5:46 PM
nick_spun.io edited the summary of this revision. (Show Details)Mon, May 25, 5:53 PM
nick_spun.io edited the summary of this revision. (Show Details)
nick_spun.io updated this revision to Diff 178575.Mon, May 25, 6:13 PM
This comment was removed by nick_spun.io.
Harbormaster completed remote builds in B73431: Diff 178575.Mon, May 25, 6:13 PM
nick_spun.io updated this revision to Diff 178576.Mon, May 25, 6:40 PM
This comment was removed by nick_spun.io.
Harbormaster completed remote builds in B73432: Diff 178576.Mon, May 25, 6:40 PM
nick_spun.io published this revision for review.Mon, May 25, 7:02 PM

Think this is in a pretty reasonable state now.

nick_spun.io added reviewers: adrian, emaste.Mon, May 25, 7:06 PM
nick_spun.io added a project: drivers.
nick_spun.io added a comment.Mon, May 25, 7:58 PM

sys/dev/qlxge/qls_hw.c:1004 also seems to use the incorrect RSS queue pattern - may be worth specifically mentioning that anti-pattern in the iflib man page or in the rss comments somewhere

adrian added a comment.Tue, May 26, 4:11 AM

oh, hm, how's 8 RSS queues but > 8 RX queues work? In any case, good catch!

adrian accepted this revision.Tue, May 26, 4:50 AM
This revision is now accepted and ready to land.Tue, May 26, 4:50 AM
nick_spun.io added a comment.EditedTue, May 26, 2:17 PM

The default pattern is to repeat the RSS queues across the RX queues so if there are 4 RSS queues but 8 RX queues you end up with 1 2 3 4 1 2 3 4 but this is actually configurable at runtime for traffic steering and whatnot

There are actually 64 RX queues on this card (traffic lands in them via hashing) so even with the maximum of 8 RSS queues you still end up duplicating them several times

adrian mentioned this in D57253: qlxge(4): Distribute RSS over num_rx_rings with a modulo.Tue, May 26, 5:31 PM
nick_spun.io added a child revision: D57434: aq(4): interrupt model and queue-count correctness.Thu, Jun 4, 11:30 AM
adrian added a reviewer: drivers.Sun, Jun 14, 4:23 PM
Closed by commit rG57f5252ff8a1: aq(4): Fix RSS indirection table OOB write and queue distribution (authored by nick_spun.io, committed by adrian). · Explain WhySat, Jun 20, 7:10 PM
This revision was automatically updated to reflect the committed changes.
adrian added a commit: rG57f5252ff8a1: aq(4): Fix RSS indirection table OOB write and queue distribution.

Revision Contents
Changeset List

PathSize
sys/
dev/
aq/
2 lines
12 lines
3 lines

Diff 180186

View Options

sys/dev/aq/aq_hw.h

Loading...
View Options

sys/dev/aq/aq_hw.c

Loading...
View Options

sys/dev/aq/aq_main.c

Loading...