-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2008.0230 -- [UNIX/Linux][Solaris]
         Solaris 10 x86 Systems Using Marvell HBA Controllers May
                         Experience Panic or Hang
                                19 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Marvell 88SX6081
                      Marvell 88SX6041
Publisher:            Sun Microsystems
Operating System:     Solaris 10
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Denial of Service
Access:               Existing Account

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Solaris. It is recommended that administrators
         running Marvell 88SX6081 and 88SX6041 HBA controllers check for an
         updated version of the software for their operating system.
         
         The controllers are SATA 4-port and 8-port PCI-X host controllers.

Revision History:       May 19 2008: Updated Resolution Section to list the 
                                     patches now available.
                       March 4 2008: Removed Windows from OS List.
                      March  4 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Solution Type: Sun Alert
   Solution  233341 :   Solaris 10 x86 Systems Using Marvell HBA
   Controllers May Experience Panic or Hang          
   Bug ID: 6579855

   Product
Solaris 10 Operating System

   Date of Workaround Release: 21-Feb-2008

   Date of Resolved Release: 16-May-2008

   SA Document Body
Solaris 10 x86 Systems Using Marvell HBA Controllers May Experience Panic or Ha
ng

1. Impact

   Solaris 10 x86 systems using Marvell 88SX6081 and 88SX6041 HBA
   controllers which support NCQ may experience a system panic or
   application hang due to multiple issues with the marvell88sx(7D)
   driver. Sun Fire X4500 systems use the 88SX6081 Controller. Some
   non-Sun hardware uses the affected Controllers 88SX6081 and 88SX6041.
   This issue results from a race condition in the Marvell driver which
   occurs when systems perform sequential writes.  zfs(1M) file systems
   make heavy use of sequential writes, and systems using ZFS with the
   affected Marvell controller are likely to experience this issue.
   The race nature of this issue means it is not possible to predict when
   the issue will occur. However, it is known that higher loads will
   increase the likelihood of a panic or hang occurring.

2. Contributing Factors

   This issue can occur in the following release:
   x86 Platform
     * Solaris 10 6/06, 11/06 or 8/07 with both patches 118855-20 or
       later AND 125205-03 or later and without patch 127128-04

   Notes:
    1. Solaris 8 and 9 are not impacted by this issue and Solaris 10 on
       the SPARC platform is not impacted by this issue.
    2. Solaris 10 3/05 and 1/06 are not impacted by this issue as the
       affected Marvell driver was first shipped in Solaris 10 6/06.
    3. Solaris 10 8/07 shipped with the affected patches 125205-05 and
       118855-20 already included.
    4. Only systems performing sequential writes will encounter this
       issue. Sequential writes are used by zfs(1M) file systems and will
       provoke this issue when used with sufficient load.
    5. SVM may also invoke this issue, but SVM is unlikely to expose it
       as it does not generate the required load to expose this race
       condition.

   To determine if a system is using ZFS, the following command can be
   run:
$ zfs list

   If any pools are listed, ZFS is being used on the system.
   In addition, performance enhancements to ZFS will also make the issue
   more likely with lower loads. These performance enhancements were
   delivered in patch 120011-03 or later which was included with Solaris
   10 8/07.
   If Marvell driver patch 125205-07 is installed, the likelihood of
   seeing this issue increases yet further.
   Note: Systems will only experience this issue if they use a Marvell
   88SX6081 or 88SX6041HBA Controller. Other Marvell Controllers which do
   not support NCQ are not impacted by this issue.
   To determine if a system is using the affected 88SX6081 Marvell HBA
   Controller, execute the following command (as 'root' user):
# /usr/X11/bin/scanpci | /usr/sfw/bin/ggrep -A1 "vendor 0x11ab device 0x6081"
pci bus 0x0001 cardnum 0x01 function 0x00: vendor 0x11ab device 0x6081
Marvell Technology Group Ltd. MV88SX6081 8-port SATA II PCI-X Controller

   Sun Fire X4500 is the only Sun system which uses an affected Marvell
   HBA Controller. It uses the 88SX6081. There are also non-Sun systems
   which include the affected Marvell controllers 88SX6081 and 88SX6041
   which may be impacted by this issue.

3. Symptoms

   There are two symptoms related to this issue:
   1. Commands that access filesystems resident on disks connected to the
   Marvell sata controller can hang indefinitely.
   A typical stack when the application /usr/lib/nfs/nfsd was hung is
   given below:
swtch+0x110()
cv_wait+0x68()
zil_commit+0x7b()
zfs_putpage+0x1c5()
fop_putpage+0x28()
rfs3_commit+0x1a8()
common_dispatch+0x34c()
rfs_dispatch+0x21()
svc_getreq+0x209()
svc_run+0x124()
svc_do_run+0x88()
nfssys+0x208()
sys_syscall32+0x101()

   2. There can be a panic with a stack frame that resembles the
   following:
unix:real_mode_end+7051 ()
unix:trap+c57 ()
unix:cmntrap+140 ()
sd:sd_initpkt_for_buf+70 ()
sd:sd_start_cmds+a5 ()
sd:sd_return_command+d3 ()
sd:sdintr+187 ()
sata:sata_txlt_rw_completion+13c ()
marvell88sx:mv_do_completed_pkts+4c ()
unix:av_dispatch_softvect+62 ()
unix:intr_thread+a5 ()

   Also seen will be messages as shown below, however, these messages may
   also be seen in response to other issues and are not unique to this
   issue. The stacks above are required to confirm that the issue being
   seen is the one described by this Sun Alert.
Jan  5 15:15:02 x4501 marvell88sx: [ID 670675 kern.info] NOTICE: marvell88sx0: 
device on port 0 reset: DMA command timeout
Jan  5 15:15:02 x4501 sata: [ID 801593 kern.notice] NOTICE:/pci@0,0/pci1022,745
8@1/pci11ab,11ab@1:
Jan  5 15:15:02 x4501  port 0: device reset
Jan  5 15:15:02 x4501 marvell88sx: [ID 670675 kern.info] NOTICE: marvell88sx0: 
device on port 0 reset: device disconnected or device error
Jan  5 15:15:03 x4501 sata: [ID 801593 kern.notice] NOTICE:/pci@0,0/pci1022,745
8@1/pci11ab,11ab@1:
Jan  5 15:15:03 x4501  port 0: device reset
Jan  5 15:15:03 x4501 sata: [ID 801593 kern.notice] NOTICE:/pci@0,0/pci1022,745
8@1/pci11ab,11ab@1:
Jan  5 15:15:03 x4501  port 0: link lost
Jan  5 15:15:03 x4501 sata: [ID 801593 kern.notice] NOTICE:/pci@0,0/pci1022,745
8@1/pci11ab,11ab@1:
Jan  5 15:15:03 x4501  port 0: link established
Jan  5 15:15:03 x4501 marvell88sx: [ID 812950 kern.warning] WARNING: marvell88s
x0: error on port 0:
Jan  5 15:15:03 x4501 marvell88sx: [ID 517869 kern.info]    device disconnected
Jan  5 15:15:03 x4501 marvell88sx: [ID 517869 kern.info]    device connected
Jan  5 15:15:03 x4501 scsi: [ID 107833 kern.warning] WARNING: 
/pci@0,0/pci1022,7458@1/pci11ab,11ab@1/disk@0,0 (sd5):
Jan  5 15:15:03 x4501     Error for Command: write   Error Level: Retryable
Jan  5 15:15:03 x4501 scsi: [ID 107833 kern.notice] Requested Block: 414429   E
rror Block: 414429
Jan  5 15:15:03 x4501 scsi: [ID 107833 kern.notice] Vendor: ATA      Serial Num
ber:
Jan  5 15:15:03 x4501 scsi: [ID 107833 kern.notice] Sense Key: No Additional Se
nse
Jan  5 15:15:03 x4501 scsi: [ID 107833 kern.notice] ASC: 0x0 (no additional sen
se info), ASCQ: 0x0, FRU: 0x0
Jan  5 18:20:27 x4501 marvell88sx: [ID 670675 kern.info] NOTICE: marvell88sx0: 
device on port 0 reset: DMA command timeout
Jan  5 18:20:27 x4501 sata: [ID 801593 kern.notice] NOTICE: /pci@0,0/pci1022,74
58@1/pci11ab,11ab@1:
Jan  5 18:20:27 x4501  port 0: device reset

4. Workaround

   There is no workaround for this issue. Please see the Resolution
   section below.

5. Resolution

   This issue is addressed in the following release:
   x86 Platform
     * Solaris 10 with patch 127128-04 or later

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSDDLESh9+71yA2DNAQIcigP+OsBkfCBVEgMoHthwzUtiazBfD5bNC1oV
fXlM2QXbWn3cHAuzbj/PuV8Km9mphMYWOb8E9E4jKvb8GDIY1L9h3OCQq392Mbns
2l8Zj+bB1YZfXuFcslZE7oGnjzMGcA+vPWndGWAVcJ60o1XntapJipIMYqaeXQY0
EtP7oy2/rpo=
=xgNL
-----END PGP SIGNATURE-----