Date: Mon, 15 Aug 2016 09:09:01 +0000 (UTC) From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r304134 - stable/10/sys/dev/mlx5/mlx5_en Message-ID: <201608150909.u7F991Yk061546@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hselasky Date: Mon Aug 15 09:09:01 2016 New Revision: 304134 URL: https://svnweb.freebsd.org/changeset/base/304134 Log: MFC r303870: Fix for use after free. Clear the device description to avoid use after free because the bsddev is not destroyed when the mlx5en module is unloaded. Only when the parent mlx5 module is unloaded the bsddev is destroyed. This fixes a panic on listing sysctls which refer strings in the bsddev after the mlx5en module has been unloaded. Sponsored by: Mellanox Technologies Modified: stable/10/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/dev/mlx5/mlx5_en/mlx5_en_main.c ============================================================================== --- stable/10/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Mon Aug 15 09:07:26 2016 (r304133) +++ stable/10/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Mon Aug 15 09:09:01 2016 (r304134) @@ -3114,6 +3114,13 @@ mlx5e_destroy_ifp(struct mlx5_core_dev * /* don't allow more IOCTLs */ priv->gone = 1; + /* + * Clear the device description to avoid use after free, + * because the bsddev is not destroyed when this module is + * unloaded: + */ + device_set_desc(mdev->pdev->dev.bsddev, NULL); + /* XXX wait a bit to allow IOCTL handlers to complete */ pause("W", hz);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201608150909.u7F991Yk061546>