Date:      Mon, 2 Nov 2009 18:35:06 +0000 (UTC)
From:      Pyun YongHyeon <yongari@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r198814 - head/sys/dev/re
Message-ID:  <200911021835.nA2IZ6WI065996@svn.freebsd.org>

Author: yongari
Date: Mon Nov  2 18:35:05 2009
New Revision: 198814
URL: http://svn.freebsd.org/changeset/base/198814

Log:
  Add a check to know whether driver is still running after
  reacquiring driver lock in Rx handler. re(4) drops a driver lock
  before passing received frame to upper stack and reacquires the
  lock. During the time window ioctl calls could be executed and if
  the ioctl was interface down request, driver will stop the
  controller and free allocated mbufs. After that when driver comes
  back to Rx handler again it does not know what happened so it
  could access free mbufs which in turn causes panic.
  
  Reported by:	 Norbert Papke < npapk <> acm dot org >
  Tested by:	 Norbert Papke < npapk <> acm dot org >

Modified:
  head/sys/dev/re/if_re.c

Modified: head/sys/dev/re/if_re.c
==============================================================================
--- head/sys/dev/re/if_re.c	Mon Nov  2 18:15:11 2009	(r198813)
+++ head/sys/dev/re/if_re.c	Mon Nov  2 18:35:05 2009	(r198814)
@@ -1817,6 +1817,8 @@ re_rxeof(struct rl_softc *sc, int *rx_np
 
 	for (i = sc->rl_ldata.rl_rx_prodidx; maxpkt > 0;
 	    i = RL_RX_DESC_NXT(sc, i)) {
+		if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
+			break;
 		cur_rx = &sc->rl_ldata.rl_rx_list[i];
 		rxstat = le32toh(cur_rx->rl_cmdstat);
 		if ((rxstat & RL_RDESC_STAT_OWN) != 0)
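Review bot: The new IFF_DRV_RUNNING test at the top of the for body has no comment, and nothing in re_rxeof() at this point tells a reader why the flag could change between iterations. A short comment above the test, saying that the driver lock is dropped while a frame is handed to the upper stack and that an interface down ioctl may have stopped the controller and freed the Rx mbufs in that window, would keep a later cleanup from removing it as redundant. Because the test is evaluated only at the start of the next iteration, any statements that run between re-taking the lock and the end of the loop body (not visible in this hunk) still execute against a stopped device; either confirm they do not touch sc->rl_ldata.rl_rx_list or mbuf state, or move the test to immediately after the lock is reacquired. It is also worth confirming that the code following the loop is safe to run after an early break, since the ring may already have been torn down.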


