Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 29 Nov 2009 19:49:21 +0000 (UTC)
From:      Pyun YongHyeon <yongari@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r199930 - stable/8/sys/dev/re
Message-ID:  <200911291949.nATJnLk3006689@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: yongari
Date: Sun Nov 29 19:49:21 2009
New Revision: 199930
URL: http://svn.freebsd.org/changeset/base/199930

Log:
  MFC 198814.
    Add a check to know whether driver is still running after
    reacquiring driver lock in Rx handler. re(4) drops a driver lock
    before passing received frame to upper stack and reacquire the
    lock. During the time window ioctl calls could be executed and if
    the ioctl was interface down request, driver will stop the
    controller and free allocated mbufs. After that when driver comes
    back to Rx handler again it does not know what was happend so it
    could access free mbufs which in turn cause panic.
  
    Reported by:	Norbert Papke < npapk <> acm dot org >
    Tested by:	Norbert Papke < npapk <> acm dot org >

Modified:
  stable/8/sys/dev/re/if_re.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/xen/xenpci/   (props changed)

Modified: stable/8/sys/dev/re/if_re.c
==============================================================================
--- stable/8/sys/dev/re/if_re.c	Sun Nov 29 19:47:31 2009	(r199929)
+++ stable/8/sys/dev/re/if_re.c	Sun Nov 29 19:49:21 2009	(r199930)
@@ -1817,6 +1817,8 @@ re_rxeof(struct rl_softc *sc, int *rx_np
 
 	for (i = sc->rl_ldata.rl_rx_prodidx; maxpkt > 0;
 	    i = RL_RX_DESC_NXT(sc, i)) {
+		if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
+			break;
 		cur_rx = &sc->rl_ldata.rl_rx_list[i];
 		rxstat = le32toh(cur_rx->rl_cmdstat);
 		if ((rxstat & RL_RDESC_STAT_OWN) != 0)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200911291949.nATJnLk3006689>