Date: Fri, 20 Jan 2017 17:16:48 +0000 (UTC) From: Ryan Stone <rstone@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r312544 - in head/sys: dev/ixgbe net Message-ID: <201701201716.v0KHGmSF039161@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rstone Date: Fri Jan 20 17:16:48 2017 New Revision: 312544 URL: https://svnweb.freebsd.org/changeset/base/312544 Log: Fix reference to free memory in ixgbe/if_media.c When ixgbe receives an interrupt indicating that a new optical module may have been inserted, it discards all of its current media types by calling ifmedia_removeall() and then creates a new set of media types for the supported media on the new module. However, ifmedia_removeall() was maintaining a pointer to whatever the current media type was before the call to ifmedia_removealL(). The result of this was that any attempt to read the current media type of the interface (e.g. via ifconfig) would return potentially garbage data from free memory (or if one were particularly unlucky on an architecture that does not malloc() from a direct map, page fault the kernel). Fix this by NULL'ing out the current media field in if_media.c, and have ixgbe update the current media type after recreating them. Submitted by: Matt Joras <matt.joras AT gmail DOT com> Reviewed by: sbruno, erj MFC after: 1 week Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D9164 Modified: head/sys/dev/ixgbe/if_ix.c head/sys/net/if_media.c Modified: head/sys/dev/ixgbe/if_ix.c ============================================================================== --- head/sys/dev/ixgbe/if_ix.c Fri Jan 20 17:14:10 2017 (r312543) +++ head/sys/dev/ixgbe/if_ix.c Fri Jan 20 17:16:48 2017 (r312544) @@ -3878,6 +3878,7 @@ ixgbe_handle_msf(void *context, int pend /* Adjust media types shown in ifconfig */ ifmedia_removeall(&adapter->media); ixgbe_add_media_types(adapter); + ifmedia_set(&adapter->media, IFM_ETHER | IFM_AUTO); IXGBE_CORE_UNLOCK(adapter); return; } Modified: head/sys/net/if_media.c ============================================================================== --- head/sys/net/if_media.c Fri Jan 20 17:14:10 2017 (r312543) +++ head/sys/net/if_media.c Fri Jan 20 17:16:48 2017 (r312544) @@ -107,6 +107,7 @@ ifmedia_removeall(ifm) LIST_REMOVE(entry, ifm_list); free(entry, M_IFADDR); } + ifm->ifm_cur = NULL; } /*
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201701201716.v0KHGmSF039161>