From owner-svn-src-head@freebsd.org Fri Jan 20 17:16:49 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BF00ECB9C04; Fri, 20 Jan 2017 17:16:49 +0000 (UTC) (envelope-from rstone@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7228E1FBE; Fri, 20 Jan 2017 17:16:49 +0000 (UTC) (envelope-from rstone@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v0KHGm8D039163; Fri, 20 Jan 2017 17:16:48 GMT (envelope-from rstone@FreeBSD.org) Received: (from rstone@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v0KHGmSF039161; Fri, 20 Jan 2017 17:16:48 GMT (envelope-from rstone@FreeBSD.org) Message-Id: <201701201716.v0KHGmSF039161@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rstone set sender to rstone@FreeBSD.org using -f From: Ryan Stone Date: Fri, 20 Jan 2017 17:16:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r312544 - in head/sys: dev/ixgbe net X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jan 2017 17:16:49 -0000 Author: rstone Date: Fri Jan 20 17:16:48 2017 New Revision: 312544 URL: https://svnweb.freebsd.org/changeset/base/312544 Log: Fix reference to free memory in ixgbe/if_media.c When ixgbe receives an interrupt indicating that a new optical module may have been inserted, it discards all of its current media types by calling ifmedia_removeall() and then creates a new set of media types for the supported media on the new module. However, ifmedia_removeall() was maintaining a pointer to whatever the current media type was before the call to ifmedia_removealL(). The result of this was that any attempt to read the current media type of the interface (e.g. via ifconfig) would return potentially garbage data from free memory (or if one were particularly unlucky on an architecture that does not malloc() from a direct map, page fault the kernel). Fix this by NULL'ing out the current media field in if_media.c, and have ixgbe update the current media type after recreating them. Submitted by: Matt Joras Reviewed by: sbruno, erj MFC after: 1 week Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D9164 Modified: head/sys/dev/ixgbe/if_ix.c head/sys/net/if_media.c Modified: head/sys/dev/ixgbe/if_ix.c ============================================================================== --- head/sys/dev/ixgbe/if_ix.c Fri Jan 20 17:14:10 2017 (r312543) +++ head/sys/dev/ixgbe/if_ix.c Fri Jan 20 17:16:48 2017 (r312544) @@ -3878,6 +3878,7 @@ ixgbe_handle_msf(void *context, int pend /* Adjust media types shown in ifconfig */ ifmedia_removeall(&adapter->media); ixgbe_add_media_types(adapter); + ifmedia_set(&adapter->media, IFM_ETHER | IFM_AUTO); IXGBE_CORE_UNLOCK(adapter); return; } Modified: head/sys/net/if_media.c ============================================================================== --- head/sys/net/if_media.c Fri Jan 20 17:14:10 2017 (r312543) +++ head/sys/net/if_media.c Fri Jan 20 17:16:48 2017 (r312544) @@ -107,6 +107,7 @@ ifmedia_removeall(ifm) LIST_REMOVE(entry, ifm_list); free(entry, M_IFADDR); } + ifm->ifm_cur = NULL; } /*