From owner-svn-src-stable@FreeBSD.ORG Sun Nov 29 19:49:21 2009 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CBC4E1065676; Sun, 29 Nov 2009 19:49:21 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id BB57B8FC16; Sun, 29 Nov 2009 19:49:21 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id nATJnL9A006691; Sun, 29 Nov 2009 19:49:21 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id nATJnLk3006689; Sun, 29 Nov 2009 19:49:21 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <200911291949.nATJnLk3006689@svn.freebsd.org> From: Pyun YongHyeon Date: Sun, 29 Nov 2009 19:49:21 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r199930 - stable/8/sys/dev/re X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Nov 2009 19:49:21 -0000 Author: yongari Date: Sun Nov 29 19:49:21 2009 New Revision: 199930 URL: http://svn.freebsd.org/changeset/base/199930 Log: MFC 198814. Add a check to know whether driver is still running after reacquiring driver lock in Rx handler. re(4) drops a driver lock before passing received frame to upper stack and reacquire the lock. During the time window ioctl calls could be executed and if the ioctl was interface down request, driver will stop the controller and free allocated mbufs. After that when driver comes back to Rx handler again it does not know what was happend so it could access free mbufs which in turn cause panic. Reported by: Norbert Papke < npapk <> acm dot org > Tested by: Norbert Papke < npapk <> acm dot org > Modified: stable/8/sys/dev/re/if_re.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) stable/8/sys/dev/xen/xenpci/ (props changed) Modified: stable/8/sys/dev/re/if_re.c ============================================================================== --- stable/8/sys/dev/re/if_re.c Sun Nov 29 19:47:31 2009 (r199929) +++ stable/8/sys/dev/re/if_re.c Sun Nov 29 19:49:21 2009 (r199930) @@ -1817,6 +1817,8 @@ re_rxeof(struct rl_softc *sc, int *rx_np for (i = sc->rl_ldata.rl_rx_prodidx; maxpkt > 0; i = RL_RX_DESC_NXT(sc, i)) { + if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) + break; cur_rx = &sc->rl_ldata.rl_rx_list[i]; rxstat = le32toh(cur_rx->rl_cmdstat); if ((rxstat & RL_RDESC_STAT_OWN) != 0)