Date: Sun, 29 Nov 2009 19:50:39 +0000 (UTC) From: Pyun YongHyeon <yongari@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r199931 - stable/7/sys/dev/re Message-ID: <200911291950.nATJodsM006764@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: yongari Date: Sun Nov 29 19:50:39 2009 New Revision: 199931 URL: http://svn.freebsd.org/changeset/base/199931 Log: MFC 198814. Add a check to know whether driver is still running after reacquiring driver lock in Rx handler. re(4) drops a driver lock before passing received frame to upper stack and reacquire the lock. During the time window ioctl calls could be executed and if the ioctl was interface down request, driver will stop the controller and free allocated mbufs. After that when driver comes back to Rx handler again it does not know what was happend so it could access free mbufs which in turn cause panic. Reported by: Norbert Papke < npapk <> acm dot org > Tested by: Norbert Papke < npapk <> acm dot org > Modified: stable/7/sys/dev/re/if_re.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/dev/re/if_re.c ============================================================================== --- stable/7/sys/dev/re/if_re.c Sun Nov 29 19:49:21 2009 (r199930) +++ stable/7/sys/dev/re/if_re.c Sun Nov 29 19:50:39 2009 (r199931) @@ -1814,6 +1814,8 @@ re_rxeof(struct rl_softc *sc) for (i = sc->rl_ldata.rl_rx_prodidx; maxpkt > 0; i = RL_RX_DESC_NXT(sc, i)) { + if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) + break; cur_rx = &sc->rl_ldata.rl_rx_list[i]; rxstat = le32toh(cur_rx->rl_cmdstat); if ((rxstat & RL_RDESC_STAT_OWN) != 0)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200911291950.nATJodsM006764>