From owner-svn-src-all@FreeBSD.ORG  Sun Nov 29 19:50:39 2009
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 743FC1065679;
	Sun, 29 Nov 2009 19:50:39 +0000 (UTC)
	(envelope-from yongari@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 63D8D8FC0C;
	Sun, 29 Nov 2009 19:50:39 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id nATJod1a006766;
	Sun, 29 Nov 2009 19:50:39 GMT (envelope-from yongari@svn.freebsd.org)
Received: (from yongari@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id nATJodsM006764;
	Sun, 29 Nov 2009 19:50:39 GMT (envelope-from yongari@svn.freebsd.org)
Message-Id: <200911291950.nATJodsM006764@svn.freebsd.org>
From: Pyun YongHyeon <yongari@FreeBSD.org>
Date: Sun, 29 Nov 2009 19:50:39 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r199931 - stable/7/sys/dev/re
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2009 19:50:39 -0000

Author: yongari
Date: Sun Nov 29 19:50:39 2009
New Revision: 199931
URL: http://svn.freebsd.org/changeset/base/199931

Log:
  MFC 198814.
    Add a check to know whether driver is still running after
    reacquiring driver lock in Rx handler. re(4) drops a driver lock
    before passing received frame to upper stack and reacquire the
    lock. During the time window ioctl calls could be executed and if
    the ioctl was interface down request, driver will stop the
    controller and free allocated mbufs. After that when driver comes
    back to Rx handler again it does not know what was happend so it
    could access free mbufs which in turn cause panic.
  
    Reported by:	Norbert Papke < npapk <> acm dot org >
    Tested by:	Norbert Papke < npapk <> acm dot org >

Modified:
  stable/7/sys/dev/re/if_re.c
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/dev/re/if_re.c
==============================================================================
--- stable/7/sys/dev/re/if_re.c	Sun Nov 29 19:49:21 2009	(r199930)
+++ stable/7/sys/dev/re/if_re.c	Sun Nov 29 19:50:39 2009	(r199931)
@@ -1814,6 +1814,8 @@ re_rxeof(struct rl_softc *sc)
 
 	for (i = sc->rl_ldata.rl_rx_prodidx; maxpkt > 0;
 	    i = RL_RX_DESC_NXT(sc, i)) {
+		if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
+			break;
 		cur_rx = &sc->rl_ldata.rl_rx_list[i];
 		rxstat = le32toh(cur_rx->rl_cmdstat);
 		if ((rxstat & RL_RDESC_STAT_OWN) != 0)