From owner-svn-src-all@FreeBSD.ORG  Mon Nov  2 18:35:07 2009
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4681B106568F;
	Mon,  2 Nov 2009 18:35:06 +0000 (UTC)
	(envelope-from yongari@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 34F588FC1A;
	Mon,  2 Nov 2009 18:35:06 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id nA2IZ6e9065998;
	Mon, 2 Nov 2009 18:35:06 GMT (envelope-from yongari@svn.freebsd.org)
Received: (from yongari@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id nA2IZ6WI065996;
	Mon, 2 Nov 2009 18:35:06 GMT (envelope-from yongari@svn.freebsd.org)
Message-Id: <200911021835.nA2IZ6WI065996@svn.freebsd.org>
From: Pyun YongHyeon <yongari@FreeBSD.org>
Date: Mon, 2 Nov 2009 18:35:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r198814 - head/sys/dev/re
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2009 18:35:07 -0000

Author: yongari
Date: Mon Nov  2 18:35:05 2009
New Revision: 198814
URL: http://svn.freebsd.org/changeset/base/198814

Log:
  Add a check to know whether driver is still running after
  reacquiring driver lock in Rx handler. re(4) drops a driver lock
  before passing received frame to upper stack and reacquire the
  lock. During the time window ioctl calls could be executed and if
  the ioctl was interface down request, driver will stop the
  controller and free allocated mbufs. After that when driver comes
  back to Rx handler again it does not know what was happend so it
  could access free mbufs which in turn cause panic.
  
  Reported by:	 Norbert Papke < npapk <> acm dot org >
  Tested by:	 Norbert Papke < npapk <> acm dot org >

Modified:
  head/sys/dev/re/if_re.c

Modified: head/sys/dev/re/if_re.c
==============================================================================
--- head/sys/dev/re/if_re.c	Mon Nov  2 18:15:11 2009	(r198813)
+++ head/sys/dev/re/if_re.c	Mon Nov  2 18:35:05 2009	(r198814)
@@ -1817,6 +1817,8 @@ re_rxeof(struct rl_softc *sc, int *rx_np
 
 	for (i = sc->rl_ldata.rl_rx_prodidx; maxpkt > 0;
 	    i = RL_RX_DESC_NXT(sc, i)) {
+		if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0)
+			break;
 		cur_rx = &sc->rl_ldata.rl_rx_list[i];
 		rxstat = le32toh(cur_rx->rl_cmdstat);
 		if ((rxstat & RL_RDESC_STAT_OWN) != 0)