From owner-svn-src-head@freebsd.org Tue Aug 9 07:43:16 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D7782BB3E20; Tue, 9 Aug 2016 07:43:16 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9CD6E1E1D; Tue, 9 Aug 2016 07:43:16 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u797hFmC000217; Tue, 9 Aug 2016 07:43:15 GMT (envelope-from hselasky@FreeBSD.org) Received: (from hselasky@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u797hF8l000216; Tue, 9 Aug 2016 07:43:15 GMT (envelope-from hselasky@FreeBSD.org) Message-Id: <201608090743.u797hF8l000216@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: hselasky set sender to hselasky@FreeBSD.org using -f From: Hans Petter Selasky Date: Tue, 9 Aug 2016 07:43:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r303870 - head/sys/dev/mlx5/mlx5_en X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Aug 2016 07:43:17 -0000 Author: hselasky Date: Tue Aug 9 07:43:15 2016 New Revision: 303870 URL: https://svnweb.freebsd.org/changeset/base/303870 Log: Fix for use after free. Clear the device description to avoid use after free because the bsddev is not destroyed when the mlx5en module is unloaded. Only when the parent mlx5 module is unloaded the bsddev is destroyed. This fixes a panic on listing sysctls which refer strings in the bsddev after the mlx5en module has been unloaded. Sponsored by: Mellanox Technologies MFC after: 1 week Modified: head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Modified: head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c ============================================================================== --- head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Tue Aug 9 06:11:24 2016 (r303869) +++ head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Tue Aug 9 07:43:15 2016 (r303870) @@ -3108,6 +3108,13 @@ mlx5e_destroy_ifp(struct mlx5_core_dev * /* don't allow more IOCTLs */ priv->gone = 1; + /* + * Clear the device description to avoid use after free, + * because the bsddev is not destroyed when this module is + * unloaded: + */ + device_set_desc(mdev->pdev->dev.bsddev, NULL); + /* XXX wait a bit to allow IOCTL handlers to complete */ pause("W", hz);