From owner-svn-src-head@FreeBSD.ORG  Thu Apr 12 01:07:17 2012
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E5C89106566B;
	Thu, 12 Apr 2012 01:07:17 +0000 (UTC)
	(envelope-from thompsa@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id B74398FC0A;
	Thu, 12 Apr 2012 01:07:17 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q3C17H26003746;
	Thu, 12 Apr 2012 01:07:17 GMT (envelope-from thompsa@svn.freebsd.org)
Received: (from thompsa@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id q3C17H42003743;
	Thu, 12 Apr 2012 01:07:17 GMT (envelope-from thompsa@svn.freebsd.org)
Message-Id: <201204120107.q3C17H42003743@svn.freebsd.org>
From: Andrew Thompson <thompsa@FreeBSD.org>
Date: Thu, 12 Apr 2012 01:07:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r234163 - head/sys/net
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2012 01:07:18 -0000

Author: thompsa
Date: Thu Apr 12 01:07:17 2012
New Revision: 234163
URL: http://svn.freebsd.org/changeset/base/234163

Log:
  Set the proto to LAGG_PROTO_NONE before calling the detach routine so packets
  are discarded, this is an issue because lacp drops the lock which may allow
  network threads to access freed memory. Expand the lock coverage so the
  detach/attach happen atomically.
  
  Submitted by:	Andrew Boyer (earlier version)

Modified:
  head/sys/net/if_lagg.c

Modified: head/sys/net/if_lagg.c
==============================================================================
--- head/sys/net/if_lagg.c	Thu Apr 12 00:59:30 2012	(r234162)
+++ head/sys/net/if_lagg.c	Thu Apr 12 01:07:17 2012	(r234163)
@@ -950,11 +950,11 @@ lagg_ioctl(struct ifnet *ifp, u_long cmd
 			error = EPROTONOSUPPORT;
 			break;
 		}
+		LAGG_WLOCK(sc);
 		if (sc->sc_proto != LAGG_PROTO_NONE) {
-			LAGG_WLOCK(sc);
-			error = sc->sc_detach(sc);
-			/* Reset protocol and pointers */
+			/* Reset protocol first in case detach unlocks */
 			sc->sc_proto = LAGG_PROTO_NONE;
+			error = sc->sc_detach(sc);
 			sc->sc_detach = NULL;
 			sc->sc_start = NULL;
 			sc->sc_input = NULL;
@@ -966,10 +966,14 @@ lagg_ioctl(struct ifnet *ifp, u_long cmd
 			sc->sc_lladdr = NULL;
 			sc->sc_req = NULL;
 			sc->sc_portreq = NULL;
-			LAGG_WUNLOCK(sc);
+		} else if (sc->sc_input != NULL) {
+			/* Still detaching */
+			error = EBUSY;
 		}
-		if (error != 0)
+		if (error != 0) {
+			LAGG_WUNLOCK(sc);
 			break;
+		}
 		for (int i = 0; i < (sizeof(lagg_protos) /
 		    sizeof(lagg_protos[0])); i++) {
 			if (lagg_protos[i].ti_proto == ra->ra_proto) {
@@ -977,7 +981,6 @@ lagg_ioctl(struct ifnet *ifp, u_long cmd
 					printf("%s: using proto %u\n",
 					    sc->sc_ifname,
 					    lagg_protos[i].ti_proto);
-				LAGG_WLOCK(sc);
 				sc->sc_proto = lagg_protos[i].ti_proto;
 				if (sc->sc_proto != LAGG_PROTO_NONE)
 					error = lagg_protos[i].ti_attach(sc);
@@ -985,6 +988,7 @@ lagg_ioctl(struct ifnet *ifp, u_long cmd
 				return (error);
 			}
 		}
+		LAGG_WUNLOCK(sc);
 		error = EPROTONOSUPPORT;
 		break;
 	case SIOCGLAGGFLAGS: