From owner-svn-src-all@freebsd.org Tue Aug 9 17:31:09 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E4576BB3073; Tue, 9 Aug 2016 17:31:09 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9B2E61DCF; Tue, 9 Aug 2016 17:31:09 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from ralph.baldwin.cx (c-73-231-226-104.hsd1.ca.comcast.net [73.231.226.104]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id 94B82B922; Tue, 9 Aug 2016 13:31:07 -0400 (EDT) From: John Baldwin To: Hans Petter Selasky Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r303870 - head/sys/dev/mlx5/mlx5_en Date: Tue, 09 Aug 2016 10:25:45 -0700 Message-ID: <1815980.zoyFBGqzV5@ralph.baldwin.cx> User-Agent: KMail/4.14.3 (FreeBSD/10.3-STABLE; KDE/4.14.3; amd64; ; ) In-Reply-To: <201608090743.u797hF8l000216@repo.freebsd.org> References: <201608090743.u797hF8l000216@repo.freebsd.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Tue, 09 Aug 2016 13:31:08 -0400 (EDT) X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Aug 2016 17:31:10 -0000 On Tuesday, August 09, 2016 07:43:15 AM Hans Petter Selasky wrote: > Author: hselasky > Date: Tue Aug 9 07:43:15 2016 > New Revision: 303870 > URL: https://svnweb.freebsd.org/changeset/base/303870 > > Log: > Fix for use after free. > > Clear the device description to avoid use after free because the > bsddev is not destroyed when the mlx5en module is unloaded. Only when > the parent mlx5 module is unloaded the bsddev is destroyed. This fixes > a panic on listing sysctls which refer strings in the bsddev after the > mlx5en module has been unloaded. > > Sponsored by: Mellanox Technologies > MFC after: 1 week Hmmm, this seems like it is working around a bug somewhere else. device_detach() calls device_set_driver(dev, NULL) which in turn calls device_set_desc(dev, NULL) which should be clearing the description. You can only be leaking a desc pointer if you aren't detaching the device. Not detaching a device but unloading the module containing part (but apparently not all) of its driver would seem to be fraught with peril. Why are you not detaching the mlx5en0 device when unloading this module? -- John Baldwin