FreeBSD Bugzilla – Attachment 221501 Details for
Bug 252608
[panic] [usb] [if_ure] Kernel fault on ure disconnect
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for second issue - please test
if.diff (text/plain), 3.29 KB, created by
Hans Petter Selasky
on 2021-01-12 18:03:35 UTC
(
hide
)
Description:
Patch for second issue - please test
Filename:
MIME Type:
Creator:
Hans Petter Selasky
Created:
2021-01-12 18:03:35 UTC
Size:
3.29 KB
patch
obsolete
>commit ea7d71dfa833755abd143a877bb9b5d1945c4661 >Author: Hans Petter Selasky <hselasky@FreeBSD.org> >Date: Tue Jan 12 18:51:09 2021 +0100 > > Fix for use-after-free by if_ioctl callback in USB drivers. > > PR: 252608 > MFC after: 1 week > Sponsored by: Mellanox Technologies // NVIDIA Networking > >diff --git a/sys/dev/usb/net/if_usie.c b/sys/dev/usb/net/if_usie.c >index 8c64ad71be4..45f0621bec4 100644 >--- a/sys/dev/usb/net/if_usie.c >+++ b/sys/dev/usb/net/if_usie.c >@@ -483,7 +483,7 @@ usie_detach(device_t self) > usbd_transfer_unsetup(sc->sc_if_xfer, USIE_IF_N_XFER); > bpfdetach(sc->sc_ifp); > if_detach(sc->sc_ifp); >- if_free(sc->sc_ifp); >+ if_free_sync(sc->sc_ifp); > sc->sc_ifp = NULL; > } > /* detach ucom */ >diff --git a/sys/dev/usb/net/uhso.c b/sys/dev/usb/net/uhso.c >index c72fa8d7a36..9d964b3c144 100644 >--- a/sys/dev/usb/net/uhso.c >+++ b/sys/dev/usb/net/uhso.c >@@ -693,8 +693,8 @@ uhso_detach(device_t self) > uhso_if_stop(sc); > bpfdetach(sc->sc_ifp); > if_detach(sc->sc_ifp); >- if_free(sc->sc_ifp); > mtx_unlock(&sc->sc_mtx); >+ if_free_sync(sc->sc_ifp); > usbd_transfer_unsetup(sc->sc_if_xfer, UHSO_IFNET_MAX); > } > >diff --git a/sys/dev/usb/net/usb_ethernet.c b/sys/dev/usb/net/usb_ethernet.c >index e1eb2c247b5..b8c8c82b96c 100644 >--- a/sys/dev/usb/net/usb_ethernet.c >+++ b/sys/dev/usb/net/usb_ethernet.c >@@ -292,7 +292,7 @@ ue_attach_post_task(struct usb_proc_msg *_task) > /* free unit */ > free_unr(ueunit, ue->ue_unit); > if (ue->ue_ifp != NULL) { >- if_free(ue->ue_ifp); >+ if_free_sync(ue->ue_ifp); > ue->ue_ifp = NULL; > } > UE_LOCK(ue); >@@ -330,7 +330,7 @@ uether_ifdetach(struct usb_ether *ue) > ether_ifdetach(ifp); > > /* free interface instance */ >- if_free(ifp); >+ if_free_sync(ifp); > > /* free sysctl */ > sysctl_ctx_free(&ue->ue_sysctl_ctx); >diff --git a/sys/dev/usb/usb_pf.c b/sys/dev/usb/usb_pf.c >index 6ccb5ebbc62..a0f0ec62fb0 100644 >--- a/sys/dev/usb/usb_pf.c >+++ b/sys/dev/usb/usb_pf.c >@@ -232,7 +232,7 @@ usbpf_clone_destroy(struct if_clone *ifc, struct ifnet *ifp) > USB_BUS_UNLOCK(ubus); > bpfdetach(ifp); > if_detach(ifp); >- if_free(ifp); >+ if_free_sync(ifp); > ifc_free_unit(ifc, unit); > > return (0); >diff --git a/sys/net/if.c b/sys/net/if.c >index 68ed4cf65dc..b312feab42f 100644 >--- a/sys/net/if.c >+++ b/sys/net/if.c >@@ -753,6 +753,24 @@ if_rele(struct ifnet *ifp) > NET_EPOCH_CALL(if_destroy, &ifp->if_epoch_ctx); > } > >+/* This function blocks until all refcounts are gone on the network interface structure. */ >+void >+if_free_sync(struct ifnet *ifp) >+{ >+ /* get our refcount */ >+ if_ref(ifp); >+ >+ /* kick freeing of network interface */ >+ if_free(ifp); >+ >+ /* wait until all refs are gone */ >+ while (refcount_load(&ifp->if_refcount) != 1) >+ pause("W", hz); >+ >+ /* drop the final reference */ >+ if_rele(ifp); >+} >+ > void > ifq_init(struct ifaltq *ifq, struct ifnet *ifp) > { >diff --git a/sys/net/if_var.h b/sys/net/if_var.h >index beb9596895e..76822d9a616 100644 >--- a/sys/net/if_var.h >+++ b/sys/net/if_var.h >@@ -653,6 +653,7 @@ struct ifmultiaddr * > if_findmulti(struct ifnet *, const struct sockaddr *); > void if_freemulti(struct ifmultiaddr *ifma); > void if_free(struct ifnet *); >+void if_free_sync(struct ifnet *); > void if_initname(struct ifnet *, const char *, int); > void if_link_state_change(struct ifnet *, int); > int if_printf(struct ifnet *, const char *, ...) __printflike(2, 3);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 252608
:
221491
|
221501
|
221506