Page MenuHomeFreeBSD
Differential D10255

Fix a double free in ixgbe_rxeof()
ClosedPublic
Actions

Authored by rstone on Apr 3 2017, 7:00 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Feb 10, 2:14 PM
Unknown Object (File)
Wed, Jan 29, 9:16 PM
Unknown Object (File)
Sun, Jan 19, 7:49 PM
Unknown Object (File)
Sun, Jan 19, 7:45 PM
Unknown Object (File)
Jan 1 2025, 10:10 AM
Unknown Object (File)
Dec 31 2024, 9:20 AM
Unknown Object (File)
Dec 30 2024, 10:01 AM
Unknown Object (File)
Dec 29 2024, 10:30 AM
View All 57 Files
Subscribers
None

Details

Reviewers
sbruno
Group Reviewers
Intel Networking
Commits
rS316541: Fix a double free in ixgbe_rxeof()
Summary

When a packet is longer than PAGE_SIZE bytes, ixgbe has to
split it across multiple descriptors. As it build up the
mbuf chain representing the packet, it saves the mbuf chain
in the rxbuf struct for the next descriptor index. If the
interface is disabled while ixgbe is doing this, a stale mbuf
chain will be left in the rxbuf.

When the interface is brought back up, the init routine ignores
the built-up mbuf chain, but it does free the mbuf associated with
the descriptor. This means that the mbuf chain is left in a state
where the final mbuf in the chain is now free. When receive starts
again, once it processes that descriptor rxeof will encounter the
stale mbuf chain and begin processing it, eventually passing it up
the stack. Eventually the chain is freed and the final mbuf in
the chain is freed a second time, leading to all the hilarity that
a double free in the kernel can cause.

Also correct an error case that did not perform proper locking
before touching an rx ring.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

rstone created this revision.Apr 3 2017, 7:00 PM
Herald added a reviewer: sbruno. · View Herald TranscriptApr 3 2017, 7:00 PM
Herald added a reviewer: Intel Networking. · View Herald Transcript
Harbormaster completed remote builds in B8465: Diff 26979.Apr 3 2017, 7:00 PM
rstone added a comment.Apr 3 2017, 7:02 PM

I'm not sure what we want to do with this fix given the imminent iflib conversion, but at least this should go into stable branches.

rstone updated this revision to Diff 26980.Apr 3 2017, 7:04 PM

Add the locking mentioned the description but omitted from the
actual revision.

sbruno accepted this revision.Apr 5 2017, 7:49 PM

I'm going to commit this to head and then mfc it next week to stable/11 and whatnot. This shouldn't be blocked due to iflib-ification.

This revision is now accepted and ready to land.Apr 5 2017, 7:49 PM
Closed by commit rS316541: Fix a double free in ixgbe_rxeof() (authored by sbruno). · Explain WhyApr 5 2017, 7:53 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
dev/
ixgbe/
30 lines

Diff 27110

View Options

head/sys/dev/ixgbe/ix_txrx.c

Loading...