
ng_eiface: fix kernel panic due to the race condition in ng_eiface shutdown
Closed, Public

Authored by afedorov on Apr 24 2020, 1:08 PM.
Referenced Files
F108542189: D24557.id70977.diff
Sun, Jan 26, 3:11 AM

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Looks good to me (with the suggested change). If I understand correctly, the crash happens when ng_eiface_mediastatus (which dereferences ifm->ifm_cur) is called after ifmedia_removeall (which sets ifm->ifm_cur = NULL), but before ether_ifdetach.

sys/netgraph/ng_eiface.c
628 (On Diff #70940)

Move the ifmedia_removeall before if_free, because the ifmedia callbacks need to access ifp, and so in theory the callbacks may be called after if_free and before ifmedia_removeall, resulting in a crash (if lucky).
Moreover, ifdetach --> ifmedia_removeall --> if_free is the same sequence used in all the other drivers.

This revision now requires changes to proceed. Apr 24 2020, 8:32 PM
afedorov marked an inline comment as done.
This revision is now accepted and ready to land. Apr 25 2020, 12:14 PM
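The teardown orderings discussed in the review comments above, as an added example that is not code from this revision or from FreeBSD: a small user-space model that counts the windows in which the media status callback could run against NULL or freed state. The struct, the step names and the reachability rule (callback callable while the interface is attached or the ifmedia state still exists) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; these are not the kernel's types or functions. */
enum step { DETACH, REMOVEALL, FREE };

struct model {
    bool attached;   /* cleared by the ether_ifdetach step */
    bool media_live; /* ifm_cur is non-NULL until the ifmedia_removeall step */
    bool ifp_live;   /* ifp memory is valid until the if_free step */
};

/* Assumption: the status callback can still be invoked while the interface
 * is attached or while the ifmedia state has not been removed. */
static bool callback_reachable(const struct model *m)
{
    return m->attached || m->media_live;
}

/* The callback dereferences both ifm_cur and ifp, so both must be valid. */
static bool callback_safe(const struct model *m)
{
    return m->media_live && m->ifp_live;
}

/* Apply a teardown order and count the states between steps in which the
 * callback is reachable but would touch NULL or freed state. */
int unsafe_windows(const enum step order[3])
{
    struct model m = { true, true, true };
    int unsafe = 0;

    for (int i = 0; i < 3; i++) {
        switch (order[i]) {
        case DETACH:    m.attached = false;   break;
        case REMOVEALL: m.media_live = false; break;
        case FREE:      m.ifp_live = false;   break;
        }
        if (callback_reachable(&m) && !callback_safe(&m))
            unsafe++;
    }
    return unsafe;
}

const enum step removeall_first[3]       = { REMOVEALL, DETACH, FREE };
const enum step free_before_removeall[3] = { DETACH, FREE, REMOVEALL };
const enum step suggested[3]             = { DETACH, REMOVEALL, FREE };

int main(void)
{
    printf("removeall first: %d\n", unsafe_windows(removeall_first));
    printf("free before removeall: %d\n", unsafe_windows(free_before_removeall));
    printf("detach, removeall, free: %d\n", unsafe_windows(suggested));
    return 0;
}
```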