git: dc569c894207 - main - miibus: Use a bus_child_deleted method to free ivars for children

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Fri, 01 Nov 2024 14:13:09 UTC
The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=dc569c894207a524b0cb542040b35b0edd57d1c8

commit dc569c894207a524b0cb542040b35b0edd57d1c8
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2024-11-01 14:10:01 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2024-11-01 14:10:01 +0000

    miibus: Use a bus_child_deleted method to free ivars for children
    
    If a device was detached (e.g. via devctl) and then re-attached, the
    ivars would be freed by the previous bus_child_detached method during
    detach, but device_get_ivars during the subsequent attach would return
    a stale pointer resulting in a use after free.
    
    Reviewed by:    imp
    Differential Revision:  https://reviews.freebsd.org/D47371
---
 sys/dev/mii/mii.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/dev/mii/mii.c b/sys/dev/mii/mii.c
index 48bbf0d506ce..dde79c189322 100644
--- a/sys/dev/mii/mii.c
+++ b/sys/dev/mii/mii.c
@@ -58,7 +58,7 @@ MODULE_VERSION(miibus, 1);
 
 #include "miibus_if.h"
 
-static bus_child_detached_t miibus_child_detached;
+static bus_child_deleted_t miibus_child_deleted;
 static bus_child_location_t miibus_child_location;
 static bus_child_pnpinfo_t miibus_child_pnpinfo;
 static device_detach_t miibus_detach;
@@ -84,7 +84,7 @@ static device_method_t miibus_methods[] = {
 	/* bus interface */
 	DEVMETHOD(bus_print_child,	miibus_print_child),
 	DEVMETHOD(bus_read_ivar,	miibus_read_ivar),
-	DEVMETHOD(bus_child_detached,	miibus_child_detached),
+	DEVMETHOD(bus_child_deleted,	miibus_child_deleted),
 	DEVMETHOD(bus_child_pnpinfo,	miibus_child_pnpinfo),
 	DEVMETHOD(bus_child_location,	miibus_child_location),
 	DEVMETHOD(bus_hinted_child,	miibus_hinted_child),
@@ -167,7 +167,7 @@ miibus_detach(device_t dev)
 }
 
 static void
-miibus_child_detached(device_t dev, device_t child)
+miibus_child_deleted(device_t dev, device_t child)
 {
 	struct mii_attach_args *args;