svn commit: r303870 - head/sys/dev/mlx5/mlx5_en
Hans Petter Selasky
hselasky at FreeBSD.org
Tue Aug 9 07:43:17 UTC 2016
Author: hselasky
Date: Tue Aug 9 07:43:15 2016
New Revision: 303870
URL: https://svnweb.freebsd.org/changeset/base/303870
Log:
Fix for use after free.
Clear the device description to avoid use after free because the
bsddev is not destroyed when the mlx5en module is unloaded. Only when
the parent mlx5 module is unloaded the bsddev is destroyed. This fixes
a panic on listing sysctls which refer strings in the bsddev after the
mlx5en module has been unloaded.
Sponsored by: Mellanox Technologies
MFC after: 1 week
Modified:
head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c
Modified: head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c
==============================================================================
--- head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Tue Aug 9 06:11:24 2016 (r303869)
+++ head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Tue Aug 9 07:43:15 2016 (r303870)
@@ -3108,6 +3108,13 @@ mlx5e_destroy_ifp(struct mlx5_core_dev *
/* don't allow more IOCTLs */
priv->gone = 1;
+ /*
+ * Clear the device description to avoid use after free,
+ * because the bsddev is not destroyed when this module is
+ * unloaded:
+ */
+ device_set_desc(mdev->pdev->dev.bsddev, NULL);
+
/* XXX wait a bit to allow IOCTL handlers to complete */
pause("W", hz);
More information about the svn-src-head
mailing list