git: 24069f0dc073 - stable/12 - infiniband: Widen NET_EPOCH coverage
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 10 Apr 2023 05:08:03 UTC
The branch stable/12 has been updated by zlei:
URL: https://cgit.FreeBSD.org/src/commit/?id=24069f0dc0730248bd5b09e50b12e37645d57c31
commit 24069f0dc0730248bd5b09e50b12e37645d57c31
Author: Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2023-04-02 16:51:49 +0000
Commit: Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-04-10 05:06:22 +0000
infiniband: Widen NET_EPOCH coverage
From static code analysis, some device drivers (cxgbe, mlx4, mthca, and qlnx)
do not enter net epoch before lagg_input_infiniband(). If IPoIB interface is a
member of lagg(4) interface, and after returning from lagg_input_infiniband()
the receiving interface of mbuf is set to lagg(4) interface, then when
concurrently destroying the lagg(4) interface, there is a small window that the
interface gets destroyed and becomes invalid before infiniband_input() re-enter
net epoch, thus leading use-after-free.
Widen NET_EPOCH coverage to prevent use-after-free.
Thanks hselasky@ for testing with mlx5 devices.
Reviewed by: hselasky
Tested by: hselasky
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D39275
(cherry picked from commit 90820ef121b38479f2479c03c12c69f940f5fa33)
(cherry picked from commit 5d45e09d50e648a75667c9b12b204eb62fa60ed2)
---
sys/net/if_infiniband.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/net/if_infiniband.c b/sys/net/if_infiniband.c
index b644f91f2cda..3fe4fb0616e8 100644
--- a/sys/net/if_infiniband.c
+++ b/sys/net/if_infiniband.c
@@ -407,6 +407,7 @@ infiniband_input(struct ifnet *ifp, struct mbuf *m)
int isr;
CURVNET_SET_QUIET(ifp->if_vnet);
+ NET_EPOCH_ENTER_ET(et);
if ((ifp->if_flags & IFF_UP) == 0) {
if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
@@ -494,10 +495,9 @@ infiniband_input(struct ifnet *ifp, struct mbuf *m)
mac_ifnet_create_mbuf(ifp, m);
#endif
/* Allow monitor mode to claim this frame, after stats are updated. */
- NET_EPOCH_ENTER_ET(et);
netisr_dispatch(isr, m);
- NET_EPOCH_EXIT_ET(et);
done:
+ NET_EPOCH_EXIT_ET(et);
CURVNET_RESTORE();
}