git: 7126da66e484 - stable/14 - lagg: Fix a teardown race

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Sun, 14 Jul 2024 16:43:18 UTC
The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=7126da66e4848e89ac29fd7b9da9e6fdb3b52f17

commit 7126da66e4848e89ac29fd7b9da9e6fdb3b52f17
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-06-24 14:47:29 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-07-14 16:16:01 +0000

    lagg: Fix a teardown race
    
    When a lagg interface is destroyed, it destroys all of the lagg ports,
    which triggers an asynchronous link state change handler.  This in turn
    may generate a netlink message, a portion of which requires netlink to
    invoke the SIOCGIFMEDIA ioctl of the lagg interface, which involves
    scanning the list of interface media.  This list is not internally
    locked; it requires the interface driver to provide some kind of
    synchronization.
    
    Shortly after the link state notification has been raised, the lagg
    interface detaches itself from the network stack.  As a part of this, it
    blocks in order to wait for link state handlers to drain, but before
    that it destroys the interface media list.  Reverse this order of
    operations so that the link state change handlers drain first, avoiding
    a use-after-free that is very occasionally triggered by lagg stress
    tests.  This matches other ethernet drivers in the tree.
    
    MFC after:      2 weeks
    
    (cherry picked from commit 02cbf9ebf110c94ec9e60f0801716ff0a75e55e5)
---
 sys/net/if_lagg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/net/if_lagg.c b/sys/net/if_lagg.c
index e55b46a047df..baf2643ff871 100644
--- a/sys/net/if_lagg.c
+++ b/sys/net/if_lagg.c
@@ -636,8 +636,8 @@ lagg_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags)
 
 	switch (ifp->if_type) {
 	case IFT_ETHER:
-		ifmedia_removeall(&sc->sc_media);
 		ether_ifdetach(ifp);
+		ifmedia_removeall(&sc->sc_media);
 		break;
 	case IFT_INFINIBAND:
 		infiniband_ifdetach(ifp);
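
Review bot: In the IFT_ETHER case, nothing in the code records that ifmedia_removeall(&sc->sc_media) must come after ether_ifdetach(ifp), so a later cleanup could swap the two lines back and reintroduce the use-after-free described in the commit message. Consider a short comment above ether_ifdetach(ifp) saying that the detach has to drain the link state handlers before the media list is freed. The IFT_INFINIBAND case in the trailing context shows only infiniband_ifdetach(ifp); it is worth confirming that any media list teardown on that path follows the same order.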