Panic: Use-after-free in bfe

Tai-hwa Liang avatar at mmlab.cse.yzu.edu.tw
Mon Mar 14 05:25:40 PST 2005 

Hello Phil,

   Would you please rebuild your if_bfe.ko with the attached patch and
tell me whether it fixes your problem or not?  The attached patch is for 
-CURRENT as of Mar-12-2005; however, you should be able to apply it to 
5-STABLE as well.

-- 
Cheers,
Tai-hwa Liang

On Wed, 9 Mar 2005 pcasidy at casidy.com wrote:
[...]
> --- trap 0xc, eip = 0xc07a810, esp = 0xe5e61c90, ebp = 0xe5e61c98 ---
> _bus_dmamap_unload(c3102400,c3104540) at _bus_dmamap_unload+0x16
> bfe_rx_ring_free(c3105000,c3105000,c3105000,e5e61cd8,c04dd0a3) at
>    bfe_rx_ring_free+0x50
> bfe_stop(c3105000,400,c3105000,e5e61cf4,c04dcae7) at bfe_stop+0x45
> bfe_init_locked(c3105000) at bfe_init_locked+0x33
> bfe_intr(c3105000) at bfe_intr+0x9f
> ithread_loop(c2fe9500,e5e61d48,c2fe9500,c0601a54,0) at
>    ithread_loop+0x120
> fork_exit(c0601a54,c2fe9500,e5e61d48) at fork_exit+0xa4
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xe5e61d7c, ebp = 0 ---
> db>
>     >>>>>>
>
> On -STABLE the panic is preceded by a "storm interrupt" on "irq18: bfe0
> uhci2" and dmesg reports:
>
> bfe0: <Broadcom BCM4401 Fast Ethernet> mem 0xfaffe000-0xfaffffff irq 18 at device 0.0 on pci2
> bfe0: Ethernet address: 00:11:43:65:ab:d1
> miibus0: <MII bus> on bfe0
> bmtphy0: <BCM4401 10/100baseTX PHY> on miibus0
> bmtphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
>
>
> For the moment, I use NDISulator to have this NIC working and I am
> compiling a new STABLE kernel with DDB and KDB.
>
> Do not hesitate to ask me more information as long as I can provide them
> using the fixit terminal on the miniinst SNAP.
>
> Thanks
>
> Phil.
-------------- next part --------------
--- sys/dev/bfe/if_bfe.c.orig	Mon Jan 10 03:57:55 2005
+++ sys/dev/bfe/if_bfe.c	Sat Mar 12 23:52:10 2005
@@ -541,8 +541,6 @@
 			sc->bfe_tx_ring[i].bfe_mbuf = NULL;
 			bus_dmamap_unload(sc->bfe_tag,
 					sc->bfe_tx_ring[i].bfe_map);
-			bus_dmamap_destroy(sc->bfe_tag,
-					sc->bfe_tx_ring[i].bfe_map);
 		}
 	}
 	bzero(sc->bfe_tx_list, BFE_TX_LIST_SIZE);
@@ -560,15 +558,12 @@
 			sc->bfe_rx_ring[i].bfe_mbuf = NULL;
 			bus_dmamap_unload(sc->bfe_tag,
 					sc->bfe_rx_ring[i].bfe_map);
-			bus_dmamap_destroy(sc->bfe_tag,
-					sc->bfe_rx_ring[i].bfe_map);
 		}
 	}
 	bzero(sc->bfe_rx_list, BFE_RX_LIST_SIZE);
 	bus_dmamap_sync(sc->bfe_rx_tag, sc->bfe_rx_map, BUS_DMASYNC_PREREAD);
 }
 
-
 static int
 bfe_list_rx_init(struct bfe_softc *sc)
 {
@@ -975,6 +970,10 @@
 		for(i = 0; i < BFE_TX_LIST_CNT; i++) {
 			bus_dmamap_destroy(sc->bfe_tag,
 			    sc->bfe_tx_ring[i].bfe_map);
+		}
+		for(i = 0; i < BFE_RX_LIST_CNT; i++) {
+			bus_dmamap_destroy(sc->bfe_tag,
+			    sc->bfe_rx_ring[i].bfe_map);
 		}
 		bus_dma_tag_destroy(sc->bfe_tag);
 		sc->bfe_tag = NULL;

More information about the freebsd-current mailing list