svn commit: r287543 - head/sys/dev/netmap

Mon Sep 7 23:16:40 UTC 2015

Author: adrian
Date: Mon Sep  7 23:16:39 2015
New Revision: 287543
URL: https://svnweb.freebsd.org/changeset/base/287543

Log:
  Don't call enable_all_rings if the adapter has been freed.
  
  This is a subtle use-after-free race that results in some very undesirable
  hang behaviour.
  
  Reviewed by:	pkelsey
  Obtained from:	Kip Macy, NextBSD (https://github.com/NextBSD/NextBSD/commit/91a9bd1dbb33dafb41684d054e59d73976de9654)

Modified:
  head/sys/dev/netmap/netmap.c

Modified: head/sys/dev/netmap/netmap.c
==============================================================================

--- head/sys/dev/netmap/netmap.c	Mon Sep  7 21:59:11 2015	(r287542)
+++ head/sys/dev/netmap/netmap.c	Mon Sep  7 23:16:39 2015	(r287543)
@@ -2841,10 +2841,12 @@ void
 netmap_detach(struct ifnet *ifp)
 {
 	struct netmap_adapter *na = NA(ifp);
+	int skip;
 
 	if (!na)
 		return;
 
+	skip = 0;
 	NMG_LOCK();
 	netmap_disable_all_rings(ifp);
 	na->ifp = NULL;
@@ -2856,10 +2858,11 @@ netmap_detach(struct ifnet *ifp)
 	 * the driver is gone.
 	 */
 	if (na->na_flags & NAF_NATIVE) {
-	        netmap_adapter_put(na);
+		skip = netmap_adapter_put(na);
 	}
 	/* give them a chance to notice */
-	netmap_enable_all_rings(ifp);
+	if (skip == 0)
+		netmap_enable_all_rings(ifp);
 	NMG_UNLOCK();
 }
 
