From 15b1492c9b09c465f5e13deb85292c0f2173c7fc Mon Sep 17 00:00:00 2001 From: Adrian Chadd Date: Mon, 7 Sep 2015 23:16:39 +0000 Subject: [PATCH] Don't call enable_all_rings if the adapter has been freed. This is a subtle use-after-free race that results in some very undesirable hang behaviour. Reviewed by: pkelsey Obtained from: Kip Macy, NextBSD (https://github.com/NextBSD/NextBSD/commit/91a9bd1dbb33dafb41684d054e59d73976de9654)
---
 sys/dev/netmap/netmap.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c
index 8094fe35256c..56bbf120caff 100644
--- a/sys/dev/netmap/netmap.c
+++ b/sys/dev/netmap/netmap.c
@@ -2841,10 +2841,12 @@ void
 netmap_detach(struct ifnet *ifp)
 {
 struct netmap_adapter *na = NA(ifp);
+ int skip;
 if (!na)
 return;
+ skip = 0;
 NMG_LOCK();
 netmap_disable_all_rings(ifp);
 na->ifp = NULL;
@@ -2856,10 +2858,11 @@ netmap_detach(struct ifnet *ifp)
 * the driver is gone.
 */
 if (na->na_flags & NAF_NATIVE) {
- netmap_adapter_put(na);
+ skip = netmap_adapter_put(na);
 }
 /* give them a chance to notice */
- netmap_enable_all_rings(ifp);
+ if (skip == 0)
+ netmap_enable_all_rings(ifp);
 NMG_UNLOCK();
 }
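Review bot: In the second hunk the guard `if (skip == 0)` depends on `netmap_adapter_put()` returning non-zero exactly when the last reference was dropped and `na` destroyed, but nothing at the call site says so, and the name `skip` (declared in the first hunk) does not convey it. I would add a comment above the assignment, e.g. `/* non-zero: last reference dropped, na is freed; do not touch it or re-enable rings */`, and consider naming the flag for what it records, such as `na_freed`. The hunk also does not show whether the ifnet's adapter pointer is cleared once the adapter goes away; if `NA(ifp)` can still return the stale pointer after this function returns, other paths could presumably hit the same use-after-free, so that is worth confirming. The body of netmap_detach starts in the first hunk and the lines between the two hunks are not shown.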