Fix reference to free memory in ixgbe/if_media.c

When ixgbe receives an interrupt indicating that a new optical module
may have been inserted, it discards all of its current media types
by calling ifmedia_removeall() and then creates a new set of media
types for the supported media on the new module.  However,
ifmedia_removeall() was maintaining a pointer to whatever the
current media type was before the call to ifmedia_removealL().
The result of this was that any attempt to read the current media
type of the interface (e.g. via ifconfig) would return potentially
garbage data from free memory (or if one were particularly unlucky
on an architecture that does not malloc() from a direct map, page
fault the kernel).

Fix this by NULL'ing out the current media field in if_media.c,
and have ixgbe update the current media type after recreating
them.

Submitted by:	Matt Joras <matt.joras AT gmail DOT com>
Reviewed by:	sbruno, erj
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D9164
This commit is contained in:
Ryan Stone 2017-01-20 17:16:48 +00:00
parent 625571de20
commit 7d309e8e40
2 changed files with 2 additions and 0 deletions

View File

@ -3878,6 +3878,7 @@ ixgbe_handle_msf(void *context, int pending)
/* Adjust media types shown in ifconfig */
ifmedia_removeall(&adapter->media);
ixgbe_add_media_types(adapter);
ifmedia_set(&adapter->media, IFM_ETHER | IFM_AUTO);
IXGBE_CORE_UNLOCK(adapter);
return;
}

View File

@ -107,6 +107,7 @@ ifmedia_removeall(ifm)
LIST_REMOVE(entry, ifm_list);
free(entry, M_IFADDR);
}
ifm->ifm_cur = NULL;
}
/*