From nobody@FreeBSD.org  Thu May 12 13:49:33 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 556A4106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 12 May 2011 13:49:33 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 454758FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 12 May 2011 13:49:33 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p4CDnXU4079504
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 12 May 2011 13:49:33 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p4CDnXMU079503;
	Thu, 12 May 2011 13:49:33 GMT
	(envelope-from nobody)
Message-Id: <201105121349.p4CDnXMU079503@red.freebsd.org>
Date: Thu, 12 May 2011 13:49:33 GMT
From: Andrew Boyer <aboyer@averesystems.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [lagg][patch] Take lagg rlock before checking flags
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         156978
>Category:       kern
>Synopsis:       [lagg][patch] Take lagg rlock before checking flags
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 12 13:50:09 UTC 2011
>Closed-Date:    Wed Jul 27 07:03:11 UTC 2011
>Last-Modified:  Wed Jul 27 07:03:11 UTC 2011
>Originator:     Andrew Boyer
>Release:        8.2-RELEASE
>Organization:
Avere Systems
>Environment:
N/A
>Description:
lagg_input() tests flags in the lagg data structures without a lock.  If the flags check passes, it then takes the rlock.  It is safer to take the rlock before testing the flags.

When interfaces are changing it is possible to get kernel panics without this change.
>How-To-Repeat:
Rebooting a system with laggs configured sometimes panics with a NULL pointer dereference.
>Fix:
Take the rlock before testing the flags.

Patch attached with submission follows:

Index: sys/net/if_lagg.c
===================================================================
--- sys/net/if_lagg.c	(revision 221809)
+++ sys/net/if_lagg.c	(working copy)
@@ -1221,14 +1221,15 @@
 	struct lagg_softc *sc = lp->lp_softc;
 	struct ifnet *scifp = sc->sc_ifp;
 
+	LAGG_RLOCK(sc);
 	if ((scifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
 	    (lp->lp_flags & LAGG_PORT_DISABLED) ||
 	    sc->sc_proto == LAGG_PROTO_NONE) {
+		LAGG_RUNLOCK(sc);
 		m_freem(m);
 		return (NULL);
 	}
 
-	LAGG_RLOCK(sc);
 	ETHER_BPF_MTAP(scifp, m);
 
 	m = (*sc->sc_input)(sc, lp, m);
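Review bot: `sc` is computed from `lp->lp_softc` in the unchanged context line above the new `LAGG_RLOCK(sc)`, so `lp` is still dereferenced before any lagg lock is held; moving the lock closes the window between the flags test and the `(*sc->sc_input)(sc, lp, m)` call, but it does not by itself protect that first dereference, which relies on the caller keeping the port alive while a frame is in flight. Since the PR attributes the panic to interfaces changing, a one-line comment above `struct lagg_softc *sc = lp->lp_softc;` stating that liveness assumption would make the remaining dependency explicit for the next reader.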


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu May 12 14:36:20 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156978 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/156978: commit references a PR
Date: Thu,  7 Jul 2011 20:02:22 +0000 (UTC)

 Author: thompsa
 Date: Thu Jul  7 20:02:09 2011
 New Revision: 223846
 URL: http://svn.freebsd.org/changeset/base/223846
 
 Log:
   Grab the rlock before checking if our interface is enabled, it could be
   possible to hit a dead pointer when changing interfaces.
   
   PR:		kern/156978
   Submitted by:	Andrew Boyer
   MFC after:	1 week
 
 Modified:
   head/sys/net/if_lagg.c
 
 Modified: head/sys/net/if_lagg.c
 ==============================================================================
 --- head/sys/net/if_lagg.c	Thu Jul  7 18:07:03 2011	(r223845)
 +++ head/sys/net/if_lagg.c	Thu Jul  7 20:02:09 2011	(r223846)
 @@ -1221,14 +1221,15 @@ lagg_input(struct ifnet *ifp, struct mbu
  	struct lagg_softc *sc = lp->lp_softc;
  	struct ifnet *scifp = sc->sc_ifp;
  
 +	LAGG_RLOCK(sc);
  	if ((scifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
  	    (lp->lp_flags & LAGG_PORT_DISABLED) ||
  	    sc->sc_proto == LAGG_PROTO_NONE) {
 +		LAGG_RUNLOCK(sc);
  		m_freem(m);
  		return (NULL);
  	}
  
 -	LAGG_RLOCK(sc);
  	ETHER_BPF_MTAP(scifp, m);
  
  	m = (*sc->sc_input)(sc, lp, m);
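Review bot: the new early-exit path correctly pairs `LAGG_RUNLOCK(sc)` with `m_freem(m)` before `return (NULL)`, but the hunk stops at the `(*sc->sc_input)(sc, lp, m)` call and does not show the unlock that the relocated `LAGG_RLOCK(sc)` now covers further down; confirm there is no other return between the two and that `sc_proto` and `sc_input` are always updated together on the writer side of the same lock, because evaluating `sc->sc_proto == LAGG_PROTO_NONE` under the rlock is exactly what makes the later indirect call through `sc->sc_input` safe.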
 
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Tue Jul 26 14:52:18 UTC 2011 
State-Changed-Why:  
thompsa@ has committed the patch to HEAD in r223846. 

State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Wed Jul 27 07:02:47 UTC 2011 
State-Changed-Why:  
Merged to RELENG_8. 

>Unformatted:
