diff options
| author | hselasky <hselasky@FreeBSD.org> | 2016-03-24 09:22:58 +0000 |
|---|---|---|
| committer | hselasky <hselasky@FreeBSD.org> | 2016-03-24 09:22:58 +0000 |
| commit | eeaebf709773790b28a42a2f0fc59b8b552e178f (patch) | |
| tree | b90853e4274e9b1ab7ff0afbb6ddf8737e294c7b | |
| parent | 4716ebf81e8935d76031fbdf0f9807f86570295a (diff) | |
| download | FreeBSD-src-eeaebf709773790b28a42a2f0fc59b8b552e178f.zip FreeBSD-src-eeaebf709773790b28a42a2f0fc59b8b552e178f.tar.gz | |
MFC r292254:
Properly drain callouts in the IPFW subsystem to avoid use after free
panics when unloading the dummynet and IPFW modules:
- The callout drain function can sleep and should not be called having
a non-sleepable lock locked. Remove locks around "ipfw_dyn_uninit(0)".
- Add a new "dn_gone" variable to prevent asynchronous restart of
dummynet callouts when unloading the dummynet kernel module.
- Call "dn_reschedule()" locked so that "dn_gone" can be set and
checked atomically with regard to starting a new callout.
PR: 208171
Requested by: Franco Fichtner (opnsense.org)
Differential Revision: https://reviews.freebsd.org/D3855
| -rw-r--r-- | sys/netpfil/ipfw/ip_dn_io.c | 2 | ||||
| -rw-r--r-- | sys/netpfil/ipfw/ip_dummynet.c | 11 | ||||
| -rw-r--r-- | sys/netpfil/ipfw/ip_fw2.c | 4 |
3 files changed, 11 insertions, 6 deletions
diff --git a/sys/netpfil/ipfw/ip_dn_io.c b/sys/netpfil/ipfw/ip_dn_io.c index 9a4b486..fb75198 100644 --- a/sys/netpfil/ipfw/ip_dn_io.c +++ b/sys/netpfil/ipfw/ip_dn_io.c @@ -619,8 +619,8 @@ dummynet_task(void *context, int pending) dn_drain_queue(); } - DN_BH_WUNLOCK(); dn_reschedule(); + DN_BH_WUNLOCK(); if (q.head != NULL) dummynet_send(q.head); CURVNET_RESTORE(); diff --git a/sys/netpfil/ipfw/ip_dummynet.c b/sys/netpfil/ipfw/ip_dummynet.c index 4de2156..3a12120 100644 --- a/sys/netpfil/ipfw/ip_dummynet.c +++ b/sys/netpfil/ipfw/ip_dummynet.c @@ -74,6 +74,7 @@ struct schk_new_arg { /*---- callout hooks. ----*/ static struct callout dn_timeout; +static int dn_gone; static struct task dn_task; static struct taskqueue *dn_tq = NULL; @@ -89,6 +90,8 @@ void dn_reschedule(void) { + if (dn_gone != 0) + return; callout_reset_sbt(&dn_timeout, tick_sbt, 0, dummynet, NULL, C_HARDCLOCK | C_DIRECT_EXEC); } @@ -2175,9 +2178,11 @@ ip_dn_init(void) static void ip_dn_destroy(int last) { - callout_drain(&dn_timeout); - DN_BH_WLOCK(); + /* ensure no more callouts are started */ + dn_gone = 1; + + /* check for last */ if (last) { ND("removing last instance\n"); ip_dn_ctl_ptr = NULL; @@ -2186,6 +2191,8 @@ ip_dn_destroy(int last) dummynet_flush(); DN_BH_WUNLOCK(); + + callout_drain(&dn_timeout); taskqueue_drain(dn_tq, &dn_task); taskqueue_free(dn_tq); diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index 712c675..1a5b699 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -2704,12 +2704,10 @@ vnet_ipfw_uninit(const void *unused) V_ip_fw_ctl_ptr = NULL; IPFW_UH_WLOCK(chain); IPFW_UH_WUNLOCK(chain); - IPFW_UH_WLOCK(chain); - IPFW_WLOCK(chain); ipfw_dyn_uninit(0); /* run the callout_drain */ - IPFW_WUNLOCK(chain); + IPFW_UH_WLOCK(chain); ipfw_destroy_tables(chain); reap = NULL; IPFW_WLOCK(chain); |
