On Thu, May 28, 2020 at 12:14:43PM +0200, Martin Pieuchot wrote:
> On 26/05/20(Tue) 16:12, Vitaliy Makkoveev wrote:
> > `pppx_if' has a `pxi_ready' field used to prevent access to an incomplete
> > `pxi'. But we don't prevent access to a `pxi' which we destroy.
> > pppx_if_destroy() can sleep, so we can grab a `pxi' which is already
> > being destroyed by a concurrent thread and cause a use-after-free issue. I guess
> > we should use `pxi_ready' to prevent access to `pxi' at the destroy stage too.
> 
> What about setting this field as first step in pppx_if_destroy()?

This time it makes sense.

Index: sys/net/if_pppx.c
===================================================================
RCS file: /cvs/src/sys/net/if_pppx.c,v
retrieving revision 1.86
diff -u -p -r1.86 if_pppx.c
--- sys/net/if_pppx.c   26 May 2020 08:02:54 -0000      1.86
+++ sys/net/if_pppx.c   28 May 2020 12:06:41 -0000
@@ -1004,6 +1004,7 @@ pppx_if_destroy(struct pppx_dev *pxd, st
        struct pipex_session *session;
 
        NET_ASSERT_LOCKED();
+       pxi->pxi_ready = 0;
        session = &pxi->pxi_session;
        ifp = &pxi->pxi_if;
 
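Review bot: clearing `pxi->pxi_ready` here only closes the race if every lookup that tests `pxi_ready` does so under the same net lock asserted by `NET_ASSERT_LOCKED()` one line above; a reader that checks the flag without that lock can still pass the check before the clear and use the session after it is torn down. Since the thread's whole justification is that pppx_if_destroy() may sleep later in the function, a one-line comment above `pxi->pxi_ready = 0;` saying it must stay ahead of any sleeping point would keep a future reordering from silently reopening the use-after-free.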
