NetBSD Problem Report #51081

From www@NetBSD.org  Thu Apr 21 05:21:47 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 075BC7A221
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 21 Apr 2016 05:21:47 +0000 (UTC)
Message-Id: <20160421052141.64D327AA95@mollari.NetBSD.org>
Date: Thu, 21 Apr 2016 05:21:41 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: calling ioctl while attaching wifi device causes a jump to NULL
X-Send-Pr-Version: www-1.0

>Number:         51081
>Category:       kern
>Synopsis:       calling ioctl while attaching wifi device causes a jump to NULL
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 21 05:25:00 +0000 2016
>Closed-Date:    Mon May 02 10:59:12 +0000 2016
>Last-Modified:  Mon May 02 10:59:12 +0000 2016
>Originator:     coypu
>Release:        NetBSD 7.99.27
>Organization:
>Environment:
NetBSD net.Home 7.99.27 NetBSD 7.99.27 (GENERIC) #3: Wed Apr 20 00:08:35 IDT 2016  fly@net.Home:/usr/obj.wip/sys/arch/amd64/compile/GENERIC amd64
>Description:
The device is exposed before it is completely initialized.
If users try to use it, some things may still be undefined.

Calling ioctl can induce calls like (sys/net/if_media.c:322)
(*ifm->ifm_status)(ifp, ifmr);

*ifm->ifm_status may not be defined at this point, so it becomes a jump to NULL.
>How-To-Repeat:
Attach a wifi device and be really unlucky, or while running this (may require a few attempts):

#include <sys/ioctl.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Local copy of struct ifmediareq (same layout as the kernel's), so that
   SIOCGIFMEDIA can be used without pulling in <net/if.h>. */
struct ifmediareq {
        char    ifm_name[16];                   /* if name, e.g. "en0" */
        int     ifm_current;                    /* current media options */
        int     ifm_mask;                       /* don't care mask */
        int     ifm_status;                     /* media status */
        int     ifm_active;                     /* active options */
        int     ifm_count;                      /* # entries in ifm_ulist
                                                   array */
        int     *ifm_ulist;                     /* media words */
};

int main(void) {
        struct ifmediareq ifmr;         /* a real object, not an uninitialised pointer */
        int fd;

        memset(&ifmr, 0, sizeof(ifmr));
        strlcpy(ifmr.ifm_name, "urtwn0", sizeof(ifmr.ifm_name));
        /* Any socket will do for interface ioctls; this is the pair ifconfig(8)
           uses.  AF_UNSPEC has no protocol domain, so that socket() call fails. */
        fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd == -1) {
                perror("socket");
                return 1;
        }
        /* Hammer the interface with SIOCGIFMEDIA while the device is attaching. */
        for (;;)
                ioctl(fd, SIOCGIFMEDIA, &ifmr);
}

>Fix:
magically make ieee80211_media_init happen before if_attach / if_register (not possible right now?)

this probably affects all wifi devices and not just urtwn, but not all of them can be attached as easily while the machine is running.
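A user-space model of the ordering problem described above, added here as an illustration (it is not code from this PR or from NetBSD; every name with a _sim suffix and the SIM_ constants are stand-ins constructed for the example). It shows the attach order the report complains about, the order the Fix field asks for, and a dispatcher that applies the NULL-callback guard to both media callbacks instead of calling through whatever pointer happens to be there:

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures; not NetBSD's declarations. */
struct ifnet;
struct ifmediareq_sim { int ifm_status; int ifm_active; };
typedef void (*ifm_status_fn)(struct ifnet *, struct ifmediareq_sim *);
typedef int  (*ifm_change_fn)(struct ifnet *);

struct ifmedia_sim {
        ifm_change_fn ifm_change;       /* NULL until media init has run */
        ifm_status_fn ifm_status;       /* NULL until media init has run */
};
struct ifnet { char if_xname[16]; struct ifmedia_sim if_media; };

#define SIM_SIOCGIFMEDIA 1UL
#define SIM_SIOCSIFMEDIA 2UL
#define SIM_IFM_AVALID   0x1
#define SIM_IFM_ACTIVE   0x2

/* The interface list: once an ifnet is here, an ioctl from userland can reach it. */
static struct ifnet *ifnet_list[4];
static int ifnet_count;

static void reset_ifnet_list(void) { ifnet_count = 0; }
static void if_attach_sim(struct ifnet *ifp) {
        if (ifnet_count < 4) ifnet_list[ifnet_count++] = ifp;
}
static struct ifnet *ifunit_sim(const char *name) {
        for (int i = 0; i < ifnet_count; i++)
                if (strcmp(ifnet_list[i]->if_xname, name) == 0) return ifnet_list[i];
        return NULL;
}

static void media_status_sim(struct ifnet *ifp, struct ifmediareq_sim *ifmr) {
        (void)ifp;
        ifmr->ifm_status = SIM_IFM_AVALID | SIM_IFM_ACTIVE;
        ifmr->ifm_active = 0;
}
static int media_change_sim(struct ifnet *ifp) { (void)ifp; return 0; }

/* Stand-in for ieee80211_media_init(): installs the media callbacks. */
static void ieee80211_media_init_sim(struct ifnet *ifp) {
        ifp->if_media.ifm_change = media_change_sim;
        ifp->if_media.ifm_status = media_status_sim;
}

/* Dispatcher with the guard from the PR's patch, applied to both callbacks:
 * a request arriving before init gets EINVAL instead of a call through NULL. */
static int ifmedia_ioctl_sim(const char *name, unsigned long cmd,
    struct ifmediareq_sim *ifmr) {
        struct ifnet *ifp = ifunit_sim(name);
        struct ifmedia_sim *ifm;

        if (ifp == NULL) return ENXIO;
        ifm = &ifp->if_media;
        switch (cmd) {
        case SIM_SIOCGIFMEDIA:
                if (ifm->ifm_status == NULL) return EINVAL;
                (*ifm->ifm_status)(ifp, ifmr);
                return 0;
        case SIM_SIOCSIFMEDIA:
                if (ifm->ifm_change == NULL) return EINVAL;
                return (*ifm->ifm_change)(ifp);
        default:
                return EINVAL;
        }
}

/* Attach order from the report: reachable first, callbacks installed later. */
static void attach_racy_expose(struct ifnet *ifp, const char *name) {
        memset(ifp, 0, sizeof(*ifp));
        snprintf(ifp->if_xname, sizeof(ifp->if_xname), "%s", name);
        if_attach_sim(ifp);             /* the window opens here */
}

/* Order the Fix field asks for: callbacks in place before the interface is visible. */
static void attach_safe(struct ifnet *ifp, const char *name) {
        memset(ifp, 0, sizeof(*ifp));
        snprintf(ifp->if_xname, sizeof(ifp->if_xname), "%s", name);
        ieee80211_media_init_sim(ifp);
        if_attach_sim(ifp);
}

/* Scenarios; each returns the dispatcher's result so it can be checked. */
static int demo_during_attach(void) {
        static struct ifnet ifp; struct ifmediareq_sim r = { 0, 0 };
        reset_ifnet_list();
        attach_racy_expose(&ifp, "urtwn0");
        return ifmedia_ioctl_sim("urtwn0", SIM_SIOCGIFMEDIA, &r);   /* EINVAL */
}
static int demo_after_attach(void) {
        static struct ifnet ifp; struct ifmediareq_sim r = { 0, 0 };
        reset_ifnet_list();
        attach_racy_expose(&ifp, "urtwn0");
        ieee80211_media_init_sim(&ifp);                             /* window closed */
        if (ifmedia_ioctl_sim("urtwn0", SIM_SIOCGIFMEDIA, &r) != 0) return -1;
        return r.ifm_status;                                        /* AVALID|ACTIVE */
}
static int demo_safe_order(void) {
        static struct ifnet ifp; struct ifmediareq_sim r = { 0, 0 };
        reset_ifnet_list();
        attach_safe(&ifp, "urtwn1");
        return ifmedia_ioctl_sim("urtwn1", SIM_SIOCGIFMEDIA, &r);   /* 0 */
}

int main(void) {
        printf("during racy attach: %d (EINVAL is %d)\n", demo_during_attach(), EINVAL);
        printf("after racy attach:  status 0x%x\n", demo_after_attach());
        printf("safe attach order:  %d\n", demo_safe_order());
        return 0;
}
```

The guard turns the crash into a visible EINVAL, which is what the patch in the audit trail below does for ifm_status; the attach_safe path shows that the ordering change is what removes the window altogether.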

>Release-Note:

>Audit-Trail:
From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/51081: calling ioctl while attaching wifi device causes a
 jump to NULL
Date: Thu, 21 Apr 2016 15:12:27 +0000

 This seems to do the trick:

 diff --git a/sys/net/if_media.c b/sys/net/if_media.c
 index 3b1df50..6d42ada 100644
 --- a/sys/net/if_media.c
 +++ b/sys/net/if_media.c
 @@ -237,7 +237,7 @@ ifmedia_ioctl(struct ifnet *ifp, struct ifreq *ifr, struct ifmedia *ifm,
         struct oifreq *oifr = (struct oifreq *)ifr;
  #endif

 -       if (ifp == NULL || ifr == NULL || ifm == NULL)
 +       if (ifp == NULL || ifr == NULL || ifm == NULL || ifm->ifm_status == NULL)
                 return (EINVAL);

         switch (cmd) {
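 Review bot: the new `ifm->ifm_status == NULL` test in the EINVAL guard covers only the status callback; ifmedia_ioctl() also dispatches through `ifm->ifm_change` for SIOCSIFMEDIA, and that pointer is installed by the same ifmedia_init() call that installs ifm_status, so it is equally NULL in the window this PR describes and needs the same treatment, e.g. `|| ifm->ifm_change == NULL` in the same condition. The check is also not taken under any lock the attach path holds, so it narrows the window rather than closing it: an attach that installs the callbacks between the check and the call still leaves a half-initialised ifmedia visible. The committed fix below (taking the kernel_lock around USB device discovery) addresses that side; this guard is still worth keeping as a cheap backstop.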

From: "Nick Hudson" <skrll@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/51081 CVS commit: src/sys/dev/usb
Date: Thu, 21 Apr 2016 15:42:56 +0000

 Module Name:	src
 Committed By:	skrll
 Date:		Thu Apr 21 15:42:56 UTC 2016

 Modified Files:
 	src/sys/dev/usb: usb_subr.c

 Log Message:
 autoconf(9) requires the kernel_lock so take it while discovering new
 devices.

 PR/51081: calling ioctl while attaching wifi device causes a jump to NULL


 To generate a diff of this commit:
 cvs rdiff -u -r1.208 -r1.209 src/sys/dev/usb/usb_subr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: skrll@NetBSD.org
State-Changed-When: Mon, 02 May 2016 10:59:12 +0000
State-Changed-Why:
Fixed


>Unformatted:
