Date: Wed, 04 Feb 2026 22:07:25 +0000
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 5937e1cdc991 - main - bpf: don't clear pointer from descriptor to the tap on descriptor close
Message-ID: <6983c31d.19fab.6a4635ed@gitrepo.freebsd.org>
The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=5937e1cdc99180b4adae2cf20cabd75dd9f45546

commit 5937e1cdc99180b4adae2cf20cabd75dd9f45546
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2026-02-04 22:07:11 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2026-02-04 22:07:11 +0000

bpf: don't clear pointer from descriptor to the tap on descriptor close

During packet processing the descriptor is looked up using epoch(9) and it can be accessed after bpf_detachd(). In scenario of descriptor close the tap point is alive (it actually produces packets) and thus the pointer can be legitimately dereferenced. This fixes a race on a bpf(4) device close that would otherwise result in panic.

Differential Revision: https://reviews.freebsd.org/D55064

--- sys/net/bpf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/net/bpf.c b/sys/net/bpf.c index 9f0b57728e88..228ac9867bd7 100644 --- a/sys/net/bpf.c +++ b/sys/net/bpf.c @@ -678,8 +678,8 @@ bpf_detachd(struct bpf_d *d, bool detached_ifp) BPFD_LOCK(d); CK_LIST_REMOVE(d, bd_next); writer = (d->bd_writer > 0); - d->bd_bif = NULL; if (detached_ifp) { + d->bd_bif = NULL; /* * Notify descriptor as it's detached, so that any * sleepers wake up and get ENXIO.
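Review bot: The `d->bd_bif = NULL;` line that now sits inside `if (detached_ifp)` has no comment saying why the close path leaves the pointer set; the reason (a descriptor found under epoch(9) can still be accessed after bpf_detachd(), and the tap is alive on close) is recorded only in the commit message. A short comment at the top of the `if (detached_ifp)` block would keep a later cleanup from hoisting the assignment back out and reintroducing the panic. It is also worth confirming that no other code uses `d->bd_bif != NULL` as its test for an attached descriptor, because on the close path the descriptor is now off the list after `CK_LIST_REMOVE(d, bd_next)` while the pointer stays non-NULL.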
