Date: Tue, 28 May 2019 17:10:46 -0700
From: Gleb Smirnoff
To: "Andrey V. Elsukov" , kib@freebsd.org
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r348303 - head/sys/net
Message-ID: <20190529001046.GC21836@FreeBSD.org>
References: <201905271241.x4RCffTm047128@repo.freebsd.org>
In-Reply-To: <201905271241.x4RCffTm047128@repo.freebsd.org>

Hi Andrey,

I made a different change to mitigate this panic: don't clear the pointer.

--- a/FreeBSD/sys/net/bpf.c
+++ b/FreeBSD/sys/net/bpf.c
@@ -857,7 +857,6 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp)
 	/* Save bd_writer value */
 	error = d->bd_writer;
 	ifp = bp->bif_ifp;
-	d->bd_bif = NULL;
 	if (detached_ifp) {
 		/*
 		 * Notify descriptor as it's detached, so that any

Since every bpf_d holds a reference on bpf_if until delayed free happens, the bpf_if is going to be valid. This allows us not to use epoch_wait and to run fully async.

The patch above is a minimal patch: with the NULL assignment removed, several more pieces of code can be removed in bpf.c.

Of course your patch also is going to work, but what do you think: are there any landmines with the fully async approach?

On Mon, May 27, 2019 at 12:41:41PM +0000, Andrey V. Elsukov wrote:
A> Author: ae
A> Date: Mon May 27 12:41:41 2019
A> New Revision: 348303
A> URL: https://svnweb.freebsd.org/changeset/base/348303
A> 
A> Log:
A>   Fix possible NULL pointer dereference.
A> 
A>   bpf_mtap() can invoke catchpacket() for an already detached descriptor.
A>   And this can lead to NULL pointer dereference, since bd_bif pointer
A>   was reset to NULL in bpf_detachd_locked(). To avoid this, use
A>   NET_EPOCH_WAIT() when descriptor is removed from interface's descriptors
A>   list. After the wait it is safe to modify descriptor's content.
A> 
A>   Submitted by:	kib
A>   Reported by:	slavash
A>   MFC after:	1 week
A> 
A> Modified:
A>   head/sys/net/bpf.c
A> 
A> Modified: head/sys/net/bpf.c
A> ==============================================================================
A> --- head/sys/net/bpf.c	Mon May 27 06:37:23 2019	(r348302)
A> +++ head/sys/net/bpf.c	Mon May 27 12:41:41 2019	(r348303)
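Review bot: removing `d->bd_bif = NULL;` from bpf_detachd_locked() leaves the hunk with no replacement indicator of the descriptor's detached state, while the entry check of the same function (`if ((bp = d->bd_bif) == NULL) return;` in the quoted r348303 hunk) treats a non-NULL bd_bif as "still attached"; after this change a repeated detach of the same descriptor, or any other code that tests bd_bif for attachment, will no longer recognise it as detached. Either give the attachment check a new discriminator, or at least put the invariant the message relies on (every bpf_d holds a reference on its bpf_if until the delayed free) into a comment at the removal site, since the hunk itself carries no explanation of why the pointer may stay live.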
A> @@ -850,10 +850,15 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp)
A>  	/* Check if descriptor is attached */
A>  	if ((bp = d->bd_bif) == NULL)
A>  		return;
A> +	/*
A> +	 * Remove d from the interface's descriptor list.
A> +	 * And wait until bpf_[m]tap*() will finish their possible work
A> +	 * with descriptor.
A> +	 */
A> +	CK_LIST_REMOVE(d, bd_next);
A> +	NET_EPOCH_WAIT();
A>  
A>  	BPFD_LOCK(d);
A> -	/* Remove d from the interface's descriptor list. */
A> -	CK_LIST_REMOVE(d, bd_next);
A>  	/* Save bd_writer value */
A>  	error = d->bd_writer;
A>  	ifp = bp->bif_ifp;
A> 

-- 
Gleb Smirnoff
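Review bot: NET_EPOCH_WAIT() can block, and the hunk places it in bpf_detachd_locked() before BPFD_LOCK(d) is taken, so the only lock held across the wait is whatever the caller of the _locked variant already holds; the new comment should state that requirement explicitly (caller must be in a sleepable context and must not hold a lock that a bpf_[m]tap*() reader inside its epoch section could need), otherwise the wait cannot complete. Moving CK_LIST_REMOVE() out from under BPFD_LOCK(d) also changes which lock covers the list unlink; if the interface's descriptor list is guarded by the caller's lock rather than by BPFD_LOCK, say so in the same comment. Style: "And wait until bpf_[m]tap*() will finish their possible work with descriptor" reads better as "then wait until any bpf_[m]tap*() in progress has finished with the descriptor".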