Date: Fri, 20 Apr 2018 09:57:31 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r332812 - head/sys/net Message-ID: <201804200957.w3K9vVed020972@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Fri Apr 20 09:57:31 2018 New Revision: 332812 URL: https://svnweb.freebsd.org/changeset/base/332812 Log: Add dead_bpf_if structure, that should be used as fake bpf_if during ifnet detach. Since destroying interface is not atomic operation and due to the lack of synhronization during destroy, it is possible, that in the time between bpfdetach() and if_free() some queued on destroying interface mbuf will be used by ether_input_internal() and bpf_peers_present() can dereference NULL bpf_if pointer. To protect from this, assign pointer to empty bpf_if_ext structure instead of NULL pointer after bpfdetach(). Reviewed by: melifaro, eugen Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D15083 Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c ============================================================================== --- head/sys/net/bpf.c Fri Apr 20 09:54:06 2018 (r332811) +++ head/sys/net/bpf.c Fri Apr 20 09:57:31 2018 (r332812) @@ -98,6 +98,10 @@ __FBSDID("$FreeBSD$"); MALLOC_DEFINE(M_BPF, "BPF", "BPF data"); +static struct bpf_if_ext dead_bpf_if = { + .bif_dlist = LIST_HEAD_INITIALIZER() +}; + struct bpf_if { #define bif_next bif_ext.bif_next #define bif_dlist bif_ext.bif_dlist @@ -2659,7 +2663,7 @@ bpfdetach(struct ifnet *ifp) */ BPFIF_WLOCK(bp); bp->bif_flags |= BPFIF_FLAG_DYING; - *bp->bif_bpf = NULL; + *bp->bif_bpf = (struct bpf_if *)&dead_bpf_if;; BPFIF_WUNLOCK(bp); CTR4(KTR_NET, "%s: sheduling free for encap %d (%p) for if %p",
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201804200957.w3K9vVed020972>