bpf: don't clear pointer from descriptor to the tap on descriptor close
Needs ReviewPublic
Actions

Authored by glebius on Mon, Feb 2, 9:59 PM.

Details

Reviewers

Group Reviewers

network

Summary

During packet processing the descriptor is looked up using epoch(9) and it
can be accessed after bpf_detachd(). In scenario of descriptor close the
tap point is alive (it actually produces packets) and thus the pointer can
be legitimately dereferenced. This fixes a race on a bpf(4) device close
that would otherwise result in panic.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 70353
Build 67236: arc lint + arc unit

Event Timeline

glebius created this revision.Mon, Feb 2, 9:59 PM

Herald added subscribers: melifaro, imp. · View Herald TranscriptMon, Feb 2, 9:59 PM

glebius requested review of this revision.Mon, Feb 2, 9:59 PM

Harbormaster completed remote builds in B70353: Diff 171024.Mon, Feb 2, 9:59 PM

Is bpf_chkdir() dereferencing a NULL d->bd_bif in net epoch ?

bpfwrite() is locked checking d->bd_bif == NULL and returns ENXIO incase true, and if not, will bpfwrite() then possibly reference a freed bpf_if ?

Revision Contents
Changeset List

Path

Size

sys/

net/

bpf.c

2 lines

Diff 171024

View Options

bpf: don't clear pointer from descriptor to the tap on descriptor closeNeeds ReviewPublicActions