bpf: don't clear pointer from descriptor to the tap on descriptor close
During packet processing the descriptor is looked up using epoch(9) and it can be accessed after bpf_detachd(). In the scenario of descriptor close the tap point is alive (it actually produces packets) and thus the pointer can be legitimately dereferenced.

This fixes a race on a bpf(4) device close that would otherwise result in a panic.

Differential Revision: https://reviews.freebsd.org/D55064
+1
-1
@@ -678,8 +678,8 @@ bpf_detachd(struct bpf_d *d, bool detached_ifp)
|
||||
BPFD_LOCK(d);
|
||||
CK_LIST_REMOVE(d, bd_next);
|
||||
writer = (d->bd_writer > 0);
|
||||
d->bd_bif = NULL;
|
||||
if (detached_ifp) {
|
||||
d->bd_bif = NULL;
|
||||
/*
|
||||
* Notify descriptor as it's detached, so that any
|
||||
* sleepers wake up and get ENXIO.
|
||||
|
||||
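Review bot: The assignment `d->bd_bif = NULL;` now sits inside `if (detached_ifp)` with no comment saying why the close path leaves the pointer set, so the invariant is recorded only in the commit message. A short comment at the top of that branch, noting that packet processing under epoch(9) may still dereference bd_bif after CK_LIST_REMOVE() and that the tap point stays alive when only the descriptor is closed, would keep a later cleanup from moving the store back out of the conditional. Since bd_bif is now non-NULL after bpf_detachd() when detached_ifp is false, it is also worth confirming that nothing run later on the close path treats a NULL bd_bif as the sign that the descriptor is already detached.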