bpf: don't clear pointer from descriptor to the tap on descriptor close

During packet processing the descriptor is looked up using epoch(9) and it
can be accessed after bpf_detachd().  In the scenario of a descriptor close
the tap point is alive (it actually produces packets) and thus the pointer
can be legitimately dereferenced.  This fixes a race on a bpf(4) device close
that would otherwise result in a panic.

Differential Revision:	https://reviews.freebsd.org/D55064
Gleb Smirnoff
2026-02-04 14:07:11 -08:00
parent e40817302e
commit 5937e1cdc9
+1 -1
@@ -678,8 +678,8 @@ bpf_detachd(struct bpf_d *d, bool detached_ifp)
BPFD_LOCK(d);
CK_LIST_REMOVE(d, bd_next);
writer = (d->bd_writer > 0);
d->bd_bif = NULL;
if (detached_ifp) {
d->bd_bif = NULL;
/*
* Notify descriptor as it's detached, so that any
* sleepers wake up and get ENXIO.
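Review bot: moving `d->bd_bif = NULL;` under `if (detached_ifp)` leaves the invariant it depends on unstated next to the code: after a plain close (detached_ifp false) `bd_bif` keeps pointing at the bpf_if for as long as an epoch(9) reader may still hold the descriptor, so the bpf_if must outlive that grace period, which is exactly the case the commit message describes (the tap is alive) but the function body does not say so. Suggest a short comment on the `if (detached_ifp)` branch, e.g. "Keep bd_bif on descriptor close: epoch readers that found this descriptor may still dereference it; clear only when the interface itself is going away", so a later cleanup does not reintroduce the unconditional clear that caused the panic.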