| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2026-02-04 22:07:11 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2026-02-04 22:07:11 +0000 |
| commit | 5937e1cdc99180b4adae2cf20cabd75dd9f45546 (patch) | |
| tree | 61741d83b1b769cd941e130b76ad1072d5bd5701 | |
| parent | e40817302ebdf89df2f3bcd679fb7f2a18c244dc (diff) | |
bpf: don't clear pointer from descriptor to the tap on descriptor close
During packet processing the descriptor is looked up using epoch(9) and it
can be accessed after bpf_detachd(). In the scenario of descriptor close the
tap point is alive (it actually produces packets) and thus the pointer can
be legitimately dereferenced. This fixes a race on a bpf(4) device close
that would otherwise result in panic.
Differential Revision: https://reviews.freebsd.org/D55064
| -rw-r--r-- | sys/net/bpf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/net/bpf.c b/sys/net/bpf.c index 9f0b57728e88..228ac9867bd7 100644 --- a/sys/net/bpf.c +++ b/sys/net/bpf.c @@ -678,8 +678,8 @@ bpf_detachd(struct bpf_d *d, bool detached_ifp) BPFD_LOCK(d); CK_LIST_REMOVE(d, bd_next); writer = (d->bd_writer > 0); - d->bd_bif = NULL; if (detached_ifp) { + d->bd_bif = NULL; /* * Notify descriptor as it's detached, so that any * sleepers wake up and get ENXIO. |
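Review bot: In bpf_detachd(), moving `d->bd_bif = NULL;` under `if (detached_ifp)` means the close path now leaves bd_bif set after `CK_LIST_REMOVE(d, bd_next)`, and nothing in the code says this is intentional. Please add a short comment ahead of the `if` stating that epoch(9) readers may still dereference d->bd_bif after a descriptor close, so the pointer is cleared only when the interface itself is detached; without it, a later cleanup could easily move the assignment back. Two things to confirm before this lands: that no other code treats a non-NULL bd_bif as meaning the descriptor is still on the tap's list, since that no longer holds after close, and that readers which can still reach the descriptor in the detached_ifp case tolerate the NULL that branch still stores.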
