MFC r286799:

Fix race in USB PF which can happen if we stop tracing exactly when the kernel is tapping an USB transfer. This leads to a NULL pointer access. The solution is to only trace while the USB bus lock is locked.
author: hselasky <hselasky@FreeBSD.org> 2015-08-29 06:11:50 +0000
committer: hselasky <hselasky@FreeBSD.org> 2015-08-29 06:11:50 +0000
commit: 6323991c32b50145b2410f193aa0685e74466053 (patch)
tree: b7513c6af1748f611077171dd75c2e98f5d02b87 /sys/dev/usb/usb_pf.c
parent: 10823346a0096906e1c338f89ef960c36b5eae01 (diff)
download: FreeBSD-src-6323991c32b50145b2410f193aa0685e74466053.zip
FreeBSD-src-6323991c32b50145b2410f193aa0685e74466053.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/dev/usb/usb_pf.c b/sys/dev/usb/usb_pf.c
index 27ab5f7..8c47e79 100644
--- a/sys/dev/usb/usb_pf.c
+++ b/sys/dev/usb/usb_pf.c
@@ -220,7 +220,13 @@ usbpf_clone_destroy(struct if_clone *ifc, struct ifnet *ifp)
 	ubus = ifp->if_softc;
 	unit = ifp->if_dunit;
 
+	/*
+	 * Lock USB before clearing the "ifp" pointer, to avoid
+	 * clearing the pointer in the middle of a TAP operation:
+	 */
+	USB_BUS_LOCK(ubus);
 	ubus->ifp = NULL;
+	USB_BUS_UNLOCK(ubus);
 	bpfdetach(ifp);
 	if_detach(ifp);
 	if_free(ifp);
author	hselasky <hselasky@FreeBSD.org>	2015-08-29 06:11:50 +0000
committer	hselasky <hselasky@FreeBSD.org>	2015-08-29 06:11:50 +0000
commit	6323991c32b50145b2410f193aa0685e74466053 (patch)
tree	b7513c6af1748f611077171dd75c2e98f5d02b87 /sys/dev/usb/usb_pf.c
parent	10823346a0096906e1c338f89ef960c36b5eae01 (diff)
download	FreeBSD-src-6323991c32b50145b2410f193aa0685e74466053.zip FreeBSD-src-6323991c32b50145b2410f193aa0685e74466053.tar.gz