diff options
author | csjp <csjp@FreeBSD.org> | 2008-07-05 20:11:28 +0000 |
---|---|---|
committer | csjp <csjp@FreeBSD.org> | 2008-07-05 20:11:28 +0000 |
commit | 4f71d026f8087303d3275d6eb52644273d89fa85 (patch) | |
tree | 74143742684e31feda258eda605fa03ea431ec16 /sys/net/bpf.c | |
parent | f53bcee721b132e008c9544f7d685a087fbe6f06 (diff) | |
download | FreeBSD-src-4f71d026f8087303d3275d6eb52644273d89fa85.zip FreeBSD-src-4f71d026f8087303d3275d6eb52644273d89fa85.tar.gz |
Make sure we are clearing the ZBUF_FLAG_IMMUTABLE any time a free buffer
is reclaimed by the kernel. This fixes a bug resulted in the kernel
over writing packet data while user-space was still processing it when
zerocopy is enabled. (Or a panic if invariants was enabled).
Discussed with: rwatson
Diffstat (limited to 'sys/net/bpf.c')
-rw-r--r-- | sys/net/bpf.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/sys/net/bpf.c b/sys/net/bpf.c index cb83eba..e03f30e 100644 --- a/sys/net/bpf.c +++ b/sys/net/bpf.c @@ -200,6 +200,28 @@ bpf_append_mbuf(struct bpf_d *d, caddr_t buf, u_int offset, void *src, } /* + * This function gets called when the free buffer is re-assigned. + */ +static void +bpf_buf_reclaimed(struct bpf_d *d) +{ + + BPFD_LOCK_ASSERT(d); + + switch (d->bd_bufmode) { + case BPF_BUFMODE_BUFFER: + return; + + case BPF_BUFMODE_ZBUF: + bpf_zerocopy_buf_reclaimed(d); + return; + + default: + panic("bpf_buf_reclaimed"); + } +} + +/* * If the buffer mechanism has a way to decide that a held buffer can be made * free, then it is exposed via the bpf_canfreebuf() interface. (1) is * returned if the buffer can be discarded, (0) is returned if it cannot. @@ -744,6 +766,7 @@ bpfread(struct cdev *dev, struct uio *uio, int ioflag) d->bd_fbuf = d->bd_hbuf; d->bd_hbuf = NULL; d->bd_hlen = 0; + bpf_buf_reclaimed(d); BPFD_UNLOCK(d); return (error); @@ -887,6 +910,7 @@ reset_d(struct bpf_d *d) /* Free the hold buffer. */ d->bd_fbuf = d->bd_hbuf; d->bd_hbuf = NULL; + bpf_buf_reclaimed(d); } d->bd_slen = 0; d->bd_hlen = 0; @@ -1717,6 +1741,7 @@ catchpacket(struct bpf_d *d, u_char *pkt, u_int pktlen, u_int snaplen, d->bd_fbuf = d->bd_hbuf; d->bd_hbuf = NULL; d->bd_hlen = 0; + bpf_buf_reclaimed(d); } /* |