Add dead_bpf_if structure, that should be used as fake bpf_if

during ifnet detach. Since destroying interface is not atomic operation and due to the lack of synhronization during destroy, it is possible, that in the time between bpfdetach() and if_free() some queued on destroying interface mbuf will be used by ether_input_internal() and bpf_peers_present() can dereference NULL bpf_if pointer. To protect from this, assign pointer to empty bpf_if_ext structure instead of NULL pointer after bpfdetach(). Reviewed by: melifaro, eugen Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D15083
svn path=/head/; revision=332812
2024-07-22 10:48:02 +00:00 · 2018-04-20 09:57:31 +00:00 · 2018-04-20 09:57:31 +00:00 · 2b9600b449 · 2020-12-20 02:59:44 +00:00
parent d83f17e5f9
commit 2b9600b449
1 changed files with 5 additions and 1 deletions
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@ -98,6 +98,10 @@ __FBSDID("$FreeBSD$");

 MALLOC_DEFINE(M_BPF, "BPF", "BPF data");

+static struct bpf_if_ext dead_bpf_if = {
+	.bif_dlist = LIST_HEAD_INITIALIZER()
+};
+
 struct bpf_if {
 #define	bif_next	bif_ext.bif_next
 #define	bif_dlist	bif_ext.bif_dlist
@ -2659,7 +2663,7 @@ bpfdetach(struct ifnet *ifp)
 		 */
 		BPFIF_WLOCK(bp);
 		bp->bif_flags |= BPFIF_FLAG_DYING;
-		*bp->bif_bpf = NULL;
+		*bp->bif_bpf = (struct bpf_if *)&dead_bpf_if;;
 		BPFIF_WUNLOCK(bp);

 		CTR4(KTR_NET, "%s: sheduling free for encap %d (%p) for if %p",