Author: hselasky
Date: Sat Aug 15 09:00:36 2015
New Revision: 286799
URL: https://svnweb.freebsd.org/changeset/base/286799

Log:
  Fix a race in USB PF which can happen if we stop tracing exactly when
  the kernel is tapping a USB transfer. This leads to a NULL pointer
  access. The solution is to only trace while the USB bus lock is
  held.
  
  MFC after:    2 weeks

Modified:
  head/sys/dev/usb/usb_pf.c
  head/sys/dev/usb/usb_transfer.c

Modified: head/sys/dev/usb/usb_pf.c
==============================================================================
--- head/sys/dev/usb/usb_pf.c   Sat Aug 15 08:42:33 2015        (r286798)
+++ head/sys/dev/usb/usb_pf.c   Sat Aug 15 09:00:36 2015        (r286799)
@@ -221,7 +221,13 @@ usbpf_clone_destroy(struct if_clone *ifc
        ubus = ifp->if_softc;
        unit = ifp->if_dunit;
 
+       /*
+        * Lock USB before clearing the "ifp" pointer, to avoid
+        * clearing the pointer in the middle of a TAP operation:
+        */
+       USB_BUS_LOCK(ubus);
        ubus->ifp = NULL;
+       USB_BUS_UNLOCK(ubus);
        bpfdetach(ifp);
        if_detach(ifp);
        if_free(ifp);
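Review bot: The new comment above `USB_BUS_LOCK(ubus)` documents only the writer side, yet the fix is sound only if every reader loads `ubus->ifp` and finishes using it within a single hold of the bus lock. The lock is released before `bpfdetach(ifp)`, `if_detach(ifp)` and `if_free(ifp)`, so a tap that cached the pointer and used it after unlocking would turn the NULL dereference into a use-after-free. I would extend the comment with something like `Readers (usbpf_xfertap) must read and use ubus->ifp entirely under the bus lock; after the unlock below no tap may still reference the old ifp.` The body of usbpf_clone_destroy starts and ends outside this hunk, so the teardown after `if_free` is not visible here.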

Modified: head/sys/dev/usb/usb_transfer.c
==============================================================================
--- head/sys/dev/usb/usb_transfer.c     Sat Aug 15 08:42:33 2015        
(r286798)
+++ head/sys/dev/usb/usb_transfer.c     Sat Aug 15 09:00:36 2015        
(r286799)
@@ -2398,8 +2398,11 @@ usbd_callback_wrapper(struct usb_xfer_qu
        }
 
 #if USB_HAVE_PF
-       if (xfer->usb_state != USB_ST_SETUP)
+       if (xfer->usb_state != USB_ST_SETUP) {
+               USB_BUS_LOCK(info->bus);
                usbpf_xfertap(xfer, USBPF_XFERTAP_DONE);
+               USB_BUS_UNLOCK(info->bus);
+       }
 #endif
        /* call processing routine */
        (xfer->callback) (xfer, xfer->error);
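Review bot: The locking rule for `usbpf_xfertap()` is enforced only by convention at this one call site in usbd_callback_wrapper, so any other caller that taps without holding the bus lock would presumably still hit the same race. An assertion at the top of `usbpf_xfertap()` (which is not part of this diff), for example `USB_BUS_LOCK_ASSERT(bus, MA_OWNED);`, would make the invariant self-checking on INVARIANTS kernels and catch a future unlocked call site. It is also worth confirming that nothing on the tap path can sleep or take a lock ordered before the bus mutex, since the whole capture now runs with it held. The enclosing function begins and ends outside the hunk, so whether the bus lock can already be held on entry to this block cannot be judged from the visible lines.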