git: 5937e1cdc991 - main - bpf: don't clear pointer from descriptor to the tap on descriptor close

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Wed, 04 Feb 2026 22:07:25 UTC
The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=5937e1cdc99180b4adae2cf20cabd75dd9f45546

commit 5937e1cdc99180b4adae2cf20cabd75dd9f45546
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2026-02-04 22:07:11 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2026-02-04 22:07:11 +0000

    bpf: don't clear pointer from descriptor to the tap on descriptor close
    
    During packet processing the descriptor is looked up using epoch(9) and it
    can be accessed after bpf_detachd().  In the scenario of descriptor close
    the tap point is alive (it actually produces packets) and thus the pointer
    can be legitimately dereferenced.  This fixes a race on a bpf(4) device
    close that would otherwise result in a panic.
    
    Differential Revision:  https://reviews.freebsd.org/D55064
---
 sys/net/bpf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 9f0b57728e88..228ac9867bd7 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -678,8 +678,8 @@ bpf_detachd(struct bpf_d *d, bool detached_ifp)
 	BPFD_LOCK(d);
 	CK_LIST_REMOVE(d, bd_next);
 	writer = (d->bd_writer > 0);
-	d->bd_bif = NULL;
 	if (detached_ifp) {
+		d->bd_bif = NULL;
 		/*
 		 * Notify descriptor as it's detached, so that any
 		 * sleepers wake up and get ENXIO.
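
Review bot: the close path (detached_ifp false) now leaves d->bd_bif pointing at the tap after CK_LIST_REMOVE(d, bd_next), and nothing in the code says this is deliberate. A short comment above `if (detached_ifp) {` would help, stating that epoch(9) readers may still dereference bd_bif after the descriptor is unlinked and that the pointer is cleared only when the interface itself is going away. It is also worth confirming that no other code relies on bd_bif == NULL as the test for a descriptor that has already been detached by close, since that condition no longer holds on this path.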