svn commit: r286799 - head/sys/dev/usb
Hans Petter Selasky
hselasky at FreeBSD.org
Sat Aug 15 09:00:37 UTC 2015
Author: hselasky
Date: Sat Aug 15 09:00:36 2015
New Revision: 286799
URL: https://svnweb.freebsd.org/changeset/base/286799
Log:
Fix race in USB PF which can happen if we stop tracing exactly when
the kernel is tapping a USB transfer. This leads to a NULL pointer
access. The solution is to only trace while the USB bus lock is
locked.
MFC after: 2 weeks
Modified:
head/sys/dev/usb/usb_pf.c
head/sys/dev/usb/usb_transfer.c
Modified: head/sys/dev/usb/usb_pf.c
==============================================================================
--- head/sys/dev/usb/usb_pf.c Sat Aug 15 08:42:33 2015 (r286798)
+++ head/sys/dev/usb/usb_pf.c Sat Aug 15 09:00:36 2015 (r286799)
@@ -221,7 +221,13 @@ usbpf_clone_destroy(struct if_clone *ifc
ubus = ifp->if_softc;
unit = ifp->if_dunit;
+ /*
+ * Lock USB before clearing the "ifp" pointer, to avoid
+ * clearing the pointer in the middle of a TAP operation:
+ */
+ USB_BUS_LOCK(ubus);
ubus->ifp = NULL;
+ USB_BUS_UNLOCK(ubus);
bpfdetach(ifp);
if_detach(ifp);
if_free(ifp);
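Review bot: The new comment above USB_BUS_LOCK(ubus) in usbpf_clone_destroy() does not state the invariant the fix depends on: every reader of ubus->ifp has to take the bus lock before loading the pointer and keep it held until the tap has finished. bpfdetach(ifp), if_detach(ifp) and if_free(ifp) all run after USB_BUS_UNLOCK(ubus), so a reader that loads the pointer without the lock could still be using an ifp that is being torn down. Suggest spelling that requirement out in the comment and asserting inside usbpf_xfertap() that the bus lock is owned, so that a future unlocked call site fails at once instead of quietly reintroducing the race.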
Modified: head/sys/dev/usb/usb_transfer.c
==============================================================================
--- head/sys/dev/usb/usb_transfer.c Sat Aug 15 08:42:33 2015 (r286798)
+++ head/sys/dev/usb/usb_transfer.c Sat Aug 15 09:00:36 2015 (r286799)
@@ -2398,8 +2398,11 @@ usbd_callback_wrapper(struct usb_xfer_qu
}
#if USB_HAVE_PF
- if (xfer->usb_state != USB_ST_SETUP)
+ if (xfer->usb_state != USB_ST_SETUP) {
+ USB_BUS_LOCK(info->bus);
usbpf_xfertap(xfer, USBPF_XFERTAP_DONE);
+ USB_BUS_UNLOCK(info->bus);
+ }
#endif
/* call processing routine */
(xfer->callback) (xfer, xfer->error);
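Review bot: Only the USBPF_XFERTAP_DONE call in usbd_callback_wrapper() is wrapped in USB_BUS_LOCK(info->bus) here, while the log says tracing must only happen with the bus lock held; any other usbpf_xfertap() call sites are outside this diff and need the same guarantee, so please confirm each one already holds the lock. The lock is also taken unconditionally for every transfer whose usb_state is not USB_ST_SETUP, and the visible context does not show the lock state on entry to this block, so it is worth confirming the bus lock can never already be held at this point.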