svn commit: r332812 - head/sys/net

[Andrey V. Elsukov]

Author: ae
Date: Fri Apr 20 09:57:31 2018
New Revision: 332812
URL: https://svnweb.freebsd.org/changeset/base/332812

Log:
  Add dead_bpf_if structure, that should be used as fake bpf_if
  during ifnet detach.
  
  Since destroying interface is not atomic operation and due to the
  lack of synhronization during destroy, it is possible, that in the
  time between bpfdetach() and if_free() some queued on destroying
  interface mbuf will be used by ether_input_internal() and
  bpf_peers_present() can dereference NULL bpf_if pointer. To protect
  from this, assign pointer to empty bpf_if_ext structure instead of
  NULL pointer after bpfdetach().
  
  Reviewed by:	melifaro, eugen
  Obtained from:	Yandex LLC
  MFC after:	1 week
  Sponsored by:	Yandex LLC
  Differential Revision:	https://reviews.freebsd.org/D15083

Modified:
  head/sys/net/bpf.c

Modified: head/sys/net/bpf.c
==============================================================================
--- head/sys/net/bpf.c	Fri Apr 20 09:54:06 2018	(r332811)
+++ head/sys/net/bpf.c	Fri Apr 20 09:57:31 2018	(r332812)
@@ -98,6 +98,10 @@ __FBSDID("$FreeBSD$");
 
 MALLOC_DEFINE(M_BPF, "BPF", "BPF data");
 
+static struct bpf_if_ext dead_bpf_if = {
+	.bif_dlist = LIST_HEAD_INITIALIZER()
+};
+
 struct bpf_if {
 #define	bif_next	bif_ext.bif_next
 #define	bif_dlist	bif_ext.bif_dlist
@@ -2659,7 +2663,7 @@ bpfdetach(struct ifnet *ifp)
 		 */
 		BPFIF_WLOCK(bp);
 		bp->bif_flags |= BPFIF_FLAG_DYING;
-		*bp->bif_bpf = NULL;
+		*bp->bif_bpf = (struct bpf_if *)&dead_bpf_if;;
 		BPFIF_WUNLOCK(bp);
 
 		CTR4(KTR_NET, "%s: sheduling free for encap %d (%p) for if %p",