svn commit: r287272 - stable/10/sys/dev/usb
Hans Petter Selasky
hselasky at FreeBSD.org
Sat Aug 29 06:11:51 UTC 2015
Author: hselasky
Date: Sat Aug 29 06:11:50 2015
New Revision: 287272
URL: https://svnweb.freebsd.org/changeset/base/287272
Log:
MFC r286799:
Fix race in USB PF which can happen if we stop tracing exactly when
the kernel is tapping a USB transfer. This leads to a NULL pointer
access. The solution is to only trace while the USB bus lock is
locked.
Modified:
stable/10/sys/dev/usb/usb_pf.c
stable/10/sys/dev/usb/usb_transfer.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/dev/usb/usb_pf.c
==============================================================================
--- stable/10/sys/dev/usb/usb_pf.c Sat Aug 29 06:07:55 2015 (r287271)
+++ stable/10/sys/dev/usb/usb_pf.c Sat Aug 29 06:11:50 2015 (r287272)
@@ -220,7 +220,13 @@ usbpf_clone_destroy(struct if_clone *ifc
ubus = ifp->if_softc;
unit = ifp->if_dunit;
+ /*
+ * Lock USB before clearing the "ifp" pointer, to avoid
+ * clearing the pointer in the middle of a TAP operation:
+ */
+ USB_BUS_LOCK(ubus);
ubus->ifp = NULL;
+ USB_BUS_UNLOCK(ubus);
bpfdetach(ifp);
if_detach(ifp);
if_free(ifp);
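Review bot: In usbpf_clone_destroy(), taking the bus lock around "ubus->ifp = NULL" only closes the race if every path into usbpf_xfertap() also holds the same lock while it reads ubus->ifp, and nothing in this file enforces that. Consider adding a USB_BUS_LOCK_ASSERT(bus, MA_OWNED) at the top of usbpf_xfertap() so that a future caller that taps without the lock is caught on a debug kernel instead of reintroducing the NULL pointer access. It would also help to extend the new comment to say that bpfdetach(ifp) is deliberately called after the unlock, since a tap that already holds the lock finishes before the pointer is cleared.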
Modified: stable/10/sys/dev/usb/usb_transfer.c
==============================================================================
--- stable/10/sys/dev/usb/usb_transfer.c Sat Aug 29 06:07:55 2015 (r287271)
+++ stable/10/sys/dev/usb/usb_transfer.c Sat Aug 29 06:11:50 2015 (r287272)
@@ -2381,8 +2381,11 @@ usbd_callback_wrapper(struct usb_xfer_qu
}
#if USB_HAVE_PF
- if (xfer->usb_state != USB_ST_SETUP)
+ if (xfer->usb_state != USB_ST_SETUP) {
+ USB_BUS_LOCK(info->bus);
usbpf_xfertap(xfer, USBPF_XFERTAP_DONE);
+ USB_BUS_UNLOCK(info->bus);
+ }
#endif
/* call processing routine */
(xfer->callback) (xfer, xfer->error);
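Review bot: The new USB_BUS_LOCK(info->bus) / USB_BUS_UNLOCK(info->bus) pair in usbd_callback_wrapper() has no comment, unlike the matching change in usb_pf.c, so a reader cannot tell that the lock exists to protect the tap against a concurrent usbpf_clone_destroy(). Please add a short comment saying so. Note also that with USB_HAVE_PF enabled the bus lock is now taken for every callback whose state is not USB_ST_SETUP, whether or not tracing is active; it is worth confirming that the bus lock is never already held when this point is reached and that the extra acquisition per transfer is acceptable.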