Author: ghelmer
Date: Tue Nov 6 21:07:04 2012
New Revision: 242673
URL: http://svnweb.freebsd.org/changeset/base/242673
Log:
Work around a race in bpfread() by validating the hold buffer pointer
before freeing it. Otherwise, we can lose a buffer and cause a panic
in catchpacket().
Modified:
head/sys/net/bpf.c
Modified: head/sys/net/bpf.c
==============================================================================
--- head/sys/net/bpf.c Tue Nov 6 20:30:23 2012 (r242672)
+++ head/sys/net/bpf.c Tue Nov 6 21:07:04 2012 (r242673)
@@ -954,10 +954,13 @@ bpfread(struct cdev *dev, struct uio *ui
error = bpf_uiomove(d, d->bd_hbuf, d->bd_hlen, uio);
BPFD_LOCK(d);
- d->bd_fbuf = d->bd_hbuf;
- d->bd_hbuf = NULL;
- d->bd_hlen = 0;
- bpf_buf_reclaimed(d);
+ if (d->bd_hbuf != NULL) {
+ /* Free the hold buffer only if it is still valid. */
+ d->bd_fbuf = d->bd_hbuf;
+ d->bd_hbuf = NULL;
+ d->bd_hlen = 0;
+ bpf_buf_reclaimed(d);
+ }
BPFD_UNLOCK(d);
return (error);
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
