bpf: Fix the write filter for detached descriptors

A BPF descriptor only has an associated interface descriptor once it is attached to an interface, e.g., with BIOCSETIF. Avoid dereferencing a NULL pointer in filt_bpfwrite() if the BPF descriptor is not attached. Reviewed by: ae Reported by: syzbot+ae45d5166afe15a5a21d@syzkaller.appspotmail.com Fixes: ded77e0237a8 ("Allow the BPF to be select for write.") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32561
2021-10-26 09:57:27 -04:00 · 2021-10-26 09:57:27 -04:00 · 426682b05a
commit 426682b05a
parent c0cf36bc02
2 changed files with 14 additions and 5 deletions
--- a/lib/libc/sys/kqueue.2
+++ b/lib/libc/sys/kqueue.2
@ -390,8 +390,8 @@ For eventfds,
 will contain the maximum value that can be added to the counter
 without blocking.
 .Pp
-For BPF devices, the filter always indicates that it is possible to
-write and
+For BPF devices, when the descriptor is attached to an interface the filter
+always indicates that it is possible to write and
 .Va data
 will contain the MTU size of the underlying interface.
 .It Dv EVFILT_EMPTY
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@ -763,6 +763,10 @@ bpf_attachd(struct bpf_d *d, struct bpf_if *bp)
 		CK_LIST_INSERT_HEAD(&bp->bif_dlist, d, bd_next);

 	reset_d(d);
+
+	/* Trigger EVFILT_WRITE events. */
+	bpf_wakeup(d);
+
 	BPFD_UNLOCK(d);
 	bpf_bpfd_cnt++;

@ -2229,11 +2233,16 @@ static int
 filt_bpfwrite(struct knote *kn, long hint)
 {
 	struct bpf_d *d = (struct bpf_d *)kn->kn_hook;
+
 	BPFD_LOCK_ASSERT(d);

-	kn->kn_data = d->bd_bif->bif_ifp->if_mtu;
-
-	return (1);
+	if (d->bd_bif == NULL) {
+		kn->kn_data = 0;
+		return (0);
+	} else {
+		kn->kn_data = d->bd_bif->bif_ifp->if_mtu;
+		return (1);
+	}
 }

 #define	BPF_TSTAMP_NONE		0