Work around a race in bpfread() by validating the hold buffer pointer
before freeing it. Otherwise, we can lose a buffer and cause a panic in catchpacket().
parent
274b95d3ac
commit
0e8a1cb3c9
@ -954,10 +954,13 @@ bpfread(struct cdev *dev, struct uio *uio, int ioflag)
|
||||
error = bpf_uiomove(d, d->bd_hbuf, d->bd_hlen, uio);
|
||||
|
||||
BPFD_LOCK(d);
|
||||
d->bd_fbuf = d->bd_hbuf;
|
||||
d->bd_hbuf = NULL;
|
||||
d->bd_hlen = 0;
|
||||
bpf_buf_reclaimed(d);
|
||||
if (d->bd_hbuf != NULL) {
|
||||
/* Free the hold buffer only if it is still valid. */
|
||||
d->bd_fbuf = d->bd_hbuf;
|
||||
d->bd_hbuf = NULL;
|
||||
d->bd_hlen = 0;
|
||||
bpf_buf_reclaimed(d);
|
||||
}
|
||||
BPFD_UNLOCK(d);
|
||||
|
||||
return (error);
|
||||
|
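Review bot: The `d->bd_hbuf != NULL` test only catches the case where the hold buffer was cleared while `bpf_uiomove()` ran; since `BPFD_LOCK(d)` is taken after the copy, the descriptor appears to be unlocked during it, so a reset followed by a rotation could leave a different, still-unread hold buffer in place, which this branch would then recycle. The copy itself may also have read from a buffer that was being refilled, yet `error` is returned unchanged in that case. As the message calls this a workaround, I would record the limit in the comment, e.g. `/* XXX: non-NULL does not prove this is the buffer we copied from; the copy above ran unlocked. */`, and follow up by marking the hold buffer busy under the lock before the copy so the reset and rotate paths leave it alone until the read finishes. The start of bpfread() is outside the hunk, so the locking state before the copy is inferred.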