Fix race in USB PF which can happen if we stop tracing exactly when

the kernel is tapping an USB transfer. This leads to a NULL pointer access. The solution is to only trace while the USB bus lock is locked. MFC after: 2 weeks
2015-08-15 09:00:36 +00:00 · 2015-08-15 09:00:36 +00:00 · e9dde83ce2
commit e9dde83ce2
parent 682db8a814
2 changed files with 10 additions and 1 deletions
--- a/sys/dev/usb/usb_pf.c
+++ b/sys/dev/usb/usb_pf.c
@ -221,7 +221,13 @@ usbpf_clone_destroy(struct if_clone *ifc, struct ifnet *ifp)
 	ubus = ifp->if_softc;
 	unit = ifp->if_dunit;

+	/*
+	 * Lock USB before clearing the "ifp" pointer, to avoid
+	 * clearing the pointer in the middle of a TAP operation:
+	 */
+	USB_BUS_LOCK(ubus);
 	ubus->ifp = NULL;
+	USB_BUS_UNLOCK(ubus);
 	bpfdetach(ifp);
 	if_detach(ifp);
 	if_free(ifp);
--- a/sys/dev/usb/usb_transfer.c
+++ b/sys/dev/usb/usb_transfer.c
@ -2398,8 +2398,11 @@ usbd_callback_wrapper(struct usb_xfer_queue *pq)
 	}

 #if USB_HAVE_PF
-	if (xfer->usb_state != USB_ST_SETUP)
+	if (xfer->usb_state != USB_ST_SETUP) {
+		USB_BUS_LOCK(info->bus);
 		usbpf_xfertap(xfer, USBPF_XFERTAP_DONE);
+		USB_BUS_UNLOCK(info->bus);
+	}
 #endif
 	/* call processing routine */
 	(xfer->callback) (xfer, xfer->error);