freebsd-skq/sys/net80211
csjp 2c4f67981e Fix the following bpf(4) race condition which can result in a panic:
(1) bpf peer attaches to interface netif0
	(2) Packet is received by netif0
	(3) ifp->if_bpf pointer is checked and handed off to bpf
	(4) bpf peer detaches from netif0 resulting in ifp->if_bpf being
	    initialized to NULL.
	(5) ifp->if_bpf is dereferenced by bpf machinery
	(6) Kaboom

This race condition likely explains the various different kernel panics
reported around sending SIGINT to tcpdump or dhclient processes. But really
this race can result in kernel panics anywhere you have frequent bpf attach
and detach operations with high packet per second load.

Summary of changes:

- Remove the bpf interface's "driverp" member
- When we attach bpf interfaces, we now set the ifp->if_bpf member to the
  bpf interface structure. Once this is done, ifp->if_bpf should never be
  NULL. [1]
- Introduce bpf_peers_present function, an inline operation which will do
  a lockless read bpf peer list associated with the interface. It should
  be noted that the bpf code will pickup the bpf_interface lock before adding
  or removing bpf peers. This should serialize the access to the bpf descriptor
  list, removing the race.
- Expose the bpf_if structure in bpf.h so that the bpf_peers_present function
  can use it. This also removes the struct bpf_if; hack that was there.
- Adjust all consumers of the raw if_bpf structure to use bpf_peers_present

Now what happens is:

	(1) Packet is received by netif0
	(2) Check to see if bpf descriptor list is empty
	(3) Pickup the bpf interface lock
	(4) Hand packet off to process

From the attach/detach side:

	(1) Pickup the bpf interface lock
	(2) Add/remove from bpf descriptor list

Now that we are storing the bpf interface structure with the ifnet, there is
is no need to walk the bpf interface list to locate the correct bpf interface.
We now simply look up the interface, and initialize the pointer. This has a
nice side effect of changing a bpf interface attach operation from O(N) (where
N is the number of bpf interfaces), to O(1).

[1] From now on, we can no longer check ifp->if_bpf to tell us whether or
    not we have any bpf peers that might be interested in receiving packets.

In collaboration with:	sam@
MFC after:	1 month
2006-06-02 19:59:33 +00:00
..
_ieee80211.h add some useful definitions that'll be used soon 2005-12-12 17:57:00 +00:00
ieee80211_acl.c Extend acl support to pass ioctl requests through and use this to 2005-08-13 17:31:48 +00:00
ieee80211_crypto_ccmp.c disallow module unload when there are dynamic references 2005-12-12 19:07:48 +00:00
ieee80211_crypto_none.c o fix wpa w/ wme: don't strip the QoS header on recv as tkip requires 2005-06-10 16:11:24 +00:00
ieee80211_crypto_tkip.c disallow module unload when there are dynamic references 2005-12-12 19:07:48 +00:00
ieee80211_crypto_wep.c disallow module unload when there are dynamic references 2005-12-12 19:07:48 +00:00
ieee80211_crypto.c Split crypto tx+rx key indices and add a key index -> node mapping table: 2005-08-08 18:46:36 +00:00
ieee80211_crypto.h Split crypto tx+rx key indices and add a key index -> node mapping table: 2005-08-08 18:46:36 +00:00
ieee80211_freebsd.c Add ieee80211_beacon_miss for processing sta mode beacon miss events 2005-12-12 18:04:44 +00:00
ieee80211_freebsd.h Split crypto tx+rx key indices and add a key index -> node mapping table: 2005-08-08 18:46:36 +00:00
ieee80211_input.c Fix the following bpf(4) race condition which can result in a panic: 2006-06-02 19:59:33 +00:00
ieee80211_ioctl.c implement set(IEEE80211_IOC_STA_STATS) for hostapd; for 2006-03-27 05:22:35 +00:00
ieee80211_ioctl.h Rev ioctl to get scan results: 2006-01-18 22:17:50 +00:00
ieee80211_node.c Move conditional preprocessing out from the IEEE80211_DPRINTF macro 2006-06-01 14:06:32 +00:00
ieee80211_node.h when scanning channels marked passive defer probe request until 2006-03-06 17:23:26 +00:00
ieee80211_output.c when doing s/w crypto make sure work is done w/ a writable mbuf chain; 2006-03-15 21:27:08 +00:00
ieee80211_proto.c fix switching between agressive and non-agressive wmm modes 2006-03-10 06:18:03 +00:00
ieee80211_proto.h update erp information element in the beacon frame to reflect 2006-01-02 16:57:20 +00:00
ieee80211_radiotap.h add flag to tag frames w/ a known bad FCS 2006-01-09 17:04:56 +00:00
ieee80211_var.h when scanning channels marked passive defer probe request until 2006-03-06 17:23:26 +00:00
ieee80211_xauth.c bump copyright for 2005 2004-12-31 22:42:38 +00:00
ieee80211.c back out public safety-specific channel number mapping; we can't do 2006-04-26 16:00:37 +00:00
ieee80211.h o add IEEE80211_FRAG_DEFAULT 2005-07-22 16:55:27 +00:00