Date:      Sat, 29 Aug 2015 06:11:51 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r287272 - stable/10/sys/dev/usb
Message-ID:  <201508290611.t7T6Bpto027107@repo.freebsd.org>

Author: hselasky
Date: Sat Aug 29 06:11:50 2015
New Revision: 287272
URL: https://svnweb.freebsd.org/changeset/base/287272

Log:
  MFC r286799:
  Fix race in USB PF which can happen if we stop tracing exactly when
  the kernel is tapping a USB transfer. This leads to a NULL pointer
  access. The solution is to only trace while the USB bus lock is
  locked.

Modified:
  stable/10/sys/dev/usb/usb_pf.c
  stable/10/sys/dev/usb/usb_transfer.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/usb/usb_pf.c
==============================================================================
--- stable/10/sys/dev/usb/usb_pf.c	Sat Aug 29 06:07:55 2015	(r287271)
+++ stable/10/sys/dev/usb/usb_pf.c	Sat Aug 29 06:11:50 2015	(r287272)
@@ -220,7 +220,13 @@ usbpf_clone_destroy(struct if_clone *ifc
 	ubus = ifp->if_softc;
 	unit = ifp->if_dunit;
 
+	/*
+	 * Lock USB before clearing the "ifp" pointer, to avoid
+	 * clearing the pointer in the middle of a TAP operation:
+	 */
+	USB_BUS_LOCK(ubus);
 	ubus->ifp = NULL;
+	USB_BUS_UNLOCK(ubus);
 	bpfdetach(ifp);
 	if_detach(ifp);
 	if_free(ifp);
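Review bot: the lock/unlock around `ubus->ifp = NULL` only closes the race if every reader of `ubus->ifp` (the tap path named in the log message) also runs with the USB bus lock held, and nothing in this hunk enforces that invariant. Suggest adding `USB_BUS_LOCK_ASSERT(ubus, MA_OWNED)` where usbpf_xfertap reads `ubus->ifp`, plus a one-line comment at the `ifp` field stating that it is written and read only under the bus lock, so that a future caller tapping without the lock trips the assertion instead of reintroducing the NULL dereference. The ordering itself looks correct: once the pointer is cleared under the lock, `bpfdetach(ifp)`, `if_detach(ifp)` and `if_free(ifp)` can run unlocked because no tap can pick up `ifp` any more.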

Modified: stable/10/sys/dev/usb/usb_transfer.c
==============================================================================
--- stable/10/sys/dev/usb/usb_transfer.c	Sat Aug 29 06:07:55 2015	(r287271)
+++ stable/10/sys/dev/usb/usb_transfer.c	Sat Aug 29 06:11:50 2015	(r287272)
@@ -2381,8 +2381,11 @@ usbd_callback_wrapper(struct usb_xfer_qu
 	}
 
 #if USB_HAVE_PF
-	if (xfer->usb_state != USB_ST_SETUP)
+	if (xfer->usb_state != USB_ST_SETUP) {
+		USB_BUS_LOCK(info->bus);
 		usbpf_xfertap(xfer, USBPF_XFERTAP_DONE);
+		USB_BUS_UNLOCK(info->bus);
+	}
 #endif
 	/* call processing routine */
 	(xfer->callback) (xfer, xfer->error);
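Review bot: `USB_BUS_LOCK(info->bus)` is now taken in usbd_callback_wrapper just before the driver callback is invoked; if any path reaches this point with the bus lock already held, this recurses on a non-recursive mutex. The hunk does not show the earlier part of the function, so please confirm the lock has been dropped before the `#if USB_HAVE_PF` block and document it with a short comment above the tap (for example `/* the bus lock is not held here; take it only for the tap */`). A smaller point: `xfer->usb_state != USB_ST_SETUP` is evaluated before the lock is taken; if the state can change while the lock is not held, move the test inside the locked region so the tap decision and the tap itself see the same state.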


