From 0a9fbec04c53531854fcb7a397b21ec39234c322 Mon Sep 17 00:00:00 2001
From: hselasky
Date: Sat, 29 Aug 2015 06:28:48 +0000
Subject: [PATCH] MFC r286799: Fix race in USB PF which can happen if we stop tracing exactly when the kernel is tapping an USB transfer. This leads to a NULL pointer access. The solution is to only trace while the USB bus lock is locked.
git-svn-id: svn://svn.freebsd.org/base/stable/8@287275 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/dev/usb/usb_pf.c | 5 ++++-
 sys/dev/usb/usb_transfer.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/sys/dev/usb/usb_pf.c b/sys/dev/usb/usb_pf.c
index 1032a4fb1..265f649ae 100644
--- a/sys/dev/usb/usb_pf.c
+++ b/sys/dev/usb/usb_pf.c
@@ -103,13 +103,16 @@ usbpf_detach(struct usb_bus *ubus)
 {
 struct ifnet *ifp = ubus->ifp;
 
+ USB_BUS_LOCK(ubus);
+ ubus->ifp = NULL;
+ USB_BUS_UNLOCK(ubus);
+
 if (ifp != NULL) {
 bpfdetach(ifp);
 if_down(ifp);
 if_detach(ifp);
 if_free(ifp);
 }
- ubus->ifp = NULL;
 }
 
 static uint32_t
diff --git a/sys/dev/usb/usb_transfer.c b/sys/dev/usb/usb_transfer.c
index a7c61f9ba..3fe4ff4c1 100644
--- a/sys/dev/usb/usb_transfer.c
+++ b/sys/dev/usb/usb_transfer.c
@@ -2291,8 +2291,11 @@ usbd_callback_wrapper(struct usb_xfer_queue *pq)
 }
 
 #if USB_HAVE_PF
- if (xfer->usb_state != USB_ST_SETUP)
+ if (xfer->usb_state != USB_ST_SETUP) {
+ USB_BUS_LOCK(info->bus);
 usbpf_xfertap(xfer, USBPF_XFERTAP_DONE);
+ USB_BUS_UNLOCK(info->bus);
+ }
 #endif
 /* call processing routine */
 (xfer->callback) (xfer, xfer->error);
-- 
2.42.0
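Review bot: In `usbpf_detach` the snapshot `struct ifnet *ifp = ubus->ifp;` is still taken in the declaration, before `USB_BUS_LOCK(ubus)`, so the read and the clear are not one step under the lock. Whether two detach paths can overlap is not visible in this hunk, but reading inside the locked region (`ifp = ubus->ifp;` directly before `ubus->ifp = NULL;`) would make it a plain swap and remove the question. The lock/unlock pair also acts as a barrier, since a tap that already holds the bus lock finishes before `bpfdetach()` and `if_free()` run; that reasoning deserves a comment such as `/* clear under the bus lock so no tap can still be using ifp when it is freed */`.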
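Review bot: The lock added around `usbpf_xfertap(xfer, USBPF_XFERTAP_DONE)` closes the race only if the callee re-reads the bus's `ifp` and checks it for NULL while the lock is held, and only if every other caller of `usbpf_xfertap` holds the bus lock as well; neither is visible in this diff. An assertion at the top of `usbpf_xfertap`, for example `USB_BUS_LOCK_ASSERT(<bus>, MA_OWNED);`, would turn the new locking rule into something the kernel checks on debug builds. The bus mutex is now also taken on every completed transfer whether or not a tap is attached, and it must not already be held at this point in `usbd_callback_wrapper`, whose body starts and ends outside the hunk.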