Alexander Bluhm wrote:
> Hi,
>
> When running some scapy regression tests, a current i386 machine
> triggered this panic.
dunno if this is best. maybe. the refcounting of units implies that they can last longer than close(). therefore, if open() is expecting close() to remove the unit from the list, we must make sure close does that. dangling refs then will be freed when the refcount drops. The bpfilter_destory function is obfuscation at this point. Alas, no time to test right now. Index: bpf.c =================================================================== RCS file: /cvs/src/sys/net/bpf.c,v retrieving revision 1.142 diff -u -p -r1.142 bpf.c --- bpf.c 10 Jun 2016 20:33:29 -0000 1.142 +++ bpf.c 24 Jul 2016 13:30:29 -0000 @@ -117,7 +117,6 @@ int bpf_sysctl_locked(int *, u_int, void struct bpf_d *bpfilter_lookup(int); struct bpf_d *bpfilter_create(int); -void bpfilter_destroy(struct bpf_d *); /* * Reference count access to descriptor buffers @@ -368,6 +367,7 @@ bpfclose(dev_t dev, int flag, int mode, if (d->bd_bif) bpf_detachd(d); bpf_wakeup(d); + LIST_REMOVE(d, bd_list); D_PUT(d); splx(s); @@ -1494,7 +1494,7 @@ bpf_freed(struct bpf_d *d) srp_update_locked(&bpf_insn_gc, &d->bd_rfilter, NULL); srp_update_locked(&bpf_insn_gc, &d->bd_wfilter, NULL); - bpfilter_destroy(d); + free(d, M_DEVBUF, sizeof(*d)); } /* @@ -1651,12 +1651,6 @@ bpfilter_create(int unit) return (bd); } -void -bpfilter_destroy(struct bpf_d *bd) -{ - LIST_REMOVE(bd, bd_list); - free(bd, M_DEVBUF, sizeof(*bd)); -} /* * Get a list of available data link type of the interface.
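Review bot: in the bpfclose hunk, the new LIST_REMOVE(d, bd_list) sits just before D_PUT(d) with no comment explaining why the unlink has to happen at close time rather than at free time. The message gives the reason (references can outlive close() while open() expects the unit to be gone from the list), and a one-line comment above the LIST_REMOVE saying so would keep it from being moved back into the free path later.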
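Review bot: in the bpf_freed hunk, free(d, M_DEVBUF, sizeof(*d)) now releases the descriptor without unlinking it, so the function is only safe if every descriptor that reaches it has already been taken off bd_list in bpfclose. The visible hunks do not show whether the last reference can be dropped on a path that skips bpfclose; if one exists, the list would keep a pointer to freed memory. Worth checking the D_PUT callers for that, and since the message says the patch is untested, it should be run against the scapy regression that triggered the panic before it goes in.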