Forget please about previous diff.
Except ppppac_ioctl() the only function which can have race with
pppacclose() is pppacopen(), but since `sc' is still linked to
`pppac_devs' list we can't reopen dying `sc'. So the only race is
pppacopen() vs pppacopen().
We only need to malloc(9) before pppac_lookup() to fix this race.
Index: sys/net/if_pppx.c
===================================================================
RCS file: /cvs/src/sys/net/if_pppx.c,v
retrieving revision 1.95
diff -u -p -r1.95 if_pppx.c
--- sys/net/if_pppx.c 10 Jul 2020 13:26:42 -0000 1.95
+++ sys/net/if_pppx.c 13 Jul 2020 23:35:20 -0000
@@ -1062,11 +1062,12 @@ pppacopen(dev_t dev, int flags, int mode
struct pppac_softc *sc;
struct ifnet *ifp;
- sc = pppac_lookup(dev);
- if (sc != NULL)
+ sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
+ if (pppac_lookup(dev) != NULL) {
+ free(sc, M_DEVBUF, sizeof(*sc));
return (EBUSY);
+ }
- sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
sc->sc_dev = dev;
mtx_init(&sc->sc_rsel_mtx, IPL_SOFTNET);
