255879 2021-05-14 14:13:40 +0000 [PATCH] netpfil/ipfw: Fix a double free in codel_enqueue 2021-05-25 23:24:42 +0000 1 1 1 Unclassified Base System kern CURRENT Any Any Closed FIXED --- Affects Many People --- 1 lylgood markj freebsd.68fba ipfw markj oldest_to_newest 1161336 0 224942 lylgood 2021-05-14 14:13:40 +0000 Created attachment 224942 removes the redundant m_freem() in drop branch. Bug File: sys/netpfil/ipfw/dn_sched_fq_codel.c In function codel_enqueue, m is freed via m_freem() at line 193. But the freed m is freed again in the drop branch via m_freem() at line 205, which is a double free bug. My patch removes the redundant m_freem() in drop branch. 1162010 1 commit-hook 2021-05-18 19:44:53 +0000 A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b commit c4a6258d70f73c27d8f0c6233edbcc609791806b Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-05-18 19:22:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-18 19:25:16 +0000 dummynet: Fix mbuf tag allocation failure handling PR: 255875, 255878, 255879, 255880 Reviewed by: donner, kp MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30318 sys/netpfil/ipfw/dn_aqm_codel.c | 4 +--- sys/netpfil/ipfw/dn_aqm_pie.c | 6 +++--- sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +--- sys/netpfil/ipfw/dn_sched_fq_pie.c | 6 +++--- 4 files changed, 8 insertions(+), 12 deletions(-) 1163053 2 commit-hook 2021-05-25 13:28:51 +0000 A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733 commit b14db362bbd20e5a3d97d121c403b72473fdc733 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-05-18 19:22:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-25 13:26:09 +0000 dummynet: Fix mbuf tag allocation failure handling PR: 255875, 255878, 255879, 255880 Reviewed by: donner, kp Sponsored by: The FreeBSD Foundation (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b) sys/netpfil/ipfw/dn_aqm_codel.c | 4 +--- sys/netpfil/ipfw/dn_aqm_pie.c | 6 +++--- sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +--- sys/netpfil/ipfw/dn_sched_fq_pie.c | 6 +++--- 4 files changed, 8 insertions(+), 12 deletions(-) 1163058 3 commit-hook 2021-05-25 13:29:55 +0000 A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83 commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-05-18 19:22:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-25 13:29:00 +0000 dummynet: Fix mbuf tag allocation failure handling PR: 255875, 255878, 255879, 255880 Reviewed by: donner, kp Sponsored by: The FreeBSD Foundation (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b) sys/netpfil/ipfw/dn_aqm_codel.c | 4 +--- sys/netpfil/ipfw/dn_aqm_pie.c | 6 +++--- sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +--- sys/netpfil/ipfw/dn_sched_fq_pie.c | 6 +++--- 4 files changed, 8 insertions(+), 12 deletions(-) 224942 2021-05-14 14:13:40 +0000 2021-05-14 14:13:40 +0000 removes the redundant m_freem() in drop branch. 0001-netpfil-ipfw-double-free-codel_enqueue.patch text/plain 388 lylgood ZGlmZiAtLWdpdCBhL3N5cy9uZXRwZmlsL2lwZncvZG5fc2NoZWRfZnFfY29kZWwuYyBiL3N5cy9u ZXRwZmlsL2lwZncvZG5fc2NoZWRfZnFfY29kZWwuYwppbmRleCA1NTgwZGQ5MWJiZmUuLmY5OTJm MGQ4Y2VkZSAxMDA2NDQKLS0tIGEvc3lzL25ldHBmaWwvaXBmdy9kbl9zY2hlZF9mcV9jb2RlbC5j CisrKyBiL3N5cy9uZXRwZmlsL2lwZncvZG5fc2NoZWRfZnFfY29kZWwuYwpAQCAtMjAyLDcgKzIw Miw2IEBAIGNvZGVsX2VucXVldWUoc3RydWN0IGZxX2NvZGVsX2Zsb3cgKnEsIHN0cnVjdCBtYnVm ICptLCBzdHJ1Y3QgZnFfY29kZWxfc2kgKnNpKQogCiBkcm9wOgogCWZxX3VwZGF0ZV9zdGF0cyhx LCBzaSwgbGVuLCAxKTsKLQltX2ZyZWVtKG0pOwogCXJldHVybiAxOwogfQogCg==