| Field | Value |
|---|---|
| Summary | [PATCH] dev/core: Fix a double free in oce_tx |
| Product | Base System |
| Component | kern |
| Status | Closed FIXED |
| Severity | Affects Only Me |
| Priority | --- |
| Version | CURRENT |
| Hardware | Any |
| OS | Any |
| Reporter | lylgood |
| Assignee | Mark Johnston <markj> |
| CC | markj |
| Attachments | attachment 224928: set *mpp to NULL |
Description (lylgood):

Created attachment 224928
set *mpp to NULL

Bug file: sys/dev/oce/oce_if.c

In function oce_tx, it calls oce_tso_setup(.., mpp) at line 1087. Inside oce_tso_setup, m is assigned with *mpp, and then m is freed by the bad branch of the callee m_pullup() at line 1332, which returns NULL. Now *mpp points to a freed memory object. After oce_tso_setup() returns NULL, execution comes to the free_ret branch of oce_tx. Then *mpp is freed again via m_freem() at line 1229. As m_pullup() returns NULL if *mpp is freed, my patch sets *mpp to NULL by "*mpp = m" to avoid the double free.

Comment (Mark Johnston):

Seems reasonable. We can simplify further:

    m = m_pullup(m, total_len);
    *mpp = m;
    return m;

Comment (commit-hook):

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b22150dadd231a84886b2a078dfbe02f9c6d87cc

commit b22150dadd231a84886b2a078dfbe02f9c6d87cc
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:49:49 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:33:16 +0000

    oce: Fix handling of m_pullup() errors in oce_tso_setup()

    m_pullup() frees the input mbuf chain upon a failure. Set *mpp to NULL
    in this case to ensure that the caller does not free the chain again.

    PR:             255864
    Submitted by:   Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:      1 week

    (cherry picked from commit 71776d67198fadd7d96937c9bdd22063636b132b)

 sys/dev/oce/oce_if.c | 3 ---
 1 file changed, 3 deletions(-)

Comment (Mark Johnston):

Thanks for the report.
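The ownership rule at the heart of this bug, as an added, self-contained model and not code from FreeBSD or from this bug's attachment: m_pullup() takes ownership of the chain it is handed and frees it when it fails, so a caller that keeps a second pointer to that chain (here, the caller's *mpp) must be told the chain is gone. Everything below (struct mbuf, m_pullup_model(), m_freem_model(), tso_setup_buggy(), tso_setup_fixed(), oce_tx_model()) is a hypothetical stand-in; it only reproduces the free-on-failure contract and the shape of the pre-fix and fixed oce_tso_setup(), and it counts frees of an already-freed chain instead of corrupting the heap, so the double free can be observed on a desktop build.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of the ownership rule behind PR 255864.  This is NOT FreeBSD's
 * mbuf code: struct mbuf, m_pullup_model() and m_freem_model() are stand-ins
 * that reproduce one rule only, namely that m_pullup() frees the chain it was
 * given when it fails and returns NULL.
 */
struct mbuf {
    size_t len;    /* bytes available in the chain */
    int    freed;  /* model-only: set once the chain has been freed */
};

static int g_double_frees;  /* model-only: frees of an already-freed chain */

static struct mbuf *m_get_model(size_t len)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m != NULL)
        m->len = len;
    return m;
}

/* Like m_freem(): NULL is a no-op.  The memory is kept so that a second
 * free is detectable instead of being heap corruption. */
static void m_freem_model(struct mbuf *m)
{
    if (m == NULL)
        return;
    if (m->freed)
        g_double_frees++;
    m->freed = 1;
}

/* Like m_pullup(): on failure the input chain is freed and NULL returned. */
static struct mbuf *m_pullup_model(struct mbuf *m, size_t len)
{
    if (len > m->len) {
        m_freem_model(m);
        return NULL;
    }
    return m;
}

/* Pre-fix shape of oce_tso_setup(): after a failed pull-up, *mpp still
 * points at the chain m_pullup() already freed. */
static struct mbuf *tso_setup_buggy(struct mbuf **mpp, size_t total_len)
{
    struct mbuf *m = *mpp;

    m = m_pullup_model(m, total_len);
    if (m == NULL)
        return NULL;
    *mpp = m;
    return m;
}

/* Shape suggested in the thread: *mpp always mirrors m, so it is NULL after
 * a failed pull-up and the caller's m_freem() becomes a no-op. */
static struct mbuf *tso_setup_fixed(struct mbuf **mpp, size_t total_len)
{
    struct mbuf *m = m_pullup_model(*mpp, total_len);

    *mpp = m;
    return m;
}

typedef struct mbuf *(*tso_setup_fn)(struct mbuf **, size_t);

/* Caller modelled on oce_tx()'s free_ret path.  Returns how many double
 * frees the model observed during this one transmit attempt. */
static int oce_tx_model(tso_setup_fn setup, size_t chain_len, size_t total_len)
{
    int before = g_double_frees;
    struct mbuf *m = m_get_model(chain_len);
    struct mbuf *owner = m;  /* model-only: release heap memory at the end */

    if (m == NULL)
        return -1;
    if (setup(&m, total_len) == NULL)
        goto free_ret;
    m_freem_model(m);        /* success: the driver would have consumed m */
    free(owner);
    return g_double_frees - before;

free_ret:
    m_freem_model(m);        /* the second free when m still points at the chain */
    free(owner);
    return g_double_frees - before;
}

int main(void)
{
    /* 64-byte chain, 200-byte pull-up: m_pullup_model() fails and frees it. */
    printf("buggy, pullup fails: %d double free(s)\n", oce_tx_model(tso_setup_buggy, 64, 200));
    printf("fixed, pullup fails: %d double free(s)\n", oce_tx_model(tso_setup_fixed, 64, 200));
    printf("buggy, pullup ok:    %d double free(s)\n", oce_tx_model(tso_setup_buggy, 256, 200));
    printf("fixed, pullup ok:    %d double free(s)\n", oce_tx_model(tso_setup_fixed, 256, 200));
    return 0;
}
```

The point to carry over to real driver code is the general one: when a callee such as m_pullup() frees its argument on error, every alias the caller holds must be updated in the same statement that records the result, which is why the three-line form (assign, store through mpp, return) is safer than a separate NULL check that leaves *mpp stale.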