Bug 255878
| Summary: | [PATCH] netpfil/ipfw: Fix a double free in aqm_pie_enqueue | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | lylgood | ||||||
| Component: | kern | Assignee: | Mark Johnston <markj> | ||||||
| Status: | Closed FIXED | ||||||||
| Severity: | Affects Many People | CC: | freebsd.68fba, markj | ||||||
| Priority: | --- | ||||||||
| Version: | CURRENT | ||||||||
| Hardware: | Any | ||||||||
| OS: | Any | ||||||||
| Attachments: |
|
||||||||
Probably we still want to call update_stats() in the allocation failure case. Created attachment 225051 [details]
V2: avoid the double free while keep orignal function unchanged
(In reply to Mark Johnston from comment #1) Thanks for your reminder. I corrected my patch by calling update_stats(q, 0, 1) and reset accu_prob after the allocation failed, to keep the original logic unchanged. Please review this new patch again. Thanks. A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b commit c4a6258d70f73c27d8f0c6233edbcc609791806b Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-05-18 19:22:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-18 19:25:16 +0000 dummynet: Fix mbuf tag allocation failure handling PR: 255875, 255878, 255879, 255880 Reviewed by: donner, kp MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30318 sys/netpfil/ipfw/dn_aqm_codel.c | 4 +--- sys/netpfil/ipfw/dn_aqm_pie.c | 6 +++--- sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +--- sys/netpfil/ipfw/dn_sched_fq_pie.c | 6 +++--- 4 files changed, 8 insertions(+), 12 deletions(-) A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733 commit b14db362bbd20e5a3d97d121c403b72473fdc733 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-05-18 19:22:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-25 13:26:09 +0000 dummynet: Fix mbuf tag allocation failure handling PR: 255875, 255878, 255879, 255880 Reviewed by: donner, kp Sponsored by: The FreeBSD Foundation (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b) sys/netpfil/ipfw/dn_aqm_codel.c | 4 +--- sys/netpfil/ipfw/dn_aqm_pie.c | 6 +++--- sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +--- sys/netpfil/ipfw/dn_sched_fq_pie.c | 6 +++--- 4 files changed, 8 insertions(+), 12 deletions(-) A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83 commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-05-18 19:22:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-25 13:29:00 +0000 dummynet: Fix mbuf tag allocation failure handling PR: 255875, 255878, 255879, 255880 Reviewed by: donner, kp Sponsored by: The FreeBSD Foundation (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b) sys/netpfil/ipfw/dn_aqm_codel.c | 4 +--- sys/netpfil/ipfw/dn_aqm_pie.c | 6 +++--- sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +--- sys/netpfil/ipfw/dn_sched_fq_pie.c | 6 +++--- 4 files changed, 8 insertions(+), 12 deletions(-) |
Created attachment 224941 [details] avoid the double free Bug File: sys/netpfil/ipfw/dn_aqm_pie.c In function aqm_pie_enqueue, m is freed via m_freem(m) at line 545. But the freed m is freed again by FREE_PKT(m) at line 561. My patch returns the error right away when m_tag_alloc() allocate memory failed, rather than continues to free the m again.