Created attachment 224928: set *mpp to NULL

Bug File: sys/dev/oce/oce_if.c

In function oce_tx, it calls oce_tso_setup(.., mpp) at line 1087. Inside oce_tso_setup, m is assigned with *mpp, and then m is freed by the bad branch of callee m_pullup() at line 1332 and returns NULL. Now, *mpp points to a freed memory object.

After oce_tso_setup() returns NULL, the execution comes to the free_ret branch of oce_tx. Then, *mpp is freed again via m_freem() at line 1229.

As m_pullup() returns NULL if *mpp is freed, my patch sets *mpp to NULL by "*mpp = m" to avoid the double free.
Seems reasonable. We can simplify further:

    m = m_pullup(m, total_len);
    *mpp = m;
    return m;
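The ownership mistake described in the report, and the simplified fix proposed in the reply, as an added C example that is not part of this bug thread or of the FreeBSD oce driver. Everything in it (toy_mbuf, toy_m_get, toy_m_freem, toy_m_pullup, tso_setup_buggy, tso_setup_fixed, tx_release_count) is a constructed stand-in that models only the two contracts the bug depends on: m_pullup() frees its input chain and returns NULL on failure, and m_freem(NULL) is a harmless no-op. Releases are counted instead of performed, so the buggy path can be observed without actually double-freeing memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy stand-in for an mbuf chain: one buffer plus a counter of
 * how many times it has been "released". Not the real struct mbuf. */
struct toy_mbuf {
    char  *data;
    size_t len;
    int    freed;
};

static struct toy_mbuf *toy_m_get(size_t len)
{
    struct toy_mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL)
        abort();
    m->data = calloc(len ? len : 1, 1);
    if (m->data == NULL)
        abort();
    m->len = len;
    return m;
}

/* Mirrors the m_freem() contract that matters here: NULL is a no-op.
 * Releases are counted rather than returned to the allocator. */
static void toy_m_freem(struct toy_mbuf *m)
{
    if (m == NULL)
        return;
    m->freed++;
}

/* Mirrors the m_pullup() contract that matters here: on failure the input
 * chain is freed and NULL is returned. Failure is simulated whenever the
 * requested contiguous length exceeds what the chain holds. */
static struct toy_mbuf *toy_m_pullup(struct toy_mbuf *m, size_t len)
{
    if (len > m->len) {
        toy_m_freem(m);
        return NULL;
    }
    return m;
}

/* Helper modelled on the reported behaviour of oce_tso_setup(): when the
 * pullup fails, *mpp is left pointing at the chain m_pullup() already freed. */
static struct toy_mbuf *tso_setup_buggy(struct toy_mbuf **mpp, size_t total_len)
{
    struct toy_mbuf *m = *mpp;

    m = toy_m_pullup(m, total_len);
    if (m == NULL)
        return NULL;        /* *mpp still refers to the released chain */
    *mpp = m;
    return m;
}

/* Helper following the simplification proposed in the thread: the result of
 * m_pullup() is always written back, so a NULL result also clears *mpp. */
static struct toy_mbuf *tso_setup_fixed(struct toy_mbuf **mpp, size_t total_len)
{
    struct toy_mbuf *m = *mpp;

    m = toy_m_pullup(m, total_len);
    *mpp = m;
    return m;
}

/* Caller modelled on the free_ret path of oce_tx(): on any setup failure the
 * chain referenced by *mpp is released. Returns the total number of releases
 * the chain saw, so 2 means a double free would have happened. */
static int tx_release_count(struct toy_mbuf *(*setup)(struct toy_mbuf **, size_t),
    size_t chain_len, size_t needed)
{
    struct toy_mbuf *m = toy_m_get(chain_len);
    struct toy_mbuf *orig = m;  /* keep a handle so the counter can be read */
    int n;

    if (setup(&m, needed) == NULL)
        toy_m_freem(m);         /* free_ret */

    n = orig->freed;
    free(orig->data);
    free(orig);
    return n;
}

int main(void)
{
    printf("buggy helper, pullup fails:    chain released %d time(s)\n",
        tx_release_count(tso_setup_buggy, 64, 128));
    printf("fixed helper, pullup fails:    chain released %d time(s)\n",
        tx_release_count(tso_setup_fixed, 64, 128));
    printf("fixed helper, pullup succeeds: chain released %d time(s)\n",
        tx_release_count(tso_setup_fixed, 128, 64));
    return 0;
}
```

The point of always writing the result back rather than adding a NULL check is that there is then only one place where *mpp is updated, so the caller's free_ret path cannot disagree with the helper about who owns the chain.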
Fixed by https://cgit.freebsd.org/src/commit/?id=71776d67198fadd7d96937c9bdd22063636b132b
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b22150dadd231a84886b2a078dfbe02f9c6d87cc

commit b22150dadd231a84886b2a078dfbe02f9c6d87cc
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:49:49 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:33:16 +0000

    oce: Fix handling of m_pullup() errors in oce_tso_setup()

    m_pullup() frees the input mbuf chain upon a failure. Set *mpp to NULL
    in this case to ensure that the caller does not free the chain again.

    PR:		255864
    Submitted by:	Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:	1 week

    (cherry picked from commit 71776d67198fadd7d96937c9bdd22063636b132b)

 sys/dev/oce/oce_if.c | 3 ---
 1 file changed, 3 deletions(-)
Thanks for the report.