Bug 255879 - [PATCH] netpfil/ipfw: Fix a double free in codel_enqueue
Summary: [PATCH] netpfil/ipfw: Fix a double free in codel_enqueue
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: Mark Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-14 14:13 UTC by lylgood
Modified: 2021-05-25 23:24 UTC (History)
3 users (show)

See Also:

Attachments
removes the redundant m_freem() in drop branch. (388 bytes, patch)
2021-05-14 14:13 UTC, lylgood 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description lylgood 2021-05-14 14:13:40 UTC 
Created attachment 224942 [details]
removes the redundant m_freem() in drop branch.

Bug File: sys/netpfil/ipfw/dn_sched_fq_codel.c

In function codel_enqueue, m is freed via m_freem() at line 193.
But the freed m is freed again in the drop branch via m_freem() at line 205, which is a double free bug.

My patch removes the redundant m_freem() in drop branch.
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-05-18 19:44:53 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b

commit c4a6258d70f73c27d8f0c6233edbcc609791806b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-18 19:25:16 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D30318

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-05-25 13:28:51 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733

commit b14db362bbd20e5a3d97d121c403b72473fdc733
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:26:09 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-05-25 13:29:55 UTC 
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83

commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:29:00 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)