255880 – [PATCH] netpfil/ipfw: Fix a double free in pie_enqueue

Bug 255880 - [PATCH] netpfil/ipfw: Fix a double free in pie_enqueue

Summary: [PATCH] netpfil/ipfw: Fix a double free in pie_enqueue

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Mark Johnston

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-05-14 14:19 UTC by lylgood
Modified:	2021-05-25 23:25 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
avoid the m been freed again (477 bytes, patch) 2021-05-14 14:19 UTC, lylgood	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description lylgood 2021-05-14 14:19:39 UTC

Created attachment 224943 [details]
avoid the m been freed again

Bug File: sys/netpfil/ipfw/dn_sched_fq_pie.c

In function pie_enqueue, m is freed via m_freem() at line 737.
But the freed m is freed again via FREE_PKT() at line 751, which is a double free bug.

My patch returns the allocation error of m_tag_alloc() after m_freem(m), to avoid the m been freed again.

Comment 1 commit-hook freebsd_committer

2021-05-18 19:44:54 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b

commit c4a6258d70f73c27d8f0c6233edbcc609791806b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-18 19:25:16 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D30318

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)

Comment 2 commit-hook freebsd_committer

2021-05-25 13:28:49 UTC

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733

commit b14db362bbd20e5a3d97d121c403b72473fdc733
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:26:09 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)

Comment 3 commit-hook freebsd_committer

2021-05-25 13:29:52 UTC

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83

commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:29:00 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)