Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 19 May 2026 16:46:45 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 51fcd5ddf016 - stable/14 - igmp: Avoid leaving dangling pointers in the state-change queue
Message-ID:  <6a0c93f5.1cca8.3116540e@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=51fcd5ddf016835619c94f4dbdc5b29150fc2e48

commit 51fcd5ddf016835619c94f4dbdc5b29150fc2e48
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-12 17:53:49 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-19 16:46:29 +0000

    igmp: Avoid leaving dangling pointers in the state-change queue
    
    When igmp_v3_merge_state_changes() is iterating over state-change
    packets, there is a case where it'll free a queued packet but will fail
    to remove it from the queue.  Fix that.
    
    Reported by:    Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai
    Reviewed by:    pouria, glebius
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D56947
    
    (cherry picked from commit beab4a237a45aea809e81802b9e1e9ff30f3d929)
---
 sys/netinet/igmp.c | 8 +++++---
 sys/sys/mbuf.h     | 8 ++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index ae58dc0b8b04..3c4909ba5591 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -3312,10 +3312,12 @@ igmp_v3_merge_state_changes(struct in_multi *inm, struct mbufq *scq)
 			CTR2(KTR_IGMPV3,
 			    "%s: outbound queue full, skipping whole packet %p",
 			    __func__, m);
-			mt = m->m_nextpkt;
-			if (!docopy)
+			m0 = m->m_nextpkt;
+			if (!docopy) {
+				mbufq_remove(gq, m);
 				m_freem(m);
-			m = mt;
+			}
+			m = m0;
 			continue;
 		}
 
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 6966e03cc319..2ba2836f84ac 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1647,6 +1647,14 @@ mbufq_enqueue(struct mbufq *mq, struct mbuf *m)
 	return (0);
 }
 
+static inline void
+mbufq_remove(struct mbufq *mq, struct mbuf *m)
+{
+
+	STAILQ_REMOVE(&mq->mq_head, m, mbuf, m_stailqpkt);
+	mq->mq_len--;
+}
+
 static inline struct mbuf *
 mbufq_dequeue(struct mbufq *mq)
 {
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a0c93f5.1cca8.3116540e>