Date: Tue, 12 May 2026 20:06:10 +0000
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: beab4a237a45 - main - igmp: Avoid leaving dangling pointers in the state-change queue
Message-ID: <6a038832.22e04.6ba24256@gitrepo.freebsd.org>
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=beab4a237a45aea809e81802b9e1e9ff30f3d929 commit beab4a237a45aea809e81802b9e1e9ff30f3d929 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2026-05-12 17:53:49 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-05-12 20:05:19 +0000 igmp: Avoid leaving dangling pointers in the state-change queue When igmp_v3_merge_state_changes() is iterating over state-change packets, there is a case where it'll free a queued packet but will fail to remove it from the queue. Fix that. Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai Reviewed by: pouria, glebius MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D56947 --- sys/netinet/igmp.c | 8 +++++--- sys/sys/mbuf.h | 8 ++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c index 00288356cb1f..226f38a035fb 100644 --- a/sys/netinet/igmp.c +++ b/sys/netinet/igmp.c @@ -3326,10 +3326,12 @@ igmp_v3_merge_state_changes(struct in_multi *inm, struct mbufq *scq) CTR2(KTR_IGMPV3, "%s: outbound queue full, skipping whole packet %p", __func__, m); - mt = m->m_nextpkt; - if (!docopy) + m0 = m->m_nextpkt; + if (!docopy) { + mbufq_remove(gq, m); m_freem(m); - m = mt; + } + m = m0; continue; } diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h index c5072cec904b..fb1a0a5b81d0 100644 --- a/sys/sys/mbuf.h +++ b/sys/sys/mbuf.h @@ -1656,6 +1656,14 @@ mbufq_enqueue(struct mbufq *mq, struct mbuf *m) return (0); } +static inline void +mbufq_remove(struct mbufq *mq, struct mbuf *m) +{ + + STAILQ_REMOVE(&mq->mq_head, m, mbuf, m_stailqpkt); + mq->mq_len--; +} + static inline struct mbuf * mbufq_dequeue(struct mbufq *mq) {home | help
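Review bot: in the sys/netinet/igmp.c hunk, `m0 = m->m_nextpkt;` must stay ahead of `mbufq_remove(gq, m);`, because `m_stailqpkt` and `m_nextpkt` share the same union slot in struct mbuf and STAILQ_REMOVE() poisons the removed element's link field under QUEUE_MACRO_DEBUG_TRASH; the ordering is correct as written, but a one-line comment saying the next pointer is saved before removal would keep a later reshuffle from reintroducing a dangling `m`. The hunk also renames `mt` to `m0` without showing either declaration: if `mt` has no remaining uses in igmp_v3_merge_state_changes(), its declaration should go as well, otherwise the build picks up an unused-variable warning.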
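Review bot: in the sys/sys/mbuf.h hunk, mbufq_remove() has no guard against `m` not being on `mq`: STAILQ_REMOVE() walks from the head looking for the predecessor and dereferences NULL if it runs off the end, and `mq->mq_len--` would then underflow, so an INVARIANTS-only `KASSERT(mq->mq_len > 0, ("mbufq_remove: empty queue"))` would turn a misuse into a readable panic. The removed packet also keeps its `m_nextpkt` link into the queue; the igmp caller frees `m` immediately so that is harmless there, but for a helper exported from sys/mbuf.h it is worth either clearing `m->m_nextpkt = NULL` before returning or documenting in a comment that the link is stale. A comment noting that removal is linear in the queue length (it walks the list, unlike mbufq_dequeue()) would also help future callers choose the right primitive.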
