Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 29 Aug 2018 15:55:26 +0000 (UTC)
From:      Stephen Hurd <shurd@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r338372 - head/sys/net
Message-ID:  <201808291555.w7TFtQKM065591@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: shurd
Date: Wed Aug 29 15:55:25 2018
New Revision: 338372
URL: https://svnweb.freebsd.org/changeset/base/338372

Log:
  Fix potential data corruption in iflib
  
  The MP ring may have txq pointers enqueued.  Previously, these were
  passed to m_free() when IFC_QFLUSH was set.  This patch checks for
  the value and doesn't call m_free().
  
  Reviewed by:	gallatin
  Approved by:	re (gjb)
  Sponsored by:	Limelight Networks
  Differential Revision:	https://reviews.freebsd.org/D16882

Modified:
  head/sys/net/iflib.c

Modified: head/sys/net/iflib.c
==============================================================================
--- head/sys/net/iflib.c	Wed Aug 29 14:01:27 2018	(r338371)
+++ head/sys/net/iflib.c	Wed Aug 29 15:55:25 2018	(r338372)
@@ -3636,7 +3636,8 @@ iflib_txq_drain(struct ifmp_ring *r, uint32_t cidx, ui
 	if (__predict_false(ctx->ifc_flags & IFC_QFLUSH)) {
 		DBG_COUNTER_INC(txq_drain_flushing);
 		for (i = 0; i < avail; i++) {
-			m_free(r->items[(cidx + i) & (r->size-1)]);
+			if (__predict_true(r->items[(cidx + i) & (r->size-1)] != (void *)txq)
+				m_free(r->items[(cidx + i) & (r->size-1)]);
 			r->items[(cidx + i) & (r->size-1)] = NULL;
 		}
 		return (avail);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201808291555.w7TFtQKM065591>