From a520f8b6febebde86aef71045a013bfa9fa5c295 Mon Sep 17 00:00:00 2001
From: Stephen Hurd
Date: Wed, 29 Aug 2018 15:55:25 +0000
Subject: [PATCH] Fix potential data corruption in iflib

The MP ring may have txq pointers enqueued. Previously, these were passed to m_free() when IFC_QFLUSH was set. This patch checks for the value and doesn't call m_free().

Reviewed by: gallatin
Approved by: re (gjb)
Sponsored by: Limelight Networks
Differential Revision: https://reviews.freebsd.org/D16882
---
 sys/net/iflib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/net/iflib.c b/sys/net/iflib.c
index bf361955ddf..b71da1fdfc8 100644
--- a/sys/net/iflib.c
+++ b/sys/net/iflib.c
@@ -3636,7 +3636,8 @@ iflib_txq_drain(struct ifmp_ring *r, uint32_t cidx, uint32_t pidx)
 if (__predict_false(ctx->ifc_flags & IFC_QFLUSH)) {
 DBG_COUNTER_INC(txq_drain_flushing);
 for (i = 0; i < avail; i++) {
- m_free(r->items[(cidx + i) & (r->size-1)]);
+ if (__predict_true(r->items[(cidx + i) & (r->size-1)] != (void *)txq)
+ m_free(r->items[(cidx + i) & (r->size-1)]);
 r->items[(cidx + i) & (r->size-1)] = NULL;
 }
 return (avail);
--
2.45.0
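Review bot: The added `if` line has unbalanced parentheses as shown on this page: `__predict_true(` is closed but the `if (` that wraps it is not, so the flush loop would not compile in this form. Unless that is a transcription artifact, the line should read `if (__predict_true(r->items[(cidx + i) & (r->size-1)] != (void *)txq))`. The guard is also the only thing keeping a non-mbuf pointer out of the mbuf free path, so it deserves a short comment such as `/* ring slots may hold the txq pointer itself rather than an mbuf; never free it */`. The body of iflib_txq_drain starts and continues outside this hunk, so how `txq` is derived is not visible here.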