if_vxlan: Update *m0 after a pullup
ClosedPublic
Actions

Authored by markj on Mon, May 11, 3:11 PM.

Details

Reviewers

zlei
pouria

Group Reviewers

network

Commits

rGa6c4fe2d1a38: if_vxlan: Update *m0 after a pullup

Summary

vxlan_input()'s caller is supposed to free *m0 if it is non-NULL after
the function returns. vxlan_input() failed to free *m0 after the pullup
however, so if m_pullup() fails or we hit an error case, we'd free the
mbuf twice.

Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Mon, May 11, 3:11 PM

Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptMon, May 11, 3:11 PM

markj requested review of this revision.Mon, May 11, 3:11 PM

Harbormaster completed remote builds in B72983: Diff 177586.Mon, May 11, 3:11 PM

Oops ! My stupid mistake.

vxlan_input() failed to free *m0 after the pullup
however, so if m_pullup() fails or we hit an error case, we'd free the
mbuf twice.

The description is not accurate.

m_pullup() can end up three cases:

It fails. Then the original mbuf is freed, and *m0 is set to NULL. The caller will not free a NULL mbuf. Nothing bad will happen.
It succeeds, but no new mbuf allocated. In this case the m == *m0; Nothing bad will happen.
It succeeds with new mbuf allocated. In this case m != *m0, thus will leak memory and free a freed mbuf.

This revision is now accepted and ready to land.Mon, May 11, 4:17 PM

In D56944#1304377, @zlei wrote:

Oops ! My stupid mistake.

vxlan_input() failed to free *m0 after the pullup
however, so if m_pullup() fails or we hit an error case, we'd free the
mbuf twice.

The description is not accurate.

m_pullup() can end up three cases:

It fails. Then the original mbuf is freed, and *m0 is set to NULL. The caller will not free a NULL mbuf. Nothing bad will happen.

Yes, my mistake.

It succeeds, but no new mbuf allocated. In this case the m == *m0; Nothing bad will happen.

Right.

It succeeds with new mbuf allocated. In this case m != *m0, thus will leak memory and free a freed mbuf.

If an error occurs, yes.

Emm, the if_vxlan(4) is not virtualized yet. @hrs attempted the first, me the second, and @kp the third. It is better to proceed to have tests for it.

In D56944#1304393, @zlei wrote:

Emm, the if_vxlan(4) is not virtualized yet. @hrs attempted the first, me the second, and @kp the third. It is better to proceed to have tests for it.

Sorry, I don't quite follow what you're asking for?

pouria accepted this revision as: pouria.Mon, May 11, 8:50 PM

In D56944#1304407, @markj wrote:

In D56944#1304393, @zlei wrote:

Emm, the if_vxlan(4) is not virtualized yet. @hrs attempted the first, me the second, and @kp the third. It is better to proceed to have tests for it.

Sorry, I don't quite follow what you're asking for?