git: 54e213d95ff5 - stable/15 - igmp: Avoid leaving dangling pointers in the state-change queue
Date: Tue, 19 May 2026 14:08:49 UTC
The branch stable/15 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=54e213d95ff554190359fb0ae07927eea8e55d1d
commit 54e213d95ff554190359fb0ae07927eea8e55d1d
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-12 17:53:49 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-19 14:08:32 +0000
igmp: Avoid leaving dangling pointers in the state-change queue
When igmp_v3_merge_state_changes() is iterating over state-change
packets, there is a case where it'll free a queued packet but will fail
to remove it from the queue. Fix that.
Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai
Reviewed by: pouria, glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56947
(cherry picked from commit beab4a237a45aea809e81802b9e1e9ff30f3d929)
---
sys/netinet/igmp.c | 8 +++++---
sys/sys/mbuf.h | 8 ++++++++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index 63a44bbcfb7a..5d52abd32c21 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -3327,10 +3327,12 @@ igmp_v3_merge_state_changes(struct in_multi *inm, struct mbufq *scq)
CTR2(KTR_IGMPV3,
"%s: outbound queue full, skipping whole packet %p",
__func__, m);
- mt = m->m_nextpkt;
- if (!docopy)
+ m0 = m->m_nextpkt;
+ if (!docopy) {
+ mbufq_remove(gq, m);
m_freem(m);
- m = mt;
+ }
+ m = m0;
continue;
}
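Review bot: the ordering in the `!docopy` branch is what makes this correct and deserves a comment: `m0 = m->m_nextpkt;` is read before `mbufq_remove(gq, m);`, and that order must be preserved, because `m_stailqpkt` is the same link field the queue uses, so removing first would leave `m0` pointing at whatever the remove macro left in the next pointer (trash under queue debugging) instead of the successor packet. A one-line comment above `m0 = m->m_nextpkt;` stating "save the successor before unlinking, since removal clobbers the link" would keep a future reordering from reintroducing the dangling-pointer bug this commit fixes. Two smaller points: the rename from `mt` to `m0` presumes `m0` is already declared in this function (its declaration is outside the hunk), so confirm `mt` has no remaining uses, and note that `mbufq_remove` is a linear walk of `gq`, which is acceptable only because this is the rare "outbound queue full" path.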
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index f9141bf70742..8a0a8e31d5b4 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1652,6 +1652,14 @@ mbufq_enqueue(struct mbufq *mq, struct mbuf *m)
return (0);
}
+static inline void
+mbufq_remove(struct mbufq *mq, struct mbuf *m)
+{
+
+ STAILQ_REMOVE(&mq->mq_head, m, mbuf, m_stailqpkt);
+ mq->mq_len--;
+}
+
static inline struct mbuf *
mbufq_dequeue(struct mbufq *mq)
{
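Review bot: the new `mbufq_remove` helper carries no comment stating its preconditions, namely that `m` must currently be linked in `mq` and that the call is O(n) in queue length because `STAILQ_REMOVE` walks from the head when `m` is not the first element. Both matter for a header-exported inline that other callers will pick up; a short block comment above `static inline void` would match the surrounding `mbufq_*` helpers. Since `mq->mq_len--;` silently underflows if the precondition is violated (and `STAILQ_REMOVE` would already have corrupted the list by then), consider guarding the decrement with a `KASSERT(mq->mq_len > 0, ...)` so INVARIANTS kernels fail loudly rather than carrying a wrong length. The empty line after the opening brace follows the older style(9) convention for functions without locals and is fine as is.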