git: d91ae61f8fc2 - main - iflib: null out freed mbuf in iflib_txsd_free
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 19 Jan 2026 15:50:01 UTC
The branch main has been updated by gallatin:
URL: https://cgit.FreeBSD.org/src/commit/?id=d91ae61f8fc2dd4ab3c208f25570b91a0725e2e4
commit d91ae61f8fc2dd4ab3c208f25570b91a0725e2e4
Author: Andrew Gallatin <gallatin@FreeBSD.org>
AuthorDate: 2026-01-19 15:41:02 +0000
Commit: Andrew Gallatin <gallatin@FreeBSD.org>
CommitDate: 2026-01-19 15:45:49 +0000
iflib: null out freed mbuf in iflib_txsd_free
When adding the IFLIB_GET_MBUF/FLAGS, I neglected to NULL out the
mbuf in the descriptor ring. I didn't think this should matter as
the I thought this code was only used when the ring was about
to be freed. But I was wrong, and leaving a stale mbuf in there can
cause panics.
Reported by: Marek Zarychta (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292547)
Fixes: 14d93f612f26
Sponsored by: Netflix
---
sys/net/iflib.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/net/iflib.c b/sys/net/iflib.c
index 5c37f199e84c..b0e4bb9470c9 100644
--- a/sys/net/iflib.c
+++ b/sys/net/iflib.c
@@ -1890,6 +1890,7 @@ iflib_txsd_free(if_ctx_t ctx, iflib_txq_t txq, int i)
bus_dmamap_unload(txq->ift_tso_buf_tag,
txq->ift_sds.ifsd_tso_map[i]);
}
+ txq->ift_sds.ifsd_m[i] = NULL;
m_freem(m);
DBG_COUNTER_INC(tx_frees);
}