altq codel: do not insert the same mtag twice

If we're called on an mbuf that's passed through codel before it may already contain the MTAG_CODEL tag. The code accounts for this and does not allocate a new mtag. However, it inserts the mtag unconditionally. That is, it inserts the existing mtag a second time. When the mbuf later gets freed we iterate over the list of mtags to fee them one by one, and we'll end up freeing an mtag that's already been freed. Only insert the mtag if we've allocated a new one. If we found one there's no need to insert it again. See also: https://redmine.pfsense.org/issues/14497 Sponsored by: Rubicon Communications, LLC ("Netgate")
2026-06-11 01:30:30 -04:00 · 2023-07-03 19:02:23 +02:00 · 2023-07-03 19:02:23 +02:00 · d0b0424fa0
commit d0b0424fa0
parent 3f21d3e0ba
1 changed files with 4 additions and 2 deletions
--- a/sys/net/altq/altq_codel.c
+++ b/sys/net/altq/altq_codel.c
@ -289,16 +289,18 @@ codel_addq(struct codel *c, class_queue_t *q, struct mbuf *m)

 	if (qlen(q) < qlimit(q)) {
 		mtag = m_tag_locate(m, MTAG_CODEL, 0, NULL);
-		if (mtag == NULL)
+		if (mtag == NULL) {
 			mtag = m_tag_alloc(MTAG_CODEL, 0, sizeof(uint64_t),
 			    M_NOWAIT);
+			if (mtag != NULL)
+				m_tag_prepend(m, mtag);
+		}
 		if (mtag == NULL) {
 			m_freem(m);
 			return (-1);
 		}
 		enqueue_time = (uint64_t *)(mtag + 1);
 		*enqueue_time = read_machclk();
-		m_tag_prepend(m, mtag);
 		_addq(q, m);
 		return (0);
 	}