From d0b0424fa0ca8fb239e00d6bdd5e6340b7a85e68 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Mon, 3 Jul 2023 19:02:23 +0200
Subject: [PATCH] altq codel: do not insert the same mtag twice
If we're called on an mbuf that's passed through codel before it may already contain the MTAG_CODEL tag. The code accounts for this and does not allocate a new mtag. However, it inserts the mtag unconditionally. That is, it inserts the existing mtag a second time. When the mbuf later gets freed we iterate over the list of mtags to fee them one by one, and we'll end up freeing an mtag that's already been freed. Only insert the mtag if we've allocated a new one. If we found one there's no need to insert it again.
See also: https://redmine.pfsense.org/issues/14497
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/net/altq/altq_codel.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/net/altq/altq_codel.c b/sys/net/altq/altq_codel.c
index be16a5aef3e..5006920ca68 100644
--- a/sys/net/altq/altq_codel.c
+++ b/sys/net/altq/altq_codel.c
@@ -289,16 +289,18 @@ codel_addq(struct codel *c, class_queue_t *q, struct mbuf *m)
 if (qlen(q) < qlimit(q)) {
 mtag = m_tag_locate(m, MTAG_CODEL, 0, NULL);
- if (mtag == NULL)
+ if (mtag == NULL) {
 mtag = m_tag_alloc(MTAG_CODEL, 0, sizeof(uint64_t), M_NOWAIT);
+ if (mtag != NULL)
+ m_tag_prepend(m, mtag);
+ }
 if (mtag == NULL) {
 m_freem(m);
 return (-1);
 }
 enqueue_time = (uint64_t *)(mtag + 1);
 *enqueue_time = read_machclk();
- m_tag_prepend(m, mtag);
 _addq(q, m);
 return (0);
 }
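Review bot: The new `if (mtag == NULL) { ... }` branch carries no comment recording why `m_tag_prepend()` is now limited to a freshly allocated tag, and that ownership rule is the only thing keeping the double free described in the commit message from being reintroduced by a later cleanup. I would add above the branch: `/* A tag found by m_tag_locate() is already linked on m; prepend only a newly allocated one, or m_freem() will free it twice. */`. Separately, the reuse path still writes `*enqueue_time` into the located tag on the assumption that its payload is at least `sizeof(uint64_t)`; that holds only if every MTAG_CODEL tag is allocated with that length, which this hunk does not show, so it is worth confirming or asserting. codel_addq's body starts before the hunk and appears to continue after it.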