Fix potential data corruption in iflib

The MP ring may have txq pointers enqueued.  Previously, these were
passed to m_free() when IFC_QFLUSH was set.  This patch checks for
the value and doesn't call m_free().

Reviewed by:	gallatin
Approved by:	re (gjb)
Sponsored by:	Limelight Networks
Differential Revision:	https://reviews.freebsd.org/D16882
shurd 2018-08-29 15:55:25 +00:00
parent 2a0d911790
commit ab689463dd


@ -3636,7 +3636,8 @@ iflib_txq_drain(struct ifmp_ring *r, uint32_t cidx, uint32_t pidx)
if (__predict_false(ctx->ifc_flags & IFC_QFLUSH)) { if (__predict_false(ctx->ifc_flags & IFC_QFLUSH)) {
DBG_COUNTER_INC(txq_drain_flushing); DBG_COUNTER_INC(txq_drain_flushing);
for (i = 0; i < avail; i++) { for (i = 0; i < avail; i++) {
m_free(r->items[(cidx + i) & (r->size-1)]); if (__predict_true(r->items[(cidx + i) & (r->size-1)] != (void *)txq)
m_free(r->items[(cidx + i) & (r->size-1)]);
r->items[(cidx + i) & (r->size-1)] = NULL; r->items[(cidx + i) & (r->size-1)] = NULL;
} }
return (avail); return (avail);
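Review bot: The flush loop still releases each ring entry with `m_free()`, which frees only a single mbuf. If the enqueued entries can be multi-mbuf chains, the rest of each chain is leaked on every IFC_QFLUSH drain, so `m_freem(r->items[(cidx + i) & (r->size-1)]);` looks like the safer call here. The new guard also needs a comment explaining why a non-mbuf pointer can appear in the ring, for example `/* the MP ring may have the txq pointer enqueued; it is not an mbuf and must not be freed */`, because passing it to the mbuf free routine is the corruption this change prevents. Any other code that treats `r->items` entries as mbufs is outside this hunk and should be checked for the same assumption. The body of iflib_txq_drain starts and ends outside the hunk.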