From a6c4fe2d1a38885914b1c3e85508b965ccdb7874 Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Tue, 12 May 2026 17:50:15 +0000 Subject: [PATCH] if_vxlan: Update *m0 after a pullup vxlan_input()'s caller is supposed to free *m0 if it is non-NULL after the function returns. vxlan_input() failed to update *m0 after the pullup however, so if it hits an error case after the pullup, we'll free the mbuf twice. Currently this can happen only if the interface is brought down or due to a packet loop. Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai Reviewed by: pouria, zlei MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D56944 --- sys/net/if_vxlan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys/net/if_vxlan.c b/sys/net/if_vxlan.c index 3d51c3c421f..da219217480 100644 --- a/sys/net/if_vxlan.c +++ b/sys/net/if_vxlan.c @@ -2876,8 +2876,7 @@ vxlan_input(struct vxlan_socket *vso, uint32_t vni, struct mbuf **m0, ifp = sc->vxl_ifp; if (m->m_len < ETHER_HDR_LEN && - (m = m_pullup(m, ETHER_HDR_LEN)) == NULL) { - *m0 = NULL; + (m = *m0 = m_pullup(m, ETHER_HDR_LEN)) == NULL) { error = ENOBUFS; goto out; }