The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=a6c4fe2d1a38885914b1c3e85508b965ccdb7874
commit a6c4fe2d1a38885914b1c3e85508b965ccdb7874 Author: Mark Johnston <[email protected]> AuthorDate: 2026-05-12 17:50:15 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2026-05-12 20:05:19 +0000 if_vxlan: Update *m0 after a pullup vxlan_input()'s caller is supposed to free *m0 if it is non-NULL after the function returns. vxlan_input() failed to update *m0 after the pullup however, so if it hits an error case after the pullup, we'll free the mbuf twice. Currently this can happen only if the interface is brought down or due to a packet loop. Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai Reviewed by: pouria, zlei MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D56944 --- sys/net/if_vxlan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys/net/if_vxlan.c b/sys/net/if_vxlan.c index 3d51c3c421ff..da219217480f 100644 --- a/sys/net/if_vxlan.c +++ b/sys/net/if_vxlan.c @@ -2876,8 +2876,7 @@ vxlan_input(struct vxlan_socket *vso, uint32_t vni, struct mbuf **m0, ifp = sc->vxl_ifp; if (m->m_len < ETHER_HDR_LEN && - (m = m_pullup(m, ETHER_HDR_LEN)) == NULL) { - *m0 = NULL; + (m = *m0 = m_pullup(m, ETHER_HDR_LEN)) == NULL) { error = ENOBUFS; goto out; }
