From: zhouyi zhou
To: freebsd-bugs@freebsd.org
Date: Sun, 26 Mar 2006 11:10:31 +0800
Subject: m_tag_delete_chain do something bad in FreeBSD MAC Framework and IPSEC confliction
Message-Id: <20060326111031.5139a951.zhouyi04@ios.cn>
Organization: Institute of Software

Dear Colleagues:

I reexamined the cause of the conflict between MAC and IPSEC.
The reason is that performing m_tag_delete_chain(to, NULL) in the functions
m_move_pkthdr and m_dup_pkthdr will cause IPSEC to do something bad to the
mbuf's label.

You can comment out the m_tag_delete_chain in the functions m_move_pkthdr and
m_dup_pkthdr, and do as follows so that no MAC label is allocated to the mbufs
that act as "to" in m_move_pkthdr and m_dup_pkthdr:

static int
mb_ctor_mbuf(void *mem, int size, void *arg, int how)
{
	struct mbuf *m;
	struct mb_args *args;
#ifdef MAC
	int error;
#endif
	int flags;
	short type;

#ifdef INVARIANTS
	trash_ctor(mem, size, arg, how);
#endif
	m = (struct mbuf *)mem;
	args = (struct mb_args *)arg;
	flags = args->flags;
	type = args->type;

	m->m_type = type;
	m->m_next = NULL;
	m->m_nextpkt = NULL;
	m->m_flags = flags;
	if (flags & M_PKTHDR) {
		m->m_data = m->m_pktdat;
		m->m_pkthdr.rcvif = NULL;
		m->m_pkthdr.csum_flags = 0;
		SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
		/* Skip the label allocation when the caller passes M_PROTO1 */
		if (!(flags & M_PROTO1)) {
			/* If the label init fails, fail the alloc */
			error = mac_init_mbuf(m, how);
			if (error)
				return (error);
		}
#endif
	} else
		m->m_data = m->m_dat;
	mbstat.m_mbufs += 1;	/* XXX */
	return (0);
}

and

static int
mb_ctor_pack(void *mem, int size, void *arg, int how)
{
	struct mbuf *m;
	struct mb_args *args;
#ifdef MAC
	int error;
#endif
	int flags;
	short type;

	m = (struct mbuf *)mem;
	args = (struct mb_args *)arg;
	flags = args->flags;
	type = args->type;

#ifdef INVARIANTS
	trash_ctor(m->m_ext.ext_buf, MCLBYTES, arg, how);
#endif
	m->m_type = type;
	m->m_next = NULL;
	m->m_nextpkt = NULL;
	m->m_data = m->m_ext.ext_buf;
	m->m_flags = flags|M_EXT;
	m->m_ext.ext_free = NULL;
	m->m_ext.ext_args = NULL;
	m->m_ext.ext_size = MCLBYTES;
	m->m_ext.ext_type = EXT_PACKET;
	m->m_ext.ref_cnt = NULL;	/* Lazy counter assign. */

	if (flags & M_PKTHDR) {
		m->m_pkthdr.rcvif = NULL;
		m->m_pkthdr.csum_flags = 0;
		SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
		/* Skip the label allocation when the caller passes M_PROTO1 */
		if (!(flags & M_PROTO1)) {
			/* If the label init fails, fail the alloc */
			error = mac_init_mbuf(m, how);
			if (error)
				return (error);
		}
#endif
	}
	mbstat.m_mbufs += 1;	/* XXX */
	mbstat.m_mclusts += 1;	/* XXX */
	return (0);
}

And in every place where there is an m_move_pkthdr or m_dup_pkthdr, for
example in the function m_defrag in uipc_mbuf.c:

	if (m0->m_pkthdr.len > MHLEN)
		m_final = m_getcl(how, MT_DATA, M_PKTHDR|M_PROTO1);
	else
		m_final = m_gethdrnolabel(how, MT_DATA);
	if (m_final == NULL)
		goto nospace;
	if (m_dup_pkthdr(m_final, m0, how) == 0)
		goto nospace;

// The definition of m_gethdrnolabel is as follows:

struct mbuf *
m_gethdrnolabel(int how, short type)
{
	struct mb_args args;

	args.flags = M_PKTHDR|M_PROTO1;
	args.type = type;
	return (uma_zalloc_arg(zone_mbuf, &args, how));
}

Sincerely
Zhouyi Zhou
Institute of Software
Chinese Academy of Sciences
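
A simplified userland model of the tag accounting behind the two changes proposed in this message, added here as an example; it is not FreeBSD source and not the author's code. It assumes that m_move_pkthdr replaces the destination's tag list with the source's and that the MAC label is kept on that list; the `_model` names, the tag pool and the flag values are constructed for the model.

```c
#include <string.h>
#define M_PKTHDR 0x1	/* constructed flag values, for this model only */
#define M_PROTO1 0x2	/* reused by the message to mean "no MAC label" */
struct m_tag { struct m_tag *next; int in_use; };
struct mbuf { int m_flags; struct m_tag *tags; };
static struct m_tag pool[4];	/* static pool: an orphaned tag is just a count */
static int pool_next;

static void m_tag_delete_chain(struct mbuf *m)
{
	for (; m->tags != NULL; m->tags = m->tags->next)
		m->tags->in_use = 0;
}

/* Constructor as proposed in the message: label unless M_PROTO1 is set. */
static void mb_ctor_model(struct mbuf *m, int flags)
{
	m->m_flags = flags;
	m->tags = NULL;
	if ((flags & M_PKTHDR) && !(flags & M_PROTO1)) {
		m->tags = &pool[pool_next++];	/* stands in for mac_init_mbuf() */
		m->tags->in_use = 1;
	}
}

/* m_move_pkthdr reduced to tag handling: the copy replaces to's chain. */
static void m_move_pkthdr_model(struct mbuf *to, struct mbuf *from, int delete_first)
{
	if (delete_first)
		m_tag_delete_chain(to);
	to->tags = from->tags;
	from->tags = NULL;
}

/* Tags still allocated after one move and the release of the destination. */
static int orphaned_tags(int to_flags, int delete_first)
{
	struct mbuf from, to;
	memset(pool, 0, sizeof(pool));
	pool_next = 0;
	mb_ctor_model(&from, M_PKTHDR);
	mb_ctor_model(&to, to_flags);
	m_move_pkthdr_model(&to, &from, delete_first);
	m_tag_delete_chain(&to);
	return (pool[0].in_use + pool[1].in_use);
}

/* Exit status 0 when removing the delete alone orphans exactly the label. */
int main(void) { return (orphaned_tags(M_PKTHDR, 0) != 1); }
```

In this model, removing the delete while the destination is still labelled leaves one tag unreachable, and an unlabelled destination (M_PROTO1) leaves none, which is why the message pairs the two changes.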