Date: Fri, 13 Oct 2017 14:10:26 -0700
From: Gleb Smirnoff
To: Karim Fodil-Lemelin
Cc: Adrian Chadd, "Andrey V. Elsukov", FreeBSD Net
Subject: Re: m_move_pkthdr leaves m_nextpkt 'dangling'
Message-ID: <20171013211026.GB1055@FreeBSD.org>
References: <59567148.1020902@xiplink.com> <31535133-f95a-5db6-a04c-acc0175fa287@yandex.ru> <59DFD3CC.2000401@xiplink.com>

On Fri, Oct 13, 2017 at 12:59:47AM -0700, Adrian Chadd wrote:
A> >>>> When doing so m_move_pkthdr is called to copy the current PKTHDR fields
A> >>>> (tags and flags) to the mbuf that was prepended. The function also does:
A> >>>>
A> >>>>     to->m_pkthdr = from->m_pkthdr;
A> >>>>
A> >>>> This, for the case I am interested in, essentially leaves the 'from' mbuf
A> >>>> with a dangling pointer m_nextpkt pointing to the next fragment. While this
A> >>>> is mostly harmless because only mbufs of pkthdr types are supposed to have
A> >>>> m_nextpkt it triggers some panics when running with INVARIANTS in NetGraph
A> >>>> (see ng_base.c :: CHECK_DATA_MBUF(m)):
A> >>>>
A> >>>> ...
A> >>>>         if (n->m_nextpkt != NULL)                       \
A> >>>>                 panic("%s: m_nextpkt", __func__);       \
A> >>>> }
A> >>>> ...
A> >>>>
A> >>>> So I would like to propose the following patch:
A> >>>>
A> 
>>>> @@ -442,10 +442,11 @@ m_move_pkthdr(struct mbuf *to, struct mbuf *from) A> >>>> if ((to->m_flags & M_EXT) == 0) A> >>>> to->m_data = to->m_pktdat; A> >>>> to->m_pkthdr = from->m_pkthdr; /* especially tags */ A> >>>> SLIST_INIT(&from->m_pkthdr.tags); /* purge tags from src A> >>>> */ A> >>>> from->m_flags &= ~M_PKTHDR; A> >>>> + from->m_nextpkt = NULL; A> >>>> }

Not only mbufs of M_PKTHDR may have m_nextpkt set. However, I tend to
agree with the patch. But shouldn't we first copy the m_nextpkt to the
new mbuf:

+ to->m_nextpkt = from->m_nextpkt;
+ from->m_nextpkt = NULL;

Same way as we deal with tags.

-- 
Gleb Smirnoff
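
Review bot: The added `from->m_nextpkt = NULL;` at the end of m_move_pkthdr() clears the link without handing it to `to`, so if `from` was the head of a packet chain (the "next fragment" case in the quoted report) the following packets are no longer reachable from either mbuf unless the caller saved the pointer beforehand. The hunk accesses `m_nextpkt` as a field of the mbuf itself rather than of `m_pkthdr`, so the structure assignment `to->m_pkthdr = from->m_pkthdr` does not carry it over. Suggest moving it the way the tags are moved, `to->m_nextpkt = from->m_nextpkt;` followed by `from->m_nextpkt = NULL;`, and giving the new line a short comment like the ones on the neighbouring lines saying why the source pointer is cleared.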