From owner-svn-src-all@freebsd.org Tue May 12 17:18:45 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7E5912F52B5; Tue, 12 May 2020 17:18:45 +0000 (UTC) (envelope-from gallatin@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49M4K12kRlz4Wln; Tue, 12 May 2020 17:18:45 +0000 (UTC) (envelope-from gallatin@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 58B65B6A5; Tue, 12 May 2020 17:18:45 +0000 (UTC) (envelope-from gallatin@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 04CHIjMB076603; Tue, 12 May 2020 17:18:45 GMT (envelope-from gallatin@FreeBSD.org) Received: (from gallatin@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 04CHIjRh076602; Tue, 12 May 2020 17:18:45 GMT (envelope-from gallatin@FreeBSD.org) Message-Id: <202005121718.04CHIjRh076602@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gallatin set sender to gallatin@FreeBSD.org using -f From: Andrew Gallatin Date: Tue, 12 May 2020 17:18:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r360982 - head/sys/netinet6 X-SVN-Group: head X-SVN-Commit-Author: gallatin X-SVN-Commit-Paths: head/sys/netinet6 X-SVN-Commit-Revision: 360982 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 May 2020 17:18:45 -0000 Author: gallatin Date: Tue May 12 17:18:44 2020 New Revision: 360982 URL: https://svnweb.freebsd.org/changeset/base/360982 Log: IPv6: Fix a panic in the nd6 code with unmapped mbufs. If the neighbor entry for an IPv6 TCP session using unmapped mbufs times out, IPv6 will send an icmp6 dest. unreachable message. In doing this, it will try to do a software checksum on the reflected packet. If this is a TCP session using unmapped mbufs, then there will be a kernel panic. To fix this, just free packets with unmapped mbufs, rather than sending the icmp. Reviewed by: np, rrs Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24821 Modified: head/sys/netinet6/nd6.c Modified: head/sys/netinet6/nd6.c ============================================================================== --- head/sys/netinet6/nd6.c Tue May 12 17:07:28 2020 (r360981) +++ head/sys/netinet6/nd6.c Tue May 12 17:18:44 2020 (r360982) @@ -821,9 +821,27 @@ nd6_llinfo_timer(void *arg) clear_llinfo_pqueue(ln); } nd6_free(&ln, 0); - if (m != NULL) - icmp6_error2(m, ICMP6_DST_UNREACH, - ICMP6_DST_UNREACH_ADDR, 0, ifp); + if (m != NULL) { + struct mbuf *n = m; + + /* + * if there are any ummapped mbufs, we + * must free them, rather than using + * them for an ICMP, as they cannot be + * checksummed. + */ + while ((n = n->m_next) != NULL) { + if (n->m_flags & M_EXTPG) + break; + } + if (n != NULL) { + m_freem(m); + m = NULL; + } else { + icmp6_error2(m, ICMP6_DST_UNREACH, + ICMP6_DST_UNREACH_ADDR, 0, ifp); + } + } } break; case ND6_LLINFO_REACHABLE: