Date: Mon, 17 Feb 2020 16:44:23 -0800
From: Gleb Smirnoff
To: Hans Petter Selasky, bz@freebsd.org
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r358013 - in head/sys: net netinet netinet6

On Mon, Feb 17, 2020 at 09:46:32AM +0000, Hans Petter Selasky wrote:
H> Author: hselasky
H> Date: Mon Feb 17 09:46:32 2020
H> New Revision: 358013
H> URL: https://svnweb.freebsd.org/changeset/base/358013
H>
H> Log:
H>   Fix kernel panic while trying to read multicast stream.
H>
H>   When VIMAGE is enabled make sure the "m_pkthdr.rcvif" pointer is set
H>   for all mbufs being input by the IGMP/MLD6 code. Else there will be a
H>   NULL-pointer dereference in the netisr code when trying to set the
H>   VNET based on the incoming mbuf. Add an assert to catch this when
H>   queueing mbufs on a netisr to make debugging of similar cases easier.
H>
H>   Found by: Vladislav V.
Prodan H> PR: 244002 H> Reviewed by: bz@ H> MFC after: 1 week H> Sponsored by: Mellanox Technologies H> H> Modified: H> head/sys/net/netisr.c H> head/sys/netinet/igmp.c H> head/sys/netinet6/mld6.c H> H> Modified: head/sys/net/netisr.c H> ============================================================================== H> --- head/sys/net/netisr.c Mon Feb 17 01:59:55 2020 (r358012) H> +++ head/sys/net/netisr.c Mon Feb 17 09:46:32 2020 (r358013) H> @@ -1056,6 +1056,8 @@ netisr_queue_src(u_int proto, uintptr_t source, struct H> if (m != NULL) { H> KASSERT(!CPU_ABSENT(cpuid), ("%s: CPU %u absent", __func__, H> cpuid)); H> + VNET_ASSERT(m->m_pkthdr.rcvif != NULL, H> + ("%s:%d rcvif == NULL: m=%p", __func__, __LINE__, m)); H> error = netisr_queue_internal(proto, m, cpuid); H> } else H> error = ENOBUFS; H> H> Modified: head/sys/netinet/igmp.c H> ============================================================================== H> --- head/sys/netinet/igmp.c Mon Feb 17 01:59:55 2020 (r358012) H> +++ head/sys/netinet/igmp.c Mon Feb 17 09:46:32 2020 (r358013) H> @@ -303,6 +303,7 @@ igmp_save_context(struct mbuf *m, struct ifnet *ifp) H> #ifdef VIMAGE H> m->m_pkthdr.PH_loc.ptr = ifp->if_vnet; H> #endif /* VIMAGE */ H> + m->m_pkthdr.rcvif = ifp; H> m->m_pkthdr.flowid = ifp->if_index; H> } H> H> H> Modified: head/sys/netinet6/mld6.c H> ============================================================================== H> --- head/sys/netinet6/mld6.c Mon Feb 17 01:59:55 2020 (r358012) H> +++ head/sys/netinet6/mld6.c Mon Feb 17 09:46:32 2020 (r358013) H> 
@@ -283,6 +283,7 @@ mld_save_context(struct mbuf *m, struct ifnet *ifp) H> #ifdef VIMAGE H> m->m_pkthdr.PH_loc.ptr = ifp->if_vnet; H> #endif /* VIMAGE */ H> + m->m_pkthdr.rcvif = ifp; H> m->m_pkthdr.flowid = ifp->if_index; H> }

These functions, igmp_save_context() and mld_save_context(), were clearly designed to avoid dereferencing an ifnet pointer after a packet has been queued and dequeued on the IGMP/MLD internal queue. This patch now replicates exactly the same problem, but with the netisr queue. Of course netisr does not always queue, sometimes it dispatches directly, but it may queue.

I think the same thing needs to be done to netisr internally - don't dereference m->m_pkthdr.rcvif on dequeued packets, but store the vnet info in the m->m_pkthdr.PH_loc.ptr before queueing.

-- 
Gleb Smirnoff
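
Review bot: In the netisr_queue_src() hunk, the new VNET_ASSERT only checks that m->m_pkthdr.rcvif is non-NULL at the moment the mbuf is passed to netisr_queue_internal(); it cannot tell whether that ifnet is still valid when the packet is later dequeued and the pointer is followed to set the VNET. Consider having netisr record the vnet in the mbuf before queueing and use that on dequeue, as the reply in this thread suggests, and assert on the field that is actually consumed. Minor: the KASSERT just above formats its message as "%s: CPU %u absent" with __func__ only, while the new message adds __LINE__; one style for both would read more consistently.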
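
Review bot: In the igmp_save_context() hunk, the added "m->m_pkthdr.rcvif = ifp;" stores a raw ifnet pointer in a function whose other two stores keep only ifp->if_vnet and ifp->if_index, and nothing in the visible lines takes a reference on ifp for the time the mbuf sits in a queue. The assignment is also placed outside the #ifdef VIMAGE block although the commit message scopes the panic to VIMAGE kernels. A comment stating why the pointer is safe to keep, or moving the assignment inside the #ifdef if only the VNET lookup needs it, would make the intent reviewable.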
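
Review bot: In the mld_save_context() hunk, the added line leaves the visible body identical to igmp_save_context() in igmp.c, so any later correction to how the receive interface is recorded has to be made in both files. A shared helper for saving this context, or at least a cross-reference comment in each function, would keep the two from drifting apart.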
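
The pattern the reply describes, as a userspace model added here for illustration (not FreeBSD code and not from the thread): the enqueue side saves the vnet and interface index in the packet, and the dequeue side re-resolves the interface by index instead of following a saved ifnet pointer. The struct definitions, iftable, process_dequeued() and demo() are hypothetical stand-ins.

```c
#include <stddef.h>

/* Userspace model: simplified, hypothetical stand-ins for the kernel types. */
struct vnet { int id; };
struct ifnet { struct vnet *if_vnet; unsigned if_index; };
struct pkt {                  /* stands in for the mbuf packet header */
    struct vnet *saved_vnet;  /* role of m_pkthdr.PH_loc.ptr */
    unsigned flowid;          /* role of m_pkthdr.flowid */
};

#define MAXIF 8
static struct ifnet *iftable[MAXIF]; /* index -> live ifnet, NULL once detached */

/* Before queueing: copy what the consumer needs, keep no ifnet pointer. */
static void save_context(struct pkt *p, const struct ifnet *ifp)
{
    p->saved_vnet = ifp->if_vnet;
    p->flowid = ifp->if_index;
}

/* After dequeue: re-resolve the interface by index, since it may be gone.
 * Returns the vnet id the packet is processed in, or -1 if it is dropped. */
static int process_dequeued(const struct pkt *p)
{
    struct ifnet *ifp = p->flowid < MAXIF ? iftable[p->flowid] : NULL;

    if (ifp == NULL || ifp->if_vnet != p->saved_vnet)
        return -1;            /* interface detached or moved: drop */
    return p->saved_vnet->id;
}

/* Constructed scenario: optionally detach the interface while queued. */
static int demo(int detach_while_queued)
{
    struct vnet v = { 7 };
    struct ifnet ifn = { &v, 3 };
    struct pkt p;
    int r;

    iftable[3] = &ifn;
    save_context(&p, &ifn);   /* enqueue side */
    if (detach_while_queued)
        iftable[3] = NULL;    /* ifnet goes away; p holds no pointer to it */
    r = process_dequeued(&p); /* dequeue side */
    iftable[3] = NULL;
    return r;
}

int main(void) { return (demo(0) == 7 && demo(1) == -1) ? 0 : 1; }
```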