From owner-svn-src-all@freebsd.org Tue Feb 18 11:38:39 2020
Subject: Re: svn commit: r358013 - in head/sys: net netinet netinet6
From: Hans Petter Selasky <hps@selasky.org>
To: Gleb Smirnoff, bz@freebsd.org
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Tue, 18 Feb 2020 12:37:49 +0100
Message-ID: <6bbdea0e-c42e-6296-2a13-3dbae1d1cdc7@selasky.org>
In-Reply-To: <20200218004423.GG5741@FreeBSD.org>
References: <202002170946.01H9kWAh078738@repo.freebsd.org> <20200218004423.GG5741@FreeBSD.org>
List-Id: SVN commit messages for the entire src tree (except for "user" and "projects")

On 2020-02-18 01:44, Gleb Smirnoff wrote:
> On Mon, Feb 17, 2020 at 09:46:32AM +0000, Hans Petter Selasky wrote:
> H> Author: hselasky
> H> Date: Mon Feb 17 09:46:32 2020
> H> New Revision: 358013
> H> URL: https://svnweb.freebsd.org/changeset/base/358013
> H> 
> H> Log:
> H>   Fix kernel panic while trying to read multicast stream.
> H>   
> H>   When VIMAGE is enabled make sure the "m_pkthdr.rcvif" pointer is set
> H>   for all mbufs being input by the IGMP/MLD6 code. Else there will be a
> H>   NULL-pointer dereference in the netisr code when trying to set the
> H>   VNET based on the incoming mbuf. Add an assert to catch this when
> H>   queueing mbufs on a netisr to make debugging of similar cases easier.
> H>   
> H>   Found by:	Vladislav V. Prodan
> H>   PR:		244002
> H>   Reviewed by:	bz@
> H>   MFC after:	1 week
> H>   Sponsored by:	Mellanox Technologies
> H> 
> H> Modified:
> H>   head/sys/net/netisr.c
> H>   head/sys/netinet/igmp.c
> H>   head/sys/netinet6/mld6.c
> H> 
> H> Modified: head/sys/net/netisr.c
> H> ==============================================================================
> H> --- head/sys/net/netisr.c	Mon Feb 17 01:59:55 2020	(r358012)
> H> +++ head/sys/net/netisr.c	Mon Feb 17 09:46:32 2020	(r358013)
> H> @@ -1056,6 +1056,8 @@ netisr_queue_src(u_int proto, uintptr_t source, struct
> H>  	if (m != NULL) {
> H>  		KASSERT(!CPU_ABSENT(cpuid), ("%s: CPU %u absent", __func__,
> H>  		    cpuid));
> H> +		VNET_ASSERT(m->m_pkthdr.rcvif != NULL,
> H> +		    ("%s:%d rcvif == NULL: m=%p", __func__, __LINE__, m));
> H>  		error = netisr_queue_internal(proto, m, cpuid);
> H>  	} else
> H>  		error = ENOBUFS;
> H> 
> H> Modified: head/sys/netinet/igmp.c
> H> ==============================================================================
> H> --- head/sys/netinet/igmp.c	Mon Feb 17 01:59:55 2020	(r358012)
> H> +++ head/sys/netinet/igmp.c	Mon Feb 17 09:46:32 2020	(r358013)
> H> @@ -303,6 +303,7 @@ igmp_save_context(struct mbuf *m, struct ifnet *ifp)
> H>  #ifdef VIMAGE
> H>  	m->m_pkthdr.PH_loc.ptr = ifp->if_vnet;
> H>  #endif /* VIMAGE */
> H> +	m->m_pkthdr.rcvif = ifp;
> H>  	m->m_pkthdr.flowid = ifp->if_index;
> H>  }
> H>  
> H> 
> H> Modified: head/sys/netinet6/mld6.c
> H> ==============================================================================
> H> --- head/sys/netinet6/mld6.c	Mon Feb 17 01:59:55 2020	(r358012)
> H> +++ head/sys/netinet6/mld6.c	Mon Feb 17 09:46:32 2020	(r358013)
> H> @@ -283,6 +283,7 @@ mld_save_context(struct mbuf *m, struct ifnet *ifp)
> H>  #ifdef VIMAGE
> H>  	m->m_pkthdr.PH_loc.ptr = ifp->if_vnet;
> H>  #endif /* VIMAGE */
> H> +	m->m_pkthdr.rcvif = ifp;
> H>  	m->m_pkthdr.flowid = ifp->if_index;
> H>  }
> 
> These functions igmp_save_context() and mld_save_context() were clearly
> designed to avoid dereferencing an ifnet pointer after a packet has been
> queued and dequeued on the IGMP/MLD internal queue.
> 
> This patch now replicates exactly the same problem but with the netisr
> queue. Of course netisr does not always queue, sometimes it dispatches
> directly, but it may queue.
> 
> I think the same thing needs to be done to netisr internally - don't
> dereference m->m_pkthdr.rcvif on dequeued packets, but store the
> vnet info in m->m_pkthdr.PH_loc.ptr before queueing.
> 

Hi,

I agree the if_vnet could be dereferenced in general when queueing a
packet for the netisr. Are we certain that m->m_pkthdr.PH_loc.ptr is
always available?

Should then the netisr clear the rcvif? Or is this too dangerous?

Then further, overriding the VNET inside the IGMP/MLD6 packet handler
should be removed, because this is done inside the netisr.

--HPS
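Review bot: in the netisr.c hunk, the VNET_ASSERT added after the KASSERT in netisr_queue_src() only catches a NULL m_pkthdr.rcvif in a build where assertions are compiled in; the commit message itself presents it as a debugging aid, so in other builds an mbuf without rcvif still reaches netisr_queue_internal() and the NULL dereference on dequeue is unchanged. Since the hunk covers only the queueing entry point, consider asserting the same precondition where the direct-dispatch path takes the mbuf, and consider having the dequeue side drop and count an mbuf whose rcvif is NULL rather than depending on every producer to set it.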
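Review bot: in the igmp.c hunk, `+	m->m_pkthdr.rcvif = ifp;` stores a raw ifnet pointer that is then carried across the netisr queue with no reference held, while the `m->m_pkthdr.PH_loc.ptr = ifp->if_vnet;` line two lines above already preserves the only thing the consumer needs under VIMAGE; if the interface is detached before the packet is dequeued, the new field is a dangling pointer. If netisr must see a non-NULL rcvif, whatever step later undoes this saved context (clearing PH_loc.ptr and flowid again) should clear rcvif too, and the consumer should prefer the saved vnet over rcvif->if_vnet. Note also that the new line is unconditional while the vnet save sits under #ifdef VIMAGE, so the two fields are only kept in step on VIMAGE builds.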
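Review bot: the mld6.c hunk has the same problem as the igmp.c one: mld_save_context() now carries an unreferenced ifnet pointer in rcvif across the queue even though PH_loc.ptr already holds if_vnet under VIMAGE. Whatever is decided for igmp_save_context() should be mirrored here, including any clearing of rcvif when the saved context is scrubbed, so the two functions stay textually identical as they are in this patch.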
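As an added illustration (not code from the commit, from FreeBSD, or from either poster), here is a userland C model of the two ways this exchange contrasts for recovering a dequeued packet's vnet: through m_pkthdr.rcvif, as the commit message says netisr does, or from the vnet saved in m_pkthdr.PH_loc.ptr before queueing, as Gleb proposes. The structs, the queue and every function name are stand-ins defined in the block, interface detach is simulated with a flag rather than a real free, and the three-packet scenario is constructed. It does not answer Hans Petter's question of whether PH_loc.ptr is always available.

```c
/*
 * Userland model of the hazard this thread discusses: a pointer captured
 * before a packet is queued and dereferenced after it is dequeued. Added
 * illustration, not FreeBSD kernel code: the structs and function names
 * are stand-ins; fields follow the kernel fields they mimic
 * (m_pkthdr.rcvif, m_pkthdr.PH_loc.ptr, if_vnet). Detach is simulated.
 */
#include <stdio.h>
#include <string.h>

struct vnet { int id; };

struct ifnet {
	struct vnet *if_vnet;
	int if_detached;	/* stand-in for "this ifnet has been freed" */
};

struct mbuf {
	struct ifnet *rcvif;	/* m->m_pkthdr.rcvif */
	void *ph_loc_ptr;	/* m->m_pkthdr.PH_loc.ptr */
};

/* What igmp_save_context()/mld_save_context() do as of r358013. */
static void
save_context(struct mbuf *m, struct ifnet *ifp)
{
	m->ph_loc_ptr = ifp->if_vnet;	/* the existing VIMAGE branch */
	m->rcvif = ifp;			/* the line the commit adds */
}

enum lookup {
	LOOKUP_OK,		/* a vnet was recovered */
	LOOKUP_NO_CONTEXT,	/* kernel: the NULL dereference of PR 244002 */
	LOOKUP_STALE_IFNET	/* kernel: touching an ifnet that is gone */
};

/* The netisr path the commit message describes: vnet from rcvif. */
static enum lookup
vnet_via_rcvif(const struct mbuf *m, struct vnet **vp)
{
	*vp = NULL;
	if (m->rcvif == NULL)
		return (LOOKUP_NO_CONTEXT);
	if (m->rcvif->if_detached)
		return (LOOKUP_STALE_IFNET);
	*vp = m->rcvif->if_vnet;
	return (LOOKUP_OK);
}

/* What Gleb proposes: the vnet saved before queueing, never rcvif. */
static enum lookup
vnet_via_saved_context(const struct mbuf *m, struct vnet **vp)
{
	*vp = m->ph_loc_ptr;
	return (*vp != NULL ? LOOKUP_OK : LOOKUP_NO_CONTEXT);
}

struct tally { int ok_rcvif, no_ctx_rcvif, stale_rcvif, ok_saved; };

/*
 * Constructed scenario: three packets wait on a queue (an array, in arrival
 * order); the interface behind the second is detached meanwhile, and the
 * third was queued by a path that saved the vnet but never set rcvif.
 */
struct tally
run_scenario(void)
{
	struct vnet vnet0 = { 0 };
	struct ifnet em0 = { &vnet0, 0 }, em1 = { &vnet0, 0 };
	struct mbuf queue[3];
	struct tally t = { 0, 0, 0, 0 };
	struct vnet *v;

	memset(queue, 0, sizeof(queue));
	save_context(&queue[0], &em0);
	save_context(&queue[1], &em1);
	queue[2].ph_loc_ptr = &vnet0;	/* rcvif deliberately left NULL */
	em1.if_detached = 1;		/* em1 goes away while queued */

	for (int i = 0; i < 3; i++) {
		switch (vnet_via_rcvif(&queue[i], &v)) {
		case LOOKUP_OK:		 t.ok_rcvif++; break;
		case LOOKUP_NO_CONTEXT:	 t.no_ctx_rcvif++; break;
		case LOOKUP_STALE_IFNET: t.stale_rcvif++; break;
		}
		if (vnet_via_saved_context(&queue[i], &v) == LOOKUP_OK)
			t.ok_saved++;
	}
	return (t);
}

int
main(void)
{
	struct tally t = run_scenario();
	printf("via rcvif: ok=%d null=%d stale=%d; via saved vnet: ok=%d\n",
	    t.ok_rcvif, t.no_ctx_rcvif, t.stale_rcvif, t.ok_saved);
	return (0);
}
```

In this constructed run only the saved-vnet path resolves all three packets; the rcvif path hits one NULL pointer (the PR 244002 case) and one interface that no longer exists (the case Gleb's comment is about). The model's if_detached flag stands in for freed memory: in the kernel the second lookup is not a clean error but a use of a gone ifnet.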