Date:      Wed, 27 Dec 2017 23:59:37 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Navdeep Parhar <np@FreeBSD.org>, Harsh Jain <harsh@chelsio.com>, freebsd-net@freebsd.org
Subject:   Re: [freebsd-current]Who should reset M_PKTHDR flag in m_buf when IP packets are fragmented. m_unshare panic throw when IPSec is enabled
Message-ID:  <edc841d1-d895-f834-1462-1fb454dd8304@yandex.ru>
In-Reply-To: <c70e3596-89c2-67e8-e635-06789c2697be@FreeBSD.org>
References:  <73302ead-b2e9-c25b-4d11-475f38dec1a1@chelsio.com> <993c58bb-3bf2-d6a3-9a05-13e1631aec87@yandex.ru> <fdb72f54-efdd-c54b-c8f7-c53057d24adf@chelsio.com> <c7513431-202e-55e4-e8be-2e3dffb897e9@yandex.ru> <c70e3596-89c2-67e8-e635-06789c2697be@FreeBSD.org>

On 27.12.2017 23:09, Navdeep Parhar wrote:
>> It is not clear to me why it helps. The panic happens on outbound path,
>> where mbuf should be allocated by network stack and should be writeable.
>> ip_reass() usually used on inbound path. I think the patch just hides
>> the problem in another place.
>> Do you mean that cxgbe can produce !WRITEABLE mbuf for received packet
>> and then pass it to the network stack?
>
> Yes, cxgbe does that.  But I think the real bug here is in ip_reass
> because it doesn't properly get rid of the pkthdr of the fragments while
> creating the reassembled datagram.  cxgbe happens to trip on this easily
> because it often creates !WRITEABLE mbufs.

From a quick look, I don't see code in netipsec or in crypto that
checks that the mbuf is WRITEABLE. It is expected that in most cases for
a received mbuf the data will be decrypted and copied back into the given
buffer. Can this lead to memory corruption?

> This should fix it:
> https://people.freebsd.org/~np/ip_reass_demotehdr.diff
>
> It will also fix leaks in configurations where mbuf tags are in use by
> default (for example with MAC), ip_reass is involved during rx, and the
> mbuf chain never gets m_demote'd elsewhere (meaning ip_reass should have
> freed the tags itself).

I think such a chain with several mbufs with the M_PKTHDR flag is created
by m_cat() due to !WRITEABLE mbufs. And when the mbuf chain is freed, the
tags chain will also be destroyed by the mbuf zone destructor.

If you think it solves the problem, the IPv6 fragment reassembly
probably needs the same code. But I think the fact that the M_WRITEABLE
flag is not properly handled is a problem too.

-- 
WBR, Andrey V. Elsukov


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?edc841d1-d895-f834-1462-1fb454dd8304>
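
The memory-corruption question in the message above, an in-place write into buffer storage that another holder still references, shown as a toy userland model. This is an added example, not code from the thread or from FreeBSD: `toy_ext`, `toy_mbuf` and every function name are hypothetical, and only the reference-count part of a writability test is modelled.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy userland model; all names are hypothetical, not the kernel mbuf API. */
struct toy_ext { unsigned refcnt; size_t len; uint8_t data[64]; };
struct toy_mbuf { struct toy_ext *ext; };

/* Writable only while this mbuf holds the sole reference to the storage. */
static int toy_writable(const struct toy_mbuf *m)
{
    return m->ext->refcnt == 1;
}

/* In-place transform with no check (stand-in for decrypting into the buffer). */
static void xor_unchecked(struct toy_mbuf *m, uint8_t key)
{
    for (size_t i = 0; i < m->ext->len; i++)
        m->ext->data[i] ^= key;
}

/* Checked variant: switch to a private copy first when the storage is shared. */
static int xor_checked(struct toy_mbuf *m, uint8_t key)
{
    if (!toy_writable(m)) {
        struct toy_ext *copy = malloc(sizeof(*copy));
        if (copy == NULL) return -1;
        memcpy(copy, m->ext, sizeof(*copy));
        copy->refcnt = 1;
        m->ext->refcnt--;      /* release our reference to the shared storage */
        m->ext = copy;
    }
    xor_unchecked(m, key);
    return 0;
}

/* Constructed scenario: returns 1 if the other holder's bytes are unchanged. */
static int other_view_intact(int use_check)
{
    struct toy_ext shared = { .refcnt = 2, .len = 4, .data = "abcd" };
    struct toy_mbuf rx = { &shared };
    if (use_check) (void)xor_checked(&rx, 0x5a);
    else xor_unchecked(&rx, 0x5a);
    int intact = memcmp(shared.data, "abcd", 4) == 0;
    if (rx.ext != &shared) free(rx.ext);
    return intact;
}

int main(void) { return !(other_view_intact(0) == 0 && other_view_intact(1) == 1); }
```

The unchecked path changes the bytes seen by the second holder of the storage; the checked path leaves them untouched because the write lands in a private copy.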