Date: Wed, 27 Dec 2017 23:59:37 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Navdeep Parhar <np@FreeBSD.org>, Harsh Jain <harsh@chelsio.com>, freebsd-net@freebsd.org
Subject: Re: [freebsd-current]Who should reset M_PKTHDR flag in m_buf when IP packets are fragmented. m_unshare panic throw when IPSec is enabled
Message-ID: <edc841d1-d895-f834-1462-1fb454dd8304@yandex.ru>
In-Reply-To: <c70e3596-89c2-67e8-e635-06789c2697be@FreeBSD.org>
References: <73302ead-b2e9-c25b-4d11-475f38dec1a1@chelsio.com> <993c58bb-3bf2-d6a3-9a05-13e1631aec87@yandex.ru> <fdb72f54-efdd-c54b-c8f7-c53057d24adf@chelsio.com> <c7513431-202e-55e4-e8be-2e3dffb897e9@yandex.ru> <c70e3596-89c2-67e8-e635-06789c2697be@FreeBSD.org>

On 27.12.2017 23:09, Navdeep Parhar wrote:
>> It is not clear to me why it helps. The panic happens on outbound path,
>> where mbuf should be allocated by network stack and should be writeable.
>> ip_reass() usually used on inbound path. I think the patch just hides
>> the problem in another place.
>> Do you mean that cxgbe can produce !WRITEABLE mbuf for received packet
>> and then pass it to the network stack?
>
> Yes, cxgbe does that. But I think the real bug here is in ip_reass
> because it doesn't properly get rid of the pkthdr of the fragments while
> creating the reassembled datagram. cxgbe happens to trip on this easily
> because it often creates !WRITEABLE mbufs.

From the quick look, I don't see the code in netipsec and in crypto,
that does check mbuf is WRITEABLE. It is expected that in most cases for
received mbuf the data will be decrypted and copied back into the given
buffer. Can this lead to memory corruption?

> This should fix it:
> https://people.freebsd.org/~np/ip_reass_demotehdr.diff
>
> It will also fix leaks in configurations where mbuf tags are in use by
> default (for example with MAC), ip_reass is involved during rx, and the
> mbuf chain never gets m_demote'd elsewhere (meaning ip_reass should have
> freed the tags itself).

I think such chain with several mbufs with M_PKTHDR flag is created with
m_cat() due to !WRITEABLE mbufs. And when mbuf chain will be freed, the
tags chain will be also destroyed by mbuf zone destructor.

If you think it solves the problem, the IPv6 fragment reassembly
probably needs the same code. But I think that M_WRITEABLE flag is not
properly handled is the problem too.

-- 
WBR, Andrey V. Elsukov
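
Added example, not part of this thread or of the FreeBSD source: a user-space C model of the situation discussed in the message above, where fragments held in non-writable buffers are linked rather than merged during concatenation and therefore keep their own packet-header flag unless it is stripped first. `model_mbuf`, `model_cat`, `model_stray_pkthdrs`, `model_reass`, `MF_PKTHDR`, `MF_RDONLY` and `MBUF_CAP` are hypothetical stand-ins with constructed values, not kernel definitions.

```c
#include <stdio.h>
#define MF_PKTHDR 0x1  /* stands in for M_PKTHDR; value is constructed */
#define MF_RDONLY 0x2  /* marks a buffer that would fail M_WRITABLE() */
#define MBUF_CAP  64   /* storage bytes per model mbuf */
struct model_mbuf {
    struct model_mbuf *next;
    int flags, len;    /* payload bytes are not modelled, only lengths */
};

/* Append n to chain m: merge into the tail when the tail is writable and has
 * room, otherwise link n unchanged so it keeps every flag it arrived with. */
static void model_cat(struct model_mbuf *m, struct model_mbuf *n)
{
    while (m->next != NULL)
        m = m->next;
    if ((m->flags & MF_RDONLY) || m->len + n->len > MBUF_CAP) {
        m->next = n;
        return;
    }
    m->len += n->len;  /* merged: n and its packet header disappear */
}

/* Invariant check: count packet headers found after the first mbuf. */
static int model_stray_pkthdrs(const struct model_mbuf *m)
{
    int stray = 0;
    for (m = m->next; m != NULL; m = m->next)
        stray += (m->flags & MF_PKTHDR) != 0;
    return stray;
}

/* Chain three 8-byte fragments (constructed); demote strips later headers first. */
static int model_reass(int rx_flags, int demote)
{
    struct model_mbuf f[3] = {{0}};
    for (int i = 0; i < 3; i++) {
        f[i].len = 8;
        f[i].flags = rx_flags | ((i > 0 && demote) ? 0 : MF_PKTHDR);
        if (i > 0)
            model_cat(&f[0], &f[i]);
    }
    return model_stray_pkthdrs(&f[0]);
}

int main(void)
{
    printf("stray: %d %d %d\n", model_reass(0, 0), model_reass(MF_RDONLY, 0), model_reass(MF_RDONLY, 1));
    return 0;
}
```

The three calls in `main` cover writable receive buffers, read-only receive buffers, and read-only buffers whose fragment headers are stripped before linking.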