Subject: Re: [freebsd-current] Who should reset M_PKTHDR flag in m_buf when IP packets are fragmented. m_unshare panic throw when IPSec is enabled
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Navdeep Parhar, Harsh Jain, freebsd-net@freebsd.org
Date: Wed, 27 Dec 2017 23:59:37 +0300
List-Id: Networking and TCP/IP with FreeBSD

On 27.12.2017 23:09, Navdeep Parhar wrote:
>> It is not clear to me why it helps. The panic happens on the outbound path,
>> where the mbuf should be allocated by the network stack and should be writeable.
>> ip_reass() is usually used on the inbound path. I think the patch just hides
>> the problem in another place.
>> Do you mean that cxgbe can produce a !WRITEABLE mbuf for a received packet
>> and then pass it to the network stack?
>
> Yes, cxgbe does that. But I think the real bug here is in ip_reass
> because it doesn't properly get rid of the pkthdr of the fragments while
> creating the reassembled datagram. cxgbe happens to trip on this easily
> because it often creates !WRITEABLE mbufs.

From a quick look, I don't see code in netipsec or in crypto that checks
that the mbuf is WRITEABLE. It is expected that in most cases, for a
received mbuf, the data will be decrypted and copied back into the given
buffer. Can this lead to memory corruption?

> This should fix it:
> https://people.freebsd.org/~np/ip_reass_demotehdr.diff
>
> It will also fix leaks in configurations where mbuf tags are in use by
> default (for example with MAC), ip_reass is involved during rx, and the
> mbuf chain never gets m_demote'd elsewhere (meaning ip_reass should have
> freed the tags itself).

I think such a chain with several mbufs carrying the M_PKTHDR flag is
created by m_cat() due to !WRITEABLE mbufs. And when the mbuf chain is
freed, the tags chain will also be destroyed by the mbuf zone destructor.
If you think it solves the problem, the IPv6 fragment reassembly probably
needs the same code. But I think that the M_WRITEABLE flag not being
properly handled is the problem too.

-- 
WBR, Andrey V. Elsukov
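To make the mechanism under discussion concrete, here is a small userland C model added here (it is not FreeBSD code and not the patch linked above): m_cat() on a !WRITEABLE tail links the fragment mbuf as-is, so the reassembled chain ends up with several M_PKTHDR mbufs, and the demotion step clears the flag on the tail mbufs and frees their tags. The struct and function names mirror the kernel's but are simplified stand-ins, and the writable-copy path of m_cat() is omitted.

```c
/* Userland model of the ip_reass / M_PKTHDR issue discussed above (not FreeBSD code). */
#include <stdlib.h>
#define M_PKTHDR 0x02   /* model of the flag: this mbuf carries a packet header and its tags */

struct mtag { struct mtag *next; };   /* model of an m_tag entry */
struct mbuf {
    struct mbuf *m_next;
    int          m_flags;
    struct mtag *m_tags;              /* meaningful only while M_PKTHDR is set */
};

/* Allocate a model fragment: a packet-header mbuf with ntags tags attached. */
static struct mbuf *m_get_fragment(int ntags) {
    struct mbuf *m = calloc(1, sizeof(*m));
    m->m_flags = M_PKTHDR;
    while (ntags-- > 0) {
        struct mtag *t = calloc(1, sizeof(*t));
        t->next = m->m_tags;
        m->m_tags = t;
    }
    return m;
}

/* Model of m_cat() on a !WRITEABLE tail: the fragment cannot be copied into the
 * previous mbuf, so it is linked as-is, M_PKTHDR flag and tags included. */
static void m_cat(struct mbuf *m, struct mbuf *n) {
    while (m->m_next != NULL) m = m->m_next;
    m->m_next = n;
}

/* Model of the demotion the referenced ip_reass patch performs: every mbuf after
 * the head loses M_PKTHDR and its tag chain is released now. Returns tags freed. */
static int demote_tail(struct mbuf *head) {
    int freed = 0;
    for (struct mbuf *m = head->m_next; m != NULL; m = m->m_next) {
        if (!(m->m_flags & M_PKTHDR)) continue;
        for (struct mtag *t; (t = m->m_tags) != NULL; freed++) {
            m->m_tags = t->next;
            free(t);
        }
        m->m_flags &= ~M_PKTHDR;
    }
    return freed;
}

/* Number of mbufs in the chain still claiming to carry a packet header. */
static int count_pkthdr(const struct mbuf *m) {
    int n = 0;
    for (; m != NULL; m = m->m_next) n += (m->m_flags & M_PKTHDR) != 0;
    return n;
}
```

Running demote_tail() on a chain of three constructed fragments leaves exactly one M_PKTHDR mbuf (the head) and no tags on the tail mbufs.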