Date:      Wed, 24 Jan 2018 05:09:22 +0000 (UTC)
From:      Navdeep Parhar <np@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r328314 - in head/sys: netinet netinet6
Message-ID:  <201801240509.w0O59MXg079010@repo.freebsd.org>

Author: np
Date: Wed Jan 24 05:09:21 2018
New Revision: 328314
URL: https://svnweb.freebsd.org/changeset/base/328314

Log:
  Do not generate illegal mbuf chains during IP fragment reassembly.  Only
  the first mbuf of the reassembled datagram should have a pkthdr.
  
  This was discovered with cxgbe(4) + IPSEC + ping with payload more than
  interface MTU.  cxgbe can generate !M_WRITEABLE mbufs and this results
  in m_unshare being called on the reassembled datagram, and it complains:
  
  panic: m_unshare: m0 0xfffff80020f82600, m 0xfffff8005d054100 has M_PKTHDR
  
  PR:		224922
  Reviewed by:	ae@
  MFC after:	1 week
  Sponsored by:	Chelsio Communications
  Differential Revision:	https://reviews.freebsd.org/D14009

Modified:
  head/sys/netinet/ip_reass.c
  head/sys/netinet6/frag6.c

Modified: head/sys/netinet/ip_reass.c
==============================================================================
--- head/sys/netinet/ip_reass.c	Wed Jan 24 04:29:16 2018	(r328313)
+++ head/sys/netinet/ip_reass.c	Wed Jan 24 05:09:21 2018	(r328314)
@@ -377,6 +377,7 @@ ip_reass(struct mbuf *m)
 		q->m_nextpkt = NULL;
 		m->m_pkthdr.csum_flags &= q->m_pkthdr.csum_flags;
 		m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
+		m_demote_pkthdr(q);
 		m_cat(m, q);
 	}
 	/*
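Review bot: the new m_demote_pkthdr(q) call just before m_cat(m, q) carries no comment, and its position matters: it has to stay after the two lines that read q->m_pkthdr.csum_flags and q->m_pkthdr.csum_data, because q has no packet header left to read once it is demoted. Suggest a one-line comment above the call, for example "only the first mbuf of the reassembled datagram may carry a pkthdr", so that a later reorder of this loop body neither reads checksum state from a demoted mbuf nor brings back the m_unshare panic quoted in the log.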

Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c	Wed Jan 24 04:29:16 2018	(r328313)
+++ head/sys/netinet6/frag6.c	Wed Jan 24 05:09:21 2018	(r328314)
@@ -541,6 +541,7 @@ insert:
 		while (t->m_next)
 			t = t->m_next;
 		m_adj(IP6_REASS_MBUF(af6), af6->ip6af_offset);
+		m_demote_pkthdr(IP6_REASS_MBUF(af6));
 		m_cat(t, IP6_REASS_MBUF(af6));
 		free(af6, M_FTABLE);
 		af6 = af6dwn;
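Review bot: IP6_REASS_MBUF(af6) is now expanded three times on three consecutive lines (m_adj, m_demote_pkthdr, m_cat); taking it once into a local struct mbuf pointer would make it plain that all three calls act on the same fragment mbuf and that the demotion is done before free(af6, M_FTABLE). As with the ip_reass.c hunk, a short comment saying that only the head of the reassembled chain keeps its pkthdr would document why the call sits between m_adj and m_cat.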


