From owner-dev-commits-src-main@freebsd.org  Fri Jun 11 15:40:38 2021
Return-Path: <owner-dev-commits-src-main@freebsd.org>
Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 27E4D660CC8;
 Fri, 11 Jun 2021 15:40:38 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4G1lRV0QFsz3mbQ;
 Fri, 11 Jun 2021 15:40:38 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EAA84255AF;
 Fri, 11 Jun 2021 15:40:37 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 15BFebi1038938;
 Fri, 11 Jun 2021 15:40:37 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 15BFebVe038937;
 Fri, 11 Jun 2021 15:40:37 GMT (envelope-from git)
Date: Fri, 11 Jun 2021 15:40:37 GMT
Message-Id: <202106111540.15BFebVe038937@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: Randall Stewart <rrs@FreeBSD.org>
Subject: git: ba1b3e48f5be - main - tcp: Missing mfree in rack and bbr
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rrs
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ba1b3e48f5be320f0590bc357ea53fdc3e4edc65
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-main@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for the main branch of the src repository
 <dev-commits-src-main.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-main>, 
 <mailto:dev-commits-src-main-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-main/>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Help: <mailto:dev-commits-src-main-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main>, 
 <mailto:dev-commits-src-main-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 15:40:38 -0000

The branch main has been updated by rrs:

URL: https://cgit.FreeBSD.org/src/commit/?id=ba1b3e48f5be320f0590bc357ea53fdc3e4edc65

commit ba1b3e48f5be320f0590bc357ea53fdc3e4edc65
Author:     Randall Stewart <rrs@FreeBSD.org>
AuthorDate: 2021-06-11 15:38:08 +0000
Commit:     Randall Stewart <rrs@FreeBSD.org>
CommitDate: 2021-06-11 15:38:08 +0000

    tcp: Missing mfree in rack and bbr
    
    Recently (Nov) we added logic that protects against a peer negotiating a timestamp, and
    then not including a timestamp. This involved in the input path doing a goto done_with_input
    label. Now I suspect the code was cribbed from one in Rack that has to do with the SYN.
    This had a bug, i.e. it should have a m_freem(m) before going to the label (bbr had this
    missing m_freem() but rack did not). This then caused the missing m_freem to show
    up in both BBR and Rack. Also looking at the code referencing m->m_pkthdr.lro_nsegs
    later (after processing) is not a good idea, even though its only for logging. Best to
    copy that off before any frees can take place.
    
    Reviewed by: mtuexen
    Sponsored by: Netflix Inc
    Differential Revision:  https://reviews.freebsd.org/D30727
---
 sys/netinet/tcp_stacks/bbr.c  | 1 +
 sys/netinet/tcp_stacks/rack.c | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c
index d5da2d33c18f..57abbbf694b6 100644
--- a/sys/netinet/tcp_stacks/bbr.c
+++ b/sys/netinet/tcp_stacks/bbr.c
@@ -11441,6 +11441,7 @@ bbr_do_segment_nounlock(struct mbuf *m, struct tcphdr *th, struct socket *so,
 	if ((tp->t_flags & TF_RCVD_TSTMP) && !(to.to_flags & TOF_TS) &&
 	    ((thflags & TH_RST) == 0) && (V_tcp_tolerate_missing_ts == 0)) {
 		retval = 0;
+		m_freem(m);
 		goto done_with_input;
 	}
 	/*
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index 6ce866b77450..e5926eaf6171 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -13454,6 +13454,7 @@ rack_do_segment_nounlock(struct mbuf *m, struct tcphdr *th, struct socket *so,
 #ifdef TCP_ACCOUNTING
 	int ack_val_set = 0xf;
 #endif
+	int nsegs;
 	uint32_t us_cts;
 	/*
 	 * tv passed from common code is from either M_TSTMP_LRO or
@@ -13465,6 +13466,7 @@ rack_do_segment_nounlock(struct mbuf *m, struct tcphdr *th, struct socket *so,
 	if (m->m_flags & M_ACKCMP) {
 		panic("Impossible reach m has ackcmp? m:%p tp:%p", m, tp);
 	}
+	nsegs = m->m_pkthdr.lro_nsegs;
 	counter_u64_add(rack_proc_non_comp_ack, 1);
 	thflags = th->th_flags;
 #ifdef TCP_ACCOUNTING
@@ -13607,6 +13609,7 @@ rack_do_segment_nounlock(struct mbuf *m, struct tcphdr *th, struct socket *so,
 	if ((thflags & TH_SYN) && (thflags & TH_FIN) && V_drop_synfin) {
 		way_out = 4;
 		retval = 0;
+		m_freem(m);
 		goto done_with_input;
 	}
 	/*
@@ -13641,6 +13644,7 @@ rack_do_segment_nounlock(struct mbuf *m, struct tcphdr *th, struct socket *so,
 	    ((thflags & TH_RST) == 0) && (V_tcp_tolerate_missing_ts == 0)) {
 		way_out = 5;
 		retval = 0;
+		m_freem(m);
 		goto done_with_input;
 	}
 
@@ -13944,7 +13948,7 @@ do_output_now:
 			way_out = 2;
 		}
 	done_with_input:
-		rack_log_doseg_done(rack, cts, nxt_pkt, did_out, way_out, max(1, m->m_pkthdr.lro_nsegs));
+		rack_log_doseg_done(rack, cts, nxt_pkt, did_out, way_out, max(1, nsegs));
 		if (did_out)
 			rack->r_wanted_output = 0;
 #ifdef INVARIANTS