Module Name:    src
Committed By:   ozaki-r
Date:           Mon Nov 27 02:50:27 UTC 2023

Modified Files:
        src/sys/kern: uipc_mbuf.c

Log Message:
mbuf: avoid assertion failure when splitting mbuf cluster

From OpenBSD:

        commit 7b4d35e0a60ba1dd4daf4b1c2932020a22463a89
        Author: bluhm <bl...@openbsd.org>
        Date:   Fri Oct 20 16:25:15 2023 +0000

            Avoid assertion failure when splitting mbuf cluster.

            m_split() calls m_align() to initialize the data pointer of newly
            allocated mbuf.  If the new mbuf will be converted to a cluster,
            this is not necessary.  If additionally the new mbuf is larger than
            MLEN, this can lead to a panic.
            Only call m_align() when a valid m_data is needed.  This is the
            case if we do not refecence the existing cluster, but memcpy() the
            data into the new mbuf.

            Reported-by: syzbot+0e6817f5877926f0e...@syzkaller.appspotmail.com
            OK claudio@ deraadt@

The issue is harmless if DIAGNOSTIC is not enabled.

XXX pullup-10
XXX pullup-9


To generate a diff of this commit:
cvs rdiff -u -r1.251 -r1.252 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.251 src/sys/kern/uipc_mbuf.c:1.252
--- src/sys/kern/uipc_mbuf.c:1.251	Wed Apr 12 06:48:08 2023
+++ src/sys/kern/uipc_mbuf.c	Mon Nov 27 02:50:27 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.251 2023/04/12 06:48:08 riastradh Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.252 2023/11/27 02:50:27 ozaki-r Exp $	*/
 
 /*
  * Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.251 2023/04/12 06:48:08 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.252 2023/11/27 02:50:27 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mbuftrace.h"
@@ -1343,10 +1343,7 @@ m_split_internal(struct mbuf *m0, int le
 		len_save = m0->m_pkthdr.len;
 		m0->m_pkthdr.len = len0;
 
-		if (m->m_flags & M_EXT)
-			goto extpacket;
-
-		if (remain > MHLEN) {
+		if ((m->m_flags & M_EXT) == 0 && remain > MHLEN) {
 			/* m can't be the lead packet */
 			m_align(n, 0);
 			n->m_len = 0;
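Review bot: The merged condition `if ((m->m_flags & M_EXT) == 0 && remain > MHLEN)` now folds two decisions into one line — a cluster-backed m is shared by reference further down, and only a plain m whose remainder will not fit a header mbuf needs n to get storage of its own — and nothing in the hunk says so. A one-line comment above it would save the next reader a trip through the rest of the function: `/* a cluster-backed m is shared by reference below; only a plain m too large for MHLEN needs its own cluster */`. The body of the `remain > MHLEN` branch (whatever is allocated for n between `n->m_len = 0;` and the `return NULL`) and the start of m_split_internal lie outside the hunk, so the allocation itself is inferred from the log message rather than seen here.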
@@ -1357,8 +1354,6 @@ m_split_internal(struct mbuf *m0, int le
 				return NULL;
 			}
 			return n;
-		} else {
-			m_align(n, remain);
 		}
 	} else if (remain == 0) {
 		n = m->m_next;
@@ -1369,14 +1364,13 @@ m_split_internal(struct mbuf *m0, int le
 		if (n == NULL)
 			return NULL;
 		MCLAIM(n, m->m_owner);
-		m_align(n, remain);
 	}
 
-extpacket:
 	if (m->m_flags & M_EXT) {
 		n->m_data = m->m_data + len;
 		MCLADDREFERENCE(m, n);
 	} else {
+		m_align(n, remain);
 		memcpy(mtod(n, void *), mtod(m, char *) + len, remain);
 	}
 
