On 2020-02-18 01:44, Gleb Smirnoff wrote:
On Mon, Feb 17, 2020 at 09:46:32AM +0000, Hans Petter Selasky wrote:
H> Author: hselasky
H> Date: Mon Feb 17 09:46:32 2020
H> New Revision: 358013
H> URL: https://svnweb.freebsd.org/changeset/base/358013
H>
H> Log:
H>   Fix kernel panic while trying to read multicast stream.
H>
H>   When VIMAGE is enabled make sure the "m_pkthdr.rcvif" pointer is set
H>   for all mbufs being input by the IGMP/MLD6 code. Else there will be a
H>   NULL-pointer dereference in the netisr code when trying to set the
H>   VNET based on the incoming mbuf. Add an assert to catch this when
H>   queueing mbufs on a netisr to make debugging of similar cases easier.
H>
H>   Found by:       Vladislav V. Prodan
H>   PR:             244002
H>   Reviewed by:    bz@
H>   MFC after:      1 week
H>   Sponsored by:   Mellanox Technologies
H>
H> Modified:
H>   head/sys/net/netisr.c
H>   head/sys/netinet/igmp.c
H>   head/sys/netinet6/mld6.c
H>
H> Modified: head/sys/net/netisr.c
H> 
==============================================================================
H> --- head/sys/net/netisr.c Mon Feb 17 01:59:55 2020        (r358012)
H> +++ head/sys/net/netisr.c Mon Feb 17 09:46:32 2020        (r358013)
H> @@ -1056,6 +1056,8 @@ netisr_queue_src(u_int proto, uintptr_t source, struct
H>   if (m != NULL) {
H>           KASSERT(!CPU_ABSENT(cpuid), ("%s: CPU %u absent", __func__,
H>               cpuid));
H> +         VNET_ASSERT(m->m_pkthdr.rcvif != NULL,
H> +             ("%s:%d rcvif == NULL: m=%p", __func__, __LINE__, m));
H>           error = netisr_queue_internal(proto, m, cpuid);
H>   } else
H>           error = ENOBUFS;
H>
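Review bot: the VNET_ASSERT only checks that m_pkthdr.rcvif is non-NULL at queue time; it says nothing about the pointer still being valid when netisr_queue_internal() hands the packet to the CPU selected by cpuid, and an assertion is not a runtime check, so a kernel built without it that reaches this path with rcvif == NULL still dereferences NULL on the dequeue side. If a set rcvif is now a hard requirement for every netisr_queue_src() caller, state that in the function's comment, and consider either rejecting the mbuf (free it and return an error) instead of asserting, or saving the vnet in m_pkthdr.PH_loc.ptr at queue time, the way igmp_save_context() does, so the dequeue side never has to follow rcvif at all.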
H> Modified: head/sys/netinet/igmp.c
H> 
==============================================================================
H> --- head/sys/netinet/igmp.c       Mon Feb 17 01:59:55 2020        (r358012)
H> +++ head/sys/netinet/igmp.c       Mon Feb 17 09:46:32 2020        (r358013)
H> @@ -303,6 +303,7 @@ igmp_save_context(struct mbuf *m, struct ifnet *ifp)
H>  #ifdef VIMAGE
H>   m->m_pkthdr.PH_loc.ptr = ifp->if_vnet;
H>  #endif /* VIMAGE */
H> + m->m_pkthdr.rcvif = ifp;
H>   m->m_pkthdr.flowid = ifp->if_index;
H>  }
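Review bot: setting m_pkthdr.rcvif = ifp here puts a raw ifnet pointer back into a packet that igmp_save_context() was written to make independent of ifp, which is why the function stores if_vnet and if_index instead; if the interface is detached while the mbuf sits on the IGMP queue, rcvif dangles even though the saved context is still usable. Whatever consumes (and clears) the saved context at dequeue time should change in step: resolve the interface from the saved if_index and set rcvif only just before the packet is handed to netisr, or document that the queue is drained before ifp can go away. Also, the new assignment sits outside the #ifdef VIMAGE block, so it changes non-VIMAGE kernels too, while the log message describes the fix as specific to VIMAGE being enabled; say which is intended.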
H>
H>
H> Modified: head/sys/netinet6/mld6.c
H> 
==============================================================================
H> --- head/sys/netinet6/mld6.c      Mon Feb 17 01:59:55 2020        (r358012)
H> +++ head/sys/netinet6/mld6.c      Mon Feb 17 09:46:32 2020        (r358013)
H> @@ -283,6 +283,7 @@ mld_save_context(struct mbuf *m, struct ifnet *ifp)
H>  #ifdef VIMAGE
H>   m->m_pkthdr.PH_loc.ptr = ifp->if_vnet;
H>  #endif /* VIMAGE */
H> + m->m_pkthdr.rcvif = ifp;
H>   m->m_pkthdr.flowid = ifp->if_index;
H>  }
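Review bot: the same concern as in igmp.c applies here: mld_save_context() exists precisely so that the MLD input path does not keep an ifnet pointer across its internal queue, and storing ifp in rcvif undoes that; resolve the interface from the saved if_index when the packet is dequeued, or hold a reference on ifp for the lifetime of the queued mbuf. As with igmp.c, the assignment is unconditional rather than under #ifdef VIMAGE, unlike what the log message states. Since mld_save_context() and igmp_save_context() are now line-for-line identical and have to stay in sync, a single shared helper would keep the two copies from drifting apart.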

These functions, igmp_save_context() and mld_save_context(), were clearly
designed to avoid dereferencing an ifnet pointer after a packet has been
queued and dequeued on the IGMP/MLD internal queue.

This patch now replicates exactly the same problem, but with the netisr
queue. Of course netisr does not always queue; sometimes it dispatches
directly, but it may queue.

I think the same thing needs to be done in netisr internally: don't
dereference m->m_pkthdr.rcvif on dequeued packets, but store the
vnet info in m->m_pkthdr.PH_loc.ptr before queueing.


Hi,

I agree the if_vnet could be dereferenced in general when queueing a packet for the netisr. Are we certain that m->m_pkthdr.PH_loc.ptr is always available?

Should the netisr then clear the rcvif? Or is this too dangerous?

Further, overriding the VNET inside the IGMP/MLD6 packet handler should be removed, because this is done inside the netisr.

--HPS
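The hazard Gleb describes and the save-context idiom he proposes, as an added userland model in C. This is example code written for this page, not FreeBSD's code and not part of the original mails: it keeps the vnet and if_index that igmp_save_context() saves across a queue hop, detaches the interface while the packet is queued, and shows that the saved context still answers while a raw rcvif does not. The ifnet table, if_attach_model(), if_detach_model(), ifnet_byindex_model() and the FIFO are hypothetical stand-ins for the kernel's own interface table and IGMP/MLD or netisr queues; whether PH_loc.ptr is actually free in every path, as HPS asks, is assumed here, not shown.

```c
/* Added example, not FreeBSD code: userland model of the context-saving idiom
 * in igmp_save_context()/mld_save_context() and of the dangling-rcvif hazard
 * discussed in the thread. The *_model() functions and the FIFO are
 * hypothetical stand-ins for the kernel's ifnet table and packet queues. */
#include <stdio.h>

#define NIFACES 4
#define QLEN    8

struct vnet { const char *name; };

struct ifnet {
	unsigned     if_index;	/* small stable integer, like ifp->if_index */
	struct vnet *if_vnet;	/* owning vnet, like ifp->if_vnet */
};

struct mbuf {			/* only the pkthdr fields the diff touches */
	struct ifnet *rcvif;	/* raw pointer; unsafe to follow after a queue hop */
	void         *ph_loc_ptr;	/* PH_loc.ptr: saved vnet */
	unsigned      flowid;	/* saved if_index */
};

static struct ifnet *ifindex_table[NIFACES + 1];	/* index 0 unused */

static void if_attach_model(struct ifnet *ifp, unsigned idx, struct vnet *v)
{
	ifp->if_index = idx;
	ifp->if_vnet = v;
	ifindex_table[idx] = ifp;
}

/* Detach: any raw pointer to ifp now dangles. Poisoning if_vnet models the
 * freed memory a real kernel would reuse. */
static void if_detach_model(struct ifnet *ifp)
{
	ifindex_table[ifp->if_index] = NULL;
	ifp->if_vnet = NULL;
}

static struct ifnet *ifnet_byindex_model(unsigned idx)
{
	return (idx == 0 || idx > NIFACES) ? NULL : ifindex_table[idx];
}

/* Tiny FIFO standing in for the IGMP/MLD internal queue or a netisr queue. */
static struct mbuf *q[QLEN];
static unsigned qhead, qtail;

static int enqueue(struct mbuf *m)
{
	if (qtail - qhead == QLEN) return 0;
	q[qtail++ % QLEN] = m;
	return 1;
}

static struct mbuf *dequeue(void)
{
	return (qhead == qtail) ? NULL : q[qhead++ % QLEN];
}

/* Mirrors igmp_save_context(): copy what the dequeue side needs so ifp never
 * has to be followed once the packet sits on a queue. */
static void save_context(struct mbuf *m, struct ifnet *ifp)
{
	m->ph_loc_ptr = ifp->if_vnet;
	m->flowid = ifp->if_index;
}

/* Safe dequeue side: vnet from the saved copy, ifnet only via index lookup,
 * which returns NULL once the interface has been detached. */
static struct vnet *vnet_from_context(const struct mbuf *m) { return m->ph_loc_ptr; }
static struct ifnet *ifp_from_context(const struct mbuf *m) { return ifnet_byindex_model(m->flowid); }

/* Hazardous dequeue side: derives the vnet from rcvif, as netisr does for an
 * incoming mbuf. Guarded so a NULL rcvif (the PR 244002 panic) returns NULL
 * instead of crashing the model. */
static struct vnet *vnet_from_rcvif(const struct mbuf *m)
{
	return (m->rcvif == NULL) ? NULL : m->rcvif->if_vnet;
}

/* A packet carrying both kinds of context waits on the queue while its
 * interface is detached. Returns 1 when the saved context still answers and
 * the rcvif path is seen to have gone stale, 0 on any other outcome. */
static int run_scenario(void)
{
	static struct vnet v0 = { "vnet0" };
	static struct ifnet if0;
	static struct mbuf m;
	struct mbuf *d;

	if_attach_model(&if0, 1, &v0);
	m.rcvif = &if0;			/* what r358013 now sets */
	save_context(&m, &if0);		/* what the function already saved */
	if (!enqueue(&m))
		return 0;
	if_detach_model(&if0);		/* interface goes away mid-flight */
	d = dequeue();
	if (d == NULL || vnet_from_context(d) != &v0 || ifp_from_context(d) != NULL)
		return 0;
	return vnet_from_rcvif(d) != &v0;	/* raw pointer reads poison */
}

int main(void)
{
	printf("saved context survives detach, rcvif stale: %s\n", run_scenario() ? "yes" : "no");
	return 0;
}
```

Build with cc -Wall and run; the scenario reports "yes" when the index lookup correctly reports the interface gone and the saved vnet is still usable, while the rcvif path no longer yields the original vnet. The model poisons the detached ifnet rather than freeing it so the stale read is observable instead of undefined behaviour; in the kernel the same read would be a use after free, which is the reason Gleb wants the dequeue side to rely on PH_loc.ptr rather than rcvif.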
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head