m_move_pkthdr leaves m_nextpkt 'dangling'

Andrey V. Elsukov bu7cher at yandex.ru
Fri Jul 7 14:49:12 UTC 2017


On 05.07.2017 19:23, Adrian Chadd wrote:
>> As many of you know, when dealing with IP fragments the kernel will build a
>> list of packets (fragments) chained together through the m_nextpkt pointer.
>> This is all good until someone tries to do a M_PREPEND on one of the packets
>> in the chain and the M_PREPEND has to create an extra mbuf to prepend at the
>> beginning of the chain.
>>
>> When doing so m_move_pkthdr is called to copy the current PKTHDR fields
>> (tags and flags) to the mbuf that was prepended. The function also does:
>>
>> to->m_pkthdr = from->m_pkthdr;
>>
>> This, for the case I am interested in, essentially leaves the 'from' mbuf
>> with a dangling pointer m_nextpkt pointing to the next fragment. While this
>> is mostly harmless because only mbufs of pkthdr types are supposed to have
>> m_nextpkt, it triggers some panics when running with INVARIANTS in NetGraph
>> (see ng_base.c :: CHECK_DATA_MBUF(m)):
>>
>> ...
>>                         if (n->m_nextpkt != NULL)                       \
>>                                 panic("%s: m_nextpkt", __func__);       \
>>                 }
>> ...
>>
>> So I would like to propose the following patch:
>>
>> @@ -442,10 +442,11 @@ m_move_pkthdr(struct mbuf *to, struct mbuf *from)
>>         if ((to->m_flags & M_EXT) == 0)
>>                 to->m_data = to->m_pktdat;
>>         to->m_pkthdr = from->m_pkthdr;          /* especially tags */
>>         SLIST_INIT(&from->m_pkthdr.tags);       /* purge tags from src */
>>         from->m_flags &= ~M_PKTHDR;
>> +       from->m_nextpkt = NULL;
>>  }
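Review bot: the new line nulls from->m_nextpkt, but none of the visible lines hand that link over to `to`, so the chain to the next fragment survives only if the caller re-links the new head itself; a trailing comment on the added line, in the style of the neighbouring `/* purge tags from src */`, saying that the chain link is the caller's responsibility from here on would make that contract explicit. Also, the header `@@ -442,10 +442,11 @@` announces ten lines of context but only six are shown, so the hunk as quoted is trimmed and would not apply as-is.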
>>
>> It will reset the m_nextpkt so we don't have two mbufs pointing to the same
>> next packet. This is fairly harmless and solves a problem for us here at
>> XipLink.
> 
> This seems like a no-brainer. :-) Any objections?

I think the change is reasonable.
But on the other hand, m_demote_pkthdr() may also need this change.
Maybe we can wait until Gleb is back and review this? Also, he is the
author of the mentioned assertion in the netgraph code.

-- 
WBR, Andrey V. Elsukov
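The situation the thread describes, as an added illustration that is not code from the thread or from FreeBSD: a toy mbuf struct (field and flag names mirror struct mbuf, but the struct and the M_PKTHDR value are constructed here) with the pre-patch and patched header move side by side, plus a model of the netgraph invariant that fires on the stale link.

```c
/* Added example, not FreeBSD code: a toy model of the m_move_pkthdr() issue in
 * the thread.  Names mirror struct mbuf; the struct and flag value are made up. */
#include <stdbool.h>
#include <stddef.h>
#define M_PKTHDR 0x02            /* constructed value; only its use matters */

struct mbuf {
	struct mbuf *m_next;     /* next buffer of the same packet */
	struct mbuf *m_nextpkt;  /* next packet in a chain, e.g. a fragment list */
	int m_flags;
	int m_pkthdr;            /* stands in for the real m_pkthdr struct */
};

/* Pre-patch: header state moves to 'to' and M_PKTHDR is cleared on 'from',
 * but from->m_nextpkt still points at the next fragment (the dangling link). */
static void move_pkthdr_old(struct mbuf *to, struct mbuf *from) {
	to->m_flags = from->m_flags;
	to->m_pkthdr = from->m_pkthdr;
	from->m_flags &= ~M_PKTHDR;
}

/* Patched: the same, plus the proposed from->m_nextpkt = NULL. */
static void move_pkthdr_new(struct mbuf *to, struct mbuf *from) {
	move_pkthdr_old(to, from);
	from->m_nextpkt = NULL;
}

/* Model of the netgraph CHECK_DATA_MBUF check quoted in the report:
 * no mbuf after the packet header may carry an m_nextpkt link. */
static bool chain_invariant_holds(const struct mbuf *pkt) {
	for (const struct mbuf *n = pkt->m_next; n != NULL; n = n->m_next)
		if (n->m_nextpkt != NULL)
			return false;
	return true;
}

/* Build a two-fragment chain, prepend a fresh header mbuf to fragment 1 the
 * way m_prepend() does, and report whether the invariant survives. */
static bool prepend_keeps_invariant(void (*move)(struct mbuf *, struct mbuf *)) {
	struct mbuf frag2 = { .m_flags = M_PKTHDR, .m_pkthdr = 2 };
	struct mbuf frag1 = { .m_nextpkt = &frag2, .m_flags = M_PKTHDR, .m_pkthdr = 1 };
	struct mbuf hdr = { 0 };
	struct mbuf *link = frag1.m_nextpkt;  /* caller carries the chain link over */

	move(&hdr, &frag1);
	hdr.m_next = &frag1;
	hdr.m_nextpkt = link;                 /* the new head now owns the link */
	return hdr.m_pkthdr == 1 && hdr.m_nextpkt == &frag2 &&
	    chain_invariant_holds(&hdr);
}
```

With the old move the fragment still carries the link behind the new header and the check fails; with the patched move the chain is intact and only the header mbuf points at the next fragment.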
