svn commit: r328314 - in head/sys: netinet netinet6

Wed Jan 24 05:09:22 UTC 2018

Author: np
Date: Wed Jan 24 05:09:21 2018
New Revision: 328314
URL: https://svnweb.freebsd.org/changeset/base/328314

Log:
  Do not generate illegal mbuf chains during IP fragment reassembly.  Only
  the first mbuf of the reassembled datagram should have a pkthdr.
  
  This was discovered with cxgbe(4) + IPSEC + ping with payload more than
  interface MTU.  cxgbe can generate !M_WRITEABLE mbufs and this results
  in m_unshare being called on the reassembled datagram, and it complains:
  
  panic: m_unshare: m0 0xfffff80020f82600, m 0xfffff8005d054100 has M_PKTHDR
  
  PR:		224922
  Reviewed by:	ae@
  MFC after:	1 week
  Sponsored by:	Chelsio Communications
  Differential Revision:	https://reviews.freebsd.org/D14009

Modified:
  head/sys/netinet/ip_reass.c
  head/sys/netinet6/frag6.c

Modified: head/sys/netinet/ip_reass.c
==============================================================================

--- head/sys/netinet/ip_reass.c	Wed Jan 24 04:29:16 2018	(r328313)
+++ head/sys/netinet/ip_reass.c	Wed Jan 24 05:09:21 2018	(r328314)
@@ -377,6 +377,7 @@ ip_reass(struct mbuf *m)
 		q->m_nextpkt = NULL;
 		m->m_pkthdr.csum_flags &= q->m_pkthdr.csum_flags;
 		m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
+		m_demote_pkthdr(q);
 		m_cat(m, q);
 	}
 	/*

Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c	Wed Jan 24 04:29:16 2018	(r328313)
+++ head/sys/netinet6/frag6.c	Wed Jan 24 05:09:21 2018	(r328314)
@@ -541,6 +541,7 @@ insert:
 		while (t->m_next)
 			t = t->m_next;
 		m_adj(IP6_REASS_MBUF(af6), af6->ip6af_offset);
+		m_demote_pkthdr(IP6_REASS_MBUF(af6));
 		m_cat(t, IP6_REASS_MBUF(af6));
 		free(af6, M_FTABLE);
 		af6 = af6dwn;
