On Sun, Dec 10, 2017 at 10:51:49PM -0800, Scott Vanderbilt wrote:
> I am getting kernel panics every 30 to 120 minutes with latest amd64
> snapshot. The same panic occurs on four different machines (all amd64)
> running this snapshot:
In icmp_input_if() all mbuf tags are deleted without clearing the
divert flag. This creates an inconsistency later in rip_input()
that will trigger the assertion.

The m_tag_delete_chain() before icmp_reflect() is not necessary
anymore as I have added an m_resethdr() in the latter recently.

All code paths that lead to an m_tag_delete_chain() are covered by
the divert switch. So the divert flag should be cleared there. If
we process the ICMP packet in our stack, it should not be diverted
to raw sockets.

Although there is no m_tag_delete_chain() in the ICMP6 code, also
clear the flag there. Locally processed packets should not be
diverted to raw sockets.

Does this diff fix the panic?

ok?

bluhm
Index: netinet/ip_icmp.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.173
diff -u -p -r1.173 ip_icmp.c
--- netinet/ip_icmp.c 18 Oct 2017 17:01:14 -0000 1.173
+++ netinet/ip_icmp.c 12 Dec 2017 01:09:39 -0000
@@ -386,12 +386,14 @@ icmp_input_if(struct ifnet *ifp, struct
case ICMP_TIMXCEED:
case ICMP_PARAMPROB:
case ICMP_SOURCEQUENCH:
+ m->m_pkthdr.pf.flags &=~ PF_TAG_DIVERTED;
break;
/*
* Although pf_icmp_mapping() considers redirects belonging
* to a diverted connection, we must process it here anyway.
*/
case ICMP_REDIRECT:
+ m->m_pkthdr.pf.flags &=~ PF_TAG_DIVERTED;
break;
default:
goto raw;
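Review bot: the new `m->m_pkthdr.pf.flags &=~ PF_TAG_DIVERTED;` line is duplicated in two case groups that both just `break` afterwards; clearing the flag once after the switch on the non-`raw` path (or folding `case ICMP_REDIRECT:` into the group above while keeping its comment) would avoid a future locally handled type forgetting the clear. Minor style point: `&= ~PF_TAG_DIVERTED` is the usual spacing for a binary operator followed by a unary one.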
@@ -585,10 +587,6 @@ reflect:
&ip->ip_dst.s_addr, 1))
goto freeit;
#endif
- /* Free packet atttributes */
- if (m->m_flags & M_PKTHDR)
- m_tag_delete_chain(m);
-
icmpstat_inc(icps_reflect);
icmpstat_inc(icps_outhist + icp->icmp_type);
if (!icmp_reflect(m, &opts, NULL)) {
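Review bot: removing this `m_tag_delete_chain()` is only safe because `icmp_reflect()` now resets the packet header itself, as the cover letter states, but nothing in the remaining code at `reflect:` shows that dependency; a one-line comment there (or a note in the commit message) saying that `icmp_reflect()` resets the header and frees the tags would stop someone reintroducing the call, and would also explain why the `M_PKTHDR` check that went with it is no longer needed.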
Index: netinet6/icmp6.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/icmp6.c,v
retrieving revision 1.220
diff -u -p -r1.220 icmp6.c
--- netinet6/icmp6.c 3 Nov 2017 14:28:57 -0000 1.220
+++ netinet6/icmp6.c 12 Dec 2017 01:12:36 -0000
@@ -431,6 +431,7 @@ icmp6_input(struct mbuf **mp, int *offp,
case ICMP6_PACKET_TOO_BIG:
case ICMP6_TIME_EXCEEDED:
case ICMP6_PARAM_PROB:
+ m->m_pkthdr.pf.flags &=~ PF_TAG_DIVERTED;
break;
default:
goto raw;
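Review bot: according to the cover letter there is no `m_tag_delete_chain()` on the ICMP6 path, so this clear is for consistency with the IPv4 side rather than part of the panic fix, and nothing nearby explains why only these three types touch `pf.flags`; a short comment above the new line stating that locally processed ICMP6 errors must not be diverted to raw sockets would record that intent. The `&=~` spacing would read more conventionally as `&= ~PF_TAG_DIVERTED`.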