Re: 6.8 panic _bus_dmamap_load_mbuf: no packet header

Mon, 04 Jan 2021 07:10:35 -0800 

Hello Ralf,

On Sat, Nov 14, 2020 at 08:55:03AM +0100, Ralf Horstmann wrote:
> * Ralf Horstmann <[email protected]> [2020-11-06 18:18]:
> > Why exactly the write filter wants to drop these packets is unclear, the
> > dhcpd BPF program looks like it should accept them.
> 
> It's more clear now :-) When dhcpd sends a response, BPF is actually called
> twice, since dhcpd installs both a BPF write and read filter:
> 
> 1. bpfwrite -> bpf_movein -> bpf_filter -> _bpf_filter
>    this call of _bpf_filter processes the bd_wfilter of the writing BPF socket
> 
> 2. carp_transmit -> bpf_mtap_ether -> bpf_mtap -> _bpf_mtap -> bpf_mfilter -> 
> _bpf_filter
>    this call of _bpf_filter processes all bp_rfilter on the sending interface
> 
> From this I would understand that the second BPF call in carp_transmit is
> intended to feed back outbound packets to all BPF listeners on that interface.
> And not to make a decision whether a packet should be dropped or permitted. So
> the return value of bpf_mtap_ether should be ignored in carp_transmit. And
> hence I think my initial patch is correct:
> 
> Index: sys/netinet/ip_carp.c
> ===================================================================
> RCS file: /home/cvs/src/sys/netinet/ip_carp.c,v
> retrieving revision 1.349
> diff -u -u -r1.349 ip_carp.c
> --- sys/netinet/ip_carp.c     28 Jul 2020 16:44:34 -0000      1.349
> +++ sys/netinet/ip_carp.c     4 Nov 2020 22:13:42 -0000
> @@ -2282,10 +2282,8 @@
>  #if NBPFILTER > 0
>       {
>               caddr_t if_bpf = ifp->if_bpf;
> -             if (if_bpf) {
> -                     if (bpf_mtap_ether(if_bpf, m, BPF_DIRECTION_OUT))
> -                             m_freem(m);
> -             }
> +             if (if_bpf)
> +                     bpf_mtap_ether(if_bpf, m, BPF_DIRECTION_OUT);
>       }
>  #endif /* NBPFILTER > 0 */
>  
> 

    change above is the right fix. It's consistent with all other
    location where we do bpf_mtap_ether(..., BPF_DIRECTION_OUT);

    I've also had off-line chat about with dlg@ he is fine with it too.
    it's been committed with message as follows:

--------8<---------------8<---------------8<------------------8<--------
- fix use after free, when packet gets dropped.

patch submitted by Ralf Horstmann from ackstorm.de

OK dlg@
--------8<---------------8<---------------8<------------------8<--------

thanks for your diff.

regards
sashan

Reply via email to