Date: Wed, 9 Jun 2021 00:05:59 GMT
From: Michael Tuexen <tuexen@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 3a3bba7df566 - stable/13 - tcp: Incorrect KASSERT causes a panic in rack
Message-ID: <202106090005.15905xj2058210@gitrepo.freebsd.org>
The branch stable/13 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=3a3bba7df566e421c385444912ce603ee845c171 commit 3a3bba7df566e421c385444912ce603ee845c171 Author: Randall Stewart <rrs@FreeBSD.org> AuthorDate: 2021-05-13 11:36:04 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2021-06-09 00:05:15 +0000 tcp: Incorrect KASSERT causes a panic in rack Skyzall found an interesting panic in rack. When a SYN and FIN are both sent together a KASSERT gets tripped where it is validating that a mbuf pointer is in the sendmap. But a SYN and FIN often will not have a mbuf pointer. So the fix is two fold a) make sure that the SYN and FIN split the right way when cloning an RSM SYN on left edge and FIN on right. And also make sure the KASSERT properly accounts for the case that we have a SYN or FIN so we don't panic. Reviewed by: mtuexen Sponsored by: Netflix Inc. Differential Revision: https://reviews.freebsd.org/D30241 (cherry picked from commit 02cffbc2507e83944b0c29d69d6ddf26c9386d54) --- sys/netinet/tcp_stacks/rack.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c index 48b278806410..6b0eadd89004 100644 --- a/sys/netinet/tcp_stacks/rack.c +++ b/sys/netinet/tcp_stacks/rack.c @@ -6054,6 +6054,12 @@ rack_clone_rsm(struct tcp_rack *rack, struct rack_sendmap *nrsm, for (idx = 0; idx < nrsm->r_rtr_cnt; idx++) { nrsm->r_tim_lastsent[idx] = rsm->r_tim_lastsent[idx]; } + /* Now if we have SYN flag we keep it on the left edge */ + if (nrsm->r_flags & RACK_HAS_SYN) + nrsm->r_flags &= ~RACK_HAS_SYN; + /* Now if we have a FIN flag we keep it on the right edge */ + if (nrsm->r_flags & RACK_HAS_FIN) + nrsm->r_flags &= ~RACK_HAS_FIN; /* * Now we need to find nrsm's new location in the mbuf chain * we basically calculate a new offset, which is soff + 
@@ -6061,9 +6067,11 @@ rack_clone_rsm(struct tcp_rack *rack, struct rack_sendmap *nrsm, * chain to find the righ postion, it may be the same mbuf * or maybe not. */ - KASSERT((rsm->m != NULL), + KASSERT(((rsm->m != NULL) || + (rsm->r_flags & (RACK_HAS_SYN|RACK_HAS_FIN))), ("rsm:%p nrsm:%p rack:%p -- rsm->m is NULL?", rsm, nrsm, rack)); - rack_setup_offset_for_rsm(rsm, nrsm); + if (rsm->m) + rack_setup_offset_for_rsm(rsm, nrsm); } static struct rack_sendmap *
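Review bot: In the first hunk (rack_clone_rsm, at 6054), both added branches clear their flag on nrsm, yet the comments say SYN stays on the left edge and FIN on the right; one piece of the split cannot be the side that gives up both edge flags. If nrsm is the right-hand piece, as the comment that follows about finding nrsm's new offset suggests, the FIN case should clear the flag on the other piece instead, e.g. `if (rsm->r_flags & RACK_HAS_FIN) rsm->r_flags &= ~RACK_HAS_FIN;`. As written, a split of a SYN+FIN entry leaves both flags on rsm and neither on nrsm. The `if` tests are also unnecessary, since `&= ~FLAG` does nothing when the bit is already clear.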
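Review bot: In the second hunk (at 6061), the new `if (rsm->m)` guard skips rack_setup_offset_for_rsm() when rsm->m is NULL, but nothing in the visible lines says what nrsm's mbuf pointer and offset should hold in that case. Either set them explicitly in an else branch or add a comment stating that they were already initialised before this point, so a later reader does not have to guess. On kernels built without invariants the KASSERT is compiled out, so this guard also silently accepts a NULL rsm->m on an entry that has neither SYN nor FIN; consider logging or handling that case rather than only skipping the call. For consistency with the assertion above it, write the test as `if (rsm->m != NULL)`.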