From nobody@FreeBSD.org  Fri Feb 11 09:14:26 2011
Message-Id: <201102110914.p1B9EQu1039136@red.freebsd.org>
Date: Fri, 11 Feb 2011 09:14:26 GMT
From: "Sergey V. Dyatko" <sergey.dyatko@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: HEAD, 8.1-RELEASE panic after some play with netgraph
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         154676
>Category:       kern
>Synopsis:       [netgraph] [panic] HEAD, 8.1-RELEASE panic after some play with netgraph
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 11 09:20:07 UTC 2011
>Closed-Date:    Thu Apr 21 08:16:05 UTC 2011
>Last-Modified:  Fri Mar 29 14:10:01 UTC 2013
>Originator:     Sergey V. Dyatko
>Release:        8.1-RELEASE-p2, HEAD i386 r217701
>Organization:
>Environment:
FreeBSD laptop.minsk.domain 9.0-CURRENT FreeBSD 9.0-CURRENT #20 r217701M: Fri Jan 21 23:49:33 EET 2011     root@laptop.minsk.domain:/usr/obj/usr/src/sys/b450  i386

>Description:
http://tiger.ipfw.ru/tmp/core.txt
>How-To-Repeat:
host# sockstat -l4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sendmail   1171  3  tcp4   127.0.0.1:25          *:*

host# ngctl

mkpeer ksocket myhook2 inet/stream/tcp
msg .:myhook2 connect inet/127.0.0.1:25

result from FreeBSD 7.0-RELEASE-p5 amd64: http://paste.org.ru/?imirnx
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Feb 13 02:20:33 UTC 2011 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154676 

From: Arnaud Lacombe <lacombar@gmail.com>
To: bug-followup@FreeBSD.org, sergey.dyatko@gmail.com
Cc:  
Subject: Re: kern/154676: [netgraph] [panic] HEAD, 8.1-RELEASE panic after
 some play with netgraph
Date: Sun, 13 Feb 2011 02:03:34 -0500

 Playing a bit with that bug; an INVARIANTS-enabled kernel (9-CURRENT)
 crashes with:
 
 panic: ng_snd_item: no mbuf packet header!
 
 because the mbuf returned by soreceive() does not have M_PKTHDR set,
 while the expected data is present in the mbuf. 7.1 does set the flag:
 
 Adding an m_print() right after soreceive() in ng_ksocket_incoming2() gives:
 
 FreeBSD -current (on 127.0.0.1:25):
 mbuf: 0xc1d7b200 len: 81, next: 0, 0, 32-32-30-...
 
 FreeBSD 7.1 (on 127.0.0.1:22)
 mbuf: 0xc6d47400 len: 40, next: 0, 2<pkthdr>, 53-53-48-...
 
 both stacks use soreceive_generic(),

From: Arnaud Lacombe <lacombar@gmail.com>
To: bug-followup@FreeBSD.org, sergey.dyatko@gmail.com, 
	=?ISO-8859-1?Q?Andr=E9_Oppermann?= <andre@FreeBSD.org>
Cc:  
Subject: [debugged] Re: kern/154676: [netgraph] [panic] HEAD, 8.1-RELEASE
 panic after some play with netgraph
Date: Sun, 13 Feb 2011 04:29:58 -0500

 [Adding andre@, see below]
 
 I think I narrowed this down to right after the call to
 sbappendstream_locked() in netinet/tcp_input.c:tcp_do_segment(), line
 2713. On 7.1, the mbuf has its M_PKTHDR set. It is not set in
 -current. However, the mbuf passed to tcp_do_segment() has the flag
 set (enforced by M_ASSERTPKTHDR(m)), so it should have been lost
 in-between.
 
 [...]
 
 ... of course ...sbappendstream_locked() of 7.1 has no call to
 m_demote(). I suppose that ng_ksocket will work again if I remove the
 call.
 
 [...]
 
 Yes it does...
 
 For the record, this call has been introduced in:
 
 commit ec3cce1383deb16282c3576cc3dc2f3bb1ba9375
 Author: andre <andre@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
 Date:   Mon Jun 22 21:46:40 2009 +0000
 
     In sbappendstream_locked() demote all incoming packet mbufs (and
     chains) to pure data mbufs using m_demote().  This removes the
     packet header and all m_tag information as they are not meaningful
     anymore on a stream socket where mbufs are linked through m->m_next.
     Strictly speaking a packet header can be only ever valid on the first
     mbuf in an m_next chain.
 
     sbcompress() was doing this already when the mbuf chain layout lent
     itself to it (e.g. header splitting or merge-append), just not
     consistently.
 
     This frees resources at socket buffer append time instead of at
     sbdrop_internal() time after data has been read from the socket.
 
     For MAC the per packet information has done its duty and during
     socket buffer appending the policy of the socket itself takes over.
     With the append the packet boundaries disappear naturally and with
     it any context that was based on it.  None of the residual information
     from mbuf headers in the socket buffer on stream sockets was looked at.

From: "Sergey V. Dyatko" <sergey.dyatko@gmail.com>
To: =?ISO-8859-1?Q?Andr=E9?= Oppermann <andre@FreeBSD.org>
Cc: Arnaud Lacombe <lacombar@gmail.com>, bug-followup@FreeBSD.org
Subject: Re: [debugged] Re: kern/154676: [netgraph] [panic] HEAD,
 8.1-RELEASE panic after some play with netgraph
Date: Tue, 15 Mar 2011 10:23:12 +0200

 On Sun, 13 Feb 2011 04:29:58 -0500
 Arnaud Lacombe <lacombar@gmail.com> wrote:
 
 > [Adding andre@, see below]
 > 
 > I think I narrowed this down to right after the call to
 > sbappendstream_locked() in netinet/tcp_input.c:tcp_do_segment(), line
 > 2713. On 7.1, the mbuf has its M_PKTHDR set. It is not set in
 > -current. However, the mbuf passed to tcp_do_segment() has the flag
 > set (enforced by M_ASSERTPKTHDR(m)), so it should have been lost
 > in-between.
 > 
 > [...]
 > 
 > ... of course ...sbappendstream_locked() of 7.1 has no call to
 > m_demote(). I suppose that ng_ksocket will work again if I remove the
 > call.
 > 
 > [...]
 > 
 > Yes it does...
 > 
 > For the record, this call has been introduced in:
 > 
 > commit ec3cce1383deb16282c3576cc3dc2f3bb1ba9375
 > Author: andre <andre@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
 > Date:   Mon Jun 22 21:46:40 2009 +0000
 > 
 >     In sbappendstream_locked() demote all incoming packet mbufs (and
 >     chains) to pure data mbufs using m_demote().  This removes the
 >     packet header and all m_tag information as they are not meaningful
 >     anymore on a stream socket where mbufs are linked through
 > m->m_next. Strictly speaking a packet header can be only ever valid
 > on the first mbuf in an m_next chain.
 > 
 >     sbcompress() was doing this already when the mbuf chain layout
 > lent itself to it (e.g. header splitting or merge-append), just not
 >     consistently.
 > 
 >     This frees resources at socket buffer append time instead of at
 >     sbdrop_internal() time after data has been read from the socket.
 > 
 >     For MAC the per packet information has done its duty and during
 >     socket buffer appending the policy of the socket itself takes
 > over. With the append the packet boundaries disappear naturally and
 > with it any context that was based on it.  None of the residual
 > information from mbuf headers in the socket buffer on stream sockets
 > was looked at.
 
 Andre, I'm ready to test a patch if you provide it
 
 -- 
 wbr, tiger

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154676: commit references a PR
Date: Thu, 14 Apr 2011 14:54:35 +0000 (UTC)

 Author: glebius
 Date: Thu Apr 14 14:54:22 2011
 New Revision: 220622
 URL: http://svn.freebsd.org/changeset/base/220622
 
 Log:
   Revert r194662, since it breaks ng_ksocket(4) and may break
   other socket consumers with alternate sb_upcall.
   
   PR:		kern/154676
   Submitted by:	Arnaud Lacombe <lacombar gmail.com>
   MFC after:	7 days
 
 Modified:
   head/sys/kern/uipc_sockbuf.c
 
 Modified: head/sys/kern/uipc_sockbuf.c
 ==============================================================================
 --- head/sys/kern/uipc_sockbuf.c	Thu Apr 14 14:25:47 2011	(r220621)
 +++ head/sys/kern/uipc_sockbuf.c	Thu Apr 14 14:54:22 2011	(r220622)
 @@ -528,9 +528,6 @@ sbappendstream_locked(struct sockbuf *sb
  
  	SBLASTMBUFCHK(sb);
  
 -	/* Remove all packet headers and mbuf tags to get a pure data chain. */
 -	m_demote(m, 1);
 -	
  	sbcompress(sb, m, sb->sb_mbtail);
  
  	sb->sb_lastrecord = sb->sb_mb;
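 
 Review bot: Dropping the m_demote(m, 1) call ahead of sbcompress() leaves
 nothing at this site explaining why stream mbufs keep their packet
 headers. A one-line comment saying that sb_upcall consumers such as
 ng_ksocket(4) still expect M_PKTHDR here would keep the call from being
 reintroduced before those consumers are fixed.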
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: "Sergey V. Dyatko" <tiger@agava.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154676: [netgraph] [panic] HEAD, 8.1-RELEASE panic after
 some play with netgraph
Date: Fri, 15 Apr 2011 12:06:04 +0300

 Hi, 
 
 Arnaud and glebius@, thanks. Reverting andre@'s commit helps. 
 
 Tested on -CURRENT, i386 (r220649) and 8-STABLE, amd64 (r220557)
 
 -- 
 wbr, tiger
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Fri Apr 15 10:02:54 UTC 2011 
State-Changed-Why:  
Fixed in head. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154676 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Thu Apr 21 08:11:52 UTC 2011 
State-Changed-Why:  
Merged to stable/8. 


Responsible-Changed-From-To: freebsd-net->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Thu Apr 21 08:11:52 UTC 2011 
Responsible-Changed-Why:  
Merged to stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154676 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154676: commit references a PR
Date: Thu, 21 Apr 2011 08:13:58 +0000 (UTC)

 Author: glebius
 Date: Thu Apr 21 08:13:44 2011
 New Revision: 220912
 URL: http://svn.freebsd.org/changeset/base/220912
 
 Log:
   Merge from head/ 220622:
     Revert r194662, since it breaks ng_ksocket(4) and may break
     other socket consumers with alternate sb_upcall.
   
     PR:           kern/154676
     Submitted by: Arnaud Lacombe <lacombar gmail.com>
 
 Modified:
   stable/8/sys/kern/uipc_sockbuf.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/kern/uipc_sockbuf.c
 ==============================================================================
 --- stable/8/sys/kern/uipc_sockbuf.c	Thu Apr 21 07:26:14 2011	(r220911)
 +++ stable/8/sys/kern/uipc_sockbuf.c	Thu Apr 21 08:13:44 2011	(r220912)
 @@ -528,9 +528,6 @@ sbappendstream_locked(struct sockbuf *sb
  
  	SBLASTMBUFCHK(sb);
  
 -	/* Remove all packet headers and mbuf tags to get a pure data chain. */
 -	m_demote(m, 1);
 -	
  	sbcompress(sb, m, sb->sb_mbtail);
  
  	sb->sb_lastrecord = sb->sb_mb;
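 
 Review bot: The merge log does not say that, with m_demote(m, 1) gone
 from sbappendstream_locked(), packet headers and mbuf tags stay attached
 in stream socket buffers again. The r194662 log quoted earlier in this PR
 describes them as freed at append time instead of at sbdrop_internal()
 time, so the log for stable/8 should state that the older behaviour
 returns with this revert.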
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154676: commit references a PR
Date: Fri, 29 Mar 2013 14:04:39 +0000 (UTC)

 Author: glebius
 Date: Fri Mar 29 14:04:26 2013
 New Revision: 248885
 URL: http://svnweb.freebsd.org/changeset/base/248885
 
 Log:
   Revamp mbuf handling in ng_ksocket_incoming2():
   
   - Clear code that worked around a bug in FreeBSD 3,
     and even predated import of netgraph(4).
   - Clear workaround for m_nextpkt pointing into
     next record in buffer (fixed in r248884).
     Assert that m_nextpkt is clear.
   - Do not rely on SOCK_STREAM sockets containing
     M_PKTHDR mbufs. Create a header ourselves and
     attach chain to it. This is the correct fix for
     kern/154676.
   
   PR:		kern/154676
   Sponsored by:	Nginx, Inc
 
 Modified:
   head/sys/netgraph/ng_ksocket.c
 
 Modified: head/sys/netgraph/ng_ksocket.c
 ==============================================================================
 --- head/sys/netgraph/ng_ksocket.c	Fri Mar 29 13:57:55 2013	(r248884)
 +++ head/sys/netgraph/ng_ksocket.c	Fri Mar 29 14:04:26 2013	(r248885)
 @@ -1042,7 +1042,6 @@ ng_ksocket_incoming2(node_p node, hook_p
  {
  	struct socket *so = arg1;
  	const priv_p priv = NG_NODE_PRIVATE(node);
 -	struct mbuf *m;
  	struct ng_mesg *response;
  	struct uio auio;
  	int flags, error;
 @@ -1096,11 +1095,11 @@ ng_ksocket_incoming2(node_p node, hook_p
  
  	/* Read and forward available mbuf's */
  	auio.uio_td = NULL;
 -	auio.uio_resid = 1000000000;
 +	auio.uio_resid = MJUMPAGESIZE;	/* XXXGL: sane limit? */
  	flags = MSG_DONTWAIT;
  	while (1) {
  		struct sockaddr *sa = NULL;
 -		struct mbuf *n;
 +		struct mbuf *m;
  
  		/* Try to get next packet from socket */
  		if ((error = soreceive(so, (so->so_state & SS_ISCONNECTED) ?
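 
 Review bot: auio.uio_resid is assigned once, above while (1), but
 soreceive() reduces it by the amount it returns, so the MJUMPAGESIZE
 budget is shared by every iteration of the loop rather than applied per
 read. With the old value of 1000000000 that was harmless; with a
 page-sized limit the loop can run out of residual count while data is
 still queued. Set uio_resid (and uio_td) inside the loop before each
 soreceive() call, and settle the "XXXGL: sane limit?" question for
 datagram sockets, where a record larger than the limit would be cut
 short.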
 @@ -1114,17 +1113,28 @@ ng_ksocket_incoming2(node_p node, hook_p
  			break;
  		}
  
 +		KASSERT(m->m_nextpkt == NULL, ("%s: nextpkt", __func__));
 +
  		/*
 -		 * Don't trust the various socket layers to get the
 -		 * packet header and length correct (e.g. kern/15175).
 -		 *
 -		 * Also, do not trust that soreceive() will clear m_nextpkt
 -		 * for us (e.g. kern/84952, kern/82413).
 +		 * Stream sockets do not have packet boundaries, so
 +		 * we have to allocate a header mbuf and attach the
 +		 * stream of data to it.
  		 */
 -		m->m_pkthdr.csum_flags = 0;
 -		for (n = m, m->m_pkthdr.len = 0; n != NULL; n = n->m_next) {
 -			m->m_pkthdr.len += n->m_len;
 -			n->m_nextpkt = NULL;
 +		if (so->so_type == SOCK_STREAM) {
 +			struct mbuf *mh;
 +
 +			mh = m_gethdr(M_NOWAIT, MT_DATA);
 +			if (mh == NULL) {
 +				m_freem(m);
 +				if (sa != NULL)
 +					free(sa, M_SONAME);
 +				break;
 +			}
 +
 +			mh->m_next = m;
 +			for (; m; m = m->m_next)
 +				mh->m_pkthdr.len += m->m_len;
 +			m = mh;
  		}
  
  		/* Put peer's socket address (if any) into a tag */
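 
 Review bot: For sockets that are not SOCK_STREAM nothing now checks the
 chain returned by soreceive(): the removed block recomputed m_pkthdr.len
 and cleared csum_flags and m_nextpkt for every socket type, while the new
 KASSERT(m->m_nextpkt == NULL, ...) exists only in INVARIANTS kernels and
 the header is otherwise taken as delivered. An M_ASSERTPKTHDR(m) in an
 else branch would document that assumption. In the stream branch, the
 m_gethdr() failure path frees the data and breaks out of the loop without
 any error indication, so received bytes are dropped silently; and
 "for (; m; m = m->m_next)" should compare against NULL explicitly.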
 
>Unformatted:
