git: 37229fed38c6 - main - tcp: Blackbox logging and tcp accounting together can cause a crash.
Date: Tue, 18 Apr 2023 12:40:15 UTC
The branch main has been updated by rrs:
URL: https://cgit.FreeBSD.org/src/commit/?id=37229fed38c68b26a497f4fb189d4b8e35346232
commit 37229fed38c68b26a497f4fb189d4b8e35346232
Author: Randall Stewart <rrs@FreeBSD.org>
AuthorDate: 2023-04-17 17:52:00 +0000
Commit: Randall Stewart <rrs@FreeBSD.org>
CommitDate: 2023-04-17 17:52:00 +0000
tcp: Blackbox logging and tcp accounting together can cause a crash.
If you currently turn BB logging on in combination with TCP Accounting, we can get a
crash when we run out of memory, because there is no NULL check. Also, let's make sure we
don't divide by 0 when calculating any BB ratios.
Reviewed by: tuexen
Sponsored by: Netflix Inc
Differential Revision:https://reviews.freebsd.org/D39622
---
sys/netinet/tcp_log_buf.c | 38 ++++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/sys/netinet/tcp_log_buf.c b/sys/netinet/tcp_log_buf.c
index 5a16c7593cfc..c533f8329fbe 100644
--- a/sys/netinet/tcp_log_buf.c
+++ b/sys/netinet/tcp_log_buf.c
@@ -554,7 +554,10 @@ tcp_log_apply_ratio(struct tcpcb *tp, int ratio)
INP_WUNLOCK(inp);
return (EOPNOTSUPP);
}
- ratio_hash_thresh = max(1, UINT32_MAX / ratio);
+ if (ratio)
+ ratio_hash_thresh = max(1, UINT32_MAX / ratio);
+ else
+ ratio_hash_thresh = 0;
TCPID_BUCKET_REF(tlb);
INP_WUNLOCK(inp);
TCPID_BUCKET_LOCK(tlb);
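Review bot: The new guard before `UINT32_MAX / ratio` covers only `ratio == 0`, but `ratio` is a signed `int` in the signature shown in the hunk header. A negative value would still reach the division, where it is presumably converted to unsigned, so the result collapses to the `max(1, ...)` floor instead of being rejected. Whether callers range-check the value is not visible here; if they do not, `if (ratio > 0)` would send negative input down the same branch as zero. A comment on the else branch, for example `/* ratio 0: no division, threshold 0 */`, would also record what a zero threshold is meant to select. The body of tcp_log_apply_ratio starts and ends outside the hunk.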
@@ -1438,30 +1441,33 @@ tcp_log_tcpcbfini(struct tcpcb *tp)
memset(&log, 0, sizeof(log));
if (tp->t_flags2 & TF2_TCP_ACCOUNTING) {
- for (i = 0; i<TCP_NUM_CNT_COUNTERS; i++) {
+ for (i = 0; i < TCP_NUM_CNT_COUNTERS; i++) {
log.u_raw.u64_flex[i] = tp->tcp_cnt_counters[i];
}
lgb = tcp_log_event(tp, NULL,
- NULL,
- NULL,
- TCP_LOG_ACCOUNTING, 0,
- 0, &log, false, NULL, NULL, 0, &tv);
- lgb->tlb_flex1 = TCP_NUM_CNT_COUNTERS;
- lgb->tlb_flex2 = 1;
+ NULL,
+ NULL,
+ TCP_LOG_ACCOUNTING, 0,
+ 0, &log, false, NULL, NULL, 0, &tv);
+ if (lgb != NULL) {
+ lgb->tlb_flex1 = TCP_NUM_CNT_COUNTERS;
+ lgb->tlb_flex2 = 1;
+ } else
+ goto skip_out;
for (i = 0; i<TCP_NUM_CNT_COUNTERS; i++) {
log.u_raw.u64_flex[i] = tp->tcp_proc_time[i];
}
lgb = tcp_log_event(tp, NULL,
- NULL,
- NULL,
- TCP_LOG_ACCOUNTING, 0,
- 0, &log, false, NULL, NULL, 0, &tv);
- if (tptoinpcb(tp)->inp_flags2 & INP_MBUF_ACKCMP)
+ NULL,
+ NULL,
+ TCP_LOG_ACCOUNTING, 0,
+ 0, &log, false, NULL, NULL, 0, &tv);
+ if (lgb != NULL) {
lgb->tlb_flex1 = TCP_NUM_CNT_COUNTERS;
- else
- lgb->tlb_flex1 = TCP_NUM_PROC_COUNTERS;
- lgb->tlb_flex2 = 2;
+ lgb->tlb_flex2 = 2;
+ }
}
+skip_out:
log.u_bbr.timeStamp = tcp_get_usecs(&tv);
log.u_bbr.cur_del_rate = tp->t_end_info;
TCP_LOG_EVENTP(tp, NULL,
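Review bot: The second accounting record now always sets `lgb->tlb_flex1 = TCP_NUM_CNT_COUNTERS`, which is a behaviour change the commit message does not mention. The removed lines reported `TCP_NUM_PROC_COUNTERS` unless `INP_MBUF_ACKCMP` was set, so a reader of the log that relies on `tlb_flex1` as the count of valid `u64_flex` entries will see a different value for those connections. If the change is intended, say so in a comment above the assignment, e.g. `/* flex1 = entries copied from tcp_proc_time by the loop above */`. Separately, `log` is zeroed once before the accounting block and not again at `skip_out:`, so if `u_raw` and `u_bbr` share storage (their layout is not visible here) the final event may carry leftover counter values. The body of tcp_log_tcpcbfini starts and ends outside the hunk.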