git: 02cffbc2507e - main - tcp: Incorrect KASSERT causes a panic in rack

Randall Stewart rrs at FreeBSD.org
Thu May 13 11:39:23 UTC 2021


The branch main has been updated by rrs:

URL: https://cgit.FreeBSD.org/src/commit/?id=02cffbc2507e83944b0c29d69d6ddf26c9386d54

commit 02cffbc2507e83944b0c29d69d6ddf26c9386d54
Author:     Randall Stewart <rrs at FreeBSD.org>
AuthorDate: 2021-05-13 11:36:04 +0000
Commit:     Randall Stewart <rrs at FreeBSD.org>
CommitDate: 2021-05-13 11:36:04 +0000

    tcp: Incorrect KASSERT causes a panic in rack
    
    Skyzall found an interesting panic in rack. When a SYN and FIN are
    both sent together, a KASSERT gets tripped where it is validating that
    an mbuf pointer is in the sendmap. But a SYN and FIN often will not
    have an mbuf pointer. So the fix is twofold: a) make sure that the
    SYN and FIN split the right way when cloning an RSM, SYN on left
    edge and FIN on right. And also make sure the KASSERT properly
    accounts for the case that we have a SYN or FIN so we don't
    panic.
    
    Reviewed by: mtuexen
    Sponsored by: Netflix Inc.
    Differential Revision:  https://reviews.freebsd.org/D30241
---
 sys/netinet/tcp_stacks/rack.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index 115f5f2ee44b..c4f3be02dd29 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -6054,6 +6054,12 @@ rack_clone_rsm(struct tcp_rack *rack, struct rack_sendmap *nrsm,
 	for (idx = 0; idx < nrsm->r_rtr_cnt; idx++) {
 		nrsm->r_tim_lastsent[idx] = rsm->r_tim_lastsent[idx];
 	}
+	/* Now if we have SYN flag we keep it on the left edge */
+	if (nrsm->r_flags & RACK_HAS_SYN)
+		nrsm->r_flags &= ~RACK_HAS_SYN;
+	/* Now if we have a FIN flag we keep it on the right edge */
+	if (nrsm->r_flags & RACK_HAS_FIN)
+		nrsm->r_flags &= ~RACK_HAS_FIN;
 	/*
 	 * Now we need to find nrsm's new location in the mbuf chain
 	 * we basically calculate a new offset, which is soff +
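Review bot: The FIN branch clears RACK_HAS_FIN on nrsm, the same piece that the SYN branch just above treats as the non-left (right-hand) half, so the code does the opposite of its own comment "we keep it on the right edge" and of the commit message's "FIN on right". As written, rsm (the left piece) keeps the FIN and the right piece loses it. If nrsm is the right-hand half of the split, the FIN test and clear should operate on rsm, i.e. `if (rsm->r_flags & RACK_HAS_FIN) rsm->r_flags &= ~RACK_HAS_FIN;`. Smaller style point: both `if` tests are redundant, since `&= ~FLAG` is a no-op when the flag is not set.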
@@ -6061,9 +6067,11 @@ rack_clone_rsm(struct tcp_rack *rack, struct rack_sendmap *nrsm,
 	 * chain to find the righ postion, it may be the same mbuf
 	 * or maybe not.
 	 */
-	KASSERT((rsm->m != NULL),
+	KASSERT(((rsm->m != NULL) ||
+		 (rsm->r_flags & (RACK_HAS_SYN|RACK_HAS_FIN))),
 		("rsm:%p nrsm:%p rack:%p -- rsm->m is NULL?", rsm, nrsm, rack));
-	rack_setup_offset_for_rsm(rsm, nrsm);
+	if (rsm->m)
+		rack_setup_offset_for_rsm(rsm, nrsm);
 }
 
 static struct rack_sendmap *
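Review bot: When `rsm->m` is NULL the new `if (rsm->m)` guard skips rack_setup_offset_for_rsm() entirely, and nothing in this hunk sets nrsm's mbuf pointer or offset on that path, so nrsm keeps whatever values it had on entry. Either set them explicitly in an else branch or add a comment saying where they are initialized. Note also that KASSERT is only compiled in with INVARIANTS, so on production kernels the guard silently accepts a NULL `rsm->m` on any entry, including one with neither SYN nor FIN set, which is exactly the state the assertion is meant to flag. The assertion tests `rsm->r_flags`, so it depends on rsm still carrying the SYN or FIN flag at this point; any change to the flag handling earlier in the function that clears a flag on rsm would make this check fire again for that case. Style: prefer `if (rsm->m != NULL)` to match the explicit NULL comparison used in the KASSERT.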

