Module Name: src
Committed By: ozaki-r
Date: Mon Nov 27 02:50:27 UTC 2023
Modified Files:
src/sys/kern: uipc_mbuf.c
Log Message:
mbuf: avoid assertion failure when splitting mbuf cluster
>From OpenBSD:
commit 7b4d35e0a60ba1dd4daf4b1c2932020a22463a89
Author: bluhm <[email protected]>
Date: Fri Oct 20 16:25:15 2023 +0000
Avoid assertion failure when splitting mbuf cluster.
m_split() calls m_align() to initialize the data pointer of newly
allocated mbuf. If the new mbuf will be converted to a cluster,
this is not necessary. If additionally the new mbuf is larger than
MLEN, this can lead to a panic.
Only call m_align() when a valid m_data is needed. This is the
case if we do not reference the existing cluster, but memcpy() the
data into the new mbuf.
Reported-by: [email protected]
OK claudio@ deraadt@
The issue is harmless if DIAGNOSTIC is not enabled.
XXX pullup-10
XXX pullup-9
To generate a diff of this commit:
cvs rdiff -u -r1.251 -r1.252 src/sys/kern/uipc_mbuf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.251 src/sys/kern/uipc_mbuf.c:1.252
--- src/sys/kern/uipc_mbuf.c:1.251 Wed Apr 12 06:48:08 2023
+++ src/sys/kern/uipc_mbuf.c Mon Nov 27 02:50:27 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_mbuf.c,v 1.251 2023/04/12 06:48:08 riastradh Exp $ */
+/* $NetBSD: uipc_mbuf.c,v 1.252 2023/11/27 02:50:27 ozaki-r Exp $ */
/*
* Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.251 2023/04/12 06:48:08 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.252 2023/11/27 02:50:27 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_mbuftrace.h"
@@ -1343,10 +1343,7 @@ m_split_internal(struct mbuf *m0, int le
len_save = m0->m_pkthdr.len;
m0->m_pkthdr.len = len0;
- if (m->m_flags & M_EXT)
- goto extpacket;
-
- if (remain > MHLEN) {
+ if ((m->m_flags & M_EXT) == 0 && remain > MHLEN) {
/* m can't be the lead packet */
m_align(n, 0);
n->m_len = 0;
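Review bot: The retained comment `/* m can't be the lead packet */` no longer explains the whole condition in `if ((m->m_flags & M_EXT) == 0 && remain > MHLEN)`. The M_EXT test is what lets a cluster-backed m skip both m_align() and the MHLEN limit, because n later takes a reference to m's storage instead of receiving a copy. I would add a comment above the test, such as `/* M_EXT: n will share m's cluster below, so neither m_align() nor the MHLEN bound applies */`. The body of m_split_internal starts and ends outside this hunk, so the later branches are judged only from the other hunks on this page.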
@@ -1357,8 +1354,6 @@ m_split_internal(struct mbuf *m0, int le
return NULL;
}
return n;
- } else {
- m_align(n, remain);
}
} else if (remain == 0) {
n = m->m_next;
@@ -1369,14 +1364,13 @@ m_split_internal(struct mbuf *m0, int le
if (n == NULL)
return NULL;
MCLAIM(n, m->m_owner);
- m_align(n, remain);
}
-extpacket:
if (m->m_flags & M_EXT) {
n->m_data = m->m_data + len;
MCLADDREFERENCE(m, n);
} else {
+ m_align(n, remain);
memcpy(mtod(n, void *), mtod(m, char *) + len, remain);
}
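Review bot: In the else branch the `memcpy()` of `remain` bytes into n is bounded only by reasoning spread over two earlier branches. The one explicit check is the assertion inside m_align(), which the log message implies is compiled in only under DIAGNOSTIC. On the packet-header path the new condition guarantees `remain <= MHLEN` for a non-M_EXT m; on the MGET path the bound presumably follows from m being a non-cluster mbuf, which this hunk does not show. A comment before the call would record the invariant, e.g. `/* !M_EXT: remain <= MHLEN (pkthdr path) or <= MLEN (plain mbuf), so the copy fits in n */`. The function continues outside the hunk.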