Current-Users archive


Re: crash in in6_cksum



On Tue, 26 Feb 2008, Tatoku Ogaito wrote:

> >> In Message <080226083754.M0226599%mirage.ceres.dti.ne.jp@localhost>
>  at Tue, 26 Feb 2008 08:37:54 +0900
>  Izumi Tsutsui <tsutsui%ceres.dti.ne.jp@localhost> wrote:
>
>  > I also see the same panic with re(4) on i386 and I'm using
>  > in6_cksum.c rev 1.22. (though I don't use ipv6)
>
> In my case, I use ath(4) at cardbus and wm(4) at pci on i386.

[probably not the interface driver then]

> A bunch of KASSERTs reveal the assertion fails at the second
> KASSERT in the following piece of code, which begins with the
> line 346 in revision 1.113.

So, it seems that pfil_run_hooks() has modified the mbuf chain and left it
without the complete ip6_hdr addressable, and I'm guessing that, since
ip6_input() already made some effort to pull it up, this is unwanted
behaviour (though pfil(9) does not say so).

(I think that the previous versions of in6_cksum() also required this but
did no validation; I don't know if that means the calculations were
sometimes wrong..?)

Is there a way to know which hooks are being run?

> # In my kernel, I set PFIL_HOOKS and FAST_IPSEC.

Does this mean that FAST_IPSEC is the packet filter?

The only places I see hooks being added are in:
        net/if_bridge.c
        net/if_pppoe.c
        dist/pf/net/pf_ioctl.c
        dist/ipf/netinet/ip_fil_netbsd.c

I don't really know what the hooks are supposed to be doing, but some of
them use m_makewritable(), which does not guarantee that data is left
contiguous.

iain
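
Added example, not part of the original message and not NetBSD kernel code: a user-space model of the situation discussed above, where a hook leaves the chain's total length intact but the 40-byte IPv6 header no longer sits in the first buffer, and a pull-up after the hooks restores it. `struct tmbuf`, `split_hook()` and `pullup()` are hypothetical stand-ins for `struct mbuf`, a pfil hook and m_pullup().

```c
#include <stdlib.h>
#include <string.h>

#define IP6_HDRLEN 40            /* size of the fixed IPv6 header */

/* Simplified stand-in for struct mbuf (assumption, not the kernel layout). */
struct tmbuf {
    struct tmbuf *next;
    size_t len;                  /* valid bytes in data[] */
    unsigned char data[128];
};

/* Invariant from the thread: the whole header is in the first buffer. */
static int hdr_contiguous(const struct tmbuf *m, size_t need)
{
    return m != NULL && m->len >= need;
}

/* Hypothetical hook: splits the first buffer at `at`, as a copy-on-write
 * rewrite may; total length is preserved, contiguity is not. */
static int split_hook(struct tmbuf *m, size_t at)
{
    struct tmbuf *n;
    if (at >= m->len || (n = calloc(1, sizeof(*n))) == NULL)
        return -1;
    n->len = m->len - at;
    memcpy(n->data, m->data + at, n->len);
    n->next = m->next;
    m->next = n;
    m->len = at;
    return 0;
}

/* Pull-up style repair: move bytes forward until `need` are contiguous. */
static int pullup(struct tmbuf *m, size_t need)
{
    if (need > sizeof(m->data))
        return -1;
    while (m->len < need) {
        struct tmbuf *n = m->next;
        if (n == NULL)
            return -1;           /* chain is shorter than the header */
        size_t take = need - m->len < n->len ? need - m->len : n->len;
        memcpy(m->data + m->len, n->data, take);
        memmove(n->data, n->data + take, n->len - take);
        m->len += take;
        n->len -= take;
        if (n->len == 0) { m->next = n->next; free(n); }
    }
    return 0;
}
```

Checking `hdr_contiguous()` after every hook run, and calling `pullup()` when it fails, is the model's equivalent of re-validating the header before it reaches the checksum code.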

