NetBSD-Bugs archive


Re: kern/50766 panic in tcp_input.c on the banana pi

The following reply was made to PR kern/50766; it has been noted by GNATS.

From: Michael van Elst <>
Subject: Re: kern/50766 panic in tcp_input.c on the banana pi
Date: Sat, 5 Nov 2016 17:37:25 +0100

 I just got the same on evbmips running -current and analyzed it a bit.
 ip_input() and ip6_input() align the IP header by calling m_copyup when
 necessary to enforce alignment.
 However, the protocol input routines rely on m_pulldown() to achieve
 the same. This assumption breaks when IP header and protocol header
 (e.g. ICMP) are not contiguous but in separate mbufs. There is no
 guarantee that the second mbuf is aligned.
 m_copyup() is part of the problem too. It copies the requested
 header size but rounds it up to 60 bytes. For a simple packet
 this copies part of the protocol header, which is therefore
 aligned, and the following m_pullup coalesces remaining bytes.
 But with ipv6-in-ipv4 encapsulation you have e.g.
 20 bytes IPv4
 40 bytes IPv6
 20 bytes TCP
 If this comes in aligned, everyone is happy.
 If this comes in unaligned, then ip_input will m_copyup 60 bytes,
 leaving the unaligned TCP header in the original mbuf.
 ip6_input will then see that its header is already aligned and
 do nothing regarding alignment.
 tcp_input will fail because the header isn't aligned and m_pullup
 doesn't change that.
 I have locally patched the protocol routines to use m_copyup as well.
                                 Michael van Elst
                                 "A potential Snark may lurk in every tree."
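Added example, not part of the PR or of the message above: a toy C model of the mbuf chain the reply describes (20 bytes IPv4, 40 bytes IPv6, 20 bytes TCP in one mbuf), with simplified stand-ins for m_copyup(), the strict-alignment header check and m_pulldown(). The struct mbuf, MAX_PROTOHDR, walk_headers() and the 0xAB packet bytes are assumptions of the model, not NetBSD's own definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PROTOHDR 60   /* m_copyup() copies at least this many bytes */
#define HDR_ALIGNED_P(p) ((((uintptr_t)(p)) & 3) == 0)

struct mbuf { _Alignas(4) unsigned char dat[128]; unsigned char *data; size_t len; };
struct result { bool ip_aligned, ip6_aligned, tcp_aligned; };

/* Modelled m_copyup(): move max(len, MAX_PROTOHDR) bytes from the front of
 * 'n' into the aligned storage of 'm'; whatever is left stays behind in 'n'. */
static void model_copyup(struct mbuf *m, struct mbuf *n, size_t len)
{
    size_t count = len < MAX_PROTOHDR ? MAX_PROTOHDR : len;
    if (count > n->len)
        count = n->len;
    m->data = m->dat;                     /* dstoff = 0: freshly aligned */
    memcpy(m->data, n->data, count);
    m->len = count;
    n->data += count;
    n->len -= count;
}

/* Walk one 20 IPv4 + 40 IPv6 + 20 TCP packet through ip_input -> ip6_input
 * -> tcp_input. 'skew' is the packet's byte offset inside its mbuf;
 * 'protocol_copyup' models the local patch the message mentions. */
struct result walk_headers(size_t skew, bool protocol_copyup)
{
    struct mbuf orig, ipm, tcpm, *first = &orig, *second = &orig;
    struct result r;
    unsigned char *th;

    memset(orig.dat, 0xAB, sizeof orig.dat);  /* constructed packet bytes */
    orig.data = orig.dat + skew;
    orig.len = 20 + 40 + 20;
    /* ip_input(): header unaligned, so m_copyup() 20 bytes, which really
     * moves 60 (IPv4 + IPv6) and leaves the TCP header behind in 'orig'. */
    if (!HDR_ALIGNED_P(orig.data)) {
        model_copyup(&ipm, &orig, 20);
        first = &ipm;
    }
    r.ip_aligned = HDR_ALIGNED_P(first->data);
    /* ip6_input(): header at offset 20 of an aligned mbuf, does nothing. */
    r.ip6_aligned = HDR_ALIGNED_P(first->data + 20);
    /* tcp_input(): m_pulldown() finds the 20 TCP bytes already contiguous
     * in 'second' and leaves them where they are, aligned or not. */
    th = (first == second) ? first->data + 60 : second->data;
    if (protocol_copyup && !HDR_ALIGNED_P(th)) {   /* the proposed fix */
        model_copyup(&tcpm, second, 20);
        th = tcpm.data;
    }
    r.tcp_aligned = HDR_ALIGNED_P(th);
    return r;
}
```

With skew 2 and no protocol-level copyup, the IPv4 and IPv6 headers come out aligned while the TCP header does not, which is the failure sequence the reply describes.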
