[src/trunk]: src/sys/netinet fix in4_cksum() panic "in4_cksum: mbuf 14 too sh...

[jdolecek <jdolecek%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/e1b33780f67a
branches:  trunk
changeset: 1008585:e1b33780f67a
user:      jdolecek <jdolecek%NetBSD.org@localhost>
date:      Fri Mar 27 16:34:58 2020 +0000

description:
fix in4_cksum() panic "in4_cksum: mbuf 14 too short for IP header 20"
triggered by bridge_output() when passing packet originally for
interface supporting hw csum offload to destination interface
not supporting it

problem happens because bridge_output() is called after ether_output()
M_PREPEND() the ether_header into the mbuf chain, if there is not
enough space on the first mbuf of the chain, it ends up prepending
a new short mbuf with just ether_header

triggered by running UDP (IPv4) 'netio -u' benchmark with packet size 2 KB

XXX seems in6_undefer_cksum() should have similar fix, however I was
XXX not able to trigger the problem there

diffstat:

 sys/netinet/in_offload.c |  28 +++++++++++++++++++++-------
 1 files changed, 21 insertions(+), 7 deletions(-)

diffs (61 lines):

diff -r 1c1d6c7097b8 -r e1b33780f67a sys/netinet/in_offload.c
--- a/sys/netinet/in_offload.c  Fri Mar 27 15:18:22 2020 +0000
+++ b/sys/netinet/in_offload.c  Fri Mar 27 16:34:58 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in_offload.c,v 1.13 2018/12/12 01:40:20 rin Exp $      */
+/*     $NetBSD: in_offload.c,v 1.14 2020/03/27 16:34:58 jdolecek Exp $ */
 
 /*
  * Copyright (c)2005, 2006 YAMAMOTO Takashi,
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_offload.c,v 1.13 2018/12/12 01:40:20 rin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_offload.c,v 1.14 2020/03/27 16:34:58 jdolecek Exp $");
 
 #include <sys/param.h>
 #include <sys/mbuf.h>
@@ -197,15 +197,29 @@
  * hardware offloading.
  */
 void
-in_undefer_cksum(struct mbuf *m, size_t hdrlen, int csum_flags)
+in_undefer_cksum(struct mbuf *mh, size_t hdrlen, int csum_flags)
 {
-       const size_t iphdrlen = M_CSUM_DATA_IPv4_IPHL(m->m_pkthdr.csum_data);
+       const size_t iphdrlen = M_CSUM_DATA_IPv4_IPHL(mh->m_pkthdr.csum_data);
        uint16_t csum;
        uint16_t ip_len;
        uint16_t *csump;
+       struct mbuf *m = mh;
 
-       KASSERT(m->m_flags & M_PKTHDR);
-       KASSERT((m->m_pkthdr.csum_flags & csum_flags) == csum_flags);
+       KASSERT(mh->m_flags & M_PKTHDR);
+       KASSERT(mh->m_pkthdr.len > hdrlen);
+       KASSERT((mh->m_pkthdr.csum_flags & csum_flags) == csum_flags);
+
+       /*
+        * Deal with prepended frame header as done by e.g. ether_output().
+        * If first mbuf in chain has just the header, use second mbuf
+        * for the actual checksum. in4_csum() expects the passed mbuf
+        * to have the whole (struct ip) area contiguous.
+        */
+       if (m->m_len <= hdrlen) {
+               hdrlen -= m->m_len;
+               m = m->m_next;
+               KASSERT(m != NULL);
+       }
 
        if (__predict_true(hdrlen + sizeof(struct ip) <= m->m_len)) {
                struct ip *ip = (struct ip *)(mtod(m, uint8_t *) + hdrlen);
@@ -249,7 +263,7 @@
                }
        }
 
-       m->m_pkthdr.csum_flags ^= csum_flags;
+       mh->m_pkthdr.csum_flags ^= csum_flags;
 }
 
 /*