Bug 137145
| Summary: | [mbuf] [patch] Reference count computing isn't correct when more than one threads call function m_copypacket | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Guixian Lin <mclos.lin> | ||||
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
| Status: | Open --- | ||||||
| Severity: | Affects Only Me | Keywords: | patch | ||||
| Priority: | Normal | ||||||
| Version: | Unspecified | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
Responsible Changed From-To: freebsd-amd64->freebsd-bugs reclassify. Responsible Changed From-To: freebsd-bugs->freebsd-net Over to maintainer(s). Responsible Changed From-To: freebsd-net->andre Take over. For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped Keyword:
patch
or patch-ready
– in lieu of summary line prefix:
[patch]
* bulk change for the keyword
* summary lines may be edited manually (not in bulk).
Keyword descriptions and search interface:
<https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
|
In our products, there exists one mbuf+mclust which is used to storage the certificate. And there're 3 threads will call m_copypacket to copy the packet during the communication. At some cases, the reference count of the mclust isn't correct, and which will cause double free the mclust. Fix: Following is my fix for this problem: --- uipc_mbuf.c.org 2009-07-26 10:58:56.000000000 +0800 +++ uipc_mbuf.c 2009-07-26 10:59:27.000000000 +0800 @@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m) KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__)); KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__)); - if (*(m->m_ext.ref_cnt) == 1) - *(m->m_ext.ref_cnt) += 1; - else - atomic_add_int(m->m_ext.ref_cnt, 1); + atomic_add_int(m->m_ext.ref_cnt, 1); n->m_ext.ext_buf = m->m_ext.ext_buf; n->m_ext.ext_free = m->m_ext.ext_free; n->m_ext.ext_args = m->m_ext.ext_args; Patch attached with submission follows: How-To-Repeat: In kernel, you can write a test program, which will call m_copypacket. Then use loadrunner to stress the program. After some time, system will panic.