Bug 137145 - [mbuf] [patch] Reference count computing isn't correct when more than one threads call function m_copypacket
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2009-07-26 04:20 UTC by Guixian Lin
Modified: 2017-12-31 22:34 UTC (History)

file.diff (578 bytes, patch)
2009-07-26 04:20 UTC, Guixian Lin

Description Guixian Lin 2009-07-26 04:20:01 UTC
In our products, there exists one mbuf+mclust which is used to store the certificate. There are 3 threads that call m_copypacket to copy the packet during communication. In some cases, the reference count of the mclust isn't correct, which will cause a double free of the mclust.

Fix: Following is my fix for this problem:

--- uipc_mbuf.c.org	2009-07-26 10:58:56.000000000 +0800
+++ uipc_mbuf.c	2009-07-26 10:59:27.000000000 +0800
@@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m)
 	KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__));
 	KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__));
-	if (*(m->m_ext.ref_cnt) == 1)
-		*(m->m_ext.ref_cnt) += 1;
-	else
-		atomic_add_int(m->m_ext.ref_cnt, 1);
+	atomic_add_int(m->m_ext.ref_cnt, 1);
 	n->m_ext.ext_buf = m->m_ext.ext_buf;
 	n->m_ext.ext_free = m->m_ext.ext_free;
 	n->m_ext.ext_args = m->m_ext.ext_args;
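
Review bot: The unconditional atomic_add_int(m->m_ext.ref_cnt, 1) that replaces the if/else carries no comment explaining why the `== 1` shortcut was dropped, so it is likely to be reintroduced later as an optimisation. Add a short comment at that line stating that a count of 1 does not mean the caller is the only thread duplicating m, because the check and the plain `+= 1` in the removed lines are separate, unsynchronised accesses. The change only closes the race if every other update of ref_cnt is atomic as well, so the release path, which is not part of this hunk, should be checked for a matching non-atomic fast path before this is committed.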

Patch attached with submission follows:
How-To-Repeat: In the kernel, you can write a test program which calls m_copypacket. Then use loadrunner to stress the program. After some time, the system will panic.
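
The lost increment described in this report, as an added example that is not part of the original report or of FreeBSD's code: a userland model that enumerates every interleaving of two callers running the removed check-then-increment lines, starting from a reference count of 1. The split of each caller into check, read and write steps, and every name in the block, are assumptions of the model.

```c
#include <stdio.h>

/* Model only: each caller of the old mb_dupcl() logic is split into steps. */
enum { CHECK, LOAD, STORE, ATOMIC, DONE };
struct state { int ref; struct caller { int pc, tmp; } c[2]; };
static const struct state START = { .ref = 1 };  /* one reference, both at CHECK */

/* Run one step of caller i; fixed != 0 models the single atomic_add_int(). */
static void step(struct state *s, int i, int fixed)
{
	struct caller *c = &s->c[i];
	int next = DONE;
	if (fixed || c->pc == ATOMIC) {
		s->ref++;                               /* atomic_add_int(ref_cnt, 1) */
	} else if (c->pc == CHECK) {
		next = (s->ref == 1) ? LOAD : ATOMIC;   /* if (*ref_cnt == 1) */
	} else if (c->pc == LOAD) {
		c->tmp = s->ref;                        /* read half of "+= 1" */
		next = STORE;
	} else {
		s->ref = c->tmp + 1;                    /* write half of "+= 1" */
	}
	c->pc = next;
}

/* Walk every interleaving from s; return how many end with ref == final. */
int explore(struct state s, int fixed, int final)
{
	int i, n = 0;
	if (s.c[0].pc == DONE && s.c[1].pc == DONE)
		return s.ref == final;
	for (i = 0; i < 2; i++) {
		struct state next = s;
		if (s.c[i].pc != DONE) {
			step(&next, i, fixed);
			n += explore(next, fixed, final);
		}
	}
	return n;
}

int main(void)
{
	/* Two references were added to one, so the correct final count is 3. */
	printf("old:   %d schedules end at 2, %d at 3\n", explore(START, 0, 2), explore(START, 0, 3));
	printf("fixed: %d schedules end at 2, %d at 3\n", explore(START, 1, 2), explore(START, 1, 3));
	return 0;
}
```

A final count of 2 with three holders means the cluster is released while one holder still references it, which matches the double free in the report.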
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-07-27 05:41:05 UTC
Responsible Changed
From-To: freebsd-amd64->freebsd-bugs

Comment 2 Bruce Cran freebsd_committer 2010-07-21 17:33:57 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 3 Andre Oppermann freebsd_committer 2010-08-10 23:19:13 UTC
Responsible Changed
From-To: freebsd-net->andre

Take over.
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:18 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.