amd64/137145: Reference count computing isn't correct when more
than one thread calls function m_copypacket
Guixian Lin
mclos.lin at gmail.com
Sun Jul 26 03:20:02 UTC 2009
>Number: 137145
>Category: amd64
>Synopsis: Reference count computing isn't correct when more than one thread calls function m_copypacket
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 26 03:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Guixian Lin
>Release: FreeBSD 7.0
>Organization:
Array Networks Inc.
>Environment:
FreeBSD AN 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Sun Jul 19 16:30:17 UTC 2009 lin_gx at lingxvm.arraynetworks.com.cn:/array/rel_8/smp/FreeBSD/src/sys/compile/SERVER amd6
>Description:
In our products, there is one mbuf+mclust which is used to store the certificate, and there are 3 threads that call m_copypacket to copy the packet during the communication. In some cases, the reference count of the mclust isn't correct, which causes a double free of the mclust.
>How-To-Repeat:
In the kernel, you can write a test program which calls m_copypacket. Then use loadrunner to stress the program. After some time, the system will panic.
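The mechanism behind the report, as an added illustration that is not code from this PR or from FreeBSD: the old mb_dupcl() fast path does a plain load-modify-store when it sees a count of 1, so two threads copying the same single-owner mbuf at once can both read 1 and both write 2, losing one reference. The model below replays that interleaving step by step, shows the C11 atomic read-modify-write that the patch switches to, and then runs a release loop modeled on a free path that frees the cluster when it observes a count of 1 (that release-side behaviour is an assumption of this example; the report does not show it). Everything here is userland, constructed for the demonstration.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed stand-in for one shared external cluster (not the FreeBSD struct). */
struct cluster {
    unsigned int ref_plain;   /* mirrors *(m->m_ext.ref_cnt) on the old non-atomic path */
    atomic_uint  ref_atomic;  /* the same counter, only ever touched with atomic RMW ops */
};

/* The old fast path, split into the two machine steps it really consists of,
   so that a thread interleaving can be replayed deterministically. */
static unsigned int racy_load(struct cluster *c) { return c->ref_plain; }
static void racy_store(struct cluster *c, unsigned int v) { c->ref_plain = v; }

/* One owner holds the cluster (count 1); threads A and B both copy the packet.
   Both observe 1 before either writes back, so one increment is lost. */
unsigned int dupcl_racy_interleaved(struct cluster *c)
{
    c->ref_plain = 1;
    unsigned int seen_a = racy_load(c);   /* thread A: sees 1, takes the non-atomic path */
    unsigned int seen_b = racy_load(c);   /* thread B: also sees 1 */
    racy_store(c, seen_a + 1);            /* A writes 2 */
    racy_store(c, seen_b + 1);            /* B writes 2 again: A's increment is gone */
    return c->ref_plain;                  /* 2, although three mbufs now share the cluster */
}

/* The patched path: every increment is a single atomic read-modify-write,
   regardless of the current value, so no interleaving can lose an update. */
unsigned int dupcl_atomic(struct cluster *c)
{
    atomic_store(&c->ref_atomic, 1);
    atomic_fetch_add(&c->ref_atomic, 1);  /* thread A */
    atomic_fetch_add(&c->ref_atomic, 1);  /* thread B */
    return atomic_load(&c->ref_atomic);   /* 3 */
}

/* Assumed release side: a holder that observes a count of 1 frees the cluster
   outright, otherwise it just decrements. Returns 1 when this call freed it. */
static int release_one(unsigned int *cnt, int *frees)
{
    if (*cnt == 1) { (*frees)++; return 1; }
    (*cnt)--;
    return 0;
}

/* Let `holders` mbufs each drop their reference starting from `start`,
   and count how many times the cluster ends up being freed. */
int frees_after_release(unsigned int start, int holders)
{
    unsigned int cnt = start;
    int frees = 0;
    for (int i = 0; i < holders; i++)
        release_one(&cnt, &frees);
    return frees;  /* 1 is correct; 2 is the double free from the report */
}

int main(void)
{
    struct cluster c = {0};
    printf("racy count after two copies:   %u\n", dupcl_racy_interleaved(&c));
    printf("atomic count after two copies: %u\n", dupcl_atomic(&c));
    printf("frees with lost update (2 refs, 3 holders): %d\n", frees_after_release(2, 3));
    printf("frees with correct count (3 refs, 3 holders): %d\n", frees_after_release(3, 3));
    return 0;
}
```

The point the model makes is that the `== 1` shortcut is only safe if a count of 1 guarantees no other thread can be incrementing at the same moment, and m_copypacket gives no such guarantee: a single-owner mbuf is exactly the one that several threads may decide to copy concurrently. Once the count is one short, the third holder to release sees a count of 1 and frees a cluster that was already freed by the second.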
>Fix:
The following is my fix for this problem:
--- uipc_mbuf.c.org 2009-07-26 10:58:56.000000000 +0800
+++ uipc_mbuf.c 2009-07-26 10:59:27.000000000 +0800
@@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m)
KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__));
KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__));
- if (*(m->m_ext.ref_cnt) == 1)
- *(m->m_ext.ref_cnt) += 1;
- else
- atomic_add_int(m->m_ext.ref_cnt, 1);
+ atomic_add_int(m->m_ext.ref_cnt, 1);
n->m_ext.ext_buf = m->m_ext.ext_buf;
n->m_ext.ext_free = m->m_ext.ext_free;
n->m_ext.ext_args = m->m_ext.ext_args;
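Review bot: the dropped fast path is the race itself: `if (*(m->m_ext.ref_cnt) == 1) *(m->m_ext.ref_cnt) += 1;` is a plain load, add and store, so two threads that both read 1 each write back 2 and one reference is lost, which is the count mismatch the description reports. Replacing it with `atomic_add_int(m->m_ext.ref_cnt, 1)` on every path closes that window, at the cost of an atomic op in the single-owner case, which seems the right trade here. Worth checking in the same review whether the matching release side keeps an equivalent `== 1` shortcut, since a lost increment only turns into the reported double free if the release path trusts that stale count; if it does, it should be looked at alongside this change.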
>Release-Note:
>Audit-Trail:
>Unformatted: