amd64/137145: Reference count computing isn't correct when more than one threads call function m_copypacket

[Guixian Lin]

>Number:         137145
>Category:       amd64
>Synopsis:       Reference count computing isn't correct when more than one threads call function m_copypacket
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 26 03:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Guixian Lin
>Release:        FreeBSD 7.0
>Organization:
Array Networks Inc.
>Environment:
FreeBSD AN 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Sun Jul 19 16:30:17 UTC 2009     lin_gx at lingxvm.arraynetworks.com.cn:/array/rel_8/smp/FreeBSD/src/sys/compile/SERVER  amd6

>Description:
In our products, there exists one mbuf+mclust which is used to storage the certificate. And there're 3 threads will call m_copypacket to copy the packet during the communication. At some cases, the reference count of the mclust isn't correct, and which will cause double free the mclust.
>How-To-Repeat:
In kernel, you can write a test program, which will call m_copypacket. Then use loadrunner to stress the program. After some time, system will panic.
>Fix:
Following is my fix for this problem:

--- uipc_mbuf.c.org	2009-07-26 10:58:56.000000000 +0800
+++ uipc_mbuf.c	2009-07-26 10:59:27.000000000 +0800
@@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m)
 	KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__));
 	KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__));
 
-	if (*(m->m_ext.ref_cnt) == 1)
-		*(m->m_ext.ref_cnt) += 1;
-	else
-		atomic_add_int(m->m_ext.ref_cnt, 1);
+	atomic_add_int(m->m_ext.ref_cnt, 1);
 	n->m_ext.ext_buf = m->m_ext.ext_buf;
 	n->m_ext.ext_free = m->m_ext.ext_free;
 	n->m_ext.ext_args = m->m_ext.ext_args;


Patch attached with submission follows:

--- uipc_mbuf.c.org	2009-07-26 10:58:56.000000000 +0800
+++ uipc_mbuf.c	2009-07-26 10:59:27.000000000 +0800
@@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m)
 	KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__));
 	KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__));
 
-	if (*(m->m_ext.ref_cnt) == 1)
-		*(m->m_ext.ref_cnt) += 1;
-	else
-		atomic_add_int(m->m_ext.ref_cnt, 1);
+	atomic_add_int(m->m_ext.ref_cnt, 1);
 	n->m_ext.ext_buf = m->m_ext.ext_buf;
 	n->m_ext.ext_free = m->m_ext.ext_free;
 	n->m_ext.ext_args = m->m_ext.ext_args;


>Release-Note:
>Audit-Trail:
>Unformatted: