From nobody@FreeBSD.org  Sun Jul 26 03:14:47 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DB5E41065672
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 26 Jul 2009 03:14:47 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id AE3CE8FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 26 Jul 2009 03:14:47 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n6Q3Elnp052150
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 26 Jul 2009 03:14:47 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n6Q3ElRh052143;
	Sun, 26 Jul 2009 03:14:47 GMT
	(envelope-from nobody)
Message-Id: <200907260314.n6Q3ElRh052143@www.freebsd.org>
Date: Sun, 26 Jul 2009 03:14:47 GMT
From: Guixian Lin <mclos.lin@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Reference count computing isn't correct when more than one threads call function m_copypacket
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         137145
>Category:       kern
>Synopsis:       [mbuf] [patch] Reference count computing isn't correct when more than one threads call function m_copypacket
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    andre
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 26 03:20:01 UTC 2009
>Closed-Date:    
>Last-Modified:  Tue Aug 10 22:19:47 UTC 2010
>Originator:     Guixian Lin
>Release:        FreeBSD 7.0
>Organization:
Array Networks Inc.
>Environment:
FreeBSD AN 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Sun Jul 19 16:30:17 UTC 2009     lin_gx@lingxvm.arraynetworks.com.cn:/array/rel_8/smp/FreeBSD/src/sys/compile/SERVER  amd6

>Description:
In our products, there exists one mbuf+mclust which is used to store the certificate, and there are 3 threads that will call m_copypacket to copy the packet during the communication. In some cases, the reference count of the mclust isn't correct, which will cause a double free of the mclust.
>How-To-Repeat:
In the kernel, you can write a test program which will call m_copypacket. Then use loadrunner to stress the program. After some time, the system will panic.
>Fix:
Following is my fix for this problem:

--- uipc_mbuf.c.org	2009-07-26 10:58:56.000000000 +0800
+++ uipc_mbuf.c	2009-07-26 10:59:27.000000000 +0800
@@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m)
 	KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__));
 	KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__));
 
-	if (*(m->m_ext.ref_cnt) == 1)
-		*(m->m_ext.ref_cnt) += 1;
-	else
-		atomic_add_int(m->m_ext.ref_cnt, 1);
+	atomic_add_int(m->m_ext.ref_cnt, 1);
 	n->m_ext.ext_buf = m->m_ext.ext_buf;
 	n->m_ext.ext_free = m->m_ext.ext_free;
 	n->m_ext.ext_args = m->m_ext.ext_args;
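Review bot: the reason the removed fast path is unsafe should be recorded with this change, because the `if (*(m->m_ext.ref_cnt) == 1)` branch looks like a harmless optimization. A count of 1 does not mean the caller is the only thread that can see the cluster; the description above has three threads calling m_copypacket on the same mbuf, so two of them can both read 1 and both execute the non-atomic `*(m->m_ext.ref_cnt) += 1`, leaving the count at 2 while three mbufs share the cluster. That lost reference is what turns into the reported double free. Collapsing both branches into the single `atomic_add_int(m->m_ext.ref_cnt, 1)` removes the read/write window, at the cost of one atomic on the previously single-referenced case. The release side is not in this hunk; it should be checked for the same `== 1` shortcut, since a plain decrement there would reopen the race from the other direction.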


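To make the lost update concrete, the following is an added C model (not code from the PR or from FreeBSD) of the two paths in the hunk above: the read and the write of the non-atomic `+= 1` are split so the worst-case interleaving of two threads can be replayed deterministically, and `struct cluster` together with the `release` function are assumptions standing in for the mbuf external-storage fields and the release path, which the PR does not show.

```c
/* Stand-in for the shared count (the PR's m->m_ext.ref_cnt); `freed` counts frees. */
struct cluster { int ref_cnt; int freed; };

/* The removed fast path with `*ref_cnt += 1` split into its read and its write,
 * so the worst-case interleaving of two threads can be replayed. */
static int buggy_dup_read(const struct cluster *c) { return c->ref_cnt; }
static void buggy_dup_write(struct cluster *c, int seen)
{
	if (seen == 1)
		c->ref_cnt = seen + 1;	/* plain store, blind to other writers */
	else
		__atomic_fetch_add(&c->ref_cnt, 1, __ATOMIC_SEQ_CST);
}

/* Assumed release path (not shown in the PR): the last holder frees. In this
 * model a stale holder still reads the count as 1 and frees a second time. */
static void release(struct cluster *c)
{
	if (c->ref_cnt == 1)
		c->freed++;		/* stands in for the real free */
	else
		__atomic_fetch_sub(&c->ref_cnt, 1, __ATOMIC_SEQ_CST);
}

/* Two threads copy the same single-referenced cluster; both read 1 first. */
int dup_twice_buggy(void)
{
	struct cluster c = { .ref_cnt = 1, .freed = 0 };
	int a = buggy_dup_read(&c), b = buggy_dup_read(&c);
	buggy_dup_write(&c, a);
	buggy_dup_write(&c, b);
	return c.ref_cnt;	/* 2, although three mbufs now share the cluster */
}

/* The patched path: an unconditional atomic add leaves no read/write window. */
int dup_twice_fixed(void)
{
	struct cluster c = { .ref_cnt = 1, .freed = 0 };
	__atomic_fetch_add(&c.ref_cnt, 1, __ATOMIC_SEQ_CST);
	__atomic_fetch_add(&c.ref_cnt, 1, __ATOMIC_SEQ_CST);
	return c.ref_cnt;	/* 3 */
}

/* Three holders release a cluster counted at `ref_cnt`; how many frees? */
int frees_for_three_holders(int ref_cnt)
{
	struct cluster c = { .ref_cnt = ref_cnt, .freed = 0 };
	for (int i = 0; i < 3; i++)
		release(&c);
	return c.freed;		/* 2 (a double free) for 2, 1 for 3 */
}
```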
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Jul 27 04:41:05 UTC 2009 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137145 
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: brucec 
Responsible-Changed-When: Wed Jul 21 16:33:57 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137145 
Responsible-Changed-From-To: freebsd-net->andre 
Responsible-Changed-By: andre 
Responsible-Changed-When: Tue Aug 10 22:19:13 UTC 2010 
Responsible-Changed-Why:  
Take over. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137145 
>Unformatted:
