From owner-freebsd-bugs Tue May 9 11:20: 6 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 82E7437BECE for ; Tue, 9 May 2000 11:20:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id LAA02882; Tue, 9 May 2000 11:20:00 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11]) by hub.freebsd.org (Postfix) with SMTP id 1CB3037B5C0 for ; Tue, 9 May 2000 11:11:45 -0700 (PDT) (envelope-from dwmalone@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id ; 9 May 2000 19:11:42 +0100 (BST)
Message-Id: <200005091911.aa59278@walton.maths.tcd.ie>
Date: Tue, 9 May 2000 19:11:42 +0100 (BST)
From: dwmalone@maths.tcd.ie
Reply-To: dwmalone@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/18471: Checking freeing of mbufs.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 18471
>Category: kern
>Synopsis: mbuf and mbuf clusters can be freed multiple times
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue May 09 11:20:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: David Malone
>Release: FreeBSD 3.4-STABLE i386
>Organization: School of Mathematics, Trinity College, Dublin, Ireland.
>Environment: 3.X, 4.X, 5.X and probably earlier.
>Description: The code for freeing mbuf clusters and mbufs doesn't check if the object is already free before freeing it. While this shouldn't happen, it makes debugging difficult when it does, as we found while trying to debug some problems with the netatalk code. It would be better if the kernel panicked at the time of the second free, as opposed to some time later when the entry which has been freed twice gets reused while still in use!
>How-To-Repeat: Write code which doesn't track its mbufs carefully enough, and try to debug.
>Fix: I've been running a machine tracking current at home with the following KASSERTs added and INVARIANTS on. I've seen no problems with them.

Index: mbuf.h =================================================================== RCS file: /cvs/FreeBSD-CVS/src/sys/sys/mbuf.h,v retrieving revision 1.47 diff -u -r1.47 mbuf.h --- mbuf.h 2000/04/19 01:24:26 1.47 +++ mbuf.h 2000/04/22 20:11:49 @@ -381,6 +381,7 @@ #define MCLFREE1(p) do { \ union mcluster *_mp = (union mcluster *)(p); \ \ + KASSERT(mclrefcnt[mtocl(_mp)] > 0, ("freeing free cluster")); \ if (--mclrefcnt[mtocl(_mp)] == 0) { \ _mp->mcl_next = mclfree; \ mclfree = _mp; \
@@ -415,6 +416,7 @@ #define MFREE(m, n) MBUFLOCK( \ struct mbuf *_mm = (m); \ \ + KASSERT(_mm->m_type != MT_FREE, ("freeing free mbuf")); \ mbstat.m_mtypes[_mm->m_type]--; \ if (_mm->m_flags & M_EXT) \ MEXTFREE1(m); \
>Release-Note:
>Audit-Trail:
>Unformatted:
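
Review bot: in the MCLFREE1 hunk (@@ -381,6 +381,7 @@), the added KASSERT only fires while the reference count is still zero, so a second free that arrives after the cluster has been handed out again sees a positive count, passes the check, and drops a reference that belongs to the new owner. That limit deserves a comment above the macro so nobody reads the assertion as full double-free coverage. The panic string would also be easier to act on if it identified the cluster, for example ("freeing free cluster %p", _mp).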
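
Review bot: in the MFREE hunk (@@ -415,6 +416,7 @@), the added KASSERT depends on every free path leaving m_type set to MT_FREE, and the visible context does not show where that store happens; any path that releases an mbuf without writing MT_FREE gets no coverage from this check. A short comment naming where the marker is set would make the dependency explicit. Separately, the unchanged line MEXTFREE1(m) passes the macro argument m rather than the local _mm that the assertion tests, so it is worth switching that call to _mm while touching this macro.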
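
The delayed failure the description refers to, as an added example that is not part of the original report and is not FreeBSD code. It is a constructed cluster pool (`cl_alloc`, `cl_free` and `aliased_after_double_free` are hypothetical names). An unchecked second free leaves the count at -1, so a later legitimate free releases a cluster that still has a holder. The checked path rejects the second free at the call that caused it.

```c
/* Constructed model of a reference-counted cluster pool; not FreeBSD code. */
#include <stdio.h>
#define NCL 4
union cl { union cl *next; char buf[64]; };
static union cl pool[NCL], *freelist;
static int refcnt[NCL];

static void pool_init(void) {
    freelist = NULL;
    for (int i = NCL - 1; i >= 0; i--) {
        refcnt[i] = 0;
        pool[i].next = freelist;
        freelist = &pool[i];
    }
}
static union cl *cl_alloc(void) {
    union cl *p = freelist;
    if (p != NULL) {
        freelist = p->next;
        refcnt[p - pool]++;
    }
    return p;
}
/* checked: refuse a free when the count is not positive (kernel: panic). */
static int cl_free(union cl *p, int checked) {
    if (checked && refcnt[p - pool] <= 0)
        return -1;
    if (--refcnt[p - pool] == 0) {
        p->next = freelist;
        freelist = p;
    }
    return 0;
}
/* Returns 1 if a cluster that still has a holder is handed out again. */
static int aliased_after_double_free(int checked) {
    pool_init();
    union cl *a = cl_alloc();
    cl_free(a, checked);           /* count 1 -> 0, back on the free list */
    if (cl_free(a, checked) != 0)  /* second free of the same cluster */
        return 0;                  /* caught at the faulty call */
    union cl *b = cl_alloc();      /* count -1 -> 0 although b is in use */
    refcnt[b - pool]++;            /* second holder: count 1, not 2 */
    cl_free(b, checked);           /* first holder done: count reaches 0 */
    return cl_alloc() == b;        /* second holder's cluster reissued */
}
int main(void) {
    printf("unchecked=%d checked=%d\n", aliased_after_double_free(0),
           aliased_after_double_free(1));
    return 0;
}
```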