Date: Sun, 26 Jul 2009 03:14:47 GMT
From: Guixian Lin
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/137145: Reference count computing isn't correct when more than one threads call function m_copypacket

>Number: 137145
>Category: amd64
>Synopsis: Reference count computing isn't correct when more than one threads call function m_copypacket
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 26 03:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Guixian Lin
>Release: FreeBSD 7.0
>Organization: Array Networks Inc.
>Environment:
FreeBSD AN 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Sun Jul 19 16:30:17 UTC 2009 lin_gx@lingxvm.arraynetworks.com.cn:/array/rel_8/smp/FreeBSD/src/sys/compile/SERVER amd6
>Description:
In our products, there exists one mbuf+mclust which is used to store the certificate. And there are 3 threads that will call m_copypacket to copy the packet during the communication. In some cases, the reference count of the mclust isn't correct, which will cause a double free of the mclust.
>How-To-Repeat:
In the kernel, you can write a test program which will call m_copypacket. Then use loadrunner to stress the program. After some time, the system will panic.
>Fix:
Following is my fix for this problem:

--- uipc_mbuf.c.org 2009-07-26 10:58:56.000000000 +0800 +++ uipc_mbuf.c 2009-07-26 10:59:27.000000000 +0800 
@@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m) KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__)); KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__)); - if (*(m->m_ext.ref_cnt) == 1) - *(m->m_ext.ref_cnt) += 1; - else - atomic_add_int(m->m_ext.ref_cnt, 1); + atomic_add_int(m->m_ext.ref_cnt, 1); n->m_ext.ext_buf = m->m_ext.ext_buf; n->m_ext.ext_free = m->m_ext.ext_free; n->m_ext.ext_args = m->m_ext.ext_args; Patch attached with submission follows: --- uipc_mbuf.c.org 2009-07-26 10:58:56.000000000 +0800 +++ uipc_mbuf.c 2009-07-26 10:59:27.000000000 +0800 @@ -317,10 +317,7 @@ mb_dupcl(struct mbuf *n, struct mbuf *m) KASSERT(m->m_ext.ref_cnt != NULL, ("%s: ref_cnt not set", __func__)); KASSERT((n->m_flags & M_EXT) == 0, ("%s: M_EXT set", __func__)); - if (*(m->m_ext.ref_cnt) == 1) - *(m->m_ext.ref_cnt) += 1; - else - atomic_add_int(m->m_ext.ref_cnt, 1); + atomic_add_int(m->m_ext.ref_cnt, 1); n->m_ext.ext_buf = m->m_ext.ext_buf; n->m_ext.ext_free = m->m_ext.ext_free; n->m_ext.ext_args = m->m_ext.ext_args; >Release-Note: >Audit-Trail: >Unformatted:
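
Review bot: The one-line replacement `atomic_add_int(m->m_ext.ref_cnt, 1);` in mb_dupcl() should carry a comment saying why the removed `if (*(m->m_ext.ref_cnt) == 1)` fast path was unsafe: a count of 1 does not mean the caller is the only thread working from m, so two callers can both read 1 and both store 2 through the plain `+= 1`, leaving one reference uncounted. Without that comment the branch reads like a harmless optimisation and could be reintroduced later. The hunk only covers the increment in mb_dupcl(); the path that drops references is not shown, so please confirm it has no similar unlocked test on the count. The same patch text appears twice in the submission (inline under >Fix: and again as the attachment), so only one copy needs applying.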
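
The lost update behind the double free described in the report, replayed deterministically in user space as an added example (not code from the PR or from FreeBSD). `struct cluster`, `cl_release`, `release_all` and the two `bad_releases_*` functions are hypothetical names, and the two threads' loads and stores are written out in sequence instead of using real threads.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Simplified stand-in for a shared cluster; not FreeBSD's struct mbuf. */
struct cluster { atomic_uint ref_cnt; };

enum release_result { KEPT, FREED, RELEASE_AFTER_FREE };

/* Drop one reference and report what happened to the buffer. */
static enum release_result cl_release(struct cluster *c)
{
    if (atomic_load(&c->ref_cnt) == 0)
        return RELEASE_AFTER_FREE;      /* buffer is already gone */
    return atomic_fetch_sub(&c->ref_cnt, 1) == 1 ? FREED : KEPT;
}

/* Owner, A and B each release once; count releases that hit a freed buffer. */
static int release_all(struct cluster *c)
{
    int bad = 0;
    for (int holder = 0; holder < 3; holder++)
        bad += (cl_release(c) == RELEASE_AFTER_FREE);
    return bad;
}

/* Removed fast path: both threads load 1 before either stores. */
int bad_releases_plain_increment(void)
{
    struct cluster c;
    atomic_init(&c.ref_cnt, 1);                 /* owner's reference */
    unsigned seen_a = atomic_load(&c.ref_cnt);  /* thread A reads 1 */
    unsigned seen_b = atomic_load(&c.ref_cnt);  /* thread B reads 1 */
    atomic_store(&c.ref_cnt, seen_a + 1);       /* A writes 2 */
    atomic_store(&c.ref_cnt, seen_b + 1);       /* B writes 2, A's update lost */
    return release_all(&c);
}

/* Patched path: each increment is one indivisible read-modify-write. */
int bad_releases_atomic_increment(void)
{
    struct cluster c;
    atomic_init(&c.ref_cnt, 1);
    atomic_fetch_add(&c.ref_cnt, 1);            /* thread A: 1 -> 2 */
    atomic_fetch_add(&c.ref_cnt, 1);            /* thread B: 2 -> 3 */
    return release_all(&c);
}

int main(void)
{
    printf("plain: %d, atomic: %d\n",
           bad_releases_plain_increment(), bad_releases_atomic_increment());
    return 0;
}
```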