Date: Sun, 19 Apr 2009 16:05:55 -0700
From: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
To: "freebsd-bluetooth@freebsd.org" <freebsd-bluetooth@freebsd.org>
Subject: sb_mbtail is not set in sbappendrecord_locked()
Message-ID: <bb4a86c70904191605m3116e8ccr6f738988d3e1b469@mail.gmail.com>
hello,

i'm fairly certain that sbappendrecord_locked() has a bug in it. the bug is triggered by the kernel SOCKBUF_DEBUG option. the easiest way to trigger the bug is to

1) compile kernel with the SOCKBUF_DEBUG option enabled;

2) call sbappendrecord_locked() and try to append mbuf chain with exactly one mbuf (i.e. m0->m_next is NULL) to an empty sockbuf;

there is a kern/126742 pr that basically shows the problem and stack traces. initial investigation was done by "pluknet" < pluknet -at- gmail -dot- com >, who confirmed the bug. see http://lists.freebsd.org/pipermail/freebsd-net/2008-August/019345.html for more details.

i'm proposing the following patch. please review.

== > svn diff Index: uipc_sockbuf.c =================================================================== --- uipc_sockbuf.c (revision 191012) +++ uipc_sockbuf.c (working copy) @@ -577,10 +577,6 @@ if (m0 == 0) return; - m = sb->sb_mb; - if (m) - while (m->m_nextpkt) - m = m->m_nextpkt; /* * Put the first mbuf on the queue. Note this permits zero length * records. @@ -588,17 +584,17 @@ sballoc(sb, m0); SBLASTRECORDCHK(sb); SBLINKRECORD(sb, m0); - if (m) - m->m_nextpkt = m0; - else - sb->sb_mb = m0; + sb->sb_mbtail = m0; m = m0->m_next; m0->m_next = 0; - if (m && (m0->m_flags & M_EOR)) { - m0->m_flags &= ~M_EOR; - m->m_flags |= M_EOR; + if (m != NULL) { + if (m0->m_flags & M_EOR) { + m0->m_flags &= ~M_EOR; + m->m_flags |= M_EOR; + } + + sbcompress(sb, m, m0); } - sbcompress(sb, m, m0); } /* ==

thanks,
max
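Review bot: the first hunk (@@ -577) removes the `m->m_nextpkt` walk that found the last record, and with the matching removal of `m->m_nextpkt = m0` / `sb->sb_mb = m0` in the second hunk the record linkage now rests entirely on `SBLINKRECORD(sb, m0)`, whose body is not shown in this diff. Please state in the commit message that the macro links the record for both the empty and the non-empty sockbuf case, so the removed lines are visibly redundant rather than a behaviour change. It is also worth confirming that nothing between the removed assignment and `m = m0->m_next;` still reads `m`, since it is no longer initialised before that point.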
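Review bot: in the second hunk (@@ -588) the added `sb->sb_mbtail = m0;` is the fix named in the subject line but carries no comment; a short comment saying that it covers the single-mbuf record, where `sbcompress()` is now skipped by the new `if (m != NULL)` guard, would keep a later cleanup from dropping it. Because `sbcompress(sb, m, m0)` moved inside that guard, the `m == NULL` path no longer runs anything after the tail assignment, so consider whether a SOCKBUF_DEBUG consistency check should follow the block to cover that path as well. Style: the added blank line between the inner closing brace and `sbcompress(sb, m, m0);` can go, and `m != NULL` now sits beside the older `m0->m_next = 0;` and `if (m0 == 0)`, which could be made consistent in the same change.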