From owner-freebsd-current@FreeBSD.ORG  Wed Jun  9 14:50:15 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5656516A4CE; Wed,  9 Jun 2004 14:50:15 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4FB4E43D39; Wed,  9 Jun 2004 14:50:15 +0000 (GMT)
	(envelope-from bmilekic@FreeBSD.org)
Received: from freefall.freebsd.org (bmilekic@localhost [127.0.0.1])
	i59EnvDj015197;	Wed, 9 Jun 2004 14:49:57 GMT
	(envelope-from bmilekic@freefall.freebsd.org)
Received: (from bmilekic@localhost)
	by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i59EnvUI015196;
	Wed, 9 Jun 2004 14:49:57 GMT
	(envelope-from bmilekic)
Date: Wed, 9 Jun 2004 14:49:57 +0000
From: Bosko Milekic <bmilekic@FreeBSD.org>
To: Maxime Henrion <mux@freebsd.org>
Message-ID: <20040609144957.GA15145@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
cc: freebsd-current@freebsd.org
cc: Alex Dupre <ale@freebsd.org>
Subject: Re: kernel panic on smb activity
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2004 14:50:15 -0000


Maxime Henrion wrote:
>Looking at m_getm(), it seems it will panic everytime it's called with
>len < MCLBYTES.  In that case, top will stay NULL because num will be 0,
>but top is dereferenced just after that.  This bug was introduced in the
>mbuma commit.  From my quick reading of the m_getm() function before the
>mbuma commit, I believe the attached patch should fix your issue.  I'm
>Cc'ing Bosko so that he can comment of the correctness of this patch,
>since I didn't test it at all.
>
>Cheers,
>Maxime

  This looks correct.  Could the person who reported the problem please
  verify that this fixes it and then commit at will.  I've already submitted
  your change to the mbuma2 branch but you should feel free to commit it
  to HEAD.

  Please accept my appologies, thanks for the fix.

  -Bosko