Date: Tue, 27 Sep 2016 00:13:43 -0700
From: lohith bellad <lohithbsd@gmail.com>
To: svn-src-head@freebsd.org, hiren panchasara <hiren@strugglingcoder.info>, freebsd-current-request@freebsd.org, bde@FreeBSD.org
Subject: Re: svn commit: r306337 - head/sys/kern
Message-ID: <1474960423.1281.0@smtp.gmail.com>
Hi Bruce and Hiren,

This is regarding the following commit, which led to kernel panic!!!
https://svnweb.freebsd.org/base?view=revision&revision=306337

Discussion thread regarding the kernel panic,
https://lists.freebsd.org/pipermail/svn-src-head/2016-September/092110.html

Thanks a lot for the input and sorry for the trouble created.

Modified diff:
Since it's not possible to check and free the control mbuf correctly in sendit() routine, we can clear the control mbuf in kern_sendit() routine after checking correctly.

Here is the diff,

Index: sys/kern/uipc_syscalls.c =================================================================== --- sys/kern/uipc_syscalls.c (revision 305955) +++ sys/kern/uipc_syscalls.c (working copy) @@ -809,6 +809,9 @@ } if (error == 0) td->td_retval[0] = len - auio.uio_resid; + + /* call to sosend would have cleared control */ + control = NULL; #ifdef KTRACE if (ktruio != NULL) { ktruio->uio_resid = td->td_retval[0]; @@ -816,6 +819,8 @@ } #endif bad: + if (control != NULL) + m_freem(control); fdrop(fp, td); return (error); }

Since we know for sure sosend() routine will consume the control mbuf if it's present, else it will clear the mbuf. So, making control = NULL after the call to sosend() will prevent double freeing of control mbuf.

If there are any errors before call to sosend() in kern_sendit(), for example EBADF (Bad File Descriptor), then we will fall to "bad:" and if control != NULL, we will clear the mbuf. This way mbuf leak for EBADF is also prevented.

If this looks good, can we commit this?

Cheers,
Lohith
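
Review bot: In the @@ -809,6 +809,9 @@ hunk, control = NULL runs unconditionally once this point is reached, so it is only correct if sosend() takes ownership of control on every return, error returns included. The comment "call to sosend would have cleared control" does not state that; suggest wording it as an ownership statement (sosend() consumes or frees control in all cases) and placing the assignment directly after the sosend() call instead of after the td_retval update, so a goto bad added in between later cannot reintroduce the double free.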
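
Review bot: In the @@ -816,6 +819,8 @@ hunk, the new m_freem(control) only covers exits that pass through bad:, and bad: also runs fdrop(fp, td), so an error taken before fp is valid cannot use this label. Please confirm that the EBADF case named in the message really reaches bad: rather than returning directly, otherwise control still leaks on that path. Separately, m_freem() accepts a NULL argument, so the if (control != NULL) test can be dropped.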
