Date: Tue, 27 Sep 2016 00:13:43 -0700
From: lohith bellad
Subject: Re: svn commit: r306337 - head/sys/kern
To: svn-src-head@freebsd.org, hiren panchasara, freebsd-current-request@freebsd.org, bde@FreeBSD.org
Message-Id: <1474960423.1281.0@smtp.gmail.com>

Hi Bruce and Hiren,

This is regarding the following commit, which led to kernel panic!!!
https://svnweb.freebsd.org/base?view=revision&revision=306337

Discussion thread regarding the kernel panic,
https://lists.freebsd.org/pipermail/svn-src-head/2016-September/092110.html

Thanks a lot for the input and sorry for the trouble created.

Modified diff:
Since it's not possible to check and free the control mbuf correctly in the sendit() routine, we can clear the control mbuf in the kern_sendit() routine after checking correctly.

Here is the diff,

Index: sys/kern/uipc_syscalls.c =================================================================== --- sys/kern/uipc_syscalls.c (revision 305955) +++ sys/kern/uipc_syscalls.c (working copy) 
@@ -809,6 +809,9 @@ } if (error == 0) td->td_retval[0] = len - auio.uio_resid; + + /* call to sosend would have cleared control */ + control = NULL; #ifdef KTRACE if (ktruio != NULL) { ktruio->uio_resid = td->td_retval[0]; @@ -816,6 +819,8 @@ } #endif bad: + if (control != NULL) + m_freem(control); fdrop(fp, td); return (error); }

Since we know for sure the sosend() routine will consume the control mbuf if it's present, else it will clear the mbuf, making control = NULL after the call to sosend() will prevent double freeing of the control mbuf.

If there are any errors before the call to sosend() in kern_sendit(), for example EBADF (Bad File Descriptor), then we will fall to "bad:" and if control != NULL, we will clear the mbuf. This way the mbuf leak for EBADF is also prevented.

If this looks good, can we commit this?

Cheers,
Lohith
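
Review bot: in the hunk at @@ -809,6 +809,9 @@, "control = NULL;" is added after the td->td_retval[0] assignment rather than directly after the sosend() call it depends on (the call itself is outside the visible context). The guard against a second free therefore holds only as long as nothing between that call and this line can reach "bad:". Suggest moving the assignment to immediately follow the sosend() call. The comment "call to sosend would have cleared control" would also be clearer as a statement of ownership, for example that sosend() takes ownership of control and disposes of it whether or not it succeeds, because "cleared" does not tell the reader the mbuf has already been freed.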
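
Review bot: at "bad:" in the hunk at @@ -816,6 +819,8 @@, the new m_freem(control) is correct only if control is NULL on every path that reaches the label after sosend() has run, and nothing at the label records that invariant. Suggest a short comment at "bad:" stating that control is still owned here only when sosend() was never reached. Because this makes kern_sendit() free control on early errors such as the EBADF case described in the mail, please also confirm that no caller frees control again after an error return; the callers are not visible in this diff.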