sb_mbtail is not set in sbappendrecord_locked()
Maksim Yevmenkin
maksim.yevmenkin at gmail.com
Sun Apr 19 23:06:53 UTC 2009
Hello,
I'm fairly certain that sbappendrecord_locked() has a bug in it. The bug
is triggered by the kernel SOCKBUF_DEBUG option. The easiest way to
trigger the bug is to
1) compile the kernel with the SOCKBUF_DEBUG option enabled;
2) call sbappendrecord_locked() and try to append an mbuf chain with
exactly one mbuf (i.e. m0->m_next is NULL) to an empty sockbuf.
There is a PR, kern/126742, that basically shows the problem and the stack traces.
The initial investigation was done by "pluknet" < pluknet -at- gmail -dot-
com >, who confirmed the bug. See
http://lists.freebsd.org/pipermail/freebsd-net/2008-August/019345.html
for more details.
I'm proposing the following patch. Please review.
==
> svn diff
Index: uipc_sockbuf.c
===================================================================
--- uipc_sockbuf.c (revision 191012)
+++ uipc_sockbuf.c (working copy)
@@ -577,10 +577,6 @@
if (m0 == 0)
return;
- m = sb->sb_mb;
- if (m)
- while (m->m_nextpkt)
- m = m->m_nextpkt;
/*
* Put the first mbuf on the queue. Note this permits zero length
* records.
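Review bot: with the tail walk over `m_nextpkt` gone, the function relies entirely on SBLINKRECORD() (in the next hunk) to attach m0 to the record list, which is the right thing to do and also removes an O(number of records) loop from every append; while this block is being touched, though, the surviving `if (m0 == 0)` (and `m0->m_next = 0;` further down) still compares pointers against `0`, whereas the new code in this patch uses `if (m != NULL)`. Consider switching both to `NULL` so the function follows one style throughout.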
@@ -588,17 +584,17 @@
sballoc(sb, m0);
SBLASTRECORDCHK(sb);
SBLINKRECORD(sb, m0);
- if (m)
- m->m_nextpkt = m0;
- else
- sb->sb_mb = m0;
+ sb->sb_mbtail = m0;
m = m0->m_next;
m0->m_next = 0;
- if (m && (m0->m_flags & M_EOR)) {
- m0->m_flags &= ~M_EOR;
- m->m_flags |= M_EOR;
+ if (m != NULL) {
+ if (m0->m_flags & M_EOR) {
+ m0->m_flags &= ~M_EOR;
+ m->m_flags |= M_EOR;
+ }
+
+ sbcompress(sb, m, m0);
}
- sbcompress(sb, m, m0);
}
/*
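Review bot: `sb->sb_mbtail = m0;` needs a comment explaining why it is set here, because next to the sbcompress() call it reads as redundant; presumably sbcompress() advances sb_mbtail only for mbufs it actually appends, so for a single-mbuf record (`m == NULL`) nothing else sets it and SBLASTMBUFCHK fires under SOCKBUF_DEBUG, which is the kern/126742 case described in the mail, and that reasoning belongs in the code. The new `if (m != NULL)` guard also turns the previously unconditional sbcompress() call into a conditional one; that is only equivalent if sbcompress() has no side effects on an empty chain, which this hunk does not show, so either say so in the commit message or leave the call unconditional and let sbcompress() handle `m == NULL` itself, keeping the M_EOR relocation inside the `if`.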
==
thanks,
max
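The following is an added example, not code from the mail above or from the FreeBSD tree: a small user-space model of the sockbuf record list that reproduces the invariant violation the mail describes (sb_mbtail left stale after appending a one-mbuf record) and shows the effect of setting sb_mbtail in the append path. The struct fields and the stand-ins for SBLINKRECORD, SBLASTMBUFCHK and sbcompress() borrow the kernel's names but are simplified assumptions; the M_EOR value and the `tail_invariant_holds()` helper are invented for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define M_EOR 0x0004   /* assumed flag value; only the bit matters here */

struct mbuf {
    struct mbuf *m_next;     /* next mbuf within the same record */
    struct mbuf *m_nextpkt;  /* first mbuf of the next record */
    int m_len;
    int m_flags;
};

struct sockbuf {
    struct mbuf *sb_mb;          /* first record */
    struct mbuf *sb_lastrecord;  /* last record */
    struct mbuf *sb_mbtail;      /* must be the last mbuf of the last record */
    int sb_cc;                   /* bytes queued */
};

/* Stand-in for SBLASTMBUFCHK: 1 if sb_mbtail is the last mbuf of the last record. */
static int sblastmbufchk(const struct sockbuf *sb)
{
    const struct mbuf *m = sb->sb_lastrecord;
    if (m == NULL)
        return sb->sb_mbtail == NULL;
    while (m->m_next != NULL)
        m = m->m_next;
    return sb->sb_mbtail == m;
}

/* Stand-in for SBLINKRECORD: hang m0 on the record list as the last record. */
static void sblinkrecord(struct sockbuf *sb, struct mbuf *m0)
{
    if (sb->sb_lastrecord != NULL)
        sb->sb_lastrecord->m_nextpkt = m0;
    else
        sb->sb_mb = m0;
    sb->sb_lastrecord = m0;
}

/* Stand-in for sbcompress(): append chain m after n. sb_mbtail is only
 * updated inside the loop, so an empty chain leaves it untouched (assumed). */
static void sbcompress(struct sockbuf *sb, struct mbuf *m, struct mbuf *n)
{
    while (m != NULL) {
        struct mbuf *next = m->m_next;
        n->m_next = m;
        m->m_next = NULL;
        sb->sb_mbtail = m;
        sb->sb_cc += m->m_len;
        n = m;
        m = next;
    }
}

/* Append as before the patch: sb_mbtail is left for sbcompress() to set. */
static void sbappendrecord_before(struct sockbuf *sb, struct mbuf *m0)
{
    struct mbuf *m;
    sb->sb_cc += m0->m_len;
    sblinkrecord(sb, m0);
    m = m0->m_next;
    m0->m_next = NULL;
    sbcompress(sb, m, m0);
}

/* Append as after the patch: sb_mbtail is set to m0 here; sbcompress()
 * advances it only when the record has further mbufs. */
static void sbappendrecord_after(struct sockbuf *sb, struct mbuf *m0)
{
    struct mbuf *m;
    sb->sb_cc += m0->m_len;
    sblinkrecord(sb, m0);
    sb->sb_mbtail = m0;
    m = m0->m_next;
    m0->m_next = NULL;
    if (m != NULL) {
        if (m0->m_flags & M_EOR) {
            m0->m_flags &= ~M_EOR;
            m->m_flags |= M_EOR;
        }
        sbcompress(sb, m, m0);
    }
}

/* Constructed input: one record of n mbufs, 10 bytes each. */
static struct mbuf *make_record(int n)
{
    struct mbuf *head = NULL, **pp = &head;
    for (int i = 0; i < n; i++) {
        struct mbuf *m = calloc(1, sizeof(*m));
        if (m == NULL)
            abort();
        m->m_len = 10;
        *pp = m;
        pp = &m->m_next;
    }
    return head;
}

static void free_sockbuf(struct sockbuf *sb)
{
    for (struct mbuf *rec = sb->sb_mb, *nextrec; rec != NULL; rec = nextrec) {
        nextrec = rec->m_nextpkt;
        for (struct mbuf *m = rec, *next; m != NULL; m = next) {
            next = m->m_next;
            free(m);
        }
    }
}

/* Append nrecords records of nmbufs mbufs each to an empty sockbuf using the
 * given routine; return 1 if the sb_mbtail invariant held after every append. */
int tail_invariant_holds(void (*append)(struct sockbuf *, struct mbuf *),
                         int nrecords, int nmbufs)
{
    struct sockbuf sb = { NULL, NULL, NULL, 0 };
    int ok = 1;
    for (int i = 0; i < nrecords; i++) {
        append(&sb, make_record(nmbufs));
        if (!sblastmbufchk(&sb))
            ok = 0;
    }
    free_sockbuf(&sb);
    return ok;
}

int main(void)
{
    printf("before patch, 1-mbuf record: %s\n",
           tail_invariant_holds(sbappendrecord_before, 1, 1) ? "ok" : "sb_mbtail stale");
    printf("after patch, 1-mbuf record: %s\n",
           tail_invariant_holds(sbappendrecord_after, 1, 1) ? "ok" : "sb_mbtail stale");
    return 0;
}
```

The model keeps the one property that matters for the report: in the pre-patch path nothing touches sb_mbtail unless sbcompress() appends at least one mbuf, so a single-mbuf record leaves it pointing at the previous record's tail (or NULL on an empty sockbuf), which is exactly what the SOCKBUF_DEBUG check catches. Multi-mbuf records pass in both versions, which is why the bug only shows up with `m0->m_next == NULL`.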