Date:      Mon, 3 Jun 2002 12:13:07 -0700 (PDT)
From:      Archie Cobbs <archie@dellroad.org>
To:        freebsd-net@freebsd.org
Subject:   Race condition with M_EXT ref count?
Message-ID:  <200206031913.g53JD7547163@arch20m.dellroad.org>

This is a question about M_EXT mbuf reference counts in FreeBSD-stable.

There are several instances in kern/uipc_mbuf.c that add a reference
to an M_EXT mbuf by either incrementing the entry in the mclrefcnt[]
array or invoking the "custom" ext_ref routine.

However, it seems that these instances are all broken because they
don't wrap these operations within splimp()...

Isn't the following C statement *not* atomic?

	mclrefcnt[mtocl(m->m_ext.ext_buf)]++;

And isn't access to mclrefcnt[] supposed to be protected by splimp()?
Note: MCLFREE() *does* set splimp() before decrementing M_EXT ref counts.

Therefore, isn't there a race condition wrt. the M_EXT reference counts?

The functions which fail to set splimp() before adding a reference are:

	m_copym()
	m_copypacket()
	m_split()

Thanks for any comments/clarification on this subject.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
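
The lost update the message asks about, as an added example that is not part of the original e-mail and is not FreeBSD code: a deterministic userland model in which an interrupt lands between the load and the store of an unprotected reference-count increment. It assumes the increment compiles to separate load/add/store steps; `final_count()`, `model_splimp()`, `model_splx()` and the other names are hypothetical stand-ins.

```c
/* Userland model of the race; not FreeBSD code. All names are hypothetical. */
#include <stdio.h>

static int refcnt;       /* stands in for one mclrefcnt[] entry */
static int masked;       /* nonzero while the modelled splimp() is held */
static int pending;      /* an interrupt arrived while masked */
static int intr_delta;   /* what the interrupt-level code does to refcnt */

/* An interrupt arrives: it runs at once unless masked, else it is deferred. */
static void intr_arrives(void)
{
    if (masked)
        pending = 1;
    else
        refcnt += intr_delta;
}

static int model_splimp(void) { int s = masked; masked = 1; return s; }

static void model_splx(int s)
{
    masked = s;
    if (!masked && pending) { pending = 0; refcnt += intr_delta; }
}

/* refcnt++ assumed to compile to load/add/store, interrupted mid-way. */
static void add_ref(void)
{
    int tmp = refcnt;    /* load */
    intr_arrives();      /* interrupt between load and store */
    refcnt = tmp + 1;    /* store discards the handler's update, if it ran */
}

/* Start at 2 references; protect != 0 wraps the increment in the mask. */
int final_count(int delta, int protect)
{
    int s = 0;
    refcnt = 2; masked = 0; pending = 0; intr_delta = delta;
    if (protect) s = model_splimp();
    add_ref();
    if (protect) model_splx(s);
    return refcnt;
}

int main(void)
{
    printf("unprotected, intr drops ref: %d (want 2)\n", final_count(-1, 0));
    printf("unprotected, intr adds ref:  %d (want 4)\n", final_count(+1, 0));
    printf("protected: %d and %d\n", final_count(-1, 1), final_count(+1, 1));
    return 0;
}
```

In the unprotected runs the interrupt's update is overwritten: a lost decrement leaves the count too high (the cluster is never freed), and a lost increment leaves it too low (the cluster can be freed while still referenced).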
