Date: Mon, 3 Jun 2002 12:25:52 -0700 (PDT)
From: Julian Elischer
To: Archie Cobbs
Cc: freebsd-net@freebsd.org, smp@freebsd.org
Subject: Re: Race condition with M_EXT ref count?
In-Reply-To: <200206031913.g53JD7547163@arch20m.dellroad.org>

This is YET ANOTHER case for the Atomic reference counting ABI that jhb has been talking about...

On Mon, 3 Jun 2002, Archie Cobbs wrote:

> This is a question about M_EXT mbuf reference counts in FreeBSD-stable.
>
> There are several instances in kern/uipc_mbuf.c that add a reference
> to an M_EXT mbuf by either incrementing the entry in the mclrefcnt[]
> array or invoking the "custom" ext_ref routine.
>
> However, it seems that these instances are all broken because they
> don't wrap these operations within splimp()...
>
> Isn't the following C statement *not* atomic?
>
>     mclrefcnt[mtocl(m->m_ext.ext_buf)]++;
>
> And isn't access to mclrefcnt[] supposed to be protected by splimp()?
> Note: MCLFREE() *does* set splimp() before decrementing M_EXT ref counts.
>
> Therefore, isn't there a race condition wrt. the M_EXT reference counts?
>
> The functions which fail to set splimp() before adding a reference are:
>
>     m_copym()
>     m_copypacket()
>     m_split()
>
> Thanks for any comments/clarification on this subject..
>
> -Archie
>
> __________________________________________________________________________
> Archie Cobbs * Packet Design * http://www.packetdesign.com
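
The lost update asked about in this thread, as an added example that is not part of the original messages and is not FreeBSD source: a single-threaded C11 simulation in which a handler runs between the load and the store of a plain `++`, next to an atomic increment. All names (`plain_ref`, `ref_add_unprotected`, `intr_add_plain`, and so on) are hypothetical, and it is an assumption of the example that interrupt-level code also adds a reference to the same slot.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical stand-ins for one mclrefcnt[] slot; not FreeBSD source. */
static int plain_ref;
static atomic_int atomic_ref;

/* Simulated interrupt-level code that takes its own reference. */
static void intr_add_plain(void)  { plain_ref++; }
static void intr_add_atomic(void) { atomic_fetch_add(&atomic_ref, 1); }

/* "refcnt++" as the three steps a compiler may emit. The handler fires
 * between load and store, the window splimp() would have closed. */
static void ref_add_unprotected(void (*intr)(void))
{
    int tmp = plain_ref;    /* load */
    intr();                 /* interrupt lands here */
    tmp = tmp + 1;          /* modify */
    plain_ref = tmp;        /* store: overwrites the handler's update */
}

/* Atomic read-modify-write: the handler cannot run inside the operation,
 * only before it (as simulated here) or after it. */
static void ref_add_atomic(void (*intr)(void))
{
    intr();
    atomic_fetch_add(&atomic_ref, 1);
}

/* One owner already; add a reference while an interrupt adds another. */
int racy_final_count(void)
{
    plain_ref = 1;
    ref_add_unprotected(intr_add_plain);
    return plain_ref;       /* 2, although three references exist */
}

int atomic_final_count(void)
{
    atomic_store(&atomic_ref, 1);
    ref_add_atomic(intr_add_atomic);
    return atomic_load(&atomic_ref);    /* 3 */
}

int main(void)
{
    printf("unprotected=%d atomic=%d\n", racy_final_count(), atomic_final_count());
    return 0;
}
```

An undercount like the one in `racy_final_count()` means the buffer would be released while a reference to it is still held.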