Date: Tue, 9 May 2000 19:11:42 +0100 (BST) From: dwmalone@maths.tcd.ie To: FreeBSD-gnats-submit@freebsd.org Subject: kern/18471: Checking freeing of mbufs. Message-ID: <200005091911.aa59278@walton.maths.tcd.ie>
next in thread | raw e-mail | index | archive | help
>Number: 18471
>Category: kern
>Synopsis: mbuf and mbuf clusters can be freed multiple times
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue May 09 11:20:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: David Malone
>Release: FreeBSD 3.4-STABLE i386
>Organization:
School of Mathematics, Trinity College, Dublin, Ireland.
>Environment:
3.X, 4.X, 5.X and probably earlier.
>Description:
The code for freeing mbuf clusters and mbufs doesn't check if the
object is already free before freeing it. While this shouldn't
happen it makes debugging difficult when it does, as we found while
trying to debug some problems with the netatalk code.
It would be better if the kernel paniced at the time of the second
free, as opposed to some time later when the entry which has been
freed twice gets reused while still in use!
>How-To-Repeat:
Write code which doesn't track it's mbufs carefully enough, and try
to debug.
>Fix:
I've been running a machine tracking current at home with the
following KASSERTs added and INVARIENTS on. I've seen no problems
with them.
Index: mbuf.h
===================================================================
RCS file: /cvs/FreeBSD-CVS/src/sys/sys/mbuf.h,v
retrieving revision 1.47
diff -u -r1.47 mbuf.h
--- mbuf.h 2000/04/19 01:24:26 1.47
+++ mbuf.h 2000/04/22 20:11:49
@@ -381,6 +381,7 @@
#define MCLFREE1(p) do { \
union mcluster *_mp = (union mcluster *)(p); \
\
+ KASSERT(mclrefcnt[mtocl(_mp)] > 0, ("freeing free cluster")); \
if (--mclrefcnt[mtocl(_mp)] == 0) { \
_mp->mcl_next = mclfree; \
mclfree = _mp; \
@@ -415,6 +416,7 @@
#define MFREE(m, n) MBUFLOCK( \
struct mbuf *_mm = (m); \
\
+ KASSERT(_mm->m_type != MT_FREE, ("freeing free mbuf")); \
mbstat.m_mtypes[_mm->m_type]--; \
if (_mm->m_flags & M_EXT) \
MEXTFREE1(m); \
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005091911.aa59278>