Date: Fri, 21 Jan 2011 05:33:17 GMT
From: Zhouyi Zhou <zhouzhouyi@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: standards/154185: race condition in mb_dupcl
Message-ID: <201101210533.p0L5XHXL003508@red.freebsd.org>
Resent-Message-ID: <201101210540.p0L5e6eE076219@freefall.freebsd.org>
>Number:         154185
>Category:       standards
>Synopsis:       race condition in mb_dupcl
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-standards
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 05:40:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Zhouyi Zhou
>Release:        FreeBSD 8.0
>Organization:
ICT CAS
>Environment:
FreeBSD zzy 8.0-RELEASE FreeBSD 8.0-RELEASE #85: Fri Jan 21 12:56:40 UTC 2011     root@zzy:/root/sys/amd64/compile/GENERIC  amd64
>Description:
There is a race condition in function mb_dupcl in src/sys/kern/uipc_mbuf.c.

The code to add the reference count in mb_dupcl is as follows:

390         if (*(m->m_ext.ref_cnt) == 1)
391                 *(m->m_ext.ref_cnt) += 1;

The x86 asm code for these two lines is:

0xffffffff807aa28d <mb_dupcl+13>:    sub    $0x1,%eax
0xffffffff807aa290 <mb_dupcl+16>:    je     0xffffffff807aa2f0 <mb_dupcl+112>
..
0xffffffff807aa2f0 <mb_dupcl+112>:   mov    (%rdx),%ecx
0xffffffff807aa2f2 <mb_dupcl+114>:   add    $0x1,%ecx
0xffffffff807aa2f5 <mb_dupcl+117>:   mov    %ecx,(%rdx)

It is apparent that multiple threads will race for the contents of (%rdx).
>How-To-Repeat:
Can write a kernel module like:

        struct mbuf *m;
        MGETHDR(m, M_DONTWAIT, MT_DATA);
        MCLGET(m, M_DONTWAIT);

Then let multiple threads execute simultaneously:

        m1 = m_copypacket(m, M_DONTWAIT);
        m_freem(m1);
>Fix:
function mb_dupcl

390 -       if (*(m->m_ext.ref_cnt) == 1)
391 -               *(m->m_ext.ref_cnt) += 1;
392 -       else
393                 atomic_add_int(m->m_ext.ref_cnt, 1);
>Release-Note:
>Audit-Trail:
>Unformatted:
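Review bot: The fix in the >Fix: section is given as line-numbered "-" markers rather than a unified diff, so the surviving line is easy to misread; a diff -u against src/sys/kern/uipc_mbuf.c would make it unambiguous. As listed, lines 390-392 are removed and line 393's atomic_add_int(m->m_ext.ref_cnt, 1) becomes the unconditional increment, which closes the load/add/store window shown in the disassembly (mov (%rdx),%ecx; add $0x1,%ecx; mov %ecx,(%rdx)); it is worth stating explicitly in the PR that the intent is to drop the == 1 fast path entirely, not merely to alter it.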
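The following user-space C program is an added illustration and is not part of the PR or of the FreeBSD source. It models the two versions of the increment with pthreads: dupcl_racy reproduces the pre-fix logic (a plain read-modify-write when the count is 1, an atomic add otherwise), and dupcl_fixed is the unconditional atomic increment of the proposed fix. Each worker takes and releases a reference in a loop, as the How-To-Repeat does with m_copypacket and m_freem. The struct cluster type, the thread and iteration counts, and the "premature free" bookkeeping (a release that drives the count to 0 while the original owner still holds it, which in the kernel would free the cluster out from under that owner) are constructed for the demonstration; the kernel's own mb_free_ext logic is not reproduced. The GCC/Clang __atomic builtins stand in for atomic_add_int.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define NTHREADS 4
#define ITERS    200000

/* Constructed stand-in for the shared counter that m->m_ext.ref_cnt points to. */
struct cluster {
    unsigned int ref_cnt;
};

/* Pre-fix mb_dupcl logic: plain read-modify-write when the count is 1. */
static void dupcl_racy(struct cluster *c)
{
    /* volatile keeps the load and store as real memory operations, like the disassembly */
    volatile unsigned int *rc = &c->ref_cnt;
    if (*rc == 1) {
        unsigned int v = *rc;   /* mov (%rdx),%ecx */
        v += 1;                 /* add $0x1,%ecx   */
        *rc = v;                /* mov %ecx,(%rdx) : another thread's update in between is lost */
    } else {
        __atomic_fetch_add(&c->ref_cnt, 1, __ATOMIC_SEQ_CST);
    }
}

/* Proposed fix: unconditional atomic increment (atomic_add_int in the PR). */
static void dupcl_fixed(struct cluster *c)
{
    __atomic_fetch_add(&c->ref_cnt, 1, __ATOMIC_SEQ_CST);
}

struct worker_arg {
    struct cluster *c;
    void (*dup)(struct cluster *);
    unsigned long premature;    /* releases that drove the count to 0 */
};

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < ITERS; i++) {
        a->dup(a->c);                       /* m_copypacket: take a reference */
        /* m_freem: drop it. Reaching 0 means the cluster would be freed although the
         * original owner (the initial count of 1) still holds it: a lost increment. */
        if (__atomic_fetch_sub(&a->c->ref_cnt, 1, __ATOMIC_SEQ_CST) == 1) {
            a->premature++;
            __atomic_fetch_add(&a->c->ref_cnt, 1, __ATOMIC_SEQ_CST);  /* repair and continue */
        }
    }
    return NULL;
}

struct race_result {
    unsigned long premature_frees;  /* total premature-free events across workers */
    unsigned int final_ref_cnt;     /* should be exactly 1 (the original owner) */
};

/* Run NTHREADS workers against one cluster using the given duplication routine. */
struct race_result run_race(void (*dup)(struct cluster *))
{
    struct cluster c = { 1 };       /* the original owner's reference */
    pthread_t t[NTHREADS];
    struct worker_arg args[NTHREADS];
    struct race_result r = { 0, 0 };

    for (int i = 0; i < NTHREADS; i++) {
        args[i].c = &c;
        args[i].dup = dup;
        args[i].premature = 0;
        if (pthread_create(&t[i], NULL, worker, &args[i]) != 0) {
            perror("pthread_create");
            exit(1);
        }
    }
    for (int i = 0; i < NTHREADS; i++) {
        pthread_join(t[i], NULL);
        r.premature_frees += args[i].premature;
    }
    r.final_ref_cnt = c.ref_cnt;
    return r;
}

unsigned long fixed_premature_frees(void) { return run_race(dupcl_fixed).premature_frees; }
unsigned int  fixed_final_refcount(void)  { return run_race(dupcl_fixed).final_ref_cnt; }
unsigned long racy_premature_frees(void)  { return run_race(dupcl_racy).premature_frees; }
unsigned int  racy_final_refcount(void)   { return run_race(dupcl_racy).final_ref_cnt; }

int main(void)
{
    struct race_result racy = run_race(dupcl_racy);
    struct race_result fixed = run_race(dupcl_fixed);
    printf("pre-fix fast path : %lu premature-free events, final ref_cnt %u\n",
           racy.premature_frees, racy.final_ref_cnt);
    printf("atomic_add_int fix: %lu premature-free events, final ref_cnt %u\n",
           fixed.premature_frees, fixed.final_ref_cnt);
    return 0;
}
```

How often the racy variant loses an update depends on the scheduler and core count, so its numbers vary from run to run (a final count above 1 is a leaked reference, a premature-free event is the use-after-free direction); the atomic variant always finishes with zero premature frees and a final count of exactly 1.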