From owner-freebsd-bugs@FreeBSD.ORG  Mon Aug 25 12:53:16 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3F40A16A4BF; Mon, 25 Aug 2003 12:53:16 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 76D3843FBF; Mon, 25 Aug 2003 12:53:15 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1])
	by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h7PJqlrO006672;
	Mon, 25 Aug 2003 15:52:47 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)h7PJqk7v006669;
	Mon, 25 Aug 2003 15:52:47 -0400 (EDT)
Date: Mon, 25 Aug 2003 15:52:46 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
In-Reply-To: <20030823005046.5FBDE5F103@shellma.zin.lublin.pl>
Message-ID: <Pine.NEB.3.96L.1030825155029.5347F-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-bugs@FreeBSD.org
cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55886: mbuf exhaustion can cause panic
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2003 19:53:16 -0000

Try the attached patch for -CURRENT, or variation on -STABLE.  Basically,
M_PREPEND() can fail leaving (m == NULL) even with M_TRYWAIT.  Most
consumers of M_PREPEND seem to know that.  Raw IP output seems not to.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

Index: raw_ip.c
===================================================================
RCS file: /data/fbsd-cvs/ncvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.114
diff -u -r1.114 raw_ip.c
--- raw_ip.c	20 Aug 2003 14:46:40 -0000	1.114
+++ raw_ip.c	25 Aug 2003 19:50:07 -0000
@@ -288,6 +288,8 @@
 			return(EMSGSIZE);
 		}
 		M_PREPEND(m, sizeof(struct ip), M_TRYWAIT);
+		if (m == NULL)
+			return(ENOBUFS);
 		ip = mtod(m, struct ip *);
 		ip->ip_tos = inp->inp_ip_tos;
 		ip->ip_off = 0;