Date: Tue, 27 Sep 2016 00:13:43 -0700
From: lohith bellad <lohithbsd@gmail.com>
To: svn-src-head@freebsd.org, hiren panchasara <hiren@strugglingcoder.info>, freebsd-current-request@freebsd.org, bde@FreeBSD.org
Subject: Re: svn commit: r306337 - head/sys/kern
Message-ID: <1474960423.1281.0@smtp.gmail.com>
Hi Bruce and Hiren,

This is regarding the following commit, which led to kernel panic!!!
https://svnweb.freebsd.org/base?view=revision&revision=306337

Discussion thread regarding the kernel panic,
https://lists.freebsd.org/pipermail/svn-src-head/2016-September/092110.html

Thanks a lot for the input and sorry for the trouble created.

Modified diff:

Since it's not possible to check and free the control mbuf correctly in the sendit() routine, we can clear the control mbuf in the kern_sendit() routine after checking correctly. Here is the diff,

Index: sys/kern/uipc_syscalls.c =================================================================== --- sys/kern/uipc_syscalls.c (revision 305955) +++ sys/kern/uipc_syscalls.c (working copy) @@ -809,6 +809,9 @@ } if (error == 0) td->td_retval[0] = len - auio.uio_resid; + + /* call to sosend would have cleared control */ + control = NULL; #ifdef KTRACE if (ktruio != NULL) { ktruio->uio_resid = td->td_retval[0]; @@ -816,6 +819,8 @@ } #endif bad: + if (control != NULL) + m_freem(control); fdrop(fp, td); return (error); }

Since we know for sure the sosend() routine will consume the control mbuf if it's present, else it will clear the mbuf, making control = NULL after the call to sosend() will prevent double freeing of the control mbuf.

If there are any errors before the call to sosend() in kern_sendit(), for example EBADF (Bad File Descriptor), then we will fall to "bad:" and if control != NULL, we will clear the mbuf. This way the mbuf leak for EBADF is also prevented.

If this looks good, can we commit this?

Cheers,
Lohith
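
Review bot: In the first hunk (@@ -809,6 +809,9 @@), `control = NULL;` sits after the `if (error == 0)` assignment rather than directly after the sosend() call, so the hunk alone does not show that nothing between the call and this line can reach `bad:` with the stale pointer. Moving the assignment to the line immediately after sosend() ties it to the ownership transfer and keeps it correct if an error exit is later added in between. The comment would also read more precisely as "sosend() has consumed or freed control" instead of "cleared".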
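
Review bot: In the second hunk (@@ -816,6 +819,8 @@), the `m_freem(control)` at `bad:` makes kern_sendit() the owner of control on every return path, and that contract change is not documented anywhere in the patch. Add a comment above kern_sendit() stating that control is always consumed, and check each caller that passes a control mbuf (sendit() is the one named in this thread) so that none of them still frees it after an error return, since that would be a second free of the same chain. The diff is taken against revision 305955, so it is also worth stating how it applies relative to r306337.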