Date:      Mon, 28 Aug 2006 15:44:52 -0700
From:      John-Mark Gurney <gurney_j@resnet.uoregon.edu>
To:        Randall Stewart <rrs@cisco.com>
Cc:        freebsd-net@freebsd.org, andre@freebsd.org
Subject:   Re: Problem with uipc_mbuf.c
Message-ID:  <20060828224452.GK37035@funkthat.com>
In-Reply-To: <44F35A65.3080605@cisco.com>
References:  <44F35A65.3080605@cisco.com>

Randall Stewart wrote this message on Mon, Aug 28, 2006 at 17:04 -0400:
> 	    atomic_fetchadd_int(m->m_ext.ref_cnt, -1) == 0) {
							 ^

This should be 1 not 0.. as apparently fetchadd_int returns the old value
(at least that's what atomic(9) says), which means that if we ever race
on this comparison, we won't free though we should have...

if we look at refcount.h, it does:
        return (atomic_fetchadd_int(count, -1) == 1);

which releases a reference and apparently returns true if it needs to
be free'd...

Though the weird part is that andre, "fixed" it to be 0 in 1.157:
Fix a logic error introduced with mandatory mbuf cluster refcounting and
freeing of mbufs+clusters back to the packet zone.

> I am thinking about restoring the old code.. since
> it appears to work...
> 
> Any comments or help would be appreciated..

Let's see what andre has to say about this.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060828224452.GK37035>
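
The old-value semantics discussed in the message above, as an added example that is not part of the original e-mail and is not FreeBSD code. It assumes C11 `atomic_fetch_add` as a stand-in for `atomic_fetchadd_int` (both return the value held before the add); `struct cluster`, `release` and `drain` are hypothetical names.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a reference-counted cluster (not kernel code). */
struct cluster {
    atomic_int ref_cnt;              /* number of current holders */
};

struct result {
    int frees;                       /* how many releases decided to free */
    int freed_at;                    /* which release freed, -1 if none did */
    int final_cnt;                   /* counter value after all releases */
};

/* Drop one reference. fetch-and-add returns the value BEFORE the add, so the
 * last holder observes old == 1. `last_old` is the old value the caller
 * treats as "I was the last holder": 1 is correct, 0 is the variant under
 * discussion. */
static bool release(struct cluster *c, int last_old)
{
    int old = atomic_fetch_add(&c->ref_cnt, -1);
    return old == last_old;
}

/* Take `holders` references, release each once, record who freed. */
static struct result drain(int holders, int last_old)
{
    struct cluster c;
    struct result r = { 0, -1, 0 };

    atomic_init(&c.ref_cnt, holders);
    for (int i = 1; i <= holders; i++) {
        if (release(&c, last_old)) {
            r.frees++;
            r.freed_at = i;
        }
    }
    r.final_cnt = atomic_load(&c.ref_cnt);
    return r;
}

int main(void)
{
    struct result ok = drain(3, 1), bad = drain(3, 0);

    printf("== 1: frees=%d at release %d, count=%d\n", ok.frees, ok.freed_at, ok.final_cnt);
    printf("== 0: frees=%d, count=%d (never freed)\n", bad.frees, bad.final_cnt);
    return 0;
}
```

With the `== 0` comparison every holder has released and the counter has reached zero, yet no caller was told to free, which is the leak the message describes.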