This is a question about M_EXT mbuf reference counts in FreeBSD-stable.
There are several instances in kern/uipc_mbuf.c that add a reference
to an M_EXT mbuf by either incrementing the entry in the mclrefcnt[]
array or invoking the "custom" ext_ref routine.
However, it seems that these instances are all broken because they
don't wrap these operations within splimp()...
Isn't the following C statement *not* atomic?
mclrefcnt[mtocl(m->m_ext.ext_buf)]++;
And isn't access to mclrefcnt[] supposed to be protected by splimp()?
Note: MCLFREE() *does* set splimp() before decrementing M_EXT ref counts.
Therefore, isn't there a race condition wrt. the M_EXT reference counts?
The functions which fail to set splimp() before adding a reference are:
m_copym()
m_copypacket()
m_split()
Thanks for any comments/clarification on this subject..
-Archie
__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
