Hi,

On Sat, Mar 23, 2024 at 12:44 AM Edgar Fuß <e...@math.uni-bonn.de> wrote:
>
> Hello.
>
> I'm under the impression that MCLADDREFERENCE() may increment the wrong
> ext_refcnt.
>
> In case it's permitted (I can't find anything to the contrary) to
> call MCLADDREFERENCE(m1, m2) and then MCLADDREFERENCE(m2, m3), then the
> second call will increment m2's ext_refcnt where it should be incrementing
> m1's one (i.e. the one all of m1, m2 and m3's m_ext_ref are pointing to), no?
>
> So I think
> 	atomic_inc_uint(&(o)->m_ext.ext_refcnt); \
> should really be
> 	atomic_inc_uint(&(o)->m_ext_ref->m_ext.ext_refcnt); \
> which, of course, is the same thing if MEXT_ISEMBEDDED(o) is true.
>
> Am I getting something wrong?
I think you're right. IIUC, a use-after-free can occur in some cases.
In the case of your example, if the mbufs are freed in the order of m1, m3
and m2, a freed buffer of m1 can be accessed via m2 after m3 is freed.

I'll commit your fix.

Thanks,
ozaki-r
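The following is a simplified model of the reference-count chain discussed in the two messages above, added here as an illustration. It is not NetBSD's struct mbuf, uipc_mbuf.c or the real MCLADDREFERENCE macro: the struct, ext_attach(), ext_free() and the two scenario functions are constructed for this example. It takes the thread's premise as given, namely that m_ext names each mbuf's own embedded storage and that only the owner's ext_refcnt (the one reached through m_ext_ref) is meaningful. Both forms of the increment are modelled side by side, and the m1, m3, m2 free order from the reply is run against each.

```c
/*
 * Model of the MCLADDREFERENCE refcount chain. Constructed for this
 * example; not NetBSD's mbuf code. Premise (from the thread): m_ext is
 * each mbuf's own embedded storage, only the owner's ext_refcnt counts.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXT_SIZE 2048

struct mbuf {
	struct {
		unsigned ext_refcnt;	/* meaningful only when MEXT_ISEMBEDDED */
		char *ext_buf;		/* external storage; NULL once released */
	} m_ext;
	struct mbuf *m_ext_ref;		/* mbuf that owns the external storage */
};

#define MEXT_ISEMBEDDED(m) ((m)->m_ext_ref == (m))

/* Make m the owner of freshly allocated external storage (refcnt 1). */
static void
ext_attach(struct mbuf *m)
{
	memset(m, 0, sizeof(*m));
	m->m_ext.ext_buf = malloc(EXT_SIZE);
	m->m_ext.ext_refcnt = 1;
	m->m_ext_ref = m;
}

/*
 * MCLADDREFERENCE(o, n): n shares o's external storage.
 * The buggy form bumps o's own embedded counter; the fixed form bumps
 * the counter of the owner o points at. They agree iff MEXT_ISEMBEDDED(o).
 */
static void
mcladdreference(struct mbuf *o, struct mbuf *n, bool fixed)
{
	if (fixed)
		o->m_ext_ref->m_ext.ext_refcnt++;
	else
		o->m_ext.ext_refcnt++;
	n->m_ext_ref = o->m_ext_ref;
}

/* Drop m's reference; release the storage when the owner's count hits 0. */
static unsigned
ext_free(struct mbuf *m)
{
	struct mbuf *owner = m->m_ext_ref;
	unsigned refcnt = --owner->m_ext.ext_refcnt;

	if (refcnt == 0) {
		free(owner->m_ext.ext_buf);
		owner->m_ext.ext_buf = NULL;
	}
	return refcnt;
}

/* Owner's refcount after the m1 -> m2 -> m3 chain: 2 (buggy) or 3 (fixed). */
unsigned
owner_refcnt_after_chain(bool fixed)
{
	struct mbuf m1, m2 = {0}, m3 = {0};
	unsigned r;

	ext_attach(&m1);
	mcladdreference(&m1, &m2, fixed);
	mcladdreference(&m2, &m3, fixed);	/* o = m2 is not the owner */
	r = m1.m_ext.ext_refcnt;
	free(m1.m_ext.ext_buf);
	return r;
}

/*
 * Free in the order m1, m3, m2 and report whether the storage was already
 * released while m2 still referenced it (the use-after-free window).
 */
bool
scenario_use_after_free(bool fixed)
{
	struct mbuf m1, m2 = {0}, m3 = {0};
	bool uaf;

	ext_attach(&m1);
	mcladdreference(&m1, &m2, fixed);
	mcladdreference(&m2, &m3, fixed);

	ext_free(&m1);
	ext_free(&m3);
	/* m2 is still live: is the buffer it refers to still there? */
	uaf = (m2.m_ext_ref->m_ext.ext_buf == NULL);
	if (!uaf)
		m2.m_ext_ref->m_ext.ext_buf[0] = 'x';	/* legitimate use */
	ext_free(&m2);	/* buggy case: count wraps instead of releasing */
	return uaf;
}

int
main(void)
{
	printf("buggy: owner refcnt %u, UAF window %d\n",
	    owner_refcnt_after_chain(false), scenario_use_after_free(false));
	printf("fixed: owner refcnt %u, UAF window %d\n",
	    owner_refcnt_after_chain(true), scenario_use_after_free(true));
	return 0;
}
```

With the buggy increment the second call bumps m2's unused embedded counter, so the owner's count is 2 for three holders; freeing m1 and m3 drives it to zero and the buffer is released while m2 still points at it, and m2's own free then wraps the counter rather than releasing anything. With the fixed increment the owner's count is 3 and the storage goes away only at the last free, whatever the order.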