Module Name: src
Committed By: maxv
Date: Mon Jan 1 12:22:59 UTC 2018
Modified Files:
src/sys/kern: uipc_mbuf.c
Log Message:
Detect use-after-frees on mbufs with external storage, too. This is done
even when the refcount is > 1.
Again, this code is enabled by default, because it is fast and quite
useful.
To generate a diff of this commit:
cvs rdiff -u -r1.175 -r1.176 src/sys/kern/uipc_mbuf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.175 src/sys/kern/uipc_mbuf.c:1.176
--- src/sys/kern/uipc_mbuf.c:1.175 Mon Jan 1 12:09:56 2018
+++ src/sys/kern/uipc_mbuf.c Mon Jan 1 12:22:59 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_mbuf.c,v 1.175 2018/01/01 12:09:56 maxv Exp $ */
+/* $NetBSD: uipc_mbuf.c,v 1.176 2018/01/01 12:22:59 maxv Exp $ */
/*-
* Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.175 2018/01/01 12:09:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.176 2018/01/01 12:22:59 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_mbuftrace.h"
@@ -1687,6 +1687,10 @@ m_ext_free(struct mbuf *m)
KASSERT((m->m_flags & M_EXT_CLUSTER) ==
(m->m_ext_ref->m_flags & M_EXT_CLUSTER));
+ if (__predict_false(m->m_type == MT_FREE)) {
+ panic("mbuf %p already freed", m);
+ }
+
if (__predict_true(m->m_ext.ext_refcnt == 1)) {
refcnt = m->m_ext.ext_refcnt = 0;
} else {
@@ -1727,6 +1731,7 @@ m_ext_free(struct mbuf *m)
}
if (dofree) {
m->m_type = MT_FREE;
+ m->m_data = NULL;
pool_cache_put(mb_cache, m);
}
}
