atomic_fetchadd_int is used by mb_free_ext(), but it

returns the previous value that the "add" effected (In this case we are adding -1), afterwhich we compare it to '0'... to see if we free the mbuf... we should be comparing it to '1'... Note that this only effects when there is contention since there is a first part to the comparison that checks to see if its '1'. So this bug would only crop up if two CPU's are trying to free the same mbuf refcount at the same time. This will happen in SCTP but I doubt can happen in TCP or UDP. PR: N/A Submitted by: rrs Reviewed by: gnn,sam Approved by: gnn,sam
svn path=/head/; revision=162515
2024-09-23 10:14:55 +00:00 · 2006-09-21 09:55:43 +00:00 · 2006-09-21 09:55:43 +00:00 · adf5d1c6d0 · 2020-12-20 02:59:44 +00:00
parent f981f1923b
commit adf5d1c6d0
1 changed files with 1 additions and 1 deletions
--- a/sys/kern/uipc_mbuf.c
+++ b/sys/kern/uipc_mbuf.c
@ -215,7 +215,7 @@ mb_free_ext(struct mbuf *m)

 	/* Free attached storage if this mbuf is the only reference to it. */
 	if (*(m->m_ext.ref_cnt) == 1 ||
-	    atomic_fetchadd_int(m->m_ext.ref_cnt, -1) == 0) {
+	    atomic_fetchadd_int(m->m_ext.ref_cnt, -1) == 1) {
 		switch (m->m_ext.ext_type) {
 		case EXT_PACKET:	/* The packet zone is special. */
 			if (*(m->m_ext.ref_cnt) == 0)