Re: MCLADDREFERENCE() incrementing the wrong ext_refcnt?

To: tech-kern%netbsd.org@localhost
Subject: Re: MCLADDREFERENCE() incrementing the wrong ext_refcnt?
From: Ryota Ozaki <ozaki-r%netbsd.org@localhost>
Date: Thu, 28 Mar 2024 18:22:40 +0900

Hi,

On Sat, Mar 23, 2024 at 12:44 AM Edgar Fuß <ef%math.uni-bonn.de@localhost> wrote:
>
> Hello.
>
> I'm under the impression that MCLADDREFERENCE() may increment the wrong
> ext_refcnt.
>
> In case it's permitted (I cant't find anything to the contrary) to
> call MCLADDREFERENCE(m1, m2) and then MCLADDREFERENCE(m2, m3), then the
> second call will increment m2's ext_refcnt where it should be incrementing
> m1's one (e.g. the one all of m1, m2 and m3's m_ext_ref are pointing to), no?
>
> So I think
>         atomic_inc_uint(&(o)->m_ext.ext_refcnt);                        \
> should really be
>         atomic_inc_uint(&(o)->m_ext_ref->m_ext.ext_refcnt);             \
> which, of course, is the same thing if MEXT_ISEMBEDDED(o) is true.
>
> Am I getting something wrong?

I think you're right.

IIUC use-after-free can occur in some cases. In the case of your example,
if the mbufs are freed in the order of m1, m3 and m2, a freed buffer of m1
can be accessed via m2 after m3 is freed.

I'll commit your fix.

Thanks,
  ozaki-r

Follow-Ups:
- Re: MCLADDREFERENCE() incrementing the wrong ext_refcnt?
  - From: Edgar Fuß

References:
- MCLADDREFERENCE() incrementing the wrong ext_refcnt?
  - From: Edgar Fuß

Prev by Date: Re: Fullfs file system
Next by Date: Re: [GSOC][NEWBIE]
Previous by Thread: MCLADDREFERENCE() incrementing the wrong ext_refcnt?
Next by Thread: Re: MCLADDREFERENCE() incrementing the wrong ext_refcnt?
Indexes:

Home | Main Index | Thread Index | Old Index