[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BSD network memory allocation bug

Date: Fri, 21 May 1999 11:02:20 -0600
From: eric at cls.usask.ca (Eric Norum)
Subject: BSD network memory allocation bug

I've been looking into getting rid of the `"Network mbuf space can not be enlarged' panic in the RTEMS/FreeBSD networking code.  In doing so I think I've uncovered a bug in the FreeBSD code.  I'd like to have this verified by others, though.

It seems to me that the FreeBSD mbuf memory allocation routines can return NULL even if they are called with the M_WAIT flag.  However, much of the FreeBSD code that calls an mbuf allocation routine with M_WAIT assumes that a valid pointer will always be returned.

For example, in the sogetopt() routine (kern/uipc_socket.c) there is:
	        m = m_get(M_WAIT, MT_SOOPTS);
                m->m_len = sizeof (int);

Here is the mechanism in the FreeBSD code whereby a NULL can be returned by an M_WAIT allocation request:
1) Some routine calls m_get(M_WAIT,.....)
2) The mbuf free list happens to be empty (mmbfree == 0) so the MGET macro calls m_mballoc to try to get more mbufs.
3) The map happens to be full (mb_map_full != 0) so m_mballoc returns 0.
4) The MGET macro calls m_retry
5) m_retry calls m_reclaim to try and reclaim some space.
6) Assume that no space is reclaimed.
7) m_retry calls MGET again
8) The free list will still be empty (since m_reclaim didn't reclaim any space)
9) The MGET macro will call m_mballoc.
10) The map is still full, so m_mballoc returns 0.
11) The MGET macro returns 0.
12) m_retry returns 0 (to the original MGET macro call)
13) The original MGET macro call returns 0.

Simple, isn't it :-)

Note that the above sequence can't happen with the existing RTEMS/FreeBSD code since the call to m_mballoc causes a panic.....

=======================================================================

So, to make a long story short:

1) The m_mballoc and m_clalloc routines need to be rewritten for RTEMS so that they do not generate a panic.  
2) It seems to me that when doing this rewrite I should also ensure that they never return a NULL value when M_WAIT is specified.

Comments?

My aim is always to make the absolute minimum number of changes to the FreeBSD code, but it looks like I'm going to have to get in and modify some of the routines in kern/uipc_mbuf.c.

-- 
Eric Norum                                 eric at cls.usask.ca
Saskatchewan Accelerator Laboratory        Phone: (306) 966-6308
University of Saskatchewan                 FAX:   (306) 966-6058
Saskatoon, Canada.

Follow-Ups:
- BSD network memory allocation bug
  - From: qqi at world.std.com (Quality Quorum)
- BSD network memory allocation bug
  - From: ian at airs.com (Ian Lance Taylor)

Prev by Date: mips64orion _CPU_ISR_Set_level
Next by Date: BSD network memory allocation bug
Previous by thread: FW: Boot loading (fwd)
Next by thread: BSD network memory allocation bug
Index(es):
- Date
- Thread