diff --git a/sys/kern/uipc_mbuf.c b/sys/kern/uipc_mbuf.c index 80c40611203..27ca156c23c 100644 --- a/sys/kern/uipc_mbuf.c +++ b/sys/kern/uipc_mbuf.c @@ -560,6 +560,11 @@ bad: * Partition an mbuf chain in two pieces, returning the tail -- * all but the first len0 bytes. In case of failure, it returns NULL and * attempts to restore the chain to its original state. + * + * Note that the resulting mbufs might be read-only, because the new + * mbuf can end up sharing an mbuf cluster with the original mbuf if + * the "breaking point" happens to lie within a cluster mbuf. Use the + * M_WRITABLE() macro to check for this case. */ struct mbuf * m_split(struct mbuf *m0, int len0, int wait) @@ -609,7 +614,6 @@ extpacket: n->m_flags |= M_EXT; n->m_ext = m->m_ext; MEXT_ADD_REF(m); - m->m_ext.ext_size = 0; /* For Accounting XXXXXX danger */ n->m_data = m->m_data + len; } else { bcopy(mtod(m, caddr_t) + len, mtod(n, caddr_t), remain); diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h index 4075a5d2265..5cfb1aebf35 100644 --- a/sys/sys/mbuf.h +++ b/sys/sys/mbuf.h @@ -344,6 +344,9 @@ struct mbstat { /* * Compute the amount of space available * before the current start of data in an mbuf. + * + * The M_WRITABLE() is a temporary, conservative safety measure: the burden + * of checking writability of the mbuf data area rests solely with the caller. */ #define M_LEADINGSPACE(m) \ ((m)->m_flags & M_EXT ? \ @@ -354,10 +357,14 @@ struct mbstat { /* * Compute the amount of space available * after the end of data in an mbuf. + * + * The M_WRITABLE() is a temporary, conservative safety measure: the burden + * of checking writability of the mbuf data area rests solely with the caller. */ #define M_TRAILINGSPACE(m) \ - ((m)->m_flags & M_EXT ? (m)->m_ext.ext_buf + \ - (m)->m_ext.ext_size - ((m)->m_data + (m)->m_len) : \ + ((m)->m_flags & M_EXT ? \ + (M_WRITABLE(m) ? (m)->m_ext.ext_buf + (m)->m_ext.ext_size \ + - ((m)->m_data + (m)->m_len) : 0) : \ &(m)->m_dat[MLEN] - ((m)->m_data + (m)->m_len)) /*