Author: mvs
Date: 2025-04-15 12:14:06
Hash: 42337cd2
Message:
Release `sb_mtx' mutex(9) while doing sleeping m_copym(..., M_WAIT) in
soreceive() and somove(). It is possible in both places. We copy only
`len' bytes from the single mbuf(9) pointed to by `m'. The `len' is always
less than m->m_len. The m->m_len could only grow while `sb_mtx' is
unlocked, but a concurrent thread will not override our chunk of
m->m_data. There is no difference with the lockless uiomove(mtod(m)).
Reported-by: syzbot+6cac839a17bc8be499d7@syzkaller.appspotmail.com
ok bluhm