! svn merge -c 182841 $FBDSVN/head/sys sys
! svn merge -c 182842 $FBDSVN/head/sys sys
!
! MFC r182841:
! Add a second KASSERT checking for len >= 0 in the tcp output path.
!
! This is different to the first one (as len gets updated between those
! two) and would have caught various edge cases (read bugs) at a well
! defined place I had been debugging the last months instead of
! triggering (random) panics further down the call graph.
!
! MFC r182842:
!
! Catch a possible NULL pointer deref in case the offsets got mangled
! somehow.
! As a consequence we may now get an unexpected result(*).
! Catch that error cases with a well defined panic giving appropriate
! pointers to ease debugging.
!
! (*) While the concensus was that the case should never happen unless
! there was a bug, noone was definitively sure.
!
Property changes on: sys
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys:r182841-182842
Index: sys/kern/uipc_sockbuf.c
===================================================================
--- sys/kern/uipc_sockbuf.c (revision 190718)
+++ sys/kern/uipc_sockbuf.c (working copy)
@@ -936,11 +936,13 @@
 /* Advance by len to be as close as possible for the next transmit. */
 for (off = off - sb->sb_sndptroff + len - 1;
- off > 0 && off >= m->m_len;
+ off > 0 && m != NULL && off >= m->m_len;
 m = m->m_next) {
 sb->sb_sndptroff += m->m_len;
 off -= m->m_len;
 }
+ if (off > 0 && m == NULL)
+ panic("%s: sockbuf %p and mbuf %p clashing", __func__, sb, ret);
 sb->sb_sndptr = m;
 return (ret);
Index: sys/netinet/tcp_output.c
===================================================================
--- sys/netinet/tcp_output.c (revision 190718)
+++ sys/netinet/tcp_output.c (working copy)
@@ -391,7 +391,7 @@
 }
 /* len will be >= 0 after this point. */
- KASSERT(len >= 0, ("%s: len < 0", __func__));
+ KASSERT(len >= 0, ("[%s:%d]: len < 0", __func__, __LINE__));
 /*
 * Automatic sizing of send socket buffer. Often the send buffer
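Review bot: The panic added after the loop in sys/kern/uipc_sockbuf.c prints only the `sb` and `ret` pointers, so the console message does not say how far the offset overshot the mbuf chain. Including the residual value would make it diagnostic without a crash dump: `panic("%s: sockbuf %p and mbuf %p clashing, off %ju", __func__, sb, ret, (uintmax_t)off);`. The start expression `off - sb->sb_sndptroff + len - 1` is still not range-checked, and a zero `len` or an `off` below `sb_sndptroff` looks like the way to reach this panic; a KASSERT on those inputs before the loop would fail closer to the caller at fault. The function starts outside the hunk, so the types of `off` and `len` are not visible here and the cast is a precaution.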
@@ -741,6 +741,12 @@
 /*#endif*/
 /*
+ * This KASSERT is here to catch edge cases at a well defined place.
+ * Before, those had triggered (random) panic conditions further down.
+ */
+ KASSERT(len >= 0, ("[%s:%d]: len < 0", __func__, __LINE__));
+
+ /*
 * Grab a header mbuf, attaching a copy of data to
 * be transmitted, and initialize the header from
 * the template for sends on this connection.
Property changes on: sys/dev/cxgb
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys/dev/cxgb:r182841-182842
Property changes on: sys/dev/ath/ath_hal
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys/dev/ath/ath_hal:r182841-182842
Property changes on: sys/contrib/pf
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys/contrib/pf:r182841-182842
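Review bot: The added `KASSERT(len >= 0, ...)` in sys/netinet/tcp_output.c is compiled in only on INVARIANTS kernels, so a production kernel still carries a negative `len` into the header mbuf setup that follows; the same applies to the assertion reworded in the `@@ -391` hunk. The new comment should say so, for example `* Only checked with INVARIANTS; other kernels proceed with len as is.`. Printing the value would also help triage: `KASSERT(len >= 0, ("[%s:%d]: len %ld < 0", __func__, __LINE__, (long)len));`. The enclosing function starts and ends outside the hunk, so the declared type of `len` is assumed and the cast guards against a mismatch.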