Shouldn't we also call unp_internalize() in the case where m != NULL? I know that calls from userspace will pass a uio, but it seems possible that some kernel consumer may pass control messages.

Seems like this should be a routine in mbuf.h.

I'm pretty sure there is no valid case for a kernel socket to send control.

I would do it as soon as there is a second place with the same sequence.

Maybe, but then we're making an equivalency "uio != NULL if and only if the sender is userspace", which is fragile IMHO and wasn't present in the replaced code. Formally it's not a bug since nothing will trigger it today, but it feels strange.

I always seen this equivalency as a strong statement! uio is a structure to pass data between user and kernel, so if a kernel thread uses it, then it does something very hack-a-like and it is their responsibility to fully emulate user-like context, e.g. be able to sleep.

I don't really understand. KTLS is (almost) an example: it converts the uio to mbufs before passing data to the protocol send method, in order to insert frame headers. Is that hacky? Why can't such a thing be done one layer up above sosend? I can easily imagine something like the Linuxulator needing to do this to implement some special Linux interface.

I don't want to argue too much since this is probably not a real problem for now, but it also seems easy to fix, unless I'm missing something. We would just have a contract which says that anything passing a control message should be prepared to sleep, no matter whether data is passed with an mbuf chain or a uio.

If you still plan to omit the unp_internalize() call here, I'd suggest making this an explicit panic not depending on INVARIANTS. It's cheap to check.

I don't really understand. KTLS is (almost) an example: it converts the uio to mbufs before passing data to the protocol send method, in order to insert frame headers. Is that hacky? Why can't such a thing be done one layer up above sosend? I can easily imagine something like the Linuxulator needing to do this to implement some special Linux interface.

I meant hacky is to send uio from a kernel thread. It isn't hacky to send mbufs from a userland sosend() with uio substituted to mbufs by some intermediate shim. However, until this happens to any unix/dgram consumer, I would prefer to keep invariant that this doesn't happen.

I don't want to argue too much since this is probably not a real problem for now, but it also seems easy to fix, unless I'm missing something. We would just have a contract which says that anything passing a control message should be prepared to sleep, no matter whether data is passed with an mbuf chain or a uio.

We already have this contract, since processing many of the control messages requires sleeping.

Will do.

Ok.

This is racy, the PCB isn't locked at this point.

fixed