Date: Thu, 10 Jun 2004 00:04:27 +0000 (UTC) From: Bosko Milekic <bmilekic@FreeBSD.org> To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/kern uipc_mbuf.c Message-ID: <200406100004.i5A04RSt084805@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
bmilekic 2004-06-10 00:04:27 UTC
FreeBSD src repository
Modified files:
sys/kern uipc_mbuf.c
Log:
Plug a race where upon free this scenario could occur:
(time grows downward)
thread 1 thread 2
------------|------------
dec ref_cnt |
| dec ref_cnt <-- ref_cnt now zero
cmpset |
free all |
return |
|
alloc again,|
reuse prev |
ref_cnt |
| cmpset, read
| already freed
| ref_cnt
------------|------------
This should fix that by performing only a single
atomic test-and-set that will serve to decrement
the ref_cnt, only if it hasn't changed since the
earlier read, otherwise it'll loop and re-read.
This forces ordering of decrements so that truly
the thread which did the LAST decrement is the
one that frees.
This is how atomic-instruction-based refcnting
should probably be handled.
Submitted by: Julian Elischer
Revision Changes Path
1.132 +30 -15 src/sys/kern/uipc_mbuf.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200406100004.i5A04RSt084805>