Subject: Re: svn commit: r278472 - in head/sys: netinet netinet6
From: Randall Stewart
Date: Fri, 13 Feb 2015 17:08:12 -0500
To: Gleb Smirnoff
Cc: src-committers@freebsd.org, John Baldwin, Eric van Gyzen, svn-src-all@freebsd.org, Randall Stewart, svn-src-head@freebsd.org, zont@FreeBSD.org, rstone@FreeBSD.org

On Feb 13, 2015, at 4:21 PM, Gleb Smirnoff wrote:

> On Mon, Feb 09, 2015 at 03:11:21PM -0500, John Baldwin wrote:
> J> On Monday, February 09, 2015 07:28:12 PM Randall Stewart wrote:
> J> > Author: rrs
> J> > Date: Mon Feb 9 19:28:11 2015
> J> > New Revision: 278472
> J> > URL: https://svnweb.freebsd.org/changeset/base/278472
> J> >
> J> > Log:
> J> > This fixes a bug in the way that the LLE timers for nd6
> J> > and arp were being used. They basically would pass in the
> J> > mutex to the callout_init. Because they used this method
> J> > to the callout system, it was possible to "stop" the callout.
> J> > When flushing the table and you stopped the running callout, the
> J> > callout_stop code would return 1 indicating that it was going
> J> > to stop the callout (that was about to run on the callout_wheel blocked
> J> > by the function calling the stop). Now when 1 was returned, it would
> J> > lower the reference count one extra time for the stopped timer, then
> J> > a few lines later delete the memory. Of course the callout_wheel was
> J> > stuck in the lock code and would then crash since it was accessing
> J> > freed memory. By using callout_init(c, 1) we always get a 0 back
> J> > and the reference counting bug does not rear its head. We do have
> J> > to make a few adjustments to the callouts themselves though to make
> J> > sure it does the proper thing if rescheduled as well as gets the lock.
> J> >
> J> > Commented upon by hiren and sbruno
> J> > See Phabricator D1777 for more details.
> J> >
> J> > Commented upon by hiren and sbruno
> J> > Reviewed by: adrian, jhb and bz
> J> > Sponsored by: Netflix Inc.
> J>
> J> Eh, I looked at it, but I really, really don't like it. I think
> J> callout_init_*() should be preferred to CALLOUT_MPSAFE whenever possible as it
> J> is less race-prone. I think this should probably be fixed by adding Hans'
> J> callout_drain_async() instead, though this is fine as a temporary workaround.
>
> I second concerns. Please look at kern/165863 and r238990 that fixed it.
> Transition from CALLOUT_MPSAFE to callout_init_rw() was intentional
> and fixed races.
>
> I added to Cc guys who helped to track down those races. Maybe someone still
> has test scripts at hand. AFAIR, there were some that allowed to put a box
> down quite quickly.

Well without it we can also put a box down quickly.. at least Sbruno and Hiren seem to be able to..
you end up with deleted memory being accessed by the callout code.

I can look at kern/165863 and 238990.. let me go see what I can see ;0

>
> --
> Totus tuus, Glebius.

--------
Randall Stewart
rrs@netflix.com
803-317-4952
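
The reference-count sequence described in the quoted r278472 log, as an added single-threaded C model (not part of this thread and not FreeBSD code). The types and function names are hypothetical, and the two stop return values are taken from the log text.

```c
#include <stdbool.h>
#include <stdio.h>

/* Single-threaded model of the flush/timer interleaving described in the
 * r278472 log. All names are hypothetical; this is not FreeBSD code. */
enum co_mode { CO_WITH_MUTEX, CO_MPSAFE };
enum outcome { FREED_ONCE, USE_AFTER_FREE, LEAKED };

struct entry {
    int  refcnt;  /* one reference for the table, one for the armed timer */
    bool linked;  /* still reachable from the table */
    bool freed;   /* stands in for free(): the embedded lock is gone too */
};

static void entry_unref(struct entry *e) {
    if (--e->refcnt == 0)
        e->freed = true;
}

/* Stop result for a callout already dequeued and blocked on the entry lock,
 * per the log: 1 when mutex-associated, 0 after callout_init(c, 1). */
static int model_stop(enum co_mode mode) {
    return mode == CO_WITH_MUTEX ? 1 : 0;
}

enum outcome flush_outcome(enum co_mode mode) {
    struct entry e = { .refcnt = 2, .linked = true, .freed = false };

    /* Flush path: holds the entry lock while the callout thread waits on it. */
    e.linked = false;
    if (model_stop(mode) == 1)
        entry_unref(&e);        /* "timer is stopped": drop its reference */
    entry_unref(&e);            /* drop the table's reference */

    /* Callout thread resumes and must take the lock inside the entry. */
    if (e.freed)
        return USE_AFTER_FREE;  /* lock memory was already released */
    if (!e.linked)
        entry_unref(&e);        /* handler sees the unlink, drops timer ref */
    return e.freed ? FREED_ONCE : LEAKED;
}

int main(void) {
    printf("mutex-associated: %d\n", flush_outcome(CO_WITH_MUTEX));
    printf("callout_init(c, 1): %d\n", flush_outcome(CO_MPSAFE));
    return 0;
}
```

The model covers only the interleaving the log describes; it does not model the races from kern/165863 that the replies raise.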