From owner-svn-src-all@FreeBSD.ORG Mon Jul 13 11:59:38 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 99FFD106566C; Mon, 13 Jul 2009 11:59:38 +0000 (UTC) (envelope-from lstewart@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 6DA208FC15; Mon, 13 Jul 2009 11:59:38 +0000 (UTC) (envelope-from lstewart@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n6DBxcXQ024365; Mon, 13 Jul 2009 11:59:38 GMT (envelope-from lstewart@svn.freebsd.org) Received: (from lstewart@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n6DBxcF8024363; Mon, 13 Jul 2009 11:59:38 GMT (envelope-from lstewart@svn.freebsd.org) Message-Id: <200907131159.n6DBxcF8024363@svn.freebsd.org> From: Lawrence Stewart Date: Mon, 13 Jul 2009 11:59:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r195655 - head/sys/netinet X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2009 11:59:39 -0000 Author: lstewart Date: Mon Jul 13 11:59:38 2009 New Revision: 195655 URL: http://svn.freebsd.org/changeset/base/195655 Log: Fix a race in the manipulation of the V_tcp_sack_globalholes global variable, which is currently not protected by any type of lock. When triggered, the bug would sometimes cause a panic when the TCP activity to an affected machine eventually slowed during a lull. The panic only occurs if INVARIANTS is compiled into the kernel, and has laid dormant for some time as a result of INVARIANTS being off by default except in FreeBSD-CURRENT. Switch to atomic operations in the locations where the variable is changed. Reads have not been updated to be protected by atomics, so there is a possibility of accounting errors in any given calculation where the variable is read. This is considered unlikely to occur in the wild, and will not cause serious harm on rare occasions where it does. Thanks to Robert Watson for debugging help. Reported by: Kamigishi Rei Tested by: Kamigishi Rei Reviewed by: silby Approved by: re (rwatson), kensmith (mentor temporarily unavailable) Modified: head/sys/netinet/tcp_sack.c Modified: head/sys/netinet/tcp_sack.c ============================================================================== --- head/sys/netinet/tcp_sack.c Mon Jul 13 11:51:02 2009 (r195654) +++ head/sys/netinet/tcp_sack.c Mon Jul 13 11:59:38 2009 (r195655) @@ -273,7 +273,7 @@ tcp_sackhole_alloc(struct tcpcb *tp, tcp hole->rxmit = start; tp->snd_numholes++; - V_tcp_sack_globalholes++; + atomic_add_int(&V_tcp_sack_globalholes, 1); return hole; } @@ -289,7 +289,7 @@ tcp_sackhole_free(struct tcpcb *tp, stru uma_zfree(V_sack_hole_zone, hole); tp->snd_numholes--; - V_tcp_sack_globalholes--; + atomic_subtract_int(&V_tcp_sack_globalholes, 1); KASSERT(tp->snd_numholes >= 0, ("tp->snd_numholes >= 0")); KASSERT(V_tcp_sack_globalholes >= 0, ("tcp_sack_globalholes >= 0"));