From owner-freebsd-stable@freebsd.org  Wed Dec  2 19:29:37 2015
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A9E1DA3E7A5
 for <freebsd-stable@mailman.ysv.freebsd.org>;
 Wed,  2 Dec 2015 19:29:37 +0000 (UTC)
 (envelope-from jenkins-admin@FreeBSD.org)
Received: from jenkins-9.freebsd.org (jenkins-9.freebsd.org [8.8.178.209])
 by mx1.freebsd.org (Postfix) with ESMTP id 9A5BE1251;
 Wed,  2 Dec 2015 19:29:37 +0000 (UTC)
 (envelope-from jenkins-admin@FreeBSD.org)
Received: from jenkins-9.freebsd.org (localhost [127.0.0.1])
 by jenkins-9.freebsd.org (Postfix) with ESMTP id 59EAC501;
 Wed,  2 Dec 2015 19:29:37 +0000 (UTC)
Date: Wed, 2 Dec 2015 19:29:31 +0000 (GMT)
From: jenkins-admin@FreeBSD.org
To: fabient@FreeBSD.org, jenkins-admin@FreeBSD.org, freebsd-stable@FreeBSD.org
Message-ID: <1427676947.364.1449084575695.JavaMail.jenkins@jenkins-9.freebsd.org>
In-Reply-To: <321144087.362.1449070632560.JavaMail.jenkins@jenkins-9.freebsd.org>
References: <321144087.362.1449070632560.JavaMail.jenkins@jenkins-9.freebsd.org>
Subject: FreeBSD_stable_10 - Build #1860 - Fixed
MIME-Version: 1.0
X-Jenkins-Job: FreeBSD_stable_10
X-Jenkins-Result: SUCCESS
Precedence: bulk
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.20
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, 
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 19:29:37 -0000

FreeBSD_stable_10 - Build #1860 - Fixed:

Build information: https://jenkins.FreeBSD.org/job/FreeBSD_stable_10/1860/
Full change log: https://jenkins.FreeBSD.org/job/FreeBSD_stable_10/1860/changes
Full build log: https://jenkins.FreeBSD.org/job/FreeBSD_stable_10/1860/console

Change summaries:

291652 by fabient:
MFC r291301:

The r241129 description was wrong that the scenario is possible
 only for read locks on pcbs. The same race can happen with write
 lock semantics as well.

 The race scenario:

 - Two threads (1 and 2) locate pcb with writer semantics (INPLOOKUP_WLOCKPCB)
  and do in_pcbref() on it.
 - 1 and 2 both drop the inp hash lock.
 - Another thread (3) grabs the inp hash lock. Then it runs in_pcbfree(),
  which wlocks the pcb. They must happen faster than 1 or 2 come INP_WLOCK()!
 - 1 and 2 congest in INP_WLOCK().
 - 3 does in_pcbremlists(), drops hash lock, and runs in_pcbrele_wlocked(),
  which doesn't free the pcb due to two references on it.
  Then it unlocks the pcb.
 - 1 (or 2) gets wlock on the pcb, runs in_pcbrele_wlocked(), which doesn't
  report inp as freed, due to 2 (or 1) still helding extra reference on it.
  The thread tries to do smth with a disconnected pcb and crashes.

 Submitted by:	emeric.poupon@stormshield.eu
 Reviewed by:	glebius@
 Sponsored by: Stormshield
 Tested by: Cassiano Peixoto, Stormshield