Date: Mon, 09 Feb 2015 15:11:21 -0500 From: John Baldwin <jhb@freebsd.org> To: Randall Stewart <rrs@freebsd.org> Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r278472 - in head/sys: netinet netinet6 Message-ID: <1903622.i3cFFNVYcL@ralph.baldwin.cx> In-Reply-To: <201502091928.t19JSC5P066293@svn.freebsd.org> References: <201502091928.t19JSC5P066293@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Monday, February 09, 2015 07:28:12 PM Randall Stewart wrote: > Author: rrs > Date: Mon Feb 9 19:28:11 2015 > New Revision: 278472 > URL: https://svnweb.freebsd.org/changeset/base/278472 > > Log: > This fixes a bug in the way that the LLE timers for nd6 > and arp were being used. They basically would pass in the > mutex to the callout_init. Because they used this method > to the callout system, it was possible to "stop" the callout. > When flushing the table and you stopped the running callout, the > callout_stop code would return 1 indicating that it was going > to stop the callout (that was about to run on the callout_wheel blocked > by the function calling the stop). Now when 1 was returned, it would > lower the reference count one extra time for the stopped timer, then > a few lines later delete the memory. Of course the callout_wheel was > stuck in the lock code and would then crash since it was accessing > freed memory. By using callout_init(c, 1) we always get a 0 back > and the reference counting bug does not rear its head. We do have > to make a few adjustments to the callouts themselves though to make > sure it does the proper thing if rescheduled as well as gets the lock. > > Commented upon by hiren and sbruno > See Phabricator D1777 for more details. > > Commented upon by hiren and sbruno > Reviewed by: adrian, jhb and bz > Sponsored by: Netflix Inc. Eh, I looked at it, but I really, really don't like it. I think callout_init_*() should be preferred to CALLOUT_MPSAFE whenever possible as it is less race-prone. I think this should probably be fixed by adding Hans' callout_drain_async() instead, though this is fine as a temporary workaround. -- John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1903622.i3cFFNVYcL>