From owner-svn-src-all@FreeBSD.ORG Mon Feb 9 20:34:39 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E38907DF; Mon, 9 Feb 2015 20:34:39 +0000 (UTC) Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BC76AAD8; Mon, 9 Feb 2015 20:34:39 +0000 (UTC) Received: from ralph.baldwin.cx (pool-173-54-116-245.nwrknj.fios.verizon.net [173.54.116.245]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id D4677B945; Mon, 9 Feb 2015 15:34:37 -0500 (EST) From: John Baldwin To: Randall Stewart Subject: Re: svn commit: r278472 - in head/sys: netinet netinet6 Date: Mon, 09 Feb 2015 15:11:21 -0500 Message-ID: <1903622.i3cFFNVYcL@ralph.baldwin.cx> User-Agent: KMail/4.14.2 (FreeBSD/10.1-STABLE; KDE/4.14.2; amd64; ; ) In-Reply-To: <201502091928.t19JSC5P066293@svn.freebsd.org> References: <201502091928.t19JSC5P066293@svn.freebsd.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Mon, 09 Feb 2015 15:34:37 -0500 (EST) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2015 20:34:40 -0000 On Monday, February 09, 2015 07:28:12 PM Randall Stewart wrote: > Author: rrs > Date: Mon Feb 9 19:28:11 2015 > New Revision: 278472 > URL: https://svnweb.freebsd.org/changeset/base/278472 > > Log: > This fixes a bug in the way that the LLE timers for nd6 > and arp were being used. They basically would pass in the > mutex to the callout_init. Because they used this method > to the callout system, it was possible to "stop" the callout. > When flushing the table and you stopped the running callout, the > callout_stop code would return 1 indicating that it was going > to stop the callout (that was about to run on the callout_wheel blocked > by the function calling the stop). Now when 1 was returned, it would > lower the reference count one extra time for the stopped timer, then > a few lines later delete the memory. Of course the callout_wheel was > stuck in the lock code and would then crash since it was accessing > freed memory. By using callout_init(c, 1) we always get a 0 back > and the reference counting bug does not rear its head. We do have > to make a few adjustments to the callouts themselves though to make > sure it does the proper thing if rescheduled as well as gets the lock. > > Commented upon by hiren and sbruno > See Phabricator D1777 for more details. > > Commented upon by hiren and sbruno > Reviewed by: adrian, jhb and bz > Sponsored by: Netflix Inc. Eh, I looked at it, but I really, really don't like it. I think callout_init_*() should be preferred to CALLOUT_MPSAFE whenever possible as it is less race-prone. I think this should probably be fixed by adding Hans' callout_drain_async() instead, though this is fine as a temporary workaround. -- John Baldwin