From owner-svn-src-all@FreeBSD.ORG Mon Feb 9 20:47:56 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D08CAF44 for ; Mon, 9 Feb 2015 20:47:56 +0000 (UTC) Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.freebsd.org (Postfix) with SMTP id 6D558C96 for ; Mon, 9 Feb 2015 20:47:55 +0000 (UTC) Received: (qmail 61314 invoked from network); 9 Feb 2015 20:41:13 -0000 Received: from 188.182.139.176 (HELO x2.osted.lan) (188.182.139.176) by relay03.pair.com with SMTP; 9 Feb 2015 20:41:13 -0000 X-pair-Authenticated: 188.182.139.176 Received: from x2.osted.lan (localhost [127.0.0.1]) by x2.osted.lan (8.14.9/8.14.9) with ESMTP id t19KfBHx047323 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 9 Feb 2015 21:41:12 +0100 (CET) (envelope-from pho@x2.osted.lan) Received: (from pho@localhost) by x2.osted.lan (8.14.9/8.14.9/Submit) id t19KfBPn047322; Mon, 9 Feb 2015 21:41:11 +0100 (CET) (envelope-from pho) Date: Mon, 9 Feb 2015 21:41:11 +0100 From: Peter Holm To: Randall Stewart Subject: Re: svn commit: r278472 - in head/sys: netinet netinet6 Message-ID: <20150209204111.GA47080@x2.osted.lan> References: <201502091928.t19JSC5P066293@svn.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201502091928.t19JSC5P066293@svn.freebsd.org> User-Agent: Mutt/1.5.23 (2014-03-12) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2015 20:47:57 -0000 On Mon, Feb 09, 2015 at 07:28:12PM +0000, Randall Stewart wrote: > Author: rrs > Date: Mon Feb 9 19:28:11 2015 > New Revision: 278472 > URL: https://svnweb.freebsd.org/changeset/base/278472 > > Log: > This fixes a bug in the way that the LLE timers for nd6 > and arp were being used. They basically would pass in the > mutex to the callout_init. Because they used this method > to the callout system, it was possible to "stop" the callout. > When flushing the table and you stopped the running callout, the > callout_stop code would return 1 indicating that it was going > to stop the callout (that was about to run on the callout_wheel blocked > by the function calling the stop). Now when 1 was returned, it would > lower the reference count one extra time for the stopped timer, then > a few lines later delete the memory. Of course the callout_wheel was > stuck in the lock code and would then crash since it was accessing > freed memory. By using callout_init(c, 1) we always get a 0 back > and the reference counting bug does not rear its head. We do have > to make a few adjustments to the callouts themselves though to make > sure it does the proper thing if rescheduled as well as gets the lock. > > Commented upon by hiren and sbruno > See Phabricator D1777 for more details. > > Commented upon by hiren and sbruno > Reviewed by: adrian, jhb and bz > Sponsored by: Netflix Inc. > > Modified: > head/sys/netinet/if_ether.c > head/sys/netinet/in.c > head/sys/netinet6/in6.c > head/sys/netinet6/nd6.c > Could this be yours? db:0:pho> bt Tracing pid 9629 tid 100639 td 0xfffff8011cce14a0 in6_lltable_lookup() at in6_lltable_lookup+0x11a/frame 0xfffffe081e426200 nd6_output() at nd6_output+0x15d/frame 0xfffffe081e426290 ip6_output() at ip6_output+0x2128/frame 0xfffffe081e426790 tcp_output() at tcp_output+0x2dae/frame 0xfffffe081e426c30 tcp_usr_send() at tcp_usr_send+0x2fe/frame 0xfffffe081e426cb0 sosend_generic() at sosend_generic+0x414/frame 0xfffffe081e426d60 clnt_vc_call() at clnt_vc_call+0x477/frame 0xfffffe081e426ec0 clnt_reconnect_call() at clnt_reconnect_call+0x46c/frame 0xfffffe081e426f70 newnfs_request() at newnfs_request+0x9ba/frame 0xfffffe081e4270d0 nfscl_request() at nfscl_request+0x72/frame 0xfffffe081e427120 nfsrpc_lookup() at nfsrpc_lookup+0x213/frame 0xfffffe081e4272a0 nfs_lookup() at nfs_lookup+0x467/frame 0xfffffe081e4275c0 VOP_LOOKUP_APV() at VOP_LOOKUP_APV+0x10f/frame 0xfffffe081e4275f0 lookup() at lookup+0x5d5/frame 0xfffffe081e427680 namei() at namei+0x536/frame 0xfffffe081e427740 kern_statat() at kern_statat+0xae/frame 0xfffffe081e427900 sys_fstatat() at sys_fstatat+0x2c/frame 0xfffffe081e4279a0 amd64_syscall() at amd64_syscall+0x29c/frame 0xfffffe081e427ab0 http://people.freebsd.org/~pho/stress/log/rrs003.txt - Peter