Date: Tue, 1 Mar 2005 18:53:21 -0500
From: Bosko Milekic <bmilekic@technokratis.com>
To: Doug White <dwhite@gumbysoft.com>
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: Race condition in mb_free_ext()?
Message-ID: <20050301235321.GA20232@technokratis.com>
In-Reply-To: <20050228214850.X62607@carver.gumbysoft.com>
References: <20050301000436.GA33346@xor.obsecurity.org> <20050228214850.X62607@carver.gumbysoft.com>

On Mon, Feb 28, 2005 at 10:00:25PM -0800, Doug White wrote:
> Forgive me for being naive, but is there a reason you don't do an atomic
> subtraction on the refcount? I can see why it repeats -- if two things
> are warring over the refcount one or the other keeps trying until one wins
> -- but the subtraction would seem more intuitive.

The subtraction is atomic and is part of the cmpset. If you were to
only do a subtraction, you risk racing on figuring out what the counter
value before the subtraction was and making sure that it stays
consistent after the subtraction. That is the purpose of the cmpset.

The idea is that only the LAST thread to decrement the counter down to
exactly 1 frees the cluster. If you look at the CVS history for that
routine and its various incarnations (you might need to look at
kern/subr_mbuf.c in the attic, since mb_free_ext() used to be there,
iirc), you will see various points in time where we had this wrong.

> --
> Doug White | FreeBSD: The Power to Serve
> dwhite@gumbysoft.com | www.FreeBSD.org

--
Bosko Milekic
bmilekic@technokratis.com
bmilekic@FreeBSD.org
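
The race discussed in the message above, as an added example that is not part of the original e-mail and is not FreeBSD's mb_free_ext() code. It replays one constructed two-holder interleaving with a separate read and subtract, then with a compare-and-set loop; cmpset(), ref_release() and the scenario functions are hypothetical names, and the example assumes the holder whose compare-and-set replaces 1 with 0 is the one that frees.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical cmpset: store newv only if *p still equals oldv. */
static int cmpset(atomic_uint *p, unsigned oldv, unsigned newv) {
    return atomic_compare_exchange_strong(p, &oldv, newv);
}

/* Drop one reference. Returns 1 only to the caller whose cmpset replaced
 * 1 with 0 (assumed convention): that caller frees the storage. */
int ref_release(atomic_uint *cnt) {
    for (;;) {
        unsigned seen = atomic_load(cnt);
        if (cmpset(cnt, seen, seen - 1))
            return seen == 1;
        /* The counter changed after we read it: re-read and retry. */
    }
}

/* Constructed interleaving of holders A and B. fetch_sub's return value is
 * ignored on purpose, to model a subtraction that reports nothing. */
int read_then_subtract(void) {
    atomic_uint cnt = 2;
    unsigned a = atomic_load(&cnt), b = atomic_load(&cnt); /* both see 2 */
    atomic_fetch_sub(&cnt, 1);                             /* A */
    atomic_fetch_sub(&cnt, 1);                             /* B */
    return (a == 1) + (b == 1);          /* nobody saw 1: leak */
}

int subtract_then_read(void) {
    atomic_uint cnt = 2;
    atomic_fetch_sub(&cnt, 1);                             /* A */
    atomic_fetch_sub(&cnt, 1);                             /* B */
    unsigned a = atomic_load(&cnt), b = atomic_load(&cnt); /* both see 0 */
    return (a == 0) + (b == 0);          /* both free: double free */
}

/* Same start as read_then_subtract(), but the decrement is a cmpset. */
int cmpset_interleaved(void) {
    atomic_uint cnt = 2;
    unsigned a = atomic_load(&cnt), b = atomic_load(&cnt); /* both see 2 */
    int frees = cmpset(&cnt, a, a - 1) && a == 1;  /* A wins 2 -> 1 */
    if (!cmpset(&cnt, b, b - 1))                   /* B's 2 is stale */
        frees += ref_release(&cnt);                /* B retries, sees 1 */
    return frees;
}

int main(void) {
    printf("%d %d %d\n", read_then_subtract(), subtract_then_read(), cmpset_interleaved());
}
```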