Date: Thu, 10 Nov 2005 11:40:13 -0500 From: John Baldwin <jhb@freebsd.org> To: freebsd-current@freebsd.org Cc: max@love2party.net, snezhko@indorsoft.ru, bug-followup@freebsd.org Subject: Re: kern/88725: /usr/sbin/ppp panic with 2005.10.21 netinet6 changes Message-ID: <200511101140.15374.jhb@freebsd.org> In-Reply-To: <x74q6kh5oe.wl%suz@alaxala.net> References: <uy83x3hon.fsf@indorsoft.ru> <uslu4ydqt.fsf@indorsoft.ru> <x74q6kh5oe.wl%suz@alaxala.net>
index | next in thread | previous in thread | raw e-mail
On Thursday 10 November 2005 10:40 am, SUZUKI Shinsuke wrote:
> >>>>> On Thu, 10 Nov 2005 16:54:34 +0600
> >>>>> snezhko@indorsoft.ru(Victor Snezhko) said:
> >
> > Mark Tinguely has found the offending timer.
> > The following patch fixes the problem for me:
>
> Thanks. sounds right for me.
> So please commit it if when you've finished the test with fresh -current.
As a general rule you should be using callout_drain() before freeing a callout
to handle the race condition where the callout is running on another CPU (so
callout_stop can't stop it) while you are freeing it. Note that you can not
use callout_drain() if you are holding any locks, though. In those cases you
will need to defer the callout_drain() and free() until you have dropped the
locks. Here's one example fix:
Index: nd6.c
===================================================================
RCS file: /usr/cvs/src/sys/netinet6/nd6.c,v
retrieving revision 1.62
diff -u -r1.62 nd6.c
--- nd6.c 22 Oct 2005 05:07:16 -0000 1.62
+++ nd6.c 3 Nov 2005 19:56:42 -0000
@@ -398,7 +398,7 @@
if (tick < 0) {
ln->ln_expire = 0;
ln->ln_ntick = 0;
- callout_stop(&ln->ln_timer_ch);
+ callout_drain(&ln->ln_timer_ch);
} else {
ln->ln_expire = time_second + tick / hz;
if (tick > INT_MAX) {
--
John Baldwin <jhb@FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200511101140.15374.jhb>