Date: Wed, 5 Apr 2006 22:20:00 GMT 
From: Neel Natu
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: kern/95368: Test for race between callout_drain() and softclock() generates false positive

>Number: 95368
>Category: kern
>Synopsis: Test for race between callout_drain() and softclock() generates false positive
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 05 22:20:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Neel Natu
>Release: 6.0-RELEASE
>Organization:
>Environment:
FreeBSD butternut.silverspringnet.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
>Description:
This bug is applicable only on the 6.0 releng branch.

The check for race condition with softclock() will return positive even in the common case (i.e. when there is no race). This is because of the post-increment operator on wakeup_ctr.

From kern_timeout.c:

_callout_stop_safe()
{
	...
	if (safe) {
		/* We need to wait until the callout is finished. */
		wakeup_needed = 1;
		wakeup_cookie = wakeup_ctr++;
		mtx_unlock_spin(&callout_lock);
		mtx_lock(&callout_wait_lock);

		/*
		 * Check to make sure that softclock() didn't
		 * do the wakeup in between our dropping
		 * callout_lock and picking up callout_wait_lock
		 */
		if (wakeup_cookie - wakeup_done_ctr > 0)
			cv_wait(&callout_wait, &callout_wait_lock);

		mtx_unlock(&callout_wait_lock);
		...
}
>How-To-Repeat:
>Fix:
Index: kern_timeout.c =================================================================== RCS file: /cvsroot/eng/gw/sys/kern/kern_timeout.c,v retrieving revision 1.1.1.1.30.1 diff -u -r1.1.1.1.30.1 kern_timeout.c --- kern_timeout.c 17 Feb 2006 04:23:15 -0000 1.1.1.1.30.1 +++ kern_timeout.c 5 Apr 2006 22:16:06 -0000 @@ -523,7 +523,7 @@ if (safe) { /* We need to wait until the callout is finished. */ wakeup_needed = 1; - wakeup_cookie = wakeup_ctr++; + wakeup_cookie = ++wakeup_ctr; mtx_unlock_spin(&callout_lock); mtx_lock(&callout_wait_lock);
>Release-Note:
>Audit-Trail:
>Unformatted:
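
Review bot: the changed assignment `wakeup_cookie = ++wakeup_ctr;` carries no comment explaining why the pre-increment is required, and since it differs from the old line only in operator placement it is easy to revert by accident. A one-line comment at that assignment would help, stating that the cookie must hold the incremented counter value so that the later `wakeup_cookie - wakeup_done_ctr > 0` test quoted in the Description does not report a completed wakeup in the no-race case. The hunk also does not show where softclock() updates wakeup_done_ctr, so the fix should be checked against that assignment before it is committed.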
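
The counter check from the Description, modelled in user space as an added example (not code from this PR or from FreeBSD). It assumes that softclock() sets wakeup_done_ctr to wakeup_ctr when it performs the wakeup, which the report does not show; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the two counters named in the report. */
struct drain_model {
	int wakeup_ctr;      /* bumped by each draining thread */
	int wakeup_done_ctr; /* ASSUMPTION: softclock() copies wakeup_ctr here */
};

enum incr { POST_INCREMENT, PRE_INCREMENT };

/* ASSUMED softclock() side: record that the wakeup has been done. */
static void softclock_wakeup(struct drain_model *m)
{
	m->wakeup_done_ctr = m->wakeup_ctr;
}

/* One pass through the "if (safe)" branch; true if cv_wait() is reached. */
static bool drain_would_wait(struct drain_model *m, enum incr how,
    bool softclock_ran_in_window)
{
	int wakeup_cookie = (how == POST_INCREMENT) ?
	    m->wakeup_ctr++ : ++m->wakeup_ctr;

	/* Window between dropping callout_lock and taking callout_wait_lock. */
	if (softclock_ran_in_window)
		softclock_wakeup(m);
	return (wakeup_cookie - m->wakeup_done_ctr > 0);
}

/* Run n successive drains and count how many of them would block. */
static int count_waits(enum incr how, int n, bool race)
{
	struct drain_model m = { 0, 0 };
	int waits = 0;

	for (int i = 0; i < n; i++) {
		if (drain_would_wait(&m, how, race))
			waits++;
		softclock_wakeup(&m); /* the callout finishes eventually */
	}
	return (waits);
}

int main(void)
{
	printf("no race: post=%d pre=%d\n", count_waits(POST_INCREMENT, 5, false),
	    count_waits(PRE_INCREMENT, 5, false));
	printf("race:    post=%d pre=%d\n", count_waits(POST_INCREMENT, 5, true),
	    count_waits(PRE_INCREMENT, 5, true));
	return (0);
}
```

Under that assumption the post-increment form never reaches cv_wait(), so the drain returns without waiting for the callout, while the pre-increment form waits unless the wakeup landed in the window.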