Race condition in mb_free_ext()?
Bosko Milekic
bmilekic at technokratis.com
Tue Mar 1 23:53:25 GMT 2005
On Mon, Feb 28, 2005 at 10:00:25PM -0800, Doug White wrote:
> Forgive me for being naive, but is there a reason you don't do an atomic
> subtraction on the refcount? I can see why it repeats -- if two things
> are warring over the refcount one or the other keeps trying until one wins
> -- but the subtraction would seem more intuitive.
The subtraction is atomic and is part of the cmpset. If you were to
only do a subtraction, you risk racing on figuring out what the
counter value before the subtraction was and making sure that it stays
consistent after the subtraction. That is the purpose of the cmpset.
The idea is that only the LAST thread to decrement the counter down to
exactly 1 frees the cluster.
If you look at the CVS history for that routine and its various
incarnations (you might need to look at kern/subr_mbuf.c in the attic,
since mb_free_ext() used to be there, iirc), you will see various
points in time where we had this wrong.
> --
> Doug White | FreeBSD: The Power to Serve
> dwhite at gumbysoft.com | www.FreeBSD.org
--
Bosko Milekic
bmilekic at technokratis.com
bmilekic at FreeBSD.org
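
An added illustration of the read-then-cmpset release pattern discussed in this message, written with C11 atomics; it is not part of the original message and is not the FreeBSD code. The names `struct buf`, `try_drop`, `buf_release` and `replay_race` are hypothetical, and the two-holder interleaving is constructed and replayed on a single thread so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical refcounted buffer standing in for a cluster with a shared count. */
struct buf {
    atomic_uint refcnt;
    bool freed;   /* set instead of calling free(), so the result is observable */
};

/* One cmpset attempt: store snapshot-1 only if the counter still equals snapshot. */
static bool try_drop(struct buf *b, unsigned snapshot)
{
    return atomic_compare_exchange_strong(&b->refcnt, &snapshot, snapshot - 1);
}

/* Release one reference. Returns true if this caller was the last holder and freed. */
static bool buf_release(struct buf *b)
{
    for (;;) {
        unsigned cnt = atomic_load(&b->refcnt);
        if (cnt == 1) {           /* we hold the only remaining reference */
            b->freed = true;
            return true;
        }
        if (try_drop(b, cnt))     /* counter unchanged since the read: decrement landed */
            return false;
        /* another holder changed the counter in between: re-read and retry */
    }
}

/* Constructed interleaving of two holders, A and B, replayed on one thread. */
static int replay_race(void)
{
    struct buf b;
    atomic_init(&b.refcnt, 2);
    b.freed = false;
    unsigned a_snapshot = atomic_load(&b.refcnt);  /* A reads 2 */
    bool b_freed = buf_release(&b);                /* B drops 2 -> 1 */
    bool a_stale = try_drop(&b, a_snapshot);       /* A's cmpset on stale 2 must fail */
    bool a_freed = buf_release(&b);                /* A retries, sees 1, frees */
    return (int)b_freed + (int)a_freed + (a_stale ? 10 : 0);  /* 1 = exactly one free */
}

int main(void)
{
    printf("frees: %d\n", replay_race());
    return 0;
}
```

The failed `try_drop` on the stale snapshot is the case the retry loop exists for: the decrement only takes effect when the value the caller based its decision on is still the value in memory.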