svn commit: r278472 - in head/sys: netinet netinet6
John Baldwin
jhb at freebsd.org
Mon Feb 9 20:34:40 UTC 2015
On Monday, February 09, 2015 07:28:12 PM Randall Stewart wrote:
> Author: rrs
> Date: Mon Feb 9 19:28:11 2015
> New Revision: 278472
> URL: https://svnweb.freebsd.org/changeset/base/278472
>
> Log:
> This fixes a bug in the way that the LLE timers for nd6
> and arp were being used. They basically would pass in the
> mutex to the callout_init. Because they used this method
> to the callout system, it was possible to "stop" the callout.
> When flushing the table and you stopped the running callout, the
> callout_stop code would return 1 indicating that it was going
> to stop the callout (that was about to run on the callout_wheel blocked
> by the function calling the stop). Now when 1 was returned, it would
> lower the reference count one extra time for the stopped timer, then
> a few lines later delete the memory. Of course the callout_wheel was
> stuck in the lock code and would then crash since it was accessing
> freed memory. By using callout_init(c, 1) we always get a 0 back
> and the reference counting bug does not rear its head. We do have
> to make a few adjustments to the callouts themselves though to make
> sure it does the proper thing if rescheduled as well as gets the lock.
>
> Commented upon by hiren and sbruno
> See Phabricator D1777 for more details.
>
> Commented upon by hiren and sbruno
> Reviewed by: adrian, jhb and bz
> Sponsored by: Netflix Inc.
Eh, I looked at it, but I really, really don't like it. I think
callout_init_*() should be preferred to CALLOUT_MPSAFE whenever possible as it
is less race-prone. I think this should probably be fixed by adding Hans'
callout_drain_async() instead, though this is fine as a temporary workaround.
--
John Baldwin
More information about the svn-src-all
mailing list