svn commit: r278472 - in head/sys: netinet netinet6
Peter Holm
peter at holm.cc
Mon Feb 9 20:47:57 UTC 2015
On Mon, Feb 09, 2015 at 07:28:12PM +0000, Randall Stewart wrote:
> Author: rrs
> Date: Mon Feb 9 19:28:11 2015
> New Revision: 278472
> URL: https://svnweb.freebsd.org/changeset/base/278472
>
> Log:
> This fixes a bug in the way that the LLE timers for nd6
> and arp were being used. They basically would pass in the
> mutex to the callout_init. Because they used this method
> to the callout system, it was possible to "stop" the callout.
> When flushing the table and you stopped the running callout, the
> callout_stop code would return 1 indicating that it was going
> to stop the callout (that was about to run on the callout_wheel blocked
> by the function calling the stop). Now when 1 was returned, it would
> lower the reference count one extra time for the stopped timer, then
> a few lines later delete the memory. Of course the callout_wheel was
> stuck in the lock code and would then crash since it was accessing
> freed memory. By using callout_init(c, 1) we always get a 0 back
> and the reference counting bug does not rear its head. We do have
> to make a few adjustments to the callouts themselves though to make
> sure it does the proper thing if rescheduled as well as gets the lock.
>
> Commented upon by hiren and sbruno
> See Phabricator D1777 for more details.
>
> Commented upon by hiren and sbruno
> Reviewed by: adrian, jhb and bz
> Sponsored by: Netflix Inc.
>
> Modified:
> head/sys/netinet/if_ether.c
> head/sys/netinet/in.c
> head/sys/netinet6/in6.c
> head/sys/netinet6/nd6.c
>
Could this be yours?
db:0:pho> bt
Tracing pid 9629 tid 100639 td 0xfffff8011cce14a0
in6_lltable_lookup() at in6_lltable_lookup+0x11a/frame 0xfffffe081e426200
nd6_output() at nd6_output+0x15d/frame 0xfffffe081e426290
ip6_output() at ip6_output+0x2128/frame 0xfffffe081e426790
tcp_output() at tcp_output+0x2dae/frame 0xfffffe081e426c30
tcp_usr_send() at tcp_usr_send+0x2fe/frame 0xfffffe081e426cb0
sosend_generic() at sosend_generic+0x414/frame 0xfffffe081e426d60
clnt_vc_call() at clnt_vc_call+0x477/frame 0xfffffe081e426ec0
clnt_reconnect_call() at clnt_reconnect_call+0x46c/frame 0xfffffe081e426f70
newnfs_request() at newnfs_request+0x9ba/frame 0xfffffe081e4270d0
nfscl_request() at nfscl_request+0x72/frame 0xfffffe081e427120
nfsrpc_lookup() at nfsrpc_lookup+0x213/frame 0xfffffe081e4272a0
nfs_lookup() at nfs_lookup+0x467/frame 0xfffffe081e4275c0
VOP_LOOKUP_APV() at VOP_LOOKUP_APV+0x10f/frame 0xfffffe081e4275f0
lookup() at lookup+0x5d5/frame 0xfffffe081e427680
namei() at namei+0x536/frame 0xfffffe081e427740
kern_statat() at kern_statat+0xae/frame 0xfffffe081e427900
sys_fstatat() at sys_fstatat+0x2c/frame 0xfffffe081e4279a0
amd64_syscall() at amd64_syscall+0x29c/frame 0xfffffe081e427ab0
http://people.freebsd.org/~pho/stress/log/rrs003.txt
- Peter
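
The reference accounting described in the quoted commit log, as an added example that is not part of this thread or of the FreeBSD source. It is a simplified user-space model; the struct, the state names and the functions are hypothetical, and only the return values of the stop call follow the log's description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of the commit log's scenario; not kernel code. */
enum tstate { T_IDLE, T_DISPATCHED };  /* DISPATCHED: picked up by the callout wheel */

struct entry {
    int refcnt;        /* one reference for the table, one for the armed timer */
    enum tstate st;
    bool lock_passed;  /* true: entry lock handed to callout init (old code) */
    bool freed;
};

static void entry_unref(struct entry *e) { if (--e->refcnt == 0) e->freed = true; }

/* Model of the stop call: 1 means "the handler will not run". */
static int model_stop(const struct entry *e)
{
    /* Old code: the wheel is still blocked on the entry lock, so the stop
     * claims success. New code (callout_init(c, 1)): too late, returns 0. */
    return (e->st == T_DISPATCHED && e->lock_passed) ? 1 : 0;
}

/* Table flush racing with a timer that has already been dispatched.
 * Returns true when the wheel would touch the entry after it was freed. */
static bool flush_races_with_timer(bool lock_passed)
{
    struct entry e = { .refcnt = 2, .st = T_DISPATCHED,
                       .lock_passed = lock_passed, .freed = false };

    /* Flusher, holding the entry lock. */
    if (model_stop(&e) == 1)
        entry_unref(&e);          /* drops the timer's reference */
    entry_unref(&e);              /* drops the table's reference */

    /* Flusher unlocks; the wheel resumes and touches the entry (its lock). */
    bool use_after_free = e.freed;
    if (!use_after_free)
        entry_unref(&e);          /* handler locks, then drops the timer's ref */
    return use_after_free;
}

int main(void)
{
    printf("lock passed to callout init: UAF=%d\n", flush_races_with_timer(true));
    printf("callout_init(c, 1) style:    UAF=%d\n", flush_races_with_timer(false));
    return 0;
}
```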