On 02/09/15 at 07:28P, Randall Stewart wrote:
> Author: rrs
> Date: Mon Feb  9 19:28:11 2015
> New Revision: 278472
> URL: https://svnweb.freebsd.org/changeset/base/278472
> 
> Log:
>   This fixes a bug in the way that the LLE timers for nd6
>   and arp were being used. They basically would pass in the
>   mutex to the callout_init. Because they used this method
>   to the callout system, it was possible to "stop" the callout.
>   When flushing the table and you stopped the running callout, the
>   callout_stop code would return 1 indicating that it was going
>   to stop the callout (that was about to run on the callout_wheel blocked
>   by the function calling the stop). Now when 1 was returned, it would
>   lower the reference count one extra time for the stopped timer, then
>   a few lines later delete the memory. Of course the callout_wheel was
>   stuck in the lock code and would then crash since it was accessing
>   freed memory. By using callout_init(c, 1) we always get a 0 back
>   and the reference counting bug does not rear its head. We do have
>   to make a few adjustments to the callouts themselves though to make
>   sure it does the proper thing if rescheduled as well as gets the lock.
>   
>   Commented upon by hiren and sbruno
>   See Phabricator D1777 for more details.
>   
>   Commented upon by hiren and sbruno
>   Reviewed by:        adrian, jhb and bz
>   Sponsored by:       Netflix Inc.

Thanks for the fix, Randall.

When do you plan to MFC this? It'd be nice to have this MFC'd along with
D1711 changes so that we do not see panics reported in the review.

Cheers,
Hiren
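
The race described in the quoted commit log, as a toy userspace model added here (not FreeBSD source and not part of either message). The struct, the function names and the `freed` flag that stands in for free() are assumptions made for illustration; only the window where the wheel is already blocked on the entry lock is modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model: all names are hypothetical, none are FreeBSD kernel symbols. */
struct entry {
    int  refs;        /* 1 held by the table + 1 held by the armed timer */
    bool freed;       /* stands in for free(); memory is never really released */
    bool dispatched;  /* wheel picked the timer up and is blocked on the entry lock */
    bool lock_aware;  /* true: callout was given the mutex; false: callout_init(c, 1) */
};

static void unref(struct entry *e) { if (--e->refs == 0) e->freed = true; }

/* 1 = "stopped", 0 = could not stop (handler will still run). */
static int model_callout_stop(const struct entry *e)
{
    return (e->dispatched && !e->lock_aware) ? 0 : 1;
}

/* Table flush, called with the entry lock held. */
static void flush(struct entry *e)
{
    if (model_callout_stop(e))
        unref(e);             /* drop the timer's reference */
    unref(e);                 /* drop the table's reference */
}

/* Wheel resumes after the flusher unlocks; true = it touched freed memory. */
static bool wheel_resume(struct entry *e)
{
    if (e->freed)
        return true;          /* locking a mutex that lives in freed memory */
    unref(e);                 /* handler runs, releases the timer's reference */
    return false;
}

/* Runs the race once; reports use-after-free and leaves final state in *e. */
static bool flush_races_with_timer(bool lock_aware, struct entry *e)
{
    *e = (struct entry){ .refs = 2, .dispatched = true, .lock_aware = lock_aware };
    flush(e);
    return wheel_resume(e);
}

int main(void)
{
    struct entry e;
    printf("mutex passed to callout: uaf=%d\n", flush_races_with_timer(true, &e));
    printf("callout_init(c, 1):      uaf=%d\n", flush_races_with_timer(false, &e));
    return 0;
}
```

In both runs the count ends at zero; the difference is whether the last reference is dropped before or after the wheel touches the entry.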
