New "timeout" api, to replace callout

John Baldwin jhb at
Thu Jan 3 08:28:32 PST 2008

On Wednesday 02 January 2008 05:53:56 pm Andre Oppermann wrote:
> John Baldwin wrote:
> > On Sunday 02 December 2007 07:53:18 am Andre Oppermann wrote:
> >> Poul-Henning Kamp wrote:
> >>> In message <4752998A.9030007 at>, Andre Oppermann writes:
> >>>>  o TCP puts the timer into an allocated structure and upon close of the
> >>>>    session it has to be deallocated including stopping of all currently
> >>>>    running timers.
> >>>>    [...]
> >>>>     -> The timer facility should provide an atomic stop/remove call
> >>>>        that prevent any further callbacks upon return.  It should not
> >>>>        do a 'drain' where the callback may be run anyway.
> >>>>        Note: We hold the lock the callback would have to obtain.
> >>> It is my intent, that the implementation behind the new API will
> >>> only ever grab the specified lock when it calls the timeout function.
> >> This is the same for the current one and pretty much a given.
> >>
> >>> When you do a timeout_disable() or timeout_cleanup() you will be
> >>> sleeping on a mutex internal to the implementation, if the timeout
> >>> is currently executing.
> >> This is the problematic part.  We can't sleep in TCP when cleaning up
> >> the timer.  We're not always called from userland but from interrupt
> >> context.  And when calling the cleanup we currently hold the lock the
> >> callout wants to obtain.  We can't drop it either as the race would
> >> be back again.  What you describe here is the equivalent of callout_
> >> drain().  This is unfortunately unworkable in TCP's context.  The
> >> callout has to go away even if it is already pending and waiting on
> >> the lock.  Maybe that can only be solved by a flag in the lock saying
> >> "give up and go away".
> > 
> > The reason you need to do a drain is to allow for safe destroying of the 
> > Specifically, drivers tend to do this:
> > 
> > 	FOO_LOCK(sc);
> > 	...
> > 	callout_stop(...);
> > 	FOO_UNLOCK(sc);
> > 	...
> > 	callout_drain(...);
> > 	...
> > 	mtx_destroy(&sc->foo_mtx);
> > 
> > If you don't have the drain and softclock is trying to acquire the backing 
> > mutex while you have it held (before the callout_stop) then Bad Things can 
> > happen if you don't do the drain.  Having the lock just "give up" doesn't 
> > work either because if the memory containing the lock is free'd and 
> > reinitialized such that it looks enough like a valid lock then softclock 
> > its equivalent) will still try to obtain it.  Also, you need to do a drain 
> > it is safe to free the callout structure to prevent it from being recycled 
> > and having weird races where it gets recycled and rescheduled but the 
> > code thinks it has a pending stop for that pointer and so it aborts the 
> > instance of the timer, etc.
> This is all well known.  ;)  What isn't known is that this (the
> sleep part) is a major problem for TCP due to being run from
> interrupt context.  Hence the request for some kind of busy-drain
> or other method prevent the sleep.  A second less severe problem
> are races while the lock is dropped during the sleep.  Here some
> other part of TCP may go into the tcpcb scheduled for destruction.

My point is that there isn't really a good way to fix this that doesn't 
involve sleeping.  If you just spin you may spin forever (netisr has a higher 
priority than softclock IIRC).  One option is to not destroy pcb's directly 
in interrupt context but instead to queue them and let a task on a taskqueue 
finish the destruction in a context where it can sleep if necessary.

John Baldwin

More information about the freebsd-arch mailing list