Race condition in mb_free_ext()?

Bosko Milekic bmilekic at technokratis.com
Tue Mar 1 23:53:25 GMT 2005


On Mon, Feb 28, 2005 at 10:00:25PM -0800, Doug White wrote:
> Forgive me for being naive, but is there a reason you don't do an atomic
> subtraction on the refcount?  I can see why it repeats -- if two things
> are warring over the refcount one or the other keeps trying until one wins
> -- but the subtraction would seem more intuitive.

  The subtraction is atomic and is part of the cmpset.  If you were to
  only do a subtraction, you risk racing on figuring out what the
  counter value before the subtraction was and making sure that it stays
  consistent after the subtraction.  That is the purpose of the cmpset.
  The idea is that only the LAST thread to decrement the counter down to
  exactly 1 frees the cluster.

  If you look at the CVS history for that routine and its various
  incarnations (you might need to look at kern/subr_mbuf.c in the attic,
  since mb_free_ext() used to be there, iirc), you will see various
  points in time where we had this wrong.

> -- 
> Doug White                    |  FreeBSD: The Power to Serve
> dwhite at gumbysoft.com          |  www.FreeBSD.org

-- 
Bosko Milekic
bmilekic at technokratis.com
bmilekic at FreeBSD.org
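
The difference described in the reply above, as an added example that is not part of the original message and is not the FreeBSD code: a subtraction followed by a separate read lets two releasers both conclude they are last, while a compare-and-swap loop tells each caller exactly which value it replaced. The struct, the function names and the convention that the caller replacing 1 with 0 does the free are assumptions, written with C11 atomics and replayed on one thread with a constructed interleaving.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical refcounted object; not the FreeBSD mbuf cluster layout. */
struct obj { atomic_uint refs; };

/* Racy pattern: a subtraction that reports nothing, then a separate read. */
static void racy_sub(struct obj *o)  { (void)atomic_fetch_sub(&o->refs, 1); }
static bool racy_last(struct obj *o) { return atomic_load(&o->refs) == 0; }

/* CAS release starting from a snapshot 'old' that may already be stale.
 * The swap succeeds only if refs still equals 'old'; on failure 'old' is
 * reloaded with the current value and we retry. Returns true only for the
 * caller that replaced 1 with 0, i.e. the one that must free.
 * The caller must hold a reference (refs >= 1). */
static bool release_cas_from(struct obj *o, unsigned old)
{
    while (!atomic_compare_exchange_weak(&o->refs, &old, old - 1))
        ;
    return old == 1;
}

static bool release_cas(struct obj *o)
{
    return release_cas_from(o, atomic_load(&o->refs));
}

/* Constructed interleaving of two releasers A and B.
 * Returns how many of them concluded "I am last, I free". */
static int replay_racy(void)
{
    struct obj o; atomic_init(&o.refs, 2);
    racy_sub(&o);                           /* A subtracts: 2 -> 1 */
    racy_sub(&o);                           /* B subtracts: 1 -> 0 */
    return racy_last(&o) + racy_last(&o);   /* A and B both read 0 */
}

static int replay_cas(void)
{
    struct obj o; atomic_init(&o.refs, 2);
    unsigned a_snapshot = atomic_load(&o.refs);  /* A reads 2, then stalls */
    int frees = release_cas(&o);                 /* B: 2 -> 1, not last */
    frees += release_cas_from(&o, a_snapshot);   /* A: CAS(2) fails, retries with 1 */
    return frees;
}

int main(void) { printf("racy frees=%d, cas frees=%d\n", replay_racy(), replay_cas()); return 0; }
```
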


More information about the freebsd-net mailing list