[Differential] [Updated] D1777: Associated fix for arp/nd6 timer usage.

jhb (John Baldwin) phabric-noreply at FreeBSD.org
Wed Feb 4 22:44:06 UTC 2015


jhb added a comment.

This is just "How It Works".  You are always supposed to do a callout_drain() before freeing the storage belonging to a callout.  I don't understand how you are preventing the callout/lock being freed out from under the callout routine in this version either.  Now you can have this sequence:

a) softclock dequeues callout to run

b) other thread grabs lle_lock

c) softclock blocks on lle_wlock above

d) other thread tears down structure, unlocks lock, zeros memory, 0xdeadc0de, etc.

e) softclock wakes up in mutex code and panics because the mutex is destroyed and it either triggers an assertion, follows a bad pointer trying to propagate priority or see if the "owner" is running, etc.

You have to drain the callout somehow.  Hans' other solution is to arrange to have a callback function do the free for you if you can't block in the context where you are trying to free the structure.

REVISION DETAIL
  https://reviews.freebsd.org/D1777

To: rrs, imp, sbruno, gnn, rwatson, lstewart, kostikbel, adrian, bz, jhb
Cc: bz, emaste, hiren, julian, hselasky, freebsd-net
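The sequence a) to e) above, replayed as an added userspace model. This is not code from the review, from the patch author or from FreeBSD: softclock, callout_stop()/callout_drain(), the lle structure, lle_timer(), run_scenario() and the callout_cancel() helper are hypothetical pthread stand-ins, and "freeing" is a flag rather than a real free() so the wrong ordering is visible without corrupting memory. The three teardown modes are the one the comment objects to (stop, then free while the handler is already dequeued), the drain-before-free rule, and the callback-does-the-free alternative.

```c
/* Added illustration, not FreeBSD kernel code: a pthread model of the callout(9)
 * lifetime rule described above. softclock, callout_stop()/callout_drain() and the
 * lle are simplified stand-ins, and "freeing" is modelled by a flag so the wrong
 * ordering is observable without a real use-after-free. Build: cc -pthread x.c */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

struct callout {
    pthread_mutex_t mtx; pthread_cond_t cv;   /* protect the two flags below */
    bool pending;             /* queued, not yet picked up by softclock */
    bool running;             /* dequeued: handler executing or about to */
    void (*func)(void *); void *arg;
};

/* callout_stop() only cancels a callout that is still pending; one that softclock
 * has already dequeued keeps running. callout_drain() additionally waits for that
 * handler to return, so it must not be called while holding a lock the handler
 * takes. Both return 1 if the callout was still pending when called. */
static int callout_cancel(struct callout *c, bool drain)
{
    pthread_mutex_lock(&c->mtx);
    int was_pending = c->pending; c->pending = false;
    while (drain && c->running)
        pthread_cond_wait(&c->cv, &c->mtx);
    pthread_mutex_unlock(&c->mtx);
    return was_pending;
}
#define callout_stop(c)  callout_cancel((c), false)
#define callout_drain(c) callout_cancel((c), true)

/* softclock stand-in: dequeue one callout and run its handler with no lock held. */
static void *softclock(void *p)
{
    struct callout *c = p;
    pthread_mutex_lock(&c->mtx);
    while (!c->pending)
        pthread_cond_wait(&c->cv, &c->mtx);
    c->pending = false; c->running = true;          /* step (a) */
    pthread_cond_broadcast(&c->cv); pthread_mutex_unlock(&c->mtx);
    c->func(c->arg);
    pthread_mutex_lock(&c->mtx); c->running = false;
    pthread_cond_broadcast(&c->cv); pthread_mutex_unlock(&c->mtx);
    return NULL;
}

enum teardown { STOP_ONLY, DRAIN_THEN_FREE, FREE_IN_HANDLER };
struct lle {                  /* hypothetical stand-in for the ARP/ND6 lle */
    pthread_mutex_t lle_lock; struct callout la_timer; enum teardown mode;
    bool dying;               /* unlinked from the table */
    bool freed;               /* storage "freed" (a flag; memory stays valid) */
    bool touched_after_free;  /* the bug of step (e) */
};

static void lle_timer(void *arg)
{
    struct lle *l = arg;
    pthread_mutex_lock(&l->lle_lock);    /* step (c): blocks while teardown holds it */
    if (l->freed)
        l->touched_after_free = true;    /* step (e): lock and structure are gone */
    bool free_here = l->dying && l->mode == FREE_IN_HANDLER;
    pthread_mutex_unlock(&l->lle_lock);
    if (free_here)
        l->freed = true;                 /* handler was the last user, so it frees */
}

/* Returns 0 when teardown was safe, 1 when the handler used a freed lle. */
static int run_scenario(enum teardown mode)
{
    pthread_t sc;                        /* timer armed as callout_reset() would */
    struct lle l = { .mode = mode, .la_timer = { .func = lle_timer, .arg = &l, .pending = true } };
    pthread_mutex_init(&l.lle_lock, NULL); pthread_mutex_init(&l.la_timer.mtx, NULL);
    pthread_cond_init(&l.la_timer.cv, NULL);
    pthread_mutex_lock(&l.lle_lock);               /* step (b): teardown owns lle_lock */
    pthread_create(&sc, NULL, softclock, &l.la_timer);
    pthread_mutex_lock(&l.la_timer.mtx);           /* wait until softclock dequeued it */
    while (!l.la_timer.running)
        pthread_cond_wait(&l.la_timer.cv, &l.la_timer.mtx);
    pthread_mutex_unlock(&l.la_timer.mtx);
    l.dying = true;                                /* unlink it from the table */
    if (mode == STOP_ONLY) {          /* step (d): stop() cannot cancel a running handler */
        callout_stop(&l.la_timer);
        l.freed = true;
        pthread_mutex_unlock(&l.lle_lock);
    } else if (mode == DRAIN_THEN_FREE) {          /* drop the lock, drain, then free */
        pthread_mutex_unlock(&l.lle_lock);
        callout_drain(&l.la_timer);
        l.freed = true;
    } else {                          /* cannot block here: let the handler free it */
        pthread_mutex_unlock(&l.lle_lock);
    }
    pthread_join(sc, NULL);
    return l.touched_after_free ? 1 : 0;
}

int main(void)
{
    printf("stop only: %d  drain then free: %d  free in handler: %d  (1 = use after free)\n",
        run_scenario(STOP_ONLY), run_scenario(DRAIN_THEN_FREE), run_scenario(FREE_IN_HANDLER));
    return 0;
}
```

The ordering is forced, not left to timing: the teardown thread already holds lle_lock when softclock dequeues the timer, so the handler is guaranteed to be stuck at step (c) when teardown decides what to do. In STOP_ONLY mode callout_stop() returns 0 (nothing was pending any more), the "free" happens, and the handler then wakes into a structure that is already gone. Note that DRAIN_THEN_FREE drops lle_lock before draining: draining while holding a lock the handler needs would deadlock in this model, which is the reason the comment offers the callback-frees-it alternative for contexts that cannot block.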

