Date:      Fri, 11 Dec 2015 10:17:21 +0100
From:      Hans Petter Selasky <hps@selasky.org>
To:        "Alexander V. Chernikov" <melifaro@freebsd.org>, Adrian Chadd <adrian@freebsd.org>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Race between arptimer() and lle removal [WAS: panic in arptimer in r289937]
Message-ID:  <566A94A1.60400@selasky.org>
In-Reply-To: <2739461446298483@web2h.yandex.ru>
References:  <CAJ-VmonvVyTNuYv_as41yPCFdfR5T3FE45DP9MKAc-eyzXzPUg@mail.gmail.com> <2739461446298483@web2h.yandex.ru>

Hi,

Pulling the nail out of the haystack hopefully.

>> Any ideas on where next to look?

Adrian: In your dump as well I see:

la_flags = 1

That means there was a race calling arptimer() and removing the "lle".

Alexander: Can you comment on the following patch:

 > Index: netinet/if_ether.c
 > ===================================================================
 > --- netinet/if_ether.c  (revision 291256)
 > +++ netinet/if_ether.c  (working copy)
 > @@ -185,7 +185,13 @@
 >                 LLE_WUNLOCK(lle);
 >                 return;
 >         }
 > -       ifp = lle->lle_tbl->llt_ifp;
 > +       if (lle->la_flags & LLE_LINKED) {
 > +               ifp = lle->lle_tbl->llt_ifp;
 > +       } else {
 > +               /* XXX RACE entry has been freed */
 > +               llentry_free(lle);
 > +               return;
 > +       }
 >         CURVNET_SET(ifp->if_vnet);
 >
 >         if ((lle->la_flags & LLE_DELETED) == 0) {
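
Review bot: the new else branch (the `+ /* XXX RACE entry has been freed */` / `+ llentry_free(lle);` lines) frees an entry that its own comment says has already been freed; if that is literally the case, the read of lle->la_flags a few lines above is already a use-after-free and no flag test inside arptimer() can detect it safely, and if the entry is merely unlinked (LLE_LINKED clear, memory still valid), calling llentry_free() here risks freeing an entry that the path which unlinked it may still reference. Suggest stating in the comment which of the two cases is meant, and addressing the race in the removal path (keep the entry alive until the callout has been stopped or has finished running, per the callout_stop() concern raised below) rather than trying to detect it after the fact in the callback; the early return itself is fine since it happens before CURVNET_SET() and nothing needs restoring.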

We need a check in arptimer() that the lle is still linked before 
proceeding, in there from what I can see. Because the callback is not 
protected by a mutex, it is not atomically stopped by callout_stop().

--HPS


