Message-Id: <200604052220.k35MK0S0046058@www.freebsd.org>
Date: Wed, 5 Apr 2006 22:20:00 GMT
From: Neel Natu <neelnatu@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Test for race between callout_drain() and softclock() generates false positive
X-Send-Pr-Version: www-2.3

>Number:         95368
>Category:       kern
>Synopsis:       [kernel] [patch] Test for race between callout_drain() and softclock() generates false positive
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 05 22:20:17 GMT 2006
>Closed-Date:    Tue Feb 10 14:03:36 UTC 2009
>Last-Modified:  Tue Feb 10 14:03:36 UTC 2009
>Originator:     Neel Natu
>Release:        6.0-RELEASE
>Organization:
>Environment:
FreeBSD butternut.silverspringnet.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
This bug is applicable only on the 6.0 releng branch.


The check for race condition with softclock() will return positive even in the common case (i.e. when there is no race). This is because of the post-increment
operator on wakeup_ctr.

From kern_timeout.c:
_callout_stop_safe()
{
                ...
                if (safe) {
                        /* We need to wait until the callout is finished. */
                        wakeup_needed = 1;
                        wakeup_cookie = wakeup_ctr++;
                        mtx_unlock_spin(&callout_lock);
                        mtx_lock(&callout_wait_lock);

                        /*
                         * Check to make sure that softclock() didn't
                         * do the wakeup in between our dropping
                         * callout_lock and picking up callout_wait_lock
                         */
                        if (wakeup_cookie - wakeup_done_ctr > 0)
                                cv_wait(&callout_wait, &callout_wait_lock);

                        mtx_unlock(&callout_wait_lock);
                 ...
}
>How-To-Repeat:

>Fix:
Index: kern_timeout.c
===================================================================
RCS file: /cvsroot/eng/gw/sys/kern/kern_timeout.c,v
retrieving revision 1.1.1.1.30.1
diff -u -r1.1.1.1.30.1 kern_timeout.c
--- kern_timeout.c      17 Feb 2006 04:23:15 -0000      1.1.1.1.30.1
+++ kern_timeout.c      5 Apr 2006 22:16:06 -0000
@@ -523,7 +523,7 @@
                if (safe) {
                        /* We need to wait until the callout is finished. */
                        wakeup_needed = 1;
-                       wakeup_cookie = wakeup_ctr++;
+                       wakeup_cookie = ++wakeup_ctr;
                        mtx_unlock_spin(&callout_lock);
                        mtx_lock(&callout_wait_lock);

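Review bot: the changed line `wakeup_cookie = ++wakeup_ctr;` has no comment explaining why the cookie must be the incremented value, and a one-character pre/post-increment difference is easy to revert by accident. Suggest a comment above it stating the invariant the later test relies on, namely that `wakeup_cookie - wakeup_done_ctr > 0` has to hold until softclock() has done the wakeup. The hunk also does not show how softclock() updates `wakeup_done_ctr`, so the fix should be checked against that code, and the `cv_wait()` quoted in the description sits under a plain `if` rather than a loop that re-tests the counters after waking.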
>Release-Note:
>Audit-Trail:

From: John Baldwin <jhb@FreeBSD.org>
To: bug-followup@FreeBSD.org, neelnatu@yahoo.com
Cc: rwatson@FreeBSD.org
Subject: Re: kern/95368: [kernel] [patch] Test for race between callout_drain() and softclock() generates false positive
Date: Tue, 10 Feb 2009 08:45:01 -0500

 At this point I do not think that a fix is going to be applied to the 
 RELENG_6_0 branch.  This bug is not present in more recent 6.x releases since 
 they now use the spin lock directly with sleepqueues avoiding the need for 
 the separate callout_wait_lock.
 
 -- 
 John Baldwin

State-Changed-From-To: open->closed 
State-Changed-By: rwatson 
State-Changed-When: Tue Feb 10 14:02:45 UTC 2009 
State-Changed-Why:  
This bug is believed independently fixed in more recent FreeBSD versions; 
thanks for the report and sorry it took so long before someone got to it! 
If this problem recurs, please follow up on this PR and we can reopen it. 

Thanks, 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95368 
>Unformatted:
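The false positive from the >Description field, modeled in user-space C as an added example (not code from the PR or from FreeBSD). It assumes softclock() sets `wakeup_done_ctr = wakeup_ctr` when it does the wakeup, which the PR does not show; `drain_model`, `drain_would_wait` and `count_skipped_waits` are hypothetical names.

```c
#include <stdio.h>

/* User-space model of the counters named in the PR (single thread, no locks). */
struct drain_model {
    int wakeup_ctr;      /* bumped by each thread entering the safe (drain) path */
    int wakeup_done_ctr; /* ASSUMPTION: softclock() copies wakeup_ctr here on wakeup */
};
enum cookie_mode { POST_INCREMENT, PRE_INCREMENT };

/* ASSUMED softclock() side: every drainer registered so far has been woken. */
static void model_softclock_wakeup(struct drain_model *m)
{
    m->wakeup_done_ctr = m->wakeup_ctr;
}

/* Returns 1 if the drainer would reach cv_wait(), 0 if it skips the wait. */
static int drain_would_wait(struct drain_model *m, enum cookie_mode mode,
                            int wakeup_in_window)
{
    int wakeup_cookie = (mode == POST_INCREMENT) ? m->wakeup_ctr++
                                                 : ++m->wakeup_ctr;
    /* Window between dropping callout_lock and taking callout_wait_lock. */
    if (wakeup_in_window)
        model_softclock_wakeup(m);
    return wakeup_cookie - m->wakeup_done_ctr > 0;
}

/* Run n drains with no wakeup in the window; the callout finishes after each check. */
static int count_skipped_waits(enum cookie_mode mode, int n)
{
    struct drain_model m = { 0, 0 };
    int skipped = 0;
    for (int i = 0; i < n; i++) {
        if (!drain_would_wait(&m, mode, 0))
            skipped++;              /* drain returned without waiting */
        model_softclock_wakeup(&m); /* callout completes later */
    }
    return skipped;
}

int main(void)
{
    struct drain_model raced = { 0, 0 };
    printf("no race, skipped waits of 5: post-inc=%d pre-inc=%d\n",
           count_skipped_waits(POST_INCREMENT, 5),
           count_skipped_waits(PRE_INCREMENT, 5));
    printf("pre-inc, wakeup in window: would_wait=%d\n",
           drain_would_wait(&raced, PRE_INCREMENT, 1));
    return 0;
}
```

In the model every post-increment drain skips cv_wait() although no wakeup happened in the window, while the pre-increment form waits unless the wakeup really did land there.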
