Source-Changes archive


Re: CVS commit: src/sys/netinet



On Sun, Nov 09, 2008 at 06:35:33PM +0100, Christoph Egger wrote:
> Manuel Bouyer wrote:
> > Module Name:        src
> > Committed By:       bouyer
> > Date:               Sun Nov  9 17:32:38 UTC 2008
> > 
> > Modified Files:
> >     src/sys/netinet: tcp_timer.c
> > 
> > Log Message:
> > Fix kern/39769: race condition in TCP timers
> > When a TCP timer is disarmed (with callout_stop()) in the general case
> > callout_invoking() isn't checked, so the timer handler could be called
> > when the current interrupt handler exits, although the timer is disarmed.
> > This case causes bad things like TCPT_REXMT and TCPT_PERSIST being both
> > pending, causing a panic (see the PR for details).
> > Close the issue by aborting the handler if the timer is not
> > callout_expired().
> > (the EXPIRED flag being cleared by callout_stop()).
> 
> Does this also fix PR 39655 (the TCP part) ?

It's not clear. The only way the timers could have callout_destroyed is if
tcp_close had already been called. If tcp_timer_2msl() is called at the
wrong time it could maybe do it.
I didn't look at the path in detail to see if the extra call to tcp_close()
could be from e.g. tcp_input().

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
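
Added example, not part of the original message and not NetBSD source: a userland model of the race the quoted log message describes, where a handler that was already committed to run executes after callout_stop() and re-arms its timer. The struct, flag and function names are hypothetical, and the handler re-arming itself is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model flags; hypothetical names, not the kernel's definitions. */
enum { CO_PENDING = 1, CO_EXPIRED = 2, CO_INVOKING = 4 };

struct model_callout { int flags; };
struct model_tcpcb { struct model_callout rexmt, persist; };

/* Protocol code arms a timer. */
static void model_arm(struct model_callout *c) { c->flags = CO_PENDING; }

/* Timer expires: the handler is now committed to run. */
static void model_fire(struct model_callout *c) { c->flags = CO_EXPIRED | CO_INVOKING; }

/* Disarm: clears PENDING and EXPIRED but cannot recall a committed handler. */
static void model_stop(struct model_callout *c) { c->flags &= ~(CO_PENDING | CO_EXPIRED); }

static bool model_pending(const struct model_callout *c) { return (c->flags & CO_PENDING) != 0; }

/* Retransmit handler; assumed to re-arm its own timer before returning. */
static void rexmt_handler(struct model_tcpcb *tp, bool check_expired)
{
    tp->rexmt.flags &= ~CO_INVOKING;
    if (check_expired && !(tp->rexmt.flags & CO_EXPIRED))
        return;                 /* disarmed between expiry and execution */
    model_arm(&tp->rexmt);
}

/* True when both timers end up pending, the state the log message ties to the panic. */
bool race_leaves_both_pending(bool check_expired)
{
    struct model_tcpcb tp = { {0}, {0} };
    model_arm(&tp.rexmt);
    model_fire(&tp.rexmt);              /* expiry; handler queued */
    model_stop(&tp.rexmt);              /* interrupt-side code disarms REXMT ... */
    model_arm(&tp.persist);             /* ... and arms PERSIST instead */
    rexmt_handler(&tp, check_expired);  /* runs once the interrupt handler exits */
    return model_pending(&tp.rexmt) && model_pending(&tp.persist);
}

int main(void)
{
    printf("without expired check: both pending = %d\n", race_leaves_both_pending(false));
    printf("with expired check:    both pending = %d\n", race_leaves_both_pending(true));
    return 0;
}
```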

