tcp: use locked callouts for the TCP timers
Status: Abandoned (Public)

Authored by glebius on Nov 4 2022, 3:54 AM.

Details

Reviewers: hselasky
Group Reviewers: transport

Summary

Initialize the TCP timers pointing at the inpcb rwlock as the callout
lock. This allows tcp_timer_stop() to stop a timer immediately
and avoid the use of callout_async_drain(). In turn, this makes
tcp_discardcb() the single entry point for the tcpcb destructor, merging
tcp_freecb() into the end of the function. This also removes lots
of lingering checks in the callout handlers themselves.

Diff Detail

Repository: rG FreeBSD src repository
Lint: Skipped
Unit tests: Skipped
Build Status: Buildable 48139; Build 45026: arc lint + arc unit

Event Timeline

Note: this version will fire a KASSERT under certain conditions, as it is incorrect. However, even with a correct assert, this version has a potential use-after-free that is hidden by the use of SMR memory for tcpcbs. Right now this revision is not targeted at cgit; it is posted just to share code.

sys/netinet/tcp_timer.c:1145

You cannot remove callout_async_drain(); it needs to stay, because the mutex may be used after free!

Try to keep this call and the issue with SMR will go away!

Yes, you are right. It is impossible to create a raceless self-freeing callout with two callouts embedded into the same structure. This revision is superseded by D37321.