Do we need to use callout_pending(), callout_active(), and callout_deactiveate() here (Avoiding Race Conditions #3) given that the callout was initiailized with callout_init_mtx()?

It seems strange to free resources from within the callout.

Instead of callout_stop(), should callout_drain() be used here instead, without locking the mutex?

I suspect that a flag will need to be set before callout_stop() to tell the callout not to reschedule itself, or maybe just retain the early return if !callout_active().

So, the main objection for the patch is resource freeing within the callout?

I used callout_drain() before in FreeBSD10.1-stable but I got kernel panic "sleeping thread (tid 100130, pid 0) owns a non-sleepable lock" since Dummynet uses locks in many places. In FreeBSD11-CURRENT, this panic does not appear but I don't know why. So, callout_drain() solution can be applied to PIE for FreeBSD11 only.

Regarding the idea of using a flag, it could work but the problem is with the variable that holds the flag should also be freed. I cannot use one global variable because multiple instances of PIE can exist.
Using "the early return if !callout_active()" I think it could also cause problem because if the callout function is about to be called and we have freed the memory just before that, then the timeout subsystem will use struct callout instance that was already freed.

Yes, that is a very strange thing do to, but it looks like it may be unavoidable on FreeBSD 10. It could also be done by using taskqueue, but that looks like it would add other complications.

Also, the callout_pending()/callout_active()/callout_deactivate() stuff can all go away since callout_init_mtx() avoids the race conditions that those are meant to avoid when using plain callout_init().

Yeah, I think you were getting the panic because callout_drain() can sleep and it looks like dummynet can call the cleanup handler while holding a mutex. I don't know why you saw different behaviour between 10 and 11.

On 11 I think the proper fix would be to use callout_drain_async() as hselasky suggested. For FreeBSD 10, see my comment for lines 653-655 in the post-patch code. If callout_drain_async() is used and resources are not freed by a callout, then the CALLOUT_RETURNUNLOCKED flag to callout_init_mtx and the mtx_unlock() calls in the callout can be eliminated.

Instead of using calculate_drop_prob() as the callout handler, you could use a separate cleanup function. That would avoid the need for the new flag.

As you suggested, I removed the callout_pending()/callout_active()/callout_deactivate() stuff from the callout function and everything is working fine.

It seems callout_drain_async() patch commit (r287780) has been reverted until more developers have their say. So, I cannot used for now.

It got backed out by r288096 but it was added back by r290664, so it available for any version of FreeBSD 11 that has the PIE code (r300779 and newer).

That said, I'd concentrate on the FreeBSD 10-compatible version for now. We can use that to patch the code in the HEAD branch (after approval by re@ since we are currently in code freeze for 11.0-RELEASE), and then MFC it back to FreeBSD 10.3-STABLE. Sometime after 11.0-RELEASE we can update the code in the HEAD branch to use callout_async_drain() (I got the name wrong above). If that is after the 11.0-STABLE branch is created, then we can MFC the change to 11.0-STABLE.

Any thoughts on moving this to a separate function?

static void
pie_callout_cleanup(void *x)
{
    struct pie_status *pst = (struct pie_status *) x;

    mtx_unlock(&pst->lock_mtx);
    mtx_destroy(&pst->lock_mtx);
    pie_desc.ref_count--;
}

BTW, the ref_count manipulation should probably be done with atomic ops. I thought about protecting it with the mutex, but that doesn't work if there are multiple PIE instances. If the dummynet lock serializes access to ref_count, then we don't need atomic ops, but then we need to move the ref_count manipulation out of the cleanup handler and move it into a context that is protected by the dummynet lock.

The above change on eliminates the need for PIE_STOP_CALLOUT and lines 639-641 would change to

callout_reset_sbt(&pst->aqm_pie_callout,
        SBT_1US, 0, pie_callout_cleanup, pst, 0);

Using a separate cleanup function makes it easier to convert it to use callout_async_drain(). I think that lines 639-643 would change to:

 q->aqm_status = NULL;
 if (callout_async_drain(&pst->aqm_pie_callout, pie_callout_cleanup) == 0)
         mtx_unlock(&pst->lock_mtx);
else
         pie_callout_cleanup(pst);

Unfortunately it looks like we can't get rid of CALLOUT_RETURNUNLOCKED even in the latter version.

I can move the code to a separate function but I have to call it from inside the callout function (read my next comments).
Regarding protecting ref_count, you are right but I will leave it for now because ref_count checked just when dummynet is kldundloaded and if ref_count is not zero the unloading process will stop without causing a panic.

What about if calculate_drop_prob() is about to be executed and then pie_callout_cleanup() is executed before the execution of calculate_drop_prob()? I am not pretty sure about the occurrence of such scenario but maybe it happens as callout_reset_sbt() performs the equivalent of callout_stop() at the beginning.

Interesting point. If calculate_drop_prob() is about to execute, it can't start because we hold the mutex at this point. When we call callout_reset_sbt(), it will update the function pointer stored in the callout, and then the callout will then preceed when we drop the mutex and pie_callout_cleanup() should get executed instead of calculate_drop_prob(), assuming that the callout thread doesn't look at the function pointer until after it grabs the mutex. I don't know why it would be otherwise.

The other potential hazard that I see would be that pie_callout_cleanup() could be called twice, once due to the alreading pending callout, and the other due to the new one that is scheduled by the callout_reset_sbt() call. If so, your patch has the same issue.
The pending call to calculate_drop_prob() will see the PIE_STOP_CALLOUT flag and destroy things and a new call to calculate_drop_prob() will be scheduled, which will then crash and burn.

The man page does say that callout_reset*() cancels any pending callout before scheduling a new one.

Very good points.
I don't have enough info about callout internals. However, I have another idea to solve the problem which should work fine (I think (-; ):

What about if calculate_drop_prob() does not free the memory but just return when see the PIE_STOP_CALLOUT flag (no rescheduling). Then we can schedule another callout (additional callout variable should be added to pie_status struct) for pie_callout_cleanup() to be call after tupdate of time. So, we guarantee no calculate_drop_prob() is scheduled and no one will use the memory.

The drawbacks of this solution are the memory will still be allocated for tupdate of time (15ms by default) and additional callout struct identifier should be added.

My concern with ref_count is that it could be possible to get into a state where the module could not be unloaded. Since the increment/decrement are not atomic ops, then an increment executed by a user thread and a decrement executed by the callout thread could race, causing unpredictable results. It might also be possible to get a zero ref_count when there are still active PIE instances. If the ref_count decrement is done in the user thread, then races should be less likely (there would have to be user threads adding or deleting instances at the same time) or impossible (if the dummynet mutex blocks this).

I don't think that amount of complexity is needed.

With callout_init_mtx(), callout_stop() would almost work here. The case where it doesn't work is when the time expires and the callout gets scheduled while we are holding the mutex. The callout thread will then be waiting in mtx_lock() for us to unlock the mutex. If we did a callout_stop() and unlocked the mutex and did the cleanup in the main thread, then there would be a race between the callout thread sitting in mtx_unlock() waiting for us to unlock the mutex, and the mtx_destroy() and freeing of memory in the main thread.

If we use callout_reset_sbt(), I think the pending callout can be cleanly cancelled. There's no reason that callout_reset_sbt() can't set some flags in the callout to indicate that it needs to be rescheduled. The callout thread will see those once it returns from mtx_unlock() and not actually execute the callout, but instead re-add it to the wheel at the new time. I'm willing to believe the claim in the man page here.

I've tried looking at the callout internals and the code is pretty difficult to understand. It would be helpful if the callout_man page had separate descriptions of what happens in the callout_init() case vs. the callout_init_mtx() case.

callout_async_drain() will call the cleanup callback function unlocked.

--HPS

I've tried looking at the callout internals and the code is pretty difficult to understand. It would be helpful if the callout_man page had separate descriptions of what happens in the callout_init() case vs. the callout_init_mtx() case.

Hi,

+1

Maybe this implementation of the callout API is easier to understand:

https://svnweb.freebsd.org/base/projects/hps_head/sys/kern/kern_timeout.c?revision=299262&view=markup

--HPS

Either ref_count should be decremented by the user thread after the callout_reset_sbt(() call to avoid possible miscounts due to races between the user thread and the callout thread, or all ref_count manipulations should be done wth atomic operations.