Page MenuHomeFreeBSD
Differential D24500

Use LIST_FOREACH_SAFE instead of LIST_FOREACH as we are removing elements in the middle.
ClosedPublic
Actions

Authored by delphij on Apr 19 2020, 2:32 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 13, 6:05 PM
Unknown Object (File)
Oct 3 2024, 3:58 AM
Unknown Object (File)
Sep 27 2024, 6:13 AM
Unknown Object (File)
Sep 23 2024, 8:04 PM
Unknown Object (File)
Sep 20 2024, 1:20 PM
Unknown Object (File)
Sep 20 2024, 1:20 PM
Unknown Object (File)
Sep 20 2024, 1:20 PM
Unknown Object (File)
Sep 20 2024, 1:10 PM
View All 42 Files
Subscribers
imp

Details

Reviewers
wulf
emaste
gonzo
jceel
Commits
rS360104: Use LIST_FOREACH_SAFE instead of LIST_FOREACH as we are removing
Summary

This fixes a panic when detaching USB mouse.

PR: 245732

Test Plan

plug and unplug mouse multiple times

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

delphij created this revision.Apr 19 2020, 2:32 AM
Harbormaster completed remote builds in B30606: Diff 70767.Apr 19 2020, 2:32 AM
delphij added a reviewer: emaste.Apr 19 2020, 2:32 AM
delphij added reviewers: gonzo, jceel.Apr 19 2020, 6:37 AM
wulf accepted this revision.Apr 19 2020, 11:06 AM

Thanks.
List item is free()-ed asynchronously in other thread which is woken up in evdev_notify_event(). That is why this panic is rare.

This revision is now accepted and ready to land.Apr 19 2020, 11:06 AM
wulf added a comment.Apr 19 2020, 11:16 AM

But the thread which is woken up locks evdev too. It should postpone all the free()s until FOREACH loop is completed.

wulf added a comment.Apr 19 2020, 11:30 AM

Do you have some local modifications of cdev.c? Especially with relaxed locking in evdev_dtor()?

Closed by commit rS360104: Use LIST_FOREACH_SAFE instead of LIST_FOREACH as we are removing (authored by delphij). · Explain WhyApr 19 2020, 5:28 PM
This revision was automatically updated to reflect the committed changes.
delphij added a commit: rS360104: Use LIST_FOREACH_SAFE instead of LIST_FOREACH as we are removing.
Herald added a subscriber: imp. · View Herald TranscriptApr 19 2020, 5:28 PM
delphij added a comment.Apr 19 2020, 5:46 PM
In D24500#538844, @wulf wrote:

Do you have some local modifications of cdev.c? Especially with relaxed locking in evdev_dtor()?

No I don't have local changes here (I'm not really familiar with this code which is why I'm asking for review :).

What appears to happen was that in the LIST_FOREACH loop we have called evdev_dispose_client(). The latter does assert the lock being held (which we did acquire in evdev_unregister() earlier), then immediately removed the client from the list:

void
evdev_dispose_client(struct evdev_dev *evdev, struct evdev_client *client)
{
        debugf(evdev, "removing client for device %s", evdev->ev_shortname);
                
        EVDEV_LOCK_ASSERT(evdev);
        
        LIST_REMOVE(client, ec_link);                // <--- here

When INVARIANT is enabled, the prev and next pointers would be TRASHIT'ed (set to -1 or 0xffffffffffffffff). When using LIST_FOREACH, we are still using the next pointer instead of copying it in LIST_FOREACH_SAFE before going through the code in the loop, therefore when we are trying to traverse to the next node, we will call evdev_revoke_client() with -1. This won't happen for non-INVARIANT kernels and probably nobody have reported it so far.

wulf added a comment.Apr 19 2020, 7:05 PM
In D24500#538927, @delphij wrote:

When INVARIANT is enabled, the prev and next pointers would be TRASHIT'ed (set to -1 or 0xffffffffffffffff).

Thanks for explanation. This means 'TRASHIT' calls in LIST_FOREACH macro in queue.h are bogus. They assumes that free() must be called within FOREACH loop. But that is It is not evdev case. free() is called asynchronously here.

delphij added a comment.Apr 19 2020, 7:10 PM
In D24500#538939, @wulf wrote:
In D24500#538927, @delphij wrote:

When INVARIANT is enabled, the prev and next pointers would be TRASHIT'ed (set to -1 or 0xffffffffffffffff).

Thanks for explanation. This means 'TRASHIT' calls in LIST_FOREACH macro in queue.h are bogus. They assumes that free() must be called within FOREACH loop. But that is It is not evdev case. free() is called asynchronously here.

No... The TRASHIT calls in _REMOVE methods were intentional (it's an invariant requirement for FOREACH loops, and this helps to catch misuse). When it's necessary to allow _REMOVE, we have to use _FOREACH_SAFE, this is documented in queue(3).

Revision Contents
Changeset List

PathSize
head/
sys/
dev/
evdev/
4 lines

Diff 70786

View Options

head/sys/dev/evdev/evdev.c

Loading...