Page MenuHomeFreeBSD
Differential D27266

callout(9): Fix a race between migration and callout_drain()
ClosedPublic
Actions

Authored by markj on Nov 18 2020, 2:10 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mar 7 2024, 10:45 PM
Unknown Object (File)
Mar 2 2024, 4:39 PM
Unknown Object (File)
Feb 29 2024, 6:39 AM
Unknown Object (File)
Feb 20 2024, 11:32 PM
Unknown Object (File)
Feb 19 2024, 10:09 PM
Unknown Object (File)
Jan 26 2024, 8:26 PM
Unknown Object (File)
Jan 17 2024, 1:30 PM
Unknown Object (File)
Dec 20 2023, 8:06 AM
View All 40 Files
Subscribers
emaste
imp

Details

Reviewers
hselasky
rrs
emaste
Commits
rS367849: callout(9): Fix a race between CPU migration and callout_drain()
Summary

Suppose a running callout re-arms itself, and before the callout
finishes running another CPU calls callout_drain() and goes to sleep.
softclock_call_cc() will wake up the draining thread, which may not run
immediately if there is a lot of CPU load. Furthermore, the callout is
still in the callout wheel so it can continue to run and re-arm itself.
Then, suppose that the callout migrates to another CPU before the
draining thread gets a chance to run. The draining thread is in this
loop in _callout_stop_safe():

while (cc_exec_curr(cc) == c) {
	CC_UNLOCK(cc);
	sleep();
	CC_LOCK(cc);
}

but after the migration, cc points to the wrong CPU's callout state.
Then the draining thread goes off and removes the callout from the
wheel, but does so using the wrong lock and per-CPU callout state.

Fix the problem by doing a re-lookup of the callout CPU after sleeping.
This is a minimal patch intended to be suitable for backporting.

Test Plan

syzkaller found this bug using kevent() and EVFILT_TIMER.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj requested review of this revision.Nov 18 2020, 2:10 PM
markj created this revision.
Harbormaster completed remote builds in B34877: Diff 79699.Nov 18 2020, 2:10 PM
markj edited the test plan for this revision. (Show Details)Nov 18 2020, 2:11 PM
markj added reviewers: hselasky, rrs.
hselasky accepted this revision.Nov 18 2020, 2:23 PM
hselasky added inline comments.
sys/kern/kern_timeout.c
1164 ↗(On Diff #79699)

There is no need for a while () statement here. Change it into an if (). The block is always exited via a goto.

This revision is now accepted and ready to land.Nov 18 2020, 2:23 PM
markj updated this revision to Diff 79700.Nov 18 2020, 2:30 PM
markj marked an inline comment as done.

while -> if

This revision now requires review to proceed.Nov 18 2020, 2:30 PM
Harbormaster completed remote builds in B34878: Diff 79700.Nov 18 2020, 2:30 PM
emaste added a subscriber: emaste.Nov 18 2020, 2:58 PM
hselasky accepted this revision.Nov 18 2020, 5:58 PM
This revision is now accepted and ready to land.Nov 18 2020, 5:58 PM
emaste accepted this revision.Nov 18 2020, 6:22 PM
Closed by commit rS367849: callout(9): Fix a race between CPU migration and callout_drain() (authored by markj). · Explain WhyNov 19 2020, 6:37 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS367849: callout(9): Fix a race between CPU migration and callout_drain().
Herald added a subscriber: imp. · View Herald TranscriptNov 19 2020, 6:37 PM

Revision Contents
Changeset List

PathSize
head/
sys/
kern/
4 lines

Diff 79775

View Options

head/sys/kern/kern_timeout.c

Loading...