Differential D20027

ioctl handler
ClosedPublic
Actions

Authored by kevans on Apr 23 2019, 4:28 PM.

Details

Reviewers

ae
bz

Commits

rS346670: tun/tap: close race between destroy/ioctl handler

Summary

It seems that there should be a better way to handle this, but this seems to be the more common approach and it should likely get replaced in all of the places it happens... Basically, thread 1 is in the process of destroying the tun/tap while thread 2 is executing one of the ioctls that requires the tun/tap mutex and the mutex is destroyed before the ioctl handler can acquire it.

This is only one of the races described/found in PR 233955.

PR: 233955

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 23861

Event Timeline

kevans created this revision.Apr 23 2019, 4:28 PM

Herald added a subscriber: imp. · View Herald TranscriptApr 23 2019, 4:28 PM

Harbormaster completed remote builds in B23849: Diff 56544.Apr 23 2019, 4:28 PM

kevans edited the summary of this revision. (Show Details)Apr 23 2019, 4:30 PM

emaste added a subscriber: emaste.Apr 23 2019, 6:40 PM

decke added a subscriber: decke.Apr 23 2019, 7:50 PM

Actually functional, after a little bit more coffee and testing... previous version caused trivial deadlock as follows:

1.) ifconfig tun1 create
2.) ifconfig tun1 10.10.1.1 10.10.1.2
3.) ifconfig tun1 destroy

*_destroy only needs to hold ioctl_sx long enough to invalidate the if_softc, while the ioctl handler needs to hold it to guarantee liveness until it's done. Minimize the destroy bits.

Harbormaster completed remote builds in B23861: Diff 56565.Apr 24 2019, 2:26 AM

LGTM.

This revision is now accepted and ready to land.Apr 24 2019, 9:59 AM

Closed by commit rS346670: tun/tap: close race between destroy/ioctl handler (authored by kevans). · Explain WhyApr 25 2019, 12:44 PM

This revision was automatically updated to reflect the committed changes.