kern/89538: [tty] [panic] triggered by "sysctl -a"

Kostik Belousov kostikbel at gmail.com
Tue Oct 21 18:46:37 UTC 2008 

On Tue, Oct 21, 2008 at 02:37:17PM -0400, John Baldwin wrote:
> On Tuesday 21 October 2008 02:29:12 pm Kostik Belousov wrote:
> > On Tue, Oct 21, 2008 at 01:41:40PM -0400, John Baldwin wrote:
> > > On Tuesday 21 October 2008 05:21:32 am Sergey N. Voronkov wrote:
> > > > Please, reopen this PR. Fix need to be MFC'd to RELENG_6 & RELENG_6_4 
> until
> > > > there is not too late for 6.4!!!
> > > > 
> > > > Sergey N. Voronkov,
> > > 
> > > There are actually a few changes to merge.  Looks like I didn't merge to 
> 6.x 
> > > because of the 6.3 freeze and forgot to do it after the freeze was lifted.
> > I guess this is a request for approval. It is approved then.
> > 
> > Note that in RELENG_6 destroy_dev() does not guarantee that all threads
> > leaved cdevsw methods before device is destoyed.
> 
> Would you rather remove the ttyrel() from ttyfree() then and just leak the 
> structures?
I do not know what is worse. Leak looks more tolerable.

> 
> > > 
> > > jhb         2008-01-08 04:53:29 UTC
> > > 
> > >   FreeBSD src repository
> > > 
> > >   Modified files:
> > >     sys/kern             tty.c 
> > >   Log:
> > >   Close a race in the kern.ttys sysctl handler that resulted in panics in
> > >   dev2udev() when a tty was being detached concurrently with the sysctl
> > >   handler:
> > >   - Hold the 'tty_list_mutex' lock while we read all the fields out of the
> > >     struct tty for copying out later.  Previously the pty(4) and pts(4)
> > >     destroy routines could set t_dev to NULL, drop their reference on the
> > >     tty and destroy the cdev while the sysctl handler was attempting to
> > >     invoke dev2udev() on the cdev being destroyed.  This happened when the
> > >     sysctl handler read the value of t_dev prior to it being set to NULL
> > >     either due to it being stale or due to timing races.  By holding the
> > >     list lock we guarantee that the destroy routines will block in 
> ttyrel()
> > >     in that case and not destroy the cdev until after we've copied all of 
> our
> > >     data.  We may see a NULL cdev pointer or we may see the previous 
> value,
> > >     but the previous value will no longer point to a destroyed cdev if we
> > >     see it.
> > >   - Fix the ttyfree() routine used by tty device drivers in their detach
> > >     methods to use ttyrel() on the tty so we don't leak them.  Also, fix 
> it
> > >     to use the same order of operations as pty/pts destruction (set t_dev
> > >     NULL, ttyrel(), destroy_dev()) so it cooperates with the sysctl 
> handler.
> > >   
> > >   MFC after:      3 days
> > >   Tested by:      avatar
> > >   
> > >   Revision  Changes    Path
> > >   1.274     +20 -3     src/sys/kern/tty.c
> > > 
> > > kib         2008-05-23 16:47:55 UTC
> > > 
> > >   FreeBSD src repository
> > > 
> > >   Modified files:
> > >     sys/kern             tty.c 
> > >   Log:
> > >   Rev. 1.274 put the ttyrel() call before the destroy_dev() in the
> > >   ttyfree(), freeing the tty. Since destroy_dev() may call d_purge()
> > >   cdevsw method, that is the ttypurge() for the tty, the code ends up
> > >   accessing freed tty structure.
> > >   
> > >   Put the ttyrel() after destroy_dev() in the ttyfree. To prevent the
> > >   panic the rev. 1.274 provided fix for, check the TS_GONE in sysctl
> > >   handler and refuse to provide information on such tty.
> > >   
> > >   Reported, debugging help and tested by: pho
> > >   DIscussed with and reviewed by: jhb
> > >   MFC after:      1 week
> > >   
> > >   Revision  Changes    Path
> > >   1.280     +5 -2      src/sys/kern/tty.c
> > > 
> > > 
> > > Property changes on: .
> > > ___________________________________________________________________
> > > Modified: svn:mergeinfo
> > >    Merged /head/sys:r175152,179251
> > > 
> > > Index: kern/tty.c
> > > ===================================================================
> > > --- kern/tty.c	(revision 184128)
> > > +++ kern/tty.c	(working copy)
> > > @@ -3024,16 +3024,20 @@
> > >   *
> > >   * XXX: This shall sleep until all threads have left the driver.
> > >   */
> > > - 
> > >  void
> > >  ttyfree(struct tty *tp)
> > >  {
> > > +	struct cdev *dev;
> > >  	u_int unit;
> > >   
> > >  	mtx_assert(&Giant, MA_OWNED);
> > >  	ttygone(tp);
> > >  	unit = tp->t_devunit;
> > > -	destroy_dev(tp->t_mdev);
> > > +	dev = tp->t_mdev;
> > > +	dev->si_tty = NULL;
> > > +	tp->t_dev = NULL;
> > > +	destroy_dev(dev);
> > > +	ttyrel(tp);
> > >  	free_unr(tty_unit, unit);
> > >  }
> > >  
> > > @@ -3049,8 +3053,9 @@
> > >  	tp = TAILQ_FIRST(&tty_list);
> > >  	if (tp != NULL)
> > >  		ttyref(tp);
> > > -	mtx_unlock(&tty_list_mutex);
> > >  	while (tp != NULL) {
> > > +		if (tp->t_state & TS_GONE)
> > > +			goto nexttp;
> > >  		bzero(&xt, sizeof xt);
> > >  		xt.xt_size = sizeof xt;
> > >  #define XT_COPY(field) xt.xt_##field = tp->t_##field
> > > @@ -3058,6 +3063,18 @@
> > >  		xt.xt_cancc = tp->t_canq.c_cc;
> > >  		xt.xt_outcc = tp->t_outq.c_cc;
> > >  		XT_COPY(line);
> > > +
> > > +		/*
> > > +		 * XXX: We hold the tty list lock while doing this to
> > > +		 * work around a race with pty/pts tty destruction.
> > > +		 * They set t_dev to NULL and then call ttyrel() to
> > > +		 * free the structure which will block on the list
> > > +		 * lock before they call destroy_dev() on the cdev
> > > +		 * backing t_dev.
> > > +		 *
> > > +		 * XXX: ttyfree() now does the same since it has been
> > > +		 * fixed to not leak ttys.
> > > +		 */
> > >  		if (tp->t_dev != NULL)
> > >  			xt.xt_dev = dev2udev(tp->t_dev);
> > >  		XT_COPY(state);
> > > @@ -3080,19 +3097,22 @@
> > >  		XT_COPY(olowat);
> > >  		XT_COPY(ospeedwat);
> > >  #undef XT_COPY
> > > +		mtx_unlock(&tty_list_mutex);
> > >  		error = SYSCTL_OUT(req, &xt, sizeof xt);
> > >  		if (error != 0) {
> > >  			ttyrel(tp);
> > >  			return (error);
> > >  		}
> > >  		mtx_lock(&tty_list_mutex);
> > > -		tp2 = TAILQ_NEXT(tp, t_list);
> > > +nexttp:		tp2 = TAILQ_NEXT(tp, t_list);
> > >  		if (tp2 != NULL)
> > >  			ttyref(tp2);
> > >  		mtx_unlock(&tty_list_mutex);
> > >  		ttyrel(tp);
> > >  		tp = tp2;
> > > +		mtx_lock(&tty_list_mutex);
> > >  	}
> > > +	mtx_unlock(&tty_list_mutex);
> > >  	return (0);
> > >  }
> > >  
> > > 
> > > -- 
> > > John Baldwin
> > 
> 
> 
> 
> -- 
> John Baldwin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-bugs/attachments/20081021/f326962f/attachment.pgp

More information about the freebsd-bugs mailing list