Race conditions
John Baldwin
jhb at freebsd.org
Wed Sep 2 18:35:33 UTC 2015
On Wednesday, September 02, 2015 04:59:22 PM Konstantin Belousov wrote:
> On Sun, Aug 30, 2015 at 05:04:31PM -0700, John Baldwin wrote:
> > On Saturday, August 29, 2015 01:30:49 PM Konstantin Belousov wrote:
> > > On Fri, Aug 28, 2015 at 01:34:58PM -0700, John Baldwin wrote:
> > > > Perhaps we could force cloning to serialize with opens? That is, use
> > > > some sort of global lock in devfs such that any non-cloning opens use
> > > > a shared lock but an exclusive lock is taken before running clone
> > > > event handlers (and held until after d_open returns)? To really
> > > > close this sort of race, the exclusive lock acquired when a clone
> > > > is created in lookup() would have to be held until devfs_open() is
> > > > called. That's rather gross. I suppose you could always aquire the
> > > > lock in devfs_lookup() when ISOPEN is set (exclusive if you have to
> > > > clone, otherwise shared) and then drop it in devfs_open() after d_open
> > > > returns.
> > > Hm, I do not think taking a lock in lookup(ISOPEN) is feasible. VFS migh
> > > not call VOP_OPEN() after the lookup, for misc. reasons (e.g. due to the
> > > permissions, or forced umount reclaiming vnode as two obvious cases).
> > >
> > > Also, I am not sure about the definition about non-cloning open. Other
> > > thread might race with the cloner and open the newly cloned node
> > > before the cloner has a chance to proceed. Do you want to prevent this
> > > situation ? If yes, then why ? si_drv1 issue should be handled by other
> > > means.
> >
> > This isn't about si_drv1, this is about my other change of trying to let
> > an open of /dev/tap reliably open a "free" tap device. The race my current
> > change there doesn't handle is that if an open of /dev/tap that returns
> > a "free" tap device from the clone handler might race with another process
> > that opens a tap device by name (e.g. /dev/tap0).
> This is a race which must be handled by userspace, I am afraid.
It can't really be handled well though. It would mean that any user of /dev/tap
basically has to do opens of /dev/tap in a loop in case the open fails with
EBUSY. This makes it useless for existing applications (e.g. the use case I
care about personally is when I run multiple bhyve VMs. Currently I have to
statically allocate tap0 to vm0, tap1 to vm1, etc. What I would really like to
do is just tell my various VMs to open /dev/tap and get a "free" tap device to
use for the lifetime of the VM.
> > An entirely different possibility is to change /dev/tap to not use cloning
> > at all and instead use cdevpriv. It could then safely choose a "free"
> > tap device during its open routine. This might be a bit of an API change
> > though as devname/fdevname could no longer be used to determine the name
> > of the interface opened by an open of /dev/tap.
> What if we change tap to use cdevpriv, and have some unit number
> sequencer for the cdevprivs (as I understand, this would correspond to
> the unit of the cloned tap interface ?). Also, we add a cdevsw method to
> get the devname. By default, the method will provide dev->si_name.
>
> For tap, the method would create the the /dev/tapX, where X is the tap
> interface number, and returns corresponding name. The /dev/tapX opens
> would need to find cdevprivs from the /dev/tap.
>
> This would cause KBI change for the cdevs, but no API change for tap
> consumers and no KPI changes for cdevs.
If we allow a cdevsw to override how devname works, then that would probably
be sufficient on its own. I don't think you would need to change the
/dev/tapX devices at all. The cdevpriv for /dev/tap desciptors would have a
reference to the /dev/tapX device it is using and return that device's name
in the devname override.
Another option that I had started to play with previously is to let devices
auto-created by /dev/tap set an internal 'destroy-on-close' flag. That
seems a bit more heavyweight, but it might also be simpler to implement?
--
John Baldwin
More information about the freebsd-drivers
mailing list