devfs panic w/INVARIANTS

Andrew Gallatin gallatin at cs.duke.edu
Fri Feb 5 13:51:33 UTC 2010 

Kostik Belousov wrote:
> On Thu, Feb 04, 2010 at 03:40:28PM -0500, Andrew Gallatin wrote:
>> I've got a commercial driver that uses device cloning.
>> At unload time, the driver calls clone_cleanup(). When I unload
>> the driver when the kernel is built with INVARIANTS, I'll see a
>> panic in devfs_populate_loop().  This happens in 6-stable,
>> as well as 8-stable.
>>
>> From what I can see the clone has been freed, but it
>> remains on the devfs cdevp_list.   Then the next time
>> devfs_populate_loop() is called, it trips over the bad
>> entry (cdp->cdp_dirents points to 0xdeadc0dedeadc0de)
>> See appended kgdb session.
>>
>> If I trace the code path, it looks like clone_cleanup()
>> calls destroy_devl().  And destroy_devl() will eventually
>> call devfs_free() if the si_refcnt is zero.  But I don't
>> see anything which will get the cdev removed from
>> the cdevp_list prior to it being freed.
>>
>> The only code I see which will get the cdev removed from
>> the cdevp_list() seems to be the "GC any lingering devices"
>> block in devfs_populate_loop
>>
>> What am I missing?
> 
> You did not mentioned it, but my guess is that you create clones from
> the dev_clone event handler. Please note that devfs_lookup() that fires

Yes, I do.

> dev_clone event, consumes a device reference. Thus clone handlers shall
> do dev_ref().
> 
> Due to races with cleanup, you should use MAKEDEV_REF flag for
> make_dev_credv(9) KPI instead of doing make_dev()/dev_ref() pair.

I need to support FreeBSD going all the way back to 6, so that's not an
option in some versions.

But, I'm talking about device removal time.  If I call clone_cleanup()
where the clones have dev->si_refcount==1, then I get the use-after-free
panic.  If I hack things to elevate the reference count (such that
dev->si_refcount==2 when clone_cleanup() is called), then I don't
get the panic.

Are you saying I should have been taking the extra reference
via my dev_clone eventhandler?   Won't having the extra reference
lead to a memory leak?   Or am I just mis-reading the code, and
this will lead to things being freed normally?

> That said, do you really need clones at all ?

I need to support FreeBSD back to 6.x, and I need to support the
linux-like model of opening the "same" /dev/node multiple times
and getting unique handles.  So I think I need clones.

Thanks for the help!
Drew

More information about the freebsd-hackers mailing list