git: 942951ba46ec - main - uma dbg: catch more corruption with atomics

Ryan Libby rlibby at freebsd.org
Fri Jan 1 18:52:36 UTC 2021


On Fri, Jan 1, 2021 at 5:46 AM Michal Meloun <meloun.michal at gmail.com> wrote:
>
>
>
> On 31.12.2020 22:03, Ryan Libby wrote:
> > The branch main has been updated by rlibby:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=942951ba46ecd5ebab18de006a24dc52e2d3f745
> >
> > commit 942951ba46ecd5ebab18de006a24dc52e2d3f745
> > Author:     Ryan Libby <rlibby at FreeBSD.org>
> > AuthorDate: 2020-12-31 21:02:45 +0000
> > Commit:     Ryan Libby <rlibby at FreeBSD.org>
> > CommitDate: 2020-12-31 21:02:45 +0000
> >
> >      uma dbg: catch more corruption with atomics
> >
> >      Use atomic testandset and testandclear to catch concurrent double free,
> >      and to reduce the number of atomic operations.
> >
> >      Submitted by:   jeff
> >      Reviewed by:    cem, kib, markj (all previous version)
> >      Sponsored by:   Dell EMC Isilon
> >      Differential Revision:  https://reviews.freebsd.org/D22703
> Unfortunately, this broke arm and arm64 kernel with random
> 'duplicate alloc'/'duplicate free' panics.
>
> Michal
>

Thanks for the report.  It's probably going to be several hours before I
can dig into this properly.  A GENERIC-NODEBUG kernel should avoid the
problem.

From a quick scan of source, it looks to me like arm64's
atomic_testand{set,clear}_64 are broken because of a wrong mask value
under _ATOMIC_TEST_OP_IMPL(64, ...).

If you would like to test a patch, you could try the one attached
(only compile tested on my end).

Ryan

> > ---
> >   sys/vm/uma_core.c | 9 ++++-----
> >   1 file changed, 4 insertions(+), 5 deletions(-)
> >
> > diff --git a/sys/vm/uma_core.c b/sys/vm/uma_core.c
> > index a0192642205d..39c846effac8 100644
> > --- a/sys/vm/uma_core.c
> > +++ b/sys/vm/uma_core.c
> > @@ -5392,10 +5392,10 @@ uma_dbg_alloc(uma_zone_t zone, uma_slab_t slab, void *item)
> >       keg = zone->uz_keg;
> >       freei = slab_item_index(slab, keg, item);
> >
> > -     if (BIT_ISSET(keg->uk_ipers, freei, slab_dbg_bits(slab, keg)))
> > +     if (BIT_TEST_SET_ATOMIC(keg->uk_ipers, freei,
> > +         slab_dbg_bits(slab, keg)))
> >               panic("Duplicate alloc of %p from zone %p(%s) slab %p(%d)",
> >                   item, zone, zone->uz_name, slab, freei);
> > -     BIT_SET_ATOMIC(keg->uk_ipers, freei, slab_dbg_bits(slab, keg));
> >   }
> >
> >   /*
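
Review bot: the condition in uma_dbg_alloc now changes the bitset as a side effect of the `if`, and nothing in the hunk says so. With the explicit `BIT_SET_ATOMIC` line removed, a short comment above `if (BIT_TEST_SET_ATOMIC(keg->uk_ipers, freei,` stating that the bit is set here and that the returned previous value is what triggers the panic would keep a later reader from treating it as a pure test or re-adding the set.
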
> > @@ -5426,11 +5426,10 @@ uma_dbg_free(uma_zone_t zone, uma_slab_t slab, void *item)
> >               panic("Unaligned free of %p from zone %p(%s) slab %p(%d)",
> >                   item, zone, zone->uz_name, slab, freei);
> >
> > -     if (!BIT_ISSET(keg->uk_ipers, freei, slab_dbg_bits(slab, keg)))
> > +     if (!BIT_TEST_CLR_ATOMIC(keg->uk_ipers, freei,
> > +         slab_dbg_bits(slab, keg)))
> >               panic("Duplicate free of %p from zone %p(%s) slab %p(%d)",
> >                   item, zone, zone->uz_name, slab, freei);
> > -
> > -     BIT_CLR_ATOMIC(keg->uk_ipers, freei, slab_dbg_bits(slab, keg));
> >   }
> >   #endif /* INVARIANTS */
> >
> >
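
Review bot: the negated `BIT_TEST_CLR_ATOMIC` in uma_dbg_free makes the panic depend on the test-and-clear primitive returning the correct previous bit value for every index `freei` can take, a dependency the removed `BIT_ISSET` plus `BIT_CLR_ATOMIC` pair did not have. It is worth confirming that each architecture's test-and-clear and test-and-set handle indices across the full word width used by the bitset before relying on them under INVARIANTS; the arm and arm64 'duplicate alloc'/'duplicate free' panics reported in this thread are consistent with that not holding everywhere.
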
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-arm64-fix-mask-in-atomic_test-64-ops.patch
Type: text/x-patch
Size: 1221 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/dev-commits-src-all/attachments/20210101/ca6ce0f0/attachment.bin>
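
The following is an added example, not code from the commit or from the attached patch: a userspace C11 model of a per-slab debug bitmap that uses atomic test-and-set and test-and-clear as the commit message describes, and of how a wrong mask in a 64-bit test-and-set yields false "duplicate alloc" reports for distinct items. All names are hypothetical, and the `& 0x1f` mask in `testandset_64_badmask` is an assumed illustration of a wrong mask; the message above does not say what the actual arm64 value was.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Set the bit and return its previous value in one atomic read-modify-write. */
static bool testandset_64(_Atomic uint64_t *p, unsigned bit)
{
    uint64_t mask = UINT64_C(1) << (bit & 0x3f);    /* index wraps at 64 */
    return (atomic_fetch_or(p, mask) & mask) != 0;
}

/* Clear the bit and return its previous value in one atomic read-modify-write. */
static bool testandclear_64(_Atomic uint64_t *p, unsigned bit)
{
    uint64_t mask = UINT64_C(1) << (bit & 0x3f);
    return (atomic_fetch_and(p, ~mask) & mask) != 0;
}

/* ASSUMED broken variant (hypothetical): index wraps at 32 on a 64-bit word. */
static bool testandset_64_badmask(_Atomic uint64_t *p, unsigned bit)
{
    uint64_t mask = UINT64_C(1) << (bit & 0x1f);
    return (atomic_fetch_or(p, mask) & mask) != 0;
}

/* Debug bitmap for one slab of up to 64 items (hypothetical type). */
struct dbg_slab { _Atomic uint64_t bits; };

/* Both return false where the kernel would panic with "Duplicate alloc/free".
 * Two racing frees of one item cannot both see the bit set, because the test
 * and the clear are a single atomic operation. */
static bool dbg_alloc(struct dbg_slab *s, unsigned i) { return !testandset_64(&s->bits, i); }
static bool dbg_free(struct dbg_slab *s, unsigned i) { return testandclear_64(&s->bits, i); }

/* Mark distinct items 3 and 35 allocated; count false "duplicate" reports. */
static int spurious_dups(bool (*tas)(_Atomic uint64_t *, unsigned))
{
    _Atomic uint64_t bits = 0;
    int dups = tas(&bits, 3);
    dups += tas(&bits, 35);
    return dups;
}

int main(void)
{
    printf("correct mask: %d spurious duplicate(s)\n", spurious_dups(testandset_64));
    printf("assumed bad mask: %d spurious duplicate(s)\n", spurious_dups(testandset_64_badmask));
    return 0;
}
```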

