Date: Fri, 31 Dec 2021 22:06:58 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 6b95cf5bdedc - main - callout: Wait for the softclock thread to switch before rescheduling

The branch main has been updated by markj:

URL:
https://cgit.FreeBSD.org/src/commit/?id=6b95cf5bdedce7b4fa515af38c86b1d8a8dcbbe3

commit 6b95cf5bdedce7b4fa515af38c86b1d8a8dcbbe3
Author:     Mark Johnston
AuthorDate: 2021-12-31 22:01:39 +0000
Commit:     Mark Johnston
CommitDate: 2021-12-31 22:01:39 +0000

    callout: Wait for the softclock thread to switch before rescheduling

    When a softclock thread prepares to go off-CPU, the following happens in
    the context of the thread:

    1. callout state is locked
    2. thread state is set to IWAIT
    3. thread lock is switched from the tdq lock to the callout lock
    4. tdq lock is released
    5. sched_switch() sets td_lock to &blocked_lock
    6. sched_switch() releases old td_lock (callout lock)
    7. sched_switch() removes td from its runqueue
    8. cpu_switch() sets td_lock back to the callout lock

    Suppose a timer interrupt fires while the softclock thread is switching
    off, and callout_process() schedules the softclock thread.  Then there
    is a window between steps 5 and 8 where callout_process() can call
    sched_add() while td_lock is &blocked_lock, but this is not correct
    since the thread is not logically locked.

    callout_process() thus needs to spin waiting for the softclock thread to
    finish switching off (i.e., after step 8 completes) before rescheduling
    it, since callout_process() does not acquire the thread lock directly.

    Reported by:    syzbot+fb44dbf6734ff492c337@syzkaller.appspotmail.com
    Fixes:          74cf7cae4d22 ("softclock: Use dedicated ithreads for running callouts.")
    Reviewed by:    mav, kib, jhb
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D33709
---
 sys/kern/kern_timeout.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/kern/kern_timeout.c b/sys/kern/kern_timeout.c index 3923c214be8d..91882ddb5fba 100644 --- a/sys/kern/kern_timeout.c +++ b/sys/kern/kern_timeout.c
@@ -548,6 +548,8 @@ next: if (!TAILQ_EMPTY(&cc->cc_expireq)) { td = cc->cc_thread; if (TD_AWAITING_INTR(td)) { + thread_lock_block_wait(td); + THREAD_LOCK_ASSERT(td, MA_OWNED); TD_CLR_IWAIT(td); sched_add(td, SRQ_INTR); } else
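
Review bot: The two lines added at the top of the TD_AWAITING_INTR(td) branch have no comment, so the reason callout_process() has to spin before TD_CLR_IWAIT(td) and sched_add(td, SRQ_INTR) is recorded only in the commit message. A short comment above thread_lock_block_wait(td) would keep that reasoning next to the code: the softclock thread may still be switching off with td_lock set to &blocked_lock, and only after cpu_switch() restores td_lock to the callout lock (step 8 in the message) does the lock already held here count as the thread lock, which is what THREAD_LOCK_ASSERT(td, MA_OWNED) then checks. Without that, a later reader could take the wait for a redundant barrier and remove it, reopening the window between steps 5 and 8.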