From nobody Tue Dec 21 16:17:14 2021
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 28F9D18EF8A2
	for <bugs@mlmmj.nyi.freebsd.org>; Tue, 21 Dec 2021 16:17:15 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4JJM6f4RDPz3vlv
	for <bugs@FreeBSD.org>; Tue, 21 Dec 2021 16:17:14 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5CB804A7C
	for <bugs@FreeBSD.org>; Tue, 21 Dec 2021 16:17:14 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 1BLGHEES058041
	for <bugs@FreeBSD.org>; Tue, 21 Dec 2021 16:17:14 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 1BLGHEFD058040
	for bugs@FreeBSD.org; Tue, 21 Dec 2021 16:17:14 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260591] [attach/detach] [panic] insufficient multi-thread
 protection for probe/attach/detach
Date: Tue, 21 Dec 2021 16:17:14 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: ghuckriede@blackberry.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
 attachments.created
Message-ID: <bug-260591-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
List-Help: <mailto:freebsd-bugs+help@freebsd.org>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Subscribe: <mailto:freebsd-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-bugs@freebsd.org
MIME-Version: 1.0
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1640103434;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=jVv2I/AHM+6kg5jkl8UkD88i0fitodIpJ0Di207S+ho=;
	b=F6uzFrcCH4fRGSmLJbwteoAmbkA6vIIfddcj2BXmYlhwfHeUTW6au0svi4UaHG5Xl8Uvyp
	46+umotjUD3OtBYK1aGYMI1tEOz92jLyDNuo5JNTEbQZscd2Zgk2QLU13sDVkf6hmI8sLa
	USEd97B+kZ0Gltq87lruWsPc0ErCZl8m3keQa4I+RojhXvWlEApMs46RAhv0vFysOwvm3d
	Hj7AOHAJPM690oAj0F/jo2eyIGS4Cf3HHT1fNPxIAsjn4hpMpzZTAAtm2jkKw+CyW40grT
	v1S3VxoWuF+X71+s2cKSKINFx92cIyt+Jz5LnsG+8r2JvV4YSQdg2Z/GdMi0MQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1640103434; a=rsa-sha256; cv=none;
	b=NA8klMRIHq0MG96Glc/3VxKqnsFeuljuZO1VLuukMFtl1VfSwx8nXqarFsFeLnR/h4ScoW
	En01cb8waBJHUwSRb+VMhl3zIR4dCMJ+PjklGTH76WZeMBpGQIM9oupC7rZOWe8Ct3eSau
	kfstpHqwVfi0yCGdDyn7i1vXG1p55HuXnn0VkFU/RJpps7OgRioVAfJ3KzXqefYHwdjkkU
	2qRTydXSeQaZdq//MEjt2s7Q9i/IS2cXXtUAMArHzYzH0/Ih2E83Rq1p+jzvFJYzce79kq
	CBkTDtCFOx1CSjT0IFuuZY2qaUkYn2Ey4DSm1uNPZ6YiK3cA4Gn4/lH2GCfsRQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D260591

            Bug ID: 260591
           Summary: [attach/detach] [panic] insufficient multi-thread
                    protection for probe/attach/detach
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: ghuckriede@blackberry.com

Created attachment 230290
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D230290&action=
=3Dedit
main-n251848-3e01ee76f20 Panic

The protection for probe/attach/detach appears to be the 'Giant' mutex lock=
.=20
This is insufficient to protect against multiple thread attaching/detaching=
 at
the same time.  Some attach/detach actions require "sleeps", this releases =
the
'Giant' lock, allowing other threads to also attach/detach.  There are no
checks for `DS_ATTACHING` state in device_attach() and there is currently no
`DS_DETACHING` state to check in device_detach().

Steps to Reproduce:
This is easily reproduced with devices that "sleep" during attach/detach, as
Giant lock is dropped in these cases.

https://www.freebsd.org/cgi/man.cgi?locking(9). "Giant is dropped during
unbounded sleeps and reacquired after wakeup."=20

igb devices enter e1000_get_cfg_done_i210()->safe_pause_sbt()->pause_sbt()
during detach, thus releasing the Giant lock.  As show in the attached
backtrace.

root@FBSDCURRENT:/ # devinfo -v | grep igb0
            igb0 pnpinfo vendor=3D0x8086 device=3D0x1533 subvendor=3D0x8086
subdevice=3D0x0002 class=3D0x020000 at slot=3D0 function=3D0 dbsf=3Dpci0:6:=
0:0
handle=3D\_SB_.PCI0.RP05.PXSX
root@FBSDCURRENT:/ #

Terminal #1:
# sh
root@FBSDCURRENT:/ # while [ true ] ; do devctl attach pci0:6:0:0;devctl de=
tach
pci0:6:0:0;done

Terminal #2:
# sh
root@FBSDCURRENT:/ # while [ true ] ; do devctl attach pci0:6:0:0;devctl de=
tach
pci0:6:0:0;done

Actual Results:
This causes an immediate panic when Terminal #2 starts loop.

A backtrace of the 2 threads both running the devctl's devctl2_ioctl() is
attached (locally build kernel). `vmcore` file from "13.0-RELEASE" can also=
 be
provided.

Expected Results:
The kernel should not panic/crash.  First thread should complete.  The seco=
nd
thread should return an error (or wait until the other thread is complete).

Build Date & Hardware:=20
Locally compiled with git updated Dec 21 2021:

FreeBSD FBSDCURRENT 14.0-CURRENT FreeBSD 14.0-CURRENT #3
main-n251848-3e01ee76f20: Tue Dec 21 00:33:45 EST 2021=20=20=20=20
root@FBSDCURRENT:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

Also reproducible on 13.0-RELEASE (Downloaded/Updated):

FreeBSD TrafficHammerTwoHanded 13.0-RELEASE FreeBSD 13.0-RELEASE #0
releng/13.0-n244733-ea31abc261f: Fri Apr  9 04:24:09 UTC 2021=20=20=20=20
root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

--=20
You are receiving this mail because:
You are the assignee for the bug.=