[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 07 May 2024 05:19:57 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278826

            Bug ID: 278826
           Summary: [hpet] cdev->si_refcount leakage when enable hpet as
                    timecounter hardware
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: austin.zhang@dell.com

reproduce the issue on the latest 15.0-CURRENT
```
[root@freebsd-main ~]# uname -a
FreeBSD freebsd-main 15.0-CURRENT FreeBSD 15.0-CURRENT #13
main-n269920-7929aeebbde1: Mon May  6 20:44:10 CST 2024    
root@freebsd-main:/usr/obj/root/workspace/freebsd-src/amd64.amd64/sys/GENERIC
amd64
```

test steps:
select hpet as timecounter hardware
```
[root@freebsd-main ~]# sysctl kern.timecounter.hardware=HPET
kern.timecounter.hardware: TSC -> HPET
```
when HPET is chosen as timecounter, libc's VDSO implementation will map
`/dev/hpet0` into process's mmap, then we could observe `cdev->si_refcount`
leakage occurs

```
[root@freebsd-main ~]# dtrace -n 'fbt::dev_ref:entry {printf("[%s]: invoke
dev_ref: %s, refcount:%d", execname, args[0]->si_name, args[0]->si_refcount)}'
dtrace: description 'fbt::dev_ref:entry ' matched 1 probe
CPU     ID                    FUNCTION:NAME
  1  43845                    dev_ref:entry [sshd]: invoke dev_ref: hpet0,
refcount:11
  0  43845                    dev_ref:entry [sshd]: invoke dev_ref: hpet0,
refcount:12
  0  43845                    dev_ref:entry [bash]: invoke dev_ref: hpet0,
refcount:13
  1  43845                    dev_ref:entry [resizewin]: invoke dev_ref: hpet0,
refcount:14
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:15
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:16
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:17
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:18
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:19
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:20
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:21
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:22
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:23
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0,
refcount:24
  1  43845                    dev_ref:entry [sh]: invoke dev_ref: hpet0,
refcount:25
  1  43845                    dev_ref:entry [atrun]: invoke dev_ref: hpet0,
refcount:26
```

this cdev->si_refcount leak might have kernel panic risk if enable KASSERT(),
see dev_rel()
```
void
dev_rel(struct cdev *dev)
{
        int flag = 0;

        dev_lock_assert_unlocked();
        dev_lock();
        dev->si_refcount--;
        KASSERT(dev->si_refcount >= 0,
            ("dev_rel(%s) gave negative count", devtoname(dev)));
        if (dev->si_devsw == NULL && dev->si_refcount == 0) {
                LIST_REMOVE(dev, si_list);
                flag = 1;
        }
        dev_unlock();
        if (flag)
                devfs_free(dev);
}
```

-- 
You are receiving this mail because:
You are the assignee for the bug.