Race conditions

[Konstantin Belousov]

On Fri, Aug 28, 2015 at 01:34:58PM -0700, John Baldwin wrote:
> Perhaps we could force cloning to serialize with opens? That is, use
> some sort of global lock in devfs such that any non-cloning opens use
> a shared lock but an exclusive lock is taken before running clone
> event handlers (and held until after d_open returns)? To really
> close this sort of race, the exclusive lock acquired when a clone
> is created in lookup() would have to be held until devfs_open() is
> called. That's rather gross. I suppose you could always aquire the
> lock in devfs_lookup() when ISOPEN is set (exclusive if you have to
> clone, otherwise shared) and then drop it in devfs_open() after d_open
> returns.
Hm, I do not think taking a lock in lookup(ISOPEN) is feasible. VFS migh
not call VOP_OPEN() after the lookup, for misc. reasons (e.g. due to the
permissions, or forced umount reclaiming vnode as two obvious cases).

Also, I am not sure about the definition about non-cloning open. Other
thread might race with the cloner and open the newly cloned node
before the cloner has a chance to proceed. Do you want to prevent this
situation ? If yes, then why ? si_drv1 issue should be handled by other
means.

> Well, we've had this race in most cdev drivers in the tree for a long
> time. It's a narrow one that doesn't get hit often (if at all) in
> practice, but if I were to do a sweep to patch all the open routines
> to handle it, I'd rather we do it this way instead. OTOH, I don't have
> a burning desire to patch all the open routines.

For the race to be real, the device must be created after the userspace
is running. I think that the main case there are pty.

I do not see a possibility of removing existing make_dev*() after the
make_dev_uber() is introduced, so there is no need for the whole tree
sweep.