Page MenuHomeFreeBSD
Differential D38656

witness: exit witness_checkorder() if rebooting
AbandonedPublic
Actions

Authored by mhorne on Feb 17 2023, 7:55 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 25, 4:14 PM
Unknown Object (File)
Oct 5 2024, 4:17 AM
Unknown Object (File)
Sep 30 2024, 7:49 PM
Unknown Object (File)
Sep 30 2024, 11:31 AM
Unknown Object (File)
Sep 30 2024, 11:29 AM
Unknown Object (File)
Sep 30 2024, 9:24 AM
Unknown Object (File)
Sep 20 2024, 6:48 AM
Unknown Object (File)
Sep 16 2024, 10:34 PM
View All 49 Files
Subscribers
None

Details

Reviewers
jhb
markj
bz
imp
Summary

witness_checkorder() contains an assertion against acquiring a
blockable/sleepable lock within a critical section. This assertion is
not triggered if kdb_active is true. The function also returns early
when KERNEL_PANICKED() is true.

The kern_reboot() function will set kdb_active = 0 as part of the
shutdown sequence. After that it will acquire the eventhandler_mutex to
run the shutdown handlers.

When invoking the kernel debugger via console alt-break sequence, we
call kdb_enter() from an interrupt filter context (critical section). If
the "reset" command is issued in ddb, this leaves a very small window
where:

  1. The kernel has not panicked.
  2. kdb_active is false.
  3. We appear to be running in a critical section.

This triggers the assertion in witness_checkorder() when we try to
acquire eventhandler_mutex. To fix this we can also check against
'rebooting' variable, which is set to true in the shutdown path right
before kdb_active is adjusted.

This was made visible by my recent change to the "reset" command in
5644850620ae.

Reported by: bz

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 49923
Build 46815: arc lint + arc unit

Event Timeline

mhorne requested review of this revision.Feb 17 2023, 7:55 PM
mhorne created this revision.
Harbormaster completed remote builds in B49865: Diff 117500.Feb 17 2023, 7:55 PM
mhorne added inline comments.Feb 17 2023, 8:11 PM
sys/kern/subr_witness.c
1128

There are multiple ways to solve the reported issue, this one being the minimal change required. A more complete solution might be to upgrade the panic checks in this file to SCHEDULER_STOPPED(), as I have done with lockmgr in D38655. I am less certain of the implications of that, however.

The kdb_active check below suggests that we expect to execute some portion of the witness code while kdb is active. I cannot say why that would be useful exactly.

markj added inline comments.Feb 20 2023, 2:33 PM
sys/kern/subr_witness.c
1128

If I understand correctly, this could hide witness reports raised during regular shutdown/reboot, which would make it harder to debug shutdown deadlocks. Is that right?

mhorne updated this revision to Diff 117690.Feb 21 2023, 2:37 PM

rebooting has too wide a scope. Instead, switch the !kdb_active check to !SCHEDULER_STOPPED(). For posterity, include sys/kassert.h explicity as we already rely on it.

Harbormaster completed remote builds in B49923: Diff 117690.Feb 21 2023, 2:37 PM
mhorne marked an inline comment as done.Feb 21 2023, 2:38 PM
mhorne added inline comments.
sys/kern/subr_witness.c
1128

Absolutely right, thanks.

markj accepted this revision.Feb 21 2023, 7:02 PM
This revision is now accepted and ready to land.Feb 21 2023, 7:02 PM
mhorne mentioned this in D42684: kern_reboot(): don't clear kdb_active.Nov 20 2023, 6:00 PM
mhorne abandoned this revision.Nov 20 2023, 6:27 PM
mhorne marked an inline comment as done.

Let's do D42684 instead.

Revision Contents
Changeset List

PathSize
sys/
kern/
6 lines

Diff 117690

View Options

sys/kern/subr_witness.c

Loading...