Page MenuHomeFreeBSD
Differential D45492

ithread: Improve synchronization in ithread_destroy()
ClosedPublic
Actions

Authored by markj on Jun 5 2024, 1:22 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Sep 25, 1:09 PM
Unknown Object (File)
Tue, Sep 24, 3:24 PM
Unknown Object (File)
Tue, Sep 24, 3:24 PM
Unknown Object (File)
Tue, Sep 24, 3:24 PM
Unknown Object (File)
Sun, Sep 22, 7:26 PM
Unknown Object (File)
Wed, Sep 18, 9:20 AM
Unknown Object (File)
Wed, Sep 18, 9:19 AM
Unknown Object (File)
Wed, Sep 18, 9:19 AM
View All 31 Files
Subscribers
imp
olce

Details

Reviewers
jhb
imp
kib
Commits
rG04716d51ba5b: ithread: Improve synchronization in ithread_destroy()
rG8381e9f49ec7: ithread: Improve synchronization in ithread_destroy()
Summary

Previously, to destroy an ithread we would set IT_DEAD in its flags, and
then wake it up if it wasn't already running. After doing this,
intr_event_destroy() would free the intr_event structure. However, it
did not wait for the ithread to exit, so it was possible for the ithread
to access the intr_event after it was freed.

This use-after-free happens readily when running the pf tests in
parallel, since they frequently create and destroy VNET jails, and pf
registers several VNET-local swi handlers.

Fix the race by modifying ithread_destroy() to wait until the ithread
has signaled that it is about to exit by setting ie->ie_thread = NULL.
Existing callers of intr_event_destroy() are allowed to sleep.

Reported by: KASAN

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 58061
Build 54949: arc lint + arc unit

Event Timeline

markj created this revision.Jun 5 2024, 1:22 AM
Herald added subscribers: olce, imp. · View Herald TranscriptJun 5 2024, 1:22 AM
markj requested review of this revision.Jun 5 2024, 1:22 AM
Harbormaster completed remote builds in B58061: Diff 139481.Jun 5 2024, 1:22 AM
markj added a parent revision: D45491: ithread: Annotate a branch in ithread_execute_handlers().Jun 5 2024, 1:22 AM
markj added a comment.Jul 29 2024, 6:40 PM

The bug is causing panics while running our test suite for a long time, most recently: https://ci.freebsd.org/job/FreeBSD-main-amd64-test/25367/console

I would like to commit it soon if there are no objections.

markj added reviewers: imp, kib.Jul 29 2024, 6:40 PM
kib accepted this revision.Jul 30 2024, 1:06 AM
kib added inline comments.
sys/kern/kern_intr.c
584

Should we assert ie_lock there?

1311
This revision is now accepted and ready to land.Jul 30 2024, 1:06 AM
markj marked 2 inline comments as done.Jul 30 2024, 12:39 PM
markj added inline comments.
sys/kern/kern_intr.c
584

Yes, that makes sense, I did that locally.

jhb accepted this revision.Jul 30 2024, 2:17 PM
Closed by commit rG8381e9f49ec7: ithread: Improve synchronization in ithread_destroy() (authored by markj). · Explain WhyJul 30 2024, 2:39 PM
This revision was automatically updated to reflect the committed changes.
markj marked an inline comment as done.
markj added a commit: rG8381e9f49ec7: ithread: Improve synchronization in ithread_destroy().
markj added a commit: rG04716d51ba5b: ithread: Improve synchronization in ithread_destroy().Aug 20 2024, 2:06 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
39 lines

Diff 139481

View Options

sys/kern/kern_intr.c

Loading...