Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 22 Jan 2004 18:17:31 +1100 (EST)
From:      Bruce Evans <bde@zeta.org.au>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        current@freebsd.org
Subject:   Re: LOR with turnstile chain and sio
Message-ID:  <20040122173211.U11494@gamplex.bde.org>
In-Reply-To: <20040121182535.GA40652@xor.obsecurity.org>
References:  <20040121182138.GA40579@xor.obsecurity.org> <20040121182535.GA40652@xor.obsecurity.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 21 Jan 2004, Kris Kennaway wrote:

> On Wed, Jan 21, 2004 at 10:21:38AM -0800, Kris Kennaway wrote:
> > Well, I managed to panic bento in under 12 hours of use, after Joe had
> > been using it for the past 2 months without problems :-)
>
> It panicked again a few minutes after rebooting:

It got a page fault (probably a null pointer) in propagate_priority().
The rest is bugs in the debugging code.  It's interesting that it managed
to print messages about a bug in siocnputc() (actually mostly in witness)
using siocnputc().

> lock order reversal
>  1st 0xc06e6864 turnstile chain (turnstile chain) @ kern/subr_turnstile.c:233

The turnstile lock seems to be tc->tc_lock.  sched_lock is also held in
propagate_priority() and doesn't seem to cause any LORs or other problems
with serial consoles, but holding it for calls to printf() at least used
to be fatal for syscons consoles.

>  2nd 0xc0717580 sio (sio) @ dev/sio/sio.c:3203
> Stack backtrace:
> backtrace(c06923f4,c0717580,c06d2020,c06d2020,c06a0ede) at backtrace+0x17

The LOR is bogus.  cnputc() must be callable at almost any time so that it
can print debugging messages like this one, so acquiring sio_lock must work
no matter what other locks are held.

> witness_lock(c0717580,8,c06a0ede,c83,3f8) at witness_lock+0x672
> _mtx_lock_spin_flags(c0717580,0,c06a0ed5,c83,c6758aa8) at _mtx_lock_spin_flags+0xda
> siocnputc(c06d21a0,6b,5,e1bffa1c,6b) at siocnputc+0x81
> cnputc(6b,c06e9688,1,c64f1640,c06a51d9) at cnputc+0x7a
> putchar(6b,e1bffa1c,c06e97c8,c06e9688,c06e7c80) at putchar+0x6c
> kvprintf(c06a51d8,c0529640,e1bffa1c,a,e1bffa3c) at kvprintf+0x8d

I think the printf is about a trap with interrupts disabled.  That shouldn't
happen any more than the page fault, but it is certain to happen for page
faults in propagate_priority() in -current, since sched_lock is held and
spinlocks mask interrupts too much.

> printf(c06a51d8,c,1,c068e464,14b) at printf+0x57
> trap(c06e0018,ffc00010,c06e0010,b4,c64f2740) at trap+0xd7

Got a page fault in propagate_priority().

> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc052e9f0, esp = 0xe1bffac0, ebp = 0xe1bffae4 ---
> propagate_priority(c64f1640,0,c0691bdc,1dd,c06e7080) at propagate_priority+0x220
> turnstile_wait(0,c06e34e0,c64f13c0,1cc,c06e34e0) at turnstile_wait+0x33d
> _mtx_lock_sleep(c06e34e0,0,c06929fb,2e7,c6846500) at _mtx_lock_sleep+0x125
> _mtx_lock_flags(c06e34e0,0,c06929fb,2e7,0) at _mtx_lock_flags+0x98
> kern_select(c64f1640,7,bfbfed40,0,0) at kern_select+0x47
> select(c64f1640,e1bffd14,c06a525a,3ee,5) at select+0x66
> syscall(2f,2f,2f,bfbfedc0,80810a0) at syscall+0x2c0
> Xint0x80_syscall() at Xint0x80_syscall+0x1d
> --- syscall (93), eip = 0x28105b8f, esp = 0xbfbfed0c, ebp = 0xbfbfee58 ---
>
> and then page faulted and went into a hard lockup.

Perhaps it recursed some more into the debugging code.

I used the following in an old uncommitted version of sio to prevent sio
locking going anywhere near witness even in the non-console case:

%%%
Index: sio.c
===================================================================
RCS file: /home/ncvs/src/sys/dev/sio/sio.c,v
retrieving revision 1.418
diff -u -2 -r1.418 sio.c
--- sio.c	18 Jan 2004 12:26:33 -0000	1.418
+++ sio.c	19 Jan 2004 00:18:06 -0000
@@ -522,7 +640,7 @@
 	while (sio_inited != 2)
 		if (atomic_cmpset_int(&sio_inited, 0, 1)) {
+			/* XXX might still need MTX_QUIET. */
 			mtx_init(&sio_lock, sio_driver_name, NULL,
-			    (comconsole != -1) ?
-			    MTX_SPIN | MTX_QUIET : MTX_SPIN);
+				 MTX_SPIN | MTX_NOWITNESS);
 			atomic_store_rel_int(&sio_inited, 2);
 		}
%%%

The current version uses lower level locking so witnessing the locking
is just unavailable.

Bruce



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040122173211.U11494>