Date:      Tue, 07 May 2024 05:19:57 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware
Message-ID:  <bug-278826-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278826

            Bug ID: 278826
           Summary: [hpet] cdev->si_refcount leakage when enable hpet as
                    timecounter hardware
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: austin.zhang@dell.com

Reproduced the issue on the latest 15.0-CURRENT:
```
[root@freebsd-main ~]# uname -a
FreeBSD freebsd-main 15.0-CURRENT FreeBSD 15.0-CURRENT #13 main-n269920-7929aeebbde1: Mon May  6 20:44:10 CST 2024
    root@freebsd-main:/usr/obj/root/workspace/freebsd-src/amd64.amd64/sys/GENERIC amd64
```

Test steps:
Select HPET as the timecounter hardware:
```
[root@freebsd-main ~]# sysctl kern.timecounter.hardware=HPET
kern.timecounter.hardware: TSC -> HPET
```
When HPET is chosen as the timecounter, libc's VDSO implementation will mmap
`/dev/hpet0` into the process, and then we can observe that `cdev->si_refcount`
leakage occurs:

```
[root@freebsd-main ~]# dtrace -n 'fbt::dev_ref:entry {printf("[%s]: invoke dev_ref: %s, refcount:%d", execname, args[0]->si_name, args[0]->si_refcount)}'
dtrace: description 'fbt::dev_ref:entry ' matched 1 probe
CPU     ID                    FUNCTION:NAME
  1  43845                    dev_ref:entry [sshd]: invoke dev_ref: hpet0, refcount:11
  0  43845                    dev_ref:entry [sshd]: invoke dev_ref: hpet0, refcount:12
  0  43845                    dev_ref:entry [bash]: invoke dev_ref: hpet0, refcount:13
  1  43845                    dev_ref:entry [resizewin]: invoke dev_ref: hpet0, refcount:14
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:15
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:16
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:17
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:18
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:19
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:20
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:21
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:22
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:23
  1  43845                    dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:24
  1  43845                    dev_ref:entry [sh]: invoke dev_ref: hpet0, refcount:25
  1  43845                    dev_ref:entry [atrun]: invoke dev_ref: hpet0, refcount:26
```

This cdev->si_refcount leak might have kernel panic risk if KASSERT() is enabled;
see dev_rel():
```
void
dev_rel(struct cdev *dev)
{
        int flag = 0;

        dev_lock_assert_unlocked();
        dev_lock();
        dev->si_refcount--;
        KASSERT(dev->si_refcount >= 0,
            ("dev_rel(%s) gave negative count", devtoname(dev)));
        if (dev->si_devsw == NULL && dev->si_refcount == 0) {
                LIST_REMOVE(dev, si_list);
                flag = 1;
        }
        dev_unlock();
        if (flag)
                devfs_free(dev);
}
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
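The one-liner in the report only watches dev_ref(). The DTrace script below is an added example, not part of the bug report or of FreeBSD, that pairs dev_ref() with dev_rel() per cdev name so a net-positive delta over a trace window exposes an unbalanced reference like the hpet0 one above; the probe and field names (fbt::dev_ref, fbt::dev_rel, args[0]->si_name, si_refcount) are the ones the report itself uses.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the bug report): count dev_ref() and dev_rel()
 * per cdev and report the net change, plus the live refcount each time a
 * process takes a reference on hpet0. Run as root, exercise the workload
 * (e.g. a few clock_gettime()/sysctl callers), then press Ctrl-C.
 */
#pragma D option quiet

fbt::dev_ref:entry
{
        /* args[0] is the struct cdev *; si_name is its devfs node name. */
        @refs[stringof(args[0]->si_name)] = count();
        @net[stringof(args[0]->si_name)] = sum(1);
}

fbt::dev_rel:entry
{
        @rels[stringof(args[0]->si_name)] = count();
        @net[stringof(args[0]->si_name)] = sum(-1);
}

/* Mirror the report's probe, restricted to the device under suspicion. */
fbt::dev_ref:entry
/stringof(args[0]->si_name) == "hpet0"/
{
        printf("%-16s dev_ref(hpet0): refcount before increment = %d\n",
            execname, args[0]->si_refcount);
}

END
{
        /* All three aggregations share the si_name key, so one printa() lines them up. */
        printf("\n%-16s %10s %10s %10s\n", "CDEV", "DEV_REF", "DEV_REL", "NET");
        printa("%-16s %@10d %@10d %@10d\n", @refs, @rels, @net);
}
```

A non-zero NET is only meaningful when the trace window spans whole open/mmap/exit cycles of the processes involved; a hpet0 row whose NET keeps growing across repeated short-lived callers such as sysctl matches the monotonically increasing refcount shown in the report.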


