Date: Tue, 07 May 2024 05:19:57 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware Message-ID: <bug-278826-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D278826 Bug ID: 278826 Summary: [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware Product: Base System Version: 15.0-CURRENT Hardware: amd64 OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: austin.zhang@dell.com reproduce the issue on the latest 15.0-CURRENT ``` [root@freebsd-main ~]# uname -a FreeBSD freebsd-main 15.0-CURRENT FreeBSD 15.0-CURRENT #13 main-n269920-7929aeebbde1: Mon May 6 20:44:10 CST 2024=20=20=20=20 root@freebsd-main:/usr/obj/root/workspace/freebsd-src/amd64.amd64/sys/GENER= IC amd64 ``` test steps: select hpet as timecounter hardware ``` [root@freebsd-main ~]# sysctl kern.timecounter.hardware=3DHPET kern.timecounter.hardware: TSC -> HPET ``` when HPET is chosen as timecounter, libc's VDSO implementation will map `/dev/hpet0` into process's mmap, then we could observe `cdev->si_refcount` leakage occurs ``` [root@freebsd-main ~]# dtrace -n 'fbt::dev_ref:entry {printf("[%s]: invoke dev_ref: %s, refcount:%d", execname, args[0]->si_name, args[0]->si_refcount= )}' dtrace: description 'fbt::dev_ref:entry ' matched 1 probe CPU ID FUNCTION:NAME 1 43845 dev_ref:entry [sshd]: invoke dev_ref: hpet0, refcount:11 0 43845 dev_ref:entry [sshd]: invoke dev_ref: hpet0, refcount:12 0 43845 dev_ref:entry [bash]: invoke dev_ref: hpet0, refcount:13 1 43845 dev_ref:entry [resizewin]: invoke dev_ref: hp= et0, refcount:14 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:15 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:16 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:17 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:18 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:19 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:20 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:21 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:22 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:23 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:24 1 43845 dev_ref:entry [sh]: invoke dev_ref: hpet0, refcount:25 1 43845 dev_ref:entry [atrun]: invoke dev_ref: hpet0, refcount:26 ``` this cdev->si_refcount leak might have kernel panic risk if enable KASSERT(= ), see dev_rel() ``` void dev_rel(struct cdev *dev) { int flag =3D 0; dev_lock_assert_unlocked(); dev_lock(); dev->si_refcount--; KASSERT(dev->si_refcount >=3D 0, ("dev_rel(%s) gave negative count", devtoname(dev))); if (dev->si_devsw =3D=3D NULL && dev->si_refcount =3D=3D 0) { LIST_REMOVE(dev, si_list); flag =3D 1; } dev_unlock(); if (flag) devfs_free(dev); } ``` --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-278826-227>