From nobody Tue May 7 05:19:57 2024 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VYRRd2lZyz5K1GS for ; Tue, 07 May 2024 05:19:57 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VYRRd12jZz469V for ; Tue, 7 May 2024 05:19:57 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1715059197; a=rsa-sha256; cv=none; b=n7jVJ6TgzlcqN/FySk6juxUMwqdkvyDBMxVrZFujJWbdVb4RIj/0iBNY/8CX/E3QemDVVH bAsi1lJJP8U/xL/NrSXpGv7pofiNjXjqyUccjacR9d2QVRitUHA6VaLqtmZ6zBd+LKLBAF aQYrIPAhM0KawdCmIxzXy5EAkudQ4NuRKP/gkJDz4A/Sue9nuxfszDGI2rdefRP1rR2Z5E XgqfRQhJBsWZbJJZS+hxPvk3OKDQFwkG+1C8JP94FirRk3dQtIQfDaozFVsYKqiUibHaoW bJfWax07s/yXDe1PxmVNvWZAD12zqWswUAH7cSo6VV9v2V533nYo3kre1wmToA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1715059197; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FfyjzDjjED5dXz3IpJzmofw1F4wbL5BJ/R5VWPy3o/k=; b=J2fDqkLSsYxO7Mz4R0t5eakE81ZR+RO89Pw4z1J6RJFwXIqFd/BwbJjBYgymoILYfTrHBW jjyCDMvX4te0G7Fp1Dr8ZlGKgs83qCg9oQCQMi1zdLttgV/3M/tEGtKSmqY3SqbSM9mcRt VicFkfFSJJUP1mLND03YI8i5K018HivQ/pfS0uXx5o5R0DWNUGotPTGq2Z9EemKRdRxkJD BtFvEeRBEr/tn9y634Ym2N7MBqfmRvDGZaSVdzW1t3LJEI0frYLmUjvgMriWaxX/DjRE4e qaQ2RNMnBmArsiaO/F8AyY/sMeKMjj1yc02PqAdlW2sqxxnTpVHuApcQOJ90Uw== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VYRRd0dpNzSqV for ; Tue, 7 May 2024 05:19:57 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 4475JuMK018322 for ; Tue, 7 May 2024 05:19:56 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 4475JuSr018321 for bugs@FreeBSD.org; Tue, 7 May 2024 05:19:56 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 278826] [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware Date: Tue, 07 May 2024 05:19:57 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 15.0-CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: austin.zhang@dell.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@FreeBSD.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D278826 Bug ID: 278826 Summary: [hpet] cdev->si_refcount leakage when enable hpet as timecounter hardware Product: Base System Version: 15.0-CURRENT Hardware: amd64 OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: austin.zhang@dell.com reproduce the issue on the latest 15.0-CURRENT ``` [root@freebsd-main ~]# uname -a FreeBSD freebsd-main 15.0-CURRENT FreeBSD 15.0-CURRENT #13 main-n269920-7929aeebbde1: Mon May 6 20:44:10 CST 2024=20=20=20=20 root@freebsd-main:/usr/obj/root/workspace/freebsd-src/amd64.amd64/sys/GENER= IC amd64 ``` test steps: select hpet as timecounter hardware ``` [root@freebsd-main ~]# sysctl kern.timecounter.hardware=3DHPET kern.timecounter.hardware: TSC -> HPET ``` when HPET is chosen as timecounter, libc's VDSO implementation will map `/dev/hpet0` into process's mmap, then we could observe `cdev->si_refcount` leakage occurs ``` [root@freebsd-main ~]# dtrace -n 'fbt::dev_ref:entry {printf("[%s]: invoke dev_ref: %s, refcount:%d", execname, args[0]->si_name, args[0]->si_refcount= )}' dtrace: description 'fbt::dev_ref:entry ' matched 1 probe CPU ID FUNCTION:NAME 1 43845 dev_ref:entry [sshd]: invoke dev_ref: hpet0, refcount:11 0 43845 dev_ref:entry [sshd]: invoke dev_ref: hpet0, refcount:12 0 43845 dev_ref:entry [bash]: invoke dev_ref: hpet0, refcount:13 1 43845 dev_ref:entry [resizewin]: invoke dev_ref: hp= et0, refcount:14 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:15 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:16 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:17 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:18 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:19 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:20 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:21 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:22 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:23 1 43845 dev_ref:entry [sysctl]: invoke dev_ref: hpet0, refcount:24 1 43845 dev_ref:entry [sh]: invoke dev_ref: hpet0, refcount:25 1 43845 dev_ref:entry [atrun]: invoke dev_ref: hpet0, refcount:26 ``` this cdev->si_refcount leak might have kernel panic risk if enable KASSERT(= ), see dev_rel() ``` void dev_rel(struct cdev *dev) { int flag =3D 0; dev_lock_assert_unlocked(); dev_lock(); dev->si_refcount--; KASSERT(dev->si_refcount >=3D 0, ("dev_rel(%s) gave negative count", devtoname(dev))); if (dev->si_devsw =3D=3D NULL && dev->si_refcount =3D=3D 0) { LIST_REMOVE(dev, si_list); flag =3D 1; } dev_unlock(); if (flag) devfs_free(dev); } ``` --=20 You are receiving this mail because: You are the assignee for the bug.=