Date: Sun, 21 Sep 2008 08:49:54 -0700 From: "Maksim Yevmenkin" <maksim.yevmenkin@gmail.com> To: "Kostik Belousov" <kostikbel@gmail.com> Cc: Alexey Shuvaev <shuvaev@physik.uni-wuerzburg.de>, freebsd-current@freebsd.org Subject: Re: Interface auto-cloning bug or feature? Message-ID: <bb4a86c70809210849w2065f5f0rb678cd3d86bf86e8@mail.gmail.com> In-Reply-To: <20080920132703.GG47828@deviant.kiev.zoral.com.ua> References: <48D2F942.4070801@FreeBSD.org> <20080919084201.GD44330@wep4035.physik.uni-wuerzburg.de> <48D38DFF.8000803@FreeBSD.org> <20080919203310.GA34131@localhost.my.domain> <bb4a86c70809191543y7f3d38ex73c48186dfd163c5@mail.gmail.com> <20080920132703.GG47828@deviant.kiev.zoral.com.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
[...] >> --- if_tap.c.orig 2008-09-08 17:20:57.000000000 -0700 >> +++ if_tap.c 2008-09-19 15:35:02.000000000 -0700 >> @@ -94,6 +94,7 @@ >> static int tapifioctl(struct ifnet *, u_long, caddr_t); >> static void tapifinit(void *); >> >> +static int tap_clone_lookup(struct cdev **, u_short); >> static int tap_clone_create(struct if_clone *, int, caddr_t); >> static void tap_clone_destroy(struct ifnet *); >> static int vmnet_clone_create(struct if_clone *, int, caddr_t); >> @@ -176,6 +177,28 @@ >> DEV_MODULE(if_tap, tapmodevent, NULL); >> >> static int >> +tap_clone_lookup(struct cdev **dev, u_short extra) >> +{ >> + struct tap_softc *tp; >> + >> + mtx_lock(&tapmtx); >> + SLIST_FOREACH(tp, &taphead, tap_next) { >> + mtx_lock(&tp->tap_mtx); >> + if ((tp->tap_flags & (TAP_OPEN|extra)) == extra) { >> + *dev = tp->tap_dev; >> + mtx_unlock(&tp->tap_mtx); >> + mtx_unlock(&tapmtx); >> + >> + return (1); >> + } >> + mtx_unlock(&tp->tap_mtx); >> + } >> + mtx_unlock(&tapmtx); >> + >> + return (0); >> +} >> + >> +static int >> tap_clone_create(struct if_clone *ifc, int unit, caddr_t params) >> { >> struct cdev *dev; >> @@ -353,8 +376,18 @@ >> >> /* We're interested in only tap/vmnet devices. */ >> if (strcmp(name, TAP) == 0) { >> + if (tap_clone_lookup(dev, 0)) { >> + dev_ref(*dev); >> + return; > What would prevent two concurrent threads from selecting the same device > there ? First thread could look up the device, unloc tapmtx and be > preempted. Then second thread is put on CPU, do the same selection. > Now you have a problem. i told it was *very* quick :) and, yes, it seems like the race you describing would be possible. clone handler gets invoked with sx lock held, however its shared lock. also devfs mount point exclusive sx lock is dropped before invoking clone handler. anyway, the fix probably would be to move dev_rel() into the clone_lookup() routine and protect it by tap softc mutex. also clone_lookup() should check the number of references to the device to make sure 2 threads do not grab the same device. another approach would be to add another flag like TAP_OPEN to indicate that device is about to be open ans set it in the clone_lookup() routine. i'll put something together on monday (may be soon if i will have a free minute). please feel free to beat me to it :) thanks, max
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bb4a86c70809210849w2065f5f0rb678cd3d86bf86e8>