From owner-freebsd-drivers@freebsd.org Wed Sep 2 18:35:33 2015 Return-Path: Delivered-To: freebsd-drivers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 50E739C89B1 for ; Wed, 2 Sep 2015 18:35:33 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2C0B3671 for ; Wed, 2 Sep 2015 18:35:33 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from ralph.baldwin.cx (c-73-231-226-104.hsd1.ca.comcast.net [73.231.226.104]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id 8F834B98E; Wed, 2 Sep 2015 14:35:31 -0400 (EDT) From: John Baldwin To: Konstantin Belousov Cc: freebsd-drivers@freebsd.org, Leonardo Fogel Subject: Re: Race conditions Date: Wed, 02 Sep 2015 10:59:12 -0700 Message-ID: <1619676.EuPFulsFRT@ralph.baldwin.cx> User-Agent: KMail/4.14.3 (FreeBSD/10.2-PRERELEASE; KDE/4.14.3; amd64; ; ) In-Reply-To: <20150902135922.GZ2072@kib.kiev.ua> References: <1439923294.98963.YahooMailBasic@web120801.mail.ne1.yahoo.com> <17365161.8JflB5H0LB@ralph.baldwin.cx> <20150902135922.GZ2072@kib.kiev.ua> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Wed, 02 Sep 2015 14:35:31 -0400 (EDT) X-BeenThere: freebsd-drivers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Writing device drivers for FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Sep 2015 18:35:33 -0000 On Wednesday, September 02, 2015 04:59:22 PM Konstantin Belousov wrote: > On Sun, Aug 30, 2015 at 05:04:31PM -0700, John Baldwin wrote: > > On Saturday, August 29, 2015 01:30:49 PM Konstantin Belousov wrote: > > > On Fri, Aug 28, 2015 at 01:34:58PM -0700, John Baldwin wrote: > > > > Perhaps we could force cloning to serialize with opens? That is, use > > > > some sort of global lock in devfs such that any non-cloning opens use > > > > a shared lock but an exclusive lock is taken before running clone > > > > event handlers (and held until after d_open returns)? To really > > > > close this sort of race, the exclusive lock acquired when a clone > > > > is created in lookup() would have to be held until devfs_open() is > > > > called. That's rather gross. I suppose you could always aquire the > > > > lock in devfs_lookup() when ISOPEN is set (exclusive if you have to > > > > clone, otherwise shared) and then drop it in devfs_open() after d_open > > > > returns. > > > Hm, I do not think taking a lock in lookup(ISOPEN) is feasible. VFS migh > > > not call VOP_OPEN() after the lookup, for misc. reasons (e.g. due to the > > > permissions, or forced umount reclaiming vnode as two obvious cases). > > > > > > Also, I am not sure about the definition about non-cloning open. Other > > > thread might race with the cloner and open the newly cloned node > > > before the cloner has a chance to proceed. Do you want to prevent this > > > situation ? If yes, then why ? si_drv1 issue should be handled by other > > > means. > > > > This isn't about si_drv1, this is about my other change of trying to let > > an open of /dev/tap reliably open a "free" tap device. The race my current > > change there doesn't handle is that if an open of /dev/tap that returns > > a "free" tap device from the clone handler might race with another process > > that opens a tap device by name (e.g. /dev/tap0). > This is a race which must be handled by userspace, I am afraid. It can't really be handled well though. It would mean that any user of /dev/tap basically has to do opens of /dev/tap in a loop in case the open fails with EBUSY. This makes it useless for existing applications (e.g. the use case I care about personally is when I run multiple bhyve VMs. Currently I have to statically allocate tap0 to vm0, tap1 to vm1, etc. What I would really like to do is just tell my various VMs to open /dev/tap and get a "free" tap device to use for the lifetime of the VM. > > An entirely different possibility is to change /dev/tap to not use cloning > > at all and instead use cdevpriv. It could then safely choose a "free" > > tap device during its open routine. This might be a bit of an API change > > though as devname/fdevname could no longer be used to determine the name > > of the interface opened by an open of /dev/tap. > What if we change tap to use cdevpriv, and have some unit number > sequencer for the cdevprivs (as I understand, this would correspond to > the unit of the cloned tap interface ?). Also, we add a cdevsw method to > get the devname. By default, the method will provide dev->si_name. > > For tap, the method would create the the /dev/tapX, where X is the tap > interface number, and returns corresponding name. The /dev/tapX opens > would need to find cdevprivs from the /dev/tap. > > This would cause KBI change for the cdevs, but no API change for tap > consumers and no KPI changes for cdevs. If we allow a cdevsw to override how devname works, then that would probably be sufficient on its own. I don't think you would need to change the /dev/tapX devices at all. The cdevpriv for /dev/tap desciptors would have a reference to the /dev/tapX device it is using and return that device's name in the devname override. Another option that I had started to play with previously is to let devices auto-created by /dev/tap set an internal 'destroy-on-close' flag. That seems a bit more heavyweight, but it might also be simpler to implement? -- John Baldwin