From owner-svn-src-head@freebsd.org  Thu Nov 19 18:37:29 2020
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 530214718CC;
 Thu, 19 Nov 2020 18:37:29 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4CcT1j1xcjz3Fc5;
 Thu, 19 Nov 2020 18:37:29 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 312ECB9C;
 Thu, 19 Nov 2020 18:37:29 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0AJIbS6e058379;
 Thu, 19 Nov 2020 18:37:28 GMT (envelope-from markj@FreeBSD.org)
Received: (from markj@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0AJIbS2E058378;
 Thu, 19 Nov 2020 18:37:28 GMT (envelope-from markj@FreeBSD.org)
Message-Id: <202011191837.0AJIbS2E058378@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: markj set sender to
 markj@FreeBSD.org using -f
From: Mark Johnston <markj@FreeBSD.org>
Date: Thu, 19 Nov 2020 18:37:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r367849 - head/sys/kern
X-SVN-Group: head
X-SVN-Commit-Author: markj
X-SVN-Commit-Paths: head/sys/kern
X-SVN-Commit-Revision: 367849
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 18:37:29 -0000

Author: markj
Date: Thu Nov 19 18:37:28 2020
New Revision: 367849
URL: https://svnweb.freebsd.org/changeset/base/367849

Log:
  callout(9): Fix a race between CPU migration and callout_drain()
  
  Suppose a running callout re-arms itself, and before the callout
  finishes running another CPU calls callout_drain() and goes to sleep.
  softclock_call_cc() will wake up the draining thread, which may not run
  immediately if there is a lot of CPU load.  Furthermore, the callout is
  still in the callout wheel so it can continue to run and re-arm itself.
  Then, suppose that the callout migrates to another CPU before the
  draining thread gets a chance to run.  The draining thread is in this
  loop in _callout_stop_safe():
  
  	while (cc_exec_curr(cc) == c) {
  		CC_UNLOCK(cc);
  		sleep();
  		CC_LOCK(cc);
  	}
  
  but after the migration, cc points to the wrong CPU's callout state.
  Then the draining thread goes off and removes the callout from the
  wheel, but does so using the wrong lock and per-CPU callout state.
  
  Fix the problem by doing a re-lookup of the callout CPU after sleeping.
  
  Reported by:	syzbot+79569cd4d76636b2cc1c@syzkaller.appspotmail.com
  Reported by:	syzbot+1b27e0237aa22d8adffa@syzkaller.appspotmail.com
  Reported by:	syzbot+e21aa5b85a9aff90ef3e@syzkaller.appspotmail.com
  Reviewed by:	emaste, hselasky
  Tested by:	pho
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D27266

Modified:
  head/sys/kern/kern_timeout.c

Modified: head/sys/kern/kern_timeout.c
==============================================================================
--- head/sys/kern/kern_timeout.c	Thu Nov 19 18:03:40 2020	(r367848)
+++ head/sys/kern/kern_timeout.c	Thu Nov 19 18:37:28 2020	(r367849)
@@ -1145,7 +1145,7 @@ again:
 			 * just wait for the current invocation to
 			 * finish.
 			 */
-			while (cc_exec_curr(cc, direct) == c) {
+			if (cc_exec_curr(cc, direct) == c) {
 				/*
 				 * Use direct calls to sleepqueue interface
 				 * instead of cv/msleep in order to avoid
@@ -1193,7 +1193,7 @@ again:
 
 				/* Reacquire locks previously released. */
 				PICKUP_GIANT();
-				CC_LOCK(cc);
+				goto again;
 			}
 			c->c_flags &= ~CALLOUT_ACTIVE;
 		} else if (use_lock &&