Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 28 Sep 2022 10:13:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 252165] usb network and mii bus media status race condition
Message-ID:  <bug-252165-7501-LwDI1PenyE@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-252165-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-252165-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D252165

--- Comment #24 from Ali Abdallah <ali.abdallah@suse.com> ---
Created attachment 236901
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D236901&action=
=3Dedit
dtrace ure usb traces

I got another machine on which I didn't apply the workaround, running 13.1,
with a USB Lan adapter that uses if_ure, I used the following dtrace probes.

dtrace -n
'fbt:miibus:mii_pollstat:*,fbt:uether:ue_tick_task:*,fbt:if_ure:ure_tick:*,=
fbt:if_ure:ure_ifmedia_sts:*,fbt:miibus:mii_tick:*,fbt:miibus:miibus_linkch=
g:*,
fbt:usb:* { printf("%p", curthread); }'

You can see from the attached debug log (numbered lines)

1  48573            ure_ifmedia_sts:entry fffffe00dc75c720
1  48475               mii_pollstat:entry fffffe00dc75c720

But before exit entry of re_ifmedia_sts:return of thread fffffe00dc75c720, =
you
can see:

1052   0  48573            ure_ifmedia_sts:entry fffffe00e00271e0
1053   2  27791        usb_command_wrapper:entry fffffe0082a17ac0
1054   2  27738      usbd_callback_wrapper:entry fffffe0082a17ac0
1055   0  48475               mii_pollstat:entry fffffe00e00271e0

And that exactly when the link up/down happened.

So thread fffffe00e00271e0 managed to go ahead and call mii_pollstat, acqui=
ring
the sc mutex, despite that thread fffffe00dc75c720 didn't release it yet, y=
ou
can see that the return from "polling the media state" on thread
fffffe00dc75c720 comes way after the ure_ifmedia_sts:entry of thread
fffffe00e00271e0

1517   3  48476              mii_pollstat:return fffffe00dc75c720
1518   3  48574           ure_ifmedia_sts:return fffffe00dc75c720

__snip if_ure__=20

ure_ifmedia_sts
{
  ...
  URE_LOCK(sc);=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
  mii_pollstat(mii);
  ifmr->ifm_active =3D mii->mii_media_active;
  ifmr->ifm_status =3D mii->mii_media_status;
  URE_UNLOCK(sc);
}
__snip__

The mutex locked/released by URE_LOCK, is the same mutex used in if_ure, USB
xfer and USB transfer, so I guess something is not playing well in the
release/acquire sequence...

Will try if time permits to dig more into the USB transfer/process code, bu=
t I
have to say that I'm extremely surprised that this bug didn't attract much
attention, it actually renders any USB Ethernet device unusable on FreeBSD.=
..

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-252165-7501-LwDI1PenyE>