NetBSD Problem Report #58596
From www@netbsd.org Wed Aug 14 13:11:57 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 58CE11A9242
for <gnats-bugs@gnats.NetBSD.org>; Wed, 14 Aug 2024 13:11:57 +0000 (UTC)
Message-Id: <20240814131155.C0E571A9243@mollari.NetBSD.org>
Date: Wed, 14 Aug 2024 13:11:55 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: bpf(4) MP-safety issues
X-Send-Pr-Version: www-1.0
>Number: 58596
>Category: kern
>Synopsis: bpf(4) MP-safety issues
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Aug 14 13:15:00 +0000 2024
>Last-Modified: Fri Sep 13 14:15:02 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9, ...
>Organization:
The NeFoundatBPF tion
>Environment:
>Description:
Correctness issues:
1. access to bif_mbuf_head/tail is not serialized by a lock, and it's not clear the caller is always guaranteed to run on the same CPU
2. concurrent bpf_read on the same instance is not serialized, which might lead to uiomove on d->bd_hbuf in one thread while another thread is rotating the buffer
3. selnotify is done outside the lock
4. fownsignal is done in softint context (_bpf_mtap/_bpf_mptap2 -> bpf_deliver -> catchpacket [under pserialize] -> bpf_wakeup -> fownsignal) but takes the adaptive lock proc_lock which is probably forbidden in softint and certainly forbidden during pserialize (comment in bpf_deliver: /* Assume catchpacket doesn't sleep */)
5. updates to bd_pid are not consistently serialized by a lock (also bd_pid concept seems incoherent and appears to be only used for stat, why bother?)
6. bpf_detachd does pserialize_perform under a spin lock (bd_buf_mtx), which is forbidden
7. callout_halt in bpf_ioctl and bpf_read doesn't prevent concurrent select/poll from starting up timer again (also unclear why bpf_ioctl or bpf_read should cancel a concurrent select/poll)
Performance issues:
8. bpf_write shouldn't need to take bd_mtx; should do it with pserialize
>How-To-Repeat:
1. code inspection
2. write a program that opens /dev/bpf and reads from the same fd in two threads at once
>Fix:
Yes, please!
>Audit-Trail:
From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58596 CVS commit: src/sys/net
Date: Thu, 15 Aug 2024 02:22:46 +0000
Module Name: src
Committed By: rin
Date: Thu Aug 15 02:22:46 UTC 2024
Modified Files:
src/sys/net: bpf.c
Log Message:
bpf: Mark bpfread_filtops FILTEROP_MPSAFE
Fix deadlock for non-NET_MPSAFE kernel, reported as
PR kern/58531 (thanks manu@ for test).
I've confirmed that there is no new regression for ATF with
any combination of -HEAD/netbsd-10 and default/NET_MPSAFE
rump kernels (aarch64).
Although, some problems have been reported on MP-safety for
bpf(4), PR kern/58596. But, it should take some time to fix.
At the moment, commit this part in advance.
OK ozaki-r@
To generate a diff of this commit:
cvs rdiff -u -r1.252 -r1.253 src/sys/net/bpf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58596 CVS commit: src/sys/net
Date: Mon, 19 Aug 2024 07:45:31 +0000
Module Name: src
Committed By: ozaki-r
Date: Mon Aug 19 07:45:31 UTC 2024
Modified Files:
src/sys/net: bpf.c bpfdesc.h
Log Message:
bpf: restore wakeup softint
This change fixes the issue that fownsignal which can take an
adaptive mutex is called inside a pserialize read section in
bpf_deliver.
Fix issue #4 (only the latter of two) in PR#58596
To generate a diff of this commit:
cvs rdiff -u -r1.255 -r1.256 src/sys/net/bpf.c
cvs rdiff -u -r1.48 -r1.49 src/sys/net/bpfdesc.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58596 CVS commit: src/sys/net
Date: Mon, 19 Aug 2024 07:47:16 +0000
Module Name: src
Committed By: ozaki-r
Date: Mon Aug 19 07:47:16 UTC 2024
Modified Files:
src/sys/net: bpf.c bpfdesc.h
Log Message:
bpf: protect selnotify and selrecord with bd_buf_mtx
We have to make updates and checks of buffers and calls of
selnotify/selrecord atomic to satisfy constraints of sel* API.
Also, bd_state and bd_cv are protected by bd_buf_mtx now.
Fix issue #3 of PR#58596
Part of the fix is inspired by riastradh's patch.
To generate a diff of this commit:
cvs rdiff -u -r1.256 -r1.257 src/sys/net/bpf.c
cvs rdiff -u -r1.49 -r1.50 src/sys/net/bpfdesc.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58596 CVS commit: [netbsd-10] src/sys/net
Date: Thu, 22 Aug 2024 19:31:08 +0000
Module Name: src
Committed By: martin
Date: Thu Aug 22 19:31:08 UTC 2024
Modified Files:
src/sys/net [netbsd-10]: bpf.c
Log Message:
Pull up following revision(s) (requested by rin in ticket #784):
sys/net/bpf.c: revision 1.253
bpf: Mark bpfread_filtops FILTEROP_MPSAFE
Fix deadlock for non-NET_MPSAFE kernel, reported as
PR kern/58531 (thanks manu@ for test).
I've confirmed that there is no new regression for ATF with
any combination of -HEAD/netbsd-10 and default/NET_MPSAFE
rump kernels (aarch64).
Although, some problems have been reported on MP-safety for
bpf(4), PR kern/58596. But, it should take some time to fix.
At the moment, commit this part in advance.
OK ozaki-r@
To generate a diff of this commit:
cvs rdiff -u -r1.249.2.1 -r1.249.2.2 src/sys/net/bpf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58596 CVS commit: [netbsd-10] src/sys/net
Date: Fri, 13 Sep 2024 14:13:06 +0000
Module Name: src
Committed By: martin
Date: Fri Sep 13 14:13:06 UTC 2024
Modified Files:
src/sys/net [netbsd-10]: bpf.c bpfdesc.h
Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #858):
sys/net/bpfdesc.h: revision 1.49
sys/net/bpf.c: revision 1.256
sys/net/bpf.c: revision 1.257
sys/net/bpfdesc.h: revision 1.50
bpf: restore wakeup softint
This change fixes the issue that fownsignal which can take an
adaptive mutex is called inside a pserialize read section in
bpf_deliver.
Fix issue #4 (only the latter of two) in PR#58596
bpf: protect selnotify and selrecord with bd_buf_mtx
We have to make updates and checks of buffers and calls of
selnotify/selrecord atomic to satisfy constraints of sel* API.
Also, bd_state and bd_cv are protected by bd_buf_mtx now.
Fix issue #3 of PR#58596
Part of the fix is inspired by riastradh's patch.
To generate a diff of this commit:
cvs rdiff -u -r1.249.2.2 -r1.249.2.3 src/sys/net/bpf.c
cvs rdiff -u -r1.48 -r1.48.10.1 src/sys/net/bpfdesc.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58596 CVS commit: [netbsd-9] src/sys/net
Date: Fri, 13 Sep 2024 14:14:41 +0000
Module Name: src
Committed By: martin
Date: Fri Sep 13 14:14:41 UTC 2024
Modified Files:
src/sys/net [netbsd-9]: bpf.c bpfdesc.h
Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1886):
sys/net/bpfdesc.h: revision 1.49
sys/net/bpf.c: revision 1.256
sys/net/bpf.c: revision 1.257
sys/net/bpfdesc.h: revision 1.50
bpf: restore wakeup softint
This change fixes the issue that fownsignal which can take an
adaptive mutex is called inside a pserialize read section in
bpf_deliver.
Fix issue #4 (only the latter of two) in PR#58596
bpf: protect selnotify and selrecord with bd_buf_mtx
We have to make updates and checks of buffers and calls of
selnotify/selrecord atomic to satisfy constraints of sel* API.
Also, bd_state and bd_cv are protected by bd_buf_mtx now.
Fix issue #3 of PR#58596
Part of the fix is inspired by riastradh's patch.
To generate a diff of this commit:
cvs rdiff -u -r1.229.2.3 -r1.229.2.4 src/sys/net/bpf.c
cvs rdiff -u -r1.46 -r1.46.6.1 src/sys/net/bpfdesc.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.