On Wed, Sep 01, 2021 at 08:53:35AM +0200, Martin Pieuchot wrote:
> syzkaller reported [0] the following lock ordering issue:
>
> db{0}> trace
> db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
> panic(ffffffff82464b8f) at panic+0x177 sys/kern/subr_prf.c:202
> witness_checkorder(ffffffff82838c20,9,0) at witness_checkorder+0x11eb
> sys/kern/subr_witness.c:833
> __mp_lock(ffffffff82838a18) at __mp_lock+0xa1 read_rflags
> machine/cpufunc.h:195 [inline]
> __mp_lock(ffffffff82838a18) at __mp_lock+0xa1 intr_disable
> machine/cpufunc.h:216 [inline]
> __mp_lock(ffffffff82838a18) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
> intr_handler(ffff80002123ad80,ffff800000255d80) at intr_handler+0x5e
> sys/arch/amd64/amd64/intr.c:532
> Xintr_ioapic_edge20_untramp() at Xintr_ioapic_edge20_untramp+0x18f
> Xspllower() at Xspllower+0x19
> mtx_enter_try(ffffffff829b8d10) at mtx_enter_try+0x100
> mtx_enter(ffffffff829b8d10) at mtx_enter+0x4b sys/kern/kern_lock.c:266
> pool_get(ffffffff829b8d10,9) at pool_get+0xbf sys/kern/subr_pool.c:581
> vm_create(ffff800000b29000,ffff8000211922a8) at vm_create+0x261
> sys/arch/amd64/amd64/vmm.c:1526
> vmmioctl(a00,c5005601,ffff800000b29000,1,ffff8000211922a8) at vmmioctl+0x1f2
> VOP_IOCTL(fffffd806e213830,c5005601,ffff800000b29000,1,fffffd807f7d8840,ffff8000211922a8)
> at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:295
> vn_ioctl(fffffd806e4aca28,c5005601,ffff800000b29000,ffff8000211922a8) at
> vn_ioctl+0xba sys/kern/vfs_vnops.c:531
> sys_ioctl(ffff8000211922a8,ffff80002123b398,ffff80002123b3e0) at
> sys_ioctl+0x4a2
>
>
> The issue is that pool_get(9) at line 1526 is done after grabbing the
> `vm_lock'. If an interrupt needing the KERNEL_LOCK() occurs at that
> moment the above mentionned lock ordering problem could cause a
> deadlock.
>
> To prevent such issue we generally mark the pool with IPL_MPFLOOR.
>
> [0]
> https://syzkaller.appspot.com/bug?id=c73756cc996a58a625da35fbaa90ba6b9e0c60dc
>
Thanks, will take a look. This was introduced yesterday with the new vcpu
locking
diff.
-ml
> Index: arch/amd64/amd64/vmm.c
> ===================================================================
> RCS file: /cvs/src/sys/arch/amd64/amd64/vmm.c,v
> retrieving revision 1.287
> diff -u -p -r1.287 vmm.c
> --- arch/amd64/amd64/vmm.c 31 Aug 2021 17:40:59 -0000 1.287
> +++ arch/amd64/amd64/vmm.c 1 Sep 2021 06:45:38 -0000
> @@ -430,7 +430,7 @@ vmm_attach(struct device *parent, struct
>
> pool_init(&vm_pool, sizeof(struct vm), 0, IPL_NONE, PR_WAITOK,
> "vmpool", NULL);
> - pool_init(&vcpu_pool, sizeof(struct vcpu), 64, IPL_NONE, PR_WAITOK,
> + pool_init(&vcpu_pool, sizeof(struct vcpu), 64, IPL_MPFLOOR, PR_WAITOK,
> "vcpupl", NULL);
>
> vmm_softc = sc;
>
