Re: kern/56844: delete auto-modified network route crash

[Taylor R Campbell <riastradh%NetBSD.org@localhost>]

The following reply was made to PR port-amd64/56844; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: ocb%l25.fi@localhost, ozaki-r%NetBSD.org@localhost
Subject: Re: kern/56844: delete auto-modified network route crash
Date: Sat, 3 Dec 2022 02:36:47 +0000

 There's some logic in rt_free to defer the freeing action to workqueue
 if the caller is in softint, presumably because cv_wait tripped an
 assertion that forbids sleeping in softint context:
 
 void
 rt_free(struct rtentry *rt)
 {
 
         KASSERTMSG(rt->rt_refcnt > 0, "rt_refcnt=3D%d", rt->rt_refcnt);
         if (rt_wait_ok()) {
                 atomic_dec_uint(&rt->rt_refcnt);
                 _rt_free(rt);
                 return;
         }
 
         mutex_enter(&rt_free_global.lock);
         /* No need to add a reference here. */
         SLIST_INSERT_HEAD(&rt_free_global.queue, rt, rt_free);
         if (!rt_free_global.enqueued) {
                 workqueue_enqueue(rt_free_global.wq, &rt_free_global.wk, NU=
 LL);
                 rt_free_global.enqueued =3D true;
         }
         mutex_exit(&rt_free_global.lock);
 }
 
 Unfortunately, this doesn't work.  It appears that some lock is held
 around the rt_free and cv_wait (probably softnet_lock), and that lock
 is taken in softint context, so cv_wait under it is forbidden too --
 but there's no assertion to catch it, so _most_ of the time this code
 gets away with it.  That is, until someone hits a softint deadlock.
 
 I think for now rt_wait_ok should be made to always return false, but
 this logic needs some more thought to ensure starvation won't happen.