kern/59576: viogpu causes race condition between pckbd_enable and pckbd_set_leds

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/59576: viogpu causes race condition between pckbd_enable and pckbd_set_leds
From: alex14fr%gmail.com@localhost
Date: Wed, 6 Aug 2025 08:20:00 +0000 (UTC)

>Number:         59576
>Category:       kern
>Synopsis:       viogpu causes race condition between pckbd_enable and pckbd_set_leds
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 06 08:20:00 +0000 2025
>Originator:     Alexandre Janon
>Release:        11
>Organization:
>Environment:
NetBSD netbsd 11.99.1 NetBSD 11.99.1 (GENERIC) #0: Mon Aug  4 11:53:52 UTC 2025  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When using virtio-gpu-vga device of QEMU 10.3 with one vCPU with NetBSD as guest OS, pckbd_enable fails with the following in dmesg:

[     1.058498] viogpu0: 1920x1023, 32bpp
[     1.058498] wsdisplay0 at viogpu0 kbdmux 1
[     1.058498] wsmux1: connecting to wsdisplay0
[     1.529788] pckbd_enable: command error

and keyboard doesn't work in the viogpu display.

The problem doesn't arise with qemu's stdvga (-vga std), or virtio-gpu-vga with multiple vCPUs (-smp n with n>1).

>How-To-Repeat:
qemu command line:

qemu-system-x86_64 -enable-kvm -m1024 -drive if=virtio,file=NetBSD-11.99.1-amd64-live.img -vga virtio

>Fix:
The problem seems to be caused by a race condition with the pckbc interrupt handler and pckbd_enable (which uses pckbport_poll_cmd):

- pckbd_enable uses pckbport_poll_cmd to send KBC_ENABLE command
- pckbcintr fires, causing a call to pckbd_set_leds
- pckbd_set_leds sends a KBC_MODEIND keyboard command, waits for acknowledgement but eats the acknowledgement of KBC_ENABLE that should have been read by pckbd_enable/pckbport_poll_cmd
- pckbd_enable/pckbport_poll_cmd is unable to get acknowledgement, and reports failure.

Using spltty fixes the problem (see the diff below), not sure if this is the right thing to do though.

--- sys/dev/pckbport/pckbd.c	2024-02-09 23:08:36.000000000 +0100
+++ sys/dev/pckbport/pckbd.c	2025-08-06 09:33:56.097180758 +0200
@@ -459,6 +459,7 @@
 	struct pckbd_softc *sc = v;
 	int res;
 	u_char cmd[1];
+	int s;
 
 	if (on) {
 		if (sc->sc_enabled) {
@@ -466,18 +467,24 @@
 			return EBUSY;
 		}
 
+		s = spltty();
 		pckbport_slot_enable(sc->id->t_kbctag, sc->id->t_kbcslot, 1);
 
 		cmd[0] = KBC_ENABLE;
 		res = pckbport_poll_cmd(sc->id->t_kbctag, sc->id->t_kbcslot,
 		    cmd, 1, 0, NULL, 0);
+		splx(s);
+
 		if (res) {
 			printf("%s: command error\n", __func__);
 			return res;
 		}
 
+		s = spltty();
 		res = pckbd_set_xtscancode(sc->id->t_kbctag,
 		    sc->id->t_kbcslot, sc->id);
+		splx(s);
+
 		if (res)
 			return res;

Prev by Date: Re: bin/59575: bind upgrade issues postinstall probably should help with
Next by Date: Re: toolchain/59549: gdb is not ctype(3) safe
Previous by Thread: bin/59575: bind upgrade issues postinstall probably should help with
Next by Thread: Re: kern/59576: viogpu causes race condition between pckbd_enable and pckbd_set_leds
Indexes:

Home | Main Index | Thread Index | Old Index