From frank@lap.exit.com  Thu Oct 28 02:22:17 2004
Return-Path: <frank@lap.exit.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2E28316A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Oct 2004 02:22:17 +0000 (GMT)
Received: from tinker.exit.com (tinker.exit.com [206.223.0.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C07CA43D5E
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Oct 2004 02:22:16 +0000 (GMT)
	(envelope-from frank@lap.exit.com)
Received: from lap.exit.com (lap.exit.com [206.223.0.35])
	by tinker.exit.com (8.13.1/8.12.9) with ESMTP id i9S2OUoJ059789
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 27 Oct 2004 19:24:30 -0700 (PDT)
	(envelope-from frank@lap.exit.com)
Received: from lap.exit.com (localhost [127.0.0.1])
	by lap.exit.com (8.13.1/8.13.1) with ESMTP id i9S2MGio000746
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 27 Oct 2004 19:22:16 -0700 (PDT)
	(envelope-from frank@lap.exit.com)
Received: (from frank@localhost)
	by lap.exit.com (8.13.1/8.13.1/Submit) id i9S2MFpC000745;
	Wed, 27 Oct 2004 19:22:15 -0700 (PDT)
	(envelope-from frank)
Message-Id: <200410280222.i9S2MFpC000745@lap.exit.com>
Date: Wed, 27 Oct 2004 19:22:15 -0700 (PDT)
From: Frank Mayhar <frank@lap.exit.com>
Reply-To: Frank Mayhar <frank@exit.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Lock order reversal in ntoskrnl_timercall()
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         73224
>Category:       kern
>Synopsis:       [ndis] [lor] [patch] Lock order reversal in ntoskrnl_timercall()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 28 02:30:24 GMT 2004
>Closed-Date:    Sun May 18 14:34:52 UTC 2008
>Last-Modified:  Sun May 18 14:34:52 UTC 2008
>Originator:     Frank Mayhar
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
Exit Consulting
>Environment:
System: FreeBSD lap 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Oct 27 18:08:57 PDT 2004 frank@lap:/home/obj/usr/src/sys/AUTON i386

	This happened on boot of a DIAGNOSTIC kernel.

lock order reversal
 1st 0xc06c90c0 dont_sleep_in_callout (dont_sleep_in_callout) @ /usr/src/sys/kern/kern_timeout.c:257
 2nd 0xc06c75a0 Giant (Giant) @ /usr/src/sys/modules/ndis/../../compat/ndis/subr_ntoskrnl.c:1647
KDB: stack backtrace:
kdb_backtrace(0,ffffffff,c06cf7c0,c06d06e8,c069a2dc) at kdb_backtrace+0x29
witness_checkorder(c06c75a0,9,c0d0a5f2,66f) at witness_checkorder+0x544
_mtx_lock_flags(c06c75a0,0,c0d0a5f2,66f,c1fd3360) at _mtx_lock_flags+0x5b
ntoskrnl_timercall(c1fd3360,c06c90c0,0,c0665fbd,101) at ntoskrnl_timercall+0x98
softclock(0) at softclock+0x1af
ithread_loop(c1d8fc80,d55e8d48,c1d8fc80,c04e6160,0) at ithread_loop+0x124
fork_exit(c04e6160,c1d8fc80,d55e8d48) at fork_exit+0xa4
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd55e8d7c, ebp = 0 ---
KDB: enter: witness_checkorder

#1  0xc0517083 in witness_checkorder (lock=0xc06c75a0, flags=0x9, 
    file=0xc0d0a5f2 "/usr/src/sys/modules/ndis/../../compat/ndis/subr_ntoskrnl.c", line=0x66f)
    at /usr/src/sys/kern/subr_witness.c:952
#2  0xc04f0233 in _mtx_lock_flags (m=0xc06c75a0, opts=0x0, 
    file=0xc0d0a5f2 "/usr/src/sys/modules/ndis/../../compat/ndis/subr_ntoskrnl.c", line=0x66f)
    at /usr/src/sys/kern/kern_mutex.c:271
#3  0xc0d07410 in ntoskrnl_timercall (arg=0xc1fd3360)
    at /usr/src/sys/modules/ndis/../../compat/ndis/subr_ntoskrnl.c:1647
#4  0xc0503307 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:259
#5  0xc04e6284 in ithread_loop (arg=0xc1d8fc80) at /usr/src/sys/kern/kern_intr.c:547
#6  0xc04e5694 in fork_exit (callout=0xc04e6160 <ithread_loop>, arg=0xc1d8fc80, frame=0xd55e8d48)
    at /usr/src/sys/kern/kern_fork.c:811
#7  0xc0614e3c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209


The ntoskrnl_timercall() drops Giant on entry and tries to pick it up again
on exit.  I suspect that it shouldn't do anything with Giant at all, but I
don't know the code well enough to say that for certain.  Assuming that my
suspicion is correct, though, the patch would be:

Index: subr_ntoskrnl.c
===================================================================
RCS file: /cvs/repos/src/sys/compat/ndis/subr_ntoskrnl.c,v
retrieving revision 1.43.2.1
diff -u -r1.43.2.1 subr_ntoskrnl.c
--- subr_ntoskrnl.c     13 Oct 2004 19:23:33 -0000      1.43.2.1
+++ subr_ntoskrnl.c     28 Oct 2004 02:14:39 -0000
@@ -1616,8 +1616,6 @@
        ktimer                  *timer;
        struct timeval          tv;
 
-       mtx_unlock(&Giant);
-
        timer = arg;
 
        timer->k_header.dh_inserted = FALSE;
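Review bot: the mtx_unlock(&Giant) removed at the top of ntoskrnl_timercall() is only balanced if the mtx_lock(&Giant) before the function's return goes in the same commit (the next hunk removes it); applied on its own, this hunk would leave the callout retaking a Giant it never released, and because Giant is recursive that surfaces as an extra held reference after return rather than an immediate panic. It is also worth spelling out in the commit message why the unlock was ever valid: witness fired at the relock (subr_ntoskrnl.c:1647 in the backtrace), not at this unlock, so Giant was held on entry, i.e. softclock() runs this as a non-MPSAFE callout with Giant taken; with the unlock gone the whole body now executes under Giant, which is the actual behavioural change here, beyond silencing the LOR.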
@@ -1644,8 +1642,6 @@
 
        ntoskrnl_wakeup(&timer->k_header);
 
-       mtx_lock(&Giant);
-
        return;
 }
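Review bot: this mtx_lock(&Giant) is the acquisition witness reported (subr_ntoskrnl.c:1647, Giant taken while dont_sleep_in_callout, acquired by softclock() at kern_timeout.c:257, is still held), so removing it is what clears the reversal; once the function neither drops nor takes Giant, the `return;` sitting directly before the closing brace is the only statement left after ntoskrnl_wakeup() and could be dropped in the same change. Keep in mind that ntoskrnl_wakeup() and the timer bookkeeping above it now run with Giant held for the callout's whole duration instead of without it, so anything on that path that was written to run Giant-free should be checked, although nothing in the visible lines depends on it.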

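Added example, not part of the PR and not FreeBSD's subr_witness.c: a toy lock-order checker in C that reproduces the mechanism behind the report above. It models softclock() running a non-MPSAFE callout on a DIAGNOSTIC kernel (Giant taken first, then dont_sleep_in_callout held around the callout body) and shows that an mtx_unlock(&Giant)/mtx_lock(&Giant) pair inside the callout is flagged as a reversal of the Giant-before-dont_sleep_in_callout order the checker has already learned, while a callout that leaves Giant alone is not. The function names (witness_lock, witness_unlock, witness_reset, simulate_timer_callout), the lock table sizes and the per-thread held-lock stack are all inventions of this example.

```c
/* Toy witness(4)-style lock order checker, written for this page as an
 * illustration; not FreeBSD's subr_witness.c.  All names are invented. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXLOCKS 8
#define MAXHELD  8

static bool        order_seen[MAXLOCKS][MAXLOCKS]; /* [a][b]: b taken with a held */
static const char *lock_names[MAXLOCKS];
static int         nlocks;

struct thread {			/* per-thread held-lock stack, oldest first */
	int held[MAXHELD];
	int nheld;
};

static int
lock_id(const char *name)
{
	for (int i = 0; i < nlocks; i++)
		if (strcmp(lock_names[i], name) == 0)
			return (i);
	lock_names[nlocks] = name;
	return (nlocks++);
}

void
witness_reset(void)		/* forget learned orderings between scenarios */
{
	memset(order_seen, 0, sizeof(order_seen));
	nlocks = 0;
}

/*
 * Acquire `name`.  Returns true if some currently held lock h was earlier
 * acquired while `name` was held: taking `name` now reverses that order.
 * The "h before name" relation is recorded either way, as witness does.
 */
bool
witness_lock(struct thread *td, const char *name)
{
	int id = lock_id(name);
	bool reversal = false;

	for (int i = 0; i < td->nheld; i++) {
		int h = td->held[i];
		if (order_seen[id][h]) {
			printf("lock order reversal\n 1st %s\n 2nd %s\n",
			    lock_names[h], name);
			reversal = true;
		}
		order_seen[h][id] = true;
	}
	td->held[td->nheld++] = id;
	return (reversal);
}

/* Release `name`; it need not be the most recently acquired lock. */
void
witness_unlock(struct thread *td, const char *name)
{
	int id = lock_id(name);

	for (int i = 0; i < td->nheld; i++)
		if (td->held[i] == id) {
			memmove(&td->held[i], &td->held[i + 1],
			    (size_t)(td->nheld - i - 1) * sizeof(td->held[0]));
			td->nheld--;
			return;
		}
}

/*
 * softclock() running a non-MPSAFE callout on a DIAGNOSTIC kernel: Giant is
 * taken first, then dont_sleep_in_callout is held around the callout body.
 * `drop_giant` selects whether the body does the mtx_unlock(&Giant) /
 * mtx_lock(&Giant) pair that the patch removes.  Returns the reversal count.
 */
int
simulate_timer_callout(bool drop_giant)
{
	struct thread td = { .nheld = 0 };
	int reversals = 0;

	witness_reset();
	reversals += witness_lock(&td, "Giant");
	reversals += witness_lock(&td, "dont_sleep_in_callout");
	if (drop_giant) {		/* ntoskrnl_timercall() as shipped */
		witness_unlock(&td, "Giant");
		/* ... timer bookkeeping, ntoskrnl_wakeup() ... */
		reversals += witness_lock(&td, "Giant");	/* the LOR */
	}
	witness_unlock(&td, "dont_sleep_in_callout");
	witness_unlock(&td, "Giant");
	return (reversals);
}

int
main(void)
{
	printf("drop/retake Giant: %d, leave it: %d\n",
	    simulate_timer_callout(true), simulate_timer_callout(false));
	return (0);
}
```

The toy learns "Giant before dont_sleep_in_callout" from the same softclock() entry that then runs the callout; in the real kernel witness picked that order up from earlier non-MPSAFE callouts, which is why the relock at subr_ntoskrnl.c:1647 is reported as "1st dont_sleep_in_callout, 2nd Giant" rather than as a fresh ordering.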
>Description:
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

From: Frank Mayhar <frank@exit.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: i386/73224: Lock order reversal in ntoskrnl_timercall()
Date: Fri, 29 Oct 2004 17:12:29 -0700 (PDT)

 It appears that there is another LOR just like this one in if_ndis.c in
 the ndis_timer() function.  Patch is below, I've been running for a short
 time with the two patches without obvious incident other than the preexisting
 panic that I've been trying to track down...
 
 Index: sys/compat/ndis/subr_ntoskrnl.c
 ===================================================================
 RCS file: /cvs/repos/src/sys/compat/ndis/subr_ntoskrnl.c,v
 retrieving revision 1.43.2.1
 diff -u -r1.43.2.1 subr_ntoskrnl.c
 --- sys/compat/ndis/subr_ntoskrnl.c     13 Oct 2004 19:23:33 -0000      1.43.2.1
 +++ sys/compat/ndis/subr_ntoskrnl.c     30 Oct 2004 00:10:30 -0000
 @@ -1616,8 +1616,6 @@
         ktimer                  *timer;
         struct timeval          tv;
  
 -       mtx_unlock(&Giant);
 -
         timer = arg;
  
         timer->k_header.dh_inserted = FALSE;
 @@ -1644,8 +1642,6 @@
  
         ntoskrnl_wakeup(&timer->k_header);
  
 -       mtx_lock(&Giant);
 -
         return;
  }
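Review bot: both subr_ntoskrnl.c hunks in this resend are the same as in the original report apart from the sys/ path prefix and the +++ timestamp (30 Oct vs 28 Oct), so the comments on the first submission apply unchanged: the entry unlock and the exit lock must be removed together, and the body of ntoskrnl_timercall() now runs under Giant rather than with it dropped.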
  
 Index: sys/dev/if_ndis/if_ndis.c
 ===================================================================
 RCS file: /cvs/repos/src/sys/dev/if_ndis/if_ndis.c,v
 retrieving revision 1.69.2.2
 diff -u -r1.69.2.2 if_ndis.c
 --- sys/dev/if_ndis/if_ndis.c   23 Oct 2004 18:56:39 -0000      1.69.2.2
 +++ sys/dev/if_ndis/if_ndis.c   30 Oct 2004 00:10:30 -0000
 @@ -1061,16 +1061,12 @@
  {
         struct ndis_softc       *sc;
  
 -       mtx_unlock(&Giant);
 -
         sc = xsc;
  
         ndis_sched(ndis_ticktask, sc, NDIS_TASKQUEUE);
         sc->ndis_stat_ch = timeout(ndis_tick, sc, hz *
             sc->ndis_block.nmb_checkforhangsecs);
  
 -       mtx_lock(&Giant);
 -
         return;
  }
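Review bot: the Giant unlock/lock pair removed here sits in a timeout(9) callback (ndis_tick re-arms itself with timeout() two lines below the ndis_sched() call), and timeout(9) callouts are run by softclock() with Giant held, so the mtx_unlock was releasing the Giant softclock() had taken for this callback and the mtx_lock on the way out was the same reversal against dont_sleep_in_callout as in subr_ntoskrnl.c; after the hunk, ndis_sched() and the re-arming timeout() call run under Giant, which is the normal condition for a timeout(9) callback, so this is consistent with the first patch. Same two remarks as there: the body now runs with Giant held throughout, so this is a behaviour change and not only a witness fix, and the trailing `return;` before the closing brace is now the only statement after timeout() and could go in the same change.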
 
 -- 
 Frank Mayhar frank@exit.com	http://www.exit.com/
 Exit Consulting                 http://www.gpsclock.com/
                                 http://www.exit.com/blog/frank/
Responsible-Changed-From-To: freebsd-i386->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Oct 30 05:45:31 GMT 2004 
Responsible-Changed-Why:  
This does not sound i386-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73224 
Responsible-Changed-From-To: freebsd-bugs->freebsd-emulation 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Sep 14 00:07:51 GMT 2005 
Responsible-Changed-Why:  
Bug in the emulation code. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73224 
Responsible-Changed-From-To: freebsd-emulation->emulation 
Responsible-Changed-By: gerald 
Responsible-Changed-When: Mon Oct 3 19:03:16 GMT 2005 
Responsible-Changed-Why:  
Use canonical name for the emulation mailing list. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73224 
Responsible-Changed-From-To: freebsd-emulation->wpaul 
Responsible-Changed-By: netchild 
Responsible-Changed-When: Thu Dec 29 15:47:27 UTC 2005 
Responsible-Changed-Why:  
Bill is the NDIS guru, let him decide what to do with this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73224 
Responsible-Changed-From-To: wpaul->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Jul 31 07:33:59 UTC 2007 
Responsible-Changed-Why:  
Reassign from inactive committer. 

Hat:		bugmeister 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73224 
State-Changed-From-To: open->closed 
State-Changed-By: matteo 
State-Changed-When: Sun 18 May 2008 14:32:24 UTC 
State-Changed-Why:  
ndis(4) looks free from Giant now. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73224 
>Unformatted:
