[HEADSUP] if_watchdog considered unsafe

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Fri, 1 Dec 2006 14:06:23 +0300
  Not a HEADSUP really, but just an announcement.

  Every interface structure in the kernel has an integer field
called if_timer. A periodic event in the network stack goes through
the list of interfaces and checks whether the timer is charged to
some non-zero value. If it is, then if_timer is decremented and,
if it has just reached zero, the interface's if_watchdog
method is called. The if_watchdog method usually resets the
hardware.

 Not all interface structures use this API. All virtual interfaces
like tun(4), bridge(4), ng_iface(4), carp(4), etc., do not use
it, but if_timer and if_watchdog fields are present in their
struct ifnet.

  During 6.2-RELEASE preparation it was found that the race between
if_slowtimo() checking the ifp->if_timer and driver updating the
ifp->if_timer is real and hit in practice, at least for the
em(4) driver.

  Since the driver mutex is opaque to the network stack, it is
impossible to lock access to if_timer in if_slowtimo(). So,
it was decided that the drivers that really need to care about
hardware hangs should use their own locked callout to check
for hardware problems.

  A patch has been committed to HEAD, that prints a warning if
driver uses unsafe if_watchdog API. If you see such a warning,
do not worry. Your system has the same chance to hit the race
as it had before :)

  If you want, you can convert the driver you are using to do
the watchdog job itself and not use if_watchdog. ATM, three
drivers have been converted to handle the watchdog themselves:
em(4), bge(4) and fxp(4). You can take them as examples.
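The following is an added userland model of the two designs described above; it is not code from FreeBSD or from any of the converted drivers. `struct ifnet_model`, `struct driver_softc` and the `unsafe_*`/`safe_*` functions are constructed for illustration, and the interleaving in `run_unsafe_race()` is a fixed schedule standing in for the kernel scheduler. The unsafe half mirrors the stack-owned if_timer being decremented by if_slowtimo() while the driver writes it without a shared lock; the safe half mirrors a driver that owns both the timer and the mutex and checks it from its own periodic tick (a callout in the kernel).

```c
#include <pthread.h>
#include <stdio.h>

/* Constructed stand-in for the stack-owned ifnet fields (not struct ifnet). */
struct ifnet_model {
    int if_timer;        /* seconds until if_watchdog fires; 0 = not charged */
    int watchdog_calls;  /* how often the (simulated) if_watchdog ran */
};

/* Result record shared by the demonstrations below. */
struct wd_result { int timer_after; int watchdog_calls; };

/*
 * Unsafe design: the stack's check-decrement-call is a read-modify-write on
 * a field the driver also writes, and the stack cannot take the driver's
 * lock. It is split into two halves here so a driver write can be placed
 * between them deterministically.
 */
static int unsafe_slowtimo_read(const struct ifnet_model *ifp)
{
    return ifp->if_timer;            /* snapshot taken with no driver lock */
}

static void unsafe_slowtimo_write(struct ifnet_model *ifp, int snapshot)
{
    if (snapshot == 0)
        return;                      /* timer not charged, nothing to do */
    ifp->if_timer = snapshot - 1;    /* overwrites whatever the driver set */
    if (ifp->if_timer == 0)
        ifp->watchdog_calls++;       /* if_watchdog(): would reset hardware */
}

static void unsafe_driver_arm(struct ifnet_model *ifp, int secs)
{
    ifp->if_timer = secs;            /* driver: packet queued, rearm timer */
}

/* Schedule: stack reads 1, driver rearms to 5, stack writes back 0 and
 * calls the watchdog. The rearm is lost and busy hardware gets reset. */
static struct wd_result run_unsafe_race(void)
{
    struct ifnet_model ifp = { .if_timer = 1, .watchdog_calls = 0 };
    int snap = unsafe_slowtimo_read(&ifp);
    unsafe_driver_arm(&ifp, 5);
    unsafe_slowtimo_write(&ifp, snap);
    return (struct wd_result){ ifp.if_timer, ifp.watchdog_calls };
}

/*
 * Safe design: the driver owns the timer and the lock, and the periodic
 * tick takes that lock, so there is no window between the read and the
 * write for a driver update to land in.
 */
struct driver_softc {
    pthread_mutex_t mtx;
    int wd_timer;
    int watchdog_calls;
};

static void safe_driver_init(struct driver_softc *sc)
{
    pthread_mutex_init(&sc->mtx, NULL);
    sc->wd_timer = 0;
    sc->watchdog_calls = 0;
}

static void safe_driver_arm(struct driver_softc *sc, int secs)
{
    pthread_mutex_lock(&sc->mtx);
    sc->wd_timer = secs;
    pthread_mutex_unlock(&sc->mtx);
}

/* What the driver's own callout would run once per second. */
static void safe_tick(struct driver_softc *sc)
{
    pthread_mutex_lock(&sc->mtx);
    if (sc->wd_timer > 0 && --sc->wd_timer == 0)
        sc->watchdog_calls++;        /* genuine expiry: reset hardware */
    pthread_mutex_unlock(&sc->mtx);
}

/* Same events as the race, but the rearm can only happen before or after
 * an atomic tick: 1 -> 5 -> 4, and the watchdog does not fire. */
static struct wd_result run_safe_sequence(void)
{
    struct driver_softc sc;
    safe_driver_init(&sc);
    safe_driver_arm(&sc, 1);
    safe_driver_arm(&sc, 5);
    safe_tick(&sc);
    pthread_mutex_destroy(&sc.mtx);
    return (struct wd_result){ sc.wd_timer, sc.watchdog_calls };
}

int main(void)
{
    struct wd_result u = run_unsafe_race(), s = run_safe_sequence();
    printf("unsafe: if_timer=%d watchdog_calls=%d (rearm lost)\n",
           u.timer_after, u.watchdog_calls);
    printf("safe:   wd_timer=%d watchdog_calls=%d\n",
           s.timer_after, s.watchdog_calls);
    return 0;
}
```

The point of the model is the lock placement, not the timer arithmetic: in the unsafe design the decrement and the driver's write touch the same field under different (or no) locks, so a correct sequence of events can still end with the watchdog resetting a busy controller. In the safe design the driver's own mutex covers both the tick and the rearm, which is exactly the property the converted em(4), bge(4) and fxp(4) drivers obtain by running their watchdog check from a locked callout.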

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
Received on Fri Dec 01 2006 - 10:06:26 UTC