From owner-freebsd-current@FreeBSD.ORG Sun Sep 28 14:30:44 2008
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8FA111065689 for ; Sun, 28 Sep 2008 14:30:44 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id 68D2C8FC13 for ; Sun, 28 Sep 2008 14:30:44 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by cyrus.watson.org (Postfix) with ESMTP id E780B46B85; Sun, 28 Sep 2008 10:30:43 -0400 (EDT)
Date: Sun, 28 Sep 2008 15:30:43 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Stefan Ehmann
In-Reply-To: <200809262233.59216.shoesoft@gmx.net>
Message-ID:
References: <200809231851.42849.shoesoft@gmx.net> <200809260408.35831.shoesoft@gmx.net> <200809262233.59216.shoesoft@gmx.net>
User-Agent: Alpine 1.10 (BSF 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-current@freebsd.org
Subject: Re: ipfw: LOR/panic with uid rules
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 28 Sep 2008 14:30:44 -0000

On Fri, 26 Sep 2008, Stefan Ehmann wrote:

> > > #10 0xc07eccd6 in _rw_rlock (rw=0xc0e5acec, file=0xc103ceed
> > > "/usr/src/sys/modules/ipfw/../../netinet/ip_fw2.c", line=2020) at
> > > /usr/src/sys/kern/kern_rwlock.c:283
> > >
> > > #11 0xc103b92a in ipfw_chk (args=0xc47328a8) at
> > > /usr/src/sys/modules/ipfw/../../netinet/ip_fw2.c:2020
> >
> > This surprises me -- in principle we've passed down 'inp' so there
> > should be no need to look it up. In higher frames, 'inp' is definitely
> > non-NULL, so what happened here?
> > Could you print out the values of the
> > local variables in the check_uidgid() frame? Especially, 'inp' and
> > 'lookup'?
>
> Something seems to be broken or I'm doing something wrong. I can't access
> the locals:

Dear Stefan:

Could you update to ip_fw2.c:1.195? I've fixed an issue there that caused
ipfw to look up the inpcb even though it was passed down in the case that a
TCP connection was in TIMEWAIT:

revision 1.195
date: 2008/09/27 19:28:28;  author: rwatson;  state: Exp;  lines: +2 -1
SVN rev 183418 on 2008-09-27 19:28:28Z by rwatson

When an inpcb doesn't have a socket but the inpcb is passed to ipfw in the
transmit path, such as TCPS_TIMEWAIT, fail the credential extraction
immediately rather than acquiring locks and looking up the inpcb on the
global lists in order to reach the conclusion that the credential
extraction has failed.  This is more efficient, but more importantly, it
avoids lock recursion on the inpcbinfo, which is no longer allowed with
rwlocks.  This appears to have been responsible for at least two reported
panics.

MFC after:      3 days
Reported by:    ganbold

Robert N M Watson
Computer Laboratory
University of Cambridge
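Added illustration, not part of the mail above and not FreeBSD kernel code: a self-contained user-space C model of the failure the commit log describes. The transmit-path caller already holds the pcbinfo lock read-locked and passes down an inpcb that has no socket (the TIMEWAIT case). The pre-fix path, modelled here as `check_uidgid_old`, falls back to a global lookup and so re-acquires the same lock, which a FreeBSD rwlock does not permit; the post-fix path, `check_uidgid_new`, fails the credential extraction at once when the passed-in inpcb has no socket and only looks up when no inpcb was passed at all. All names (`model_rwlock`, `pcbinfo_lock`, `lookup_pcb`, the two-entry pcb table, the port numbers and uid) are simplified stand-ins chosen for the model, not the real kernel structures or the real ip_fw2.c code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy read lock: like a FreeBSD rwlock it must not be re-acquired by a
 * holder.  Single-threaded model, so depth>0 on rlock means recursion. */
struct model_rwlock { int read_depth; bool recursed; };

static void model_rlock(struct model_rwlock *rw)
{
    if (rw->read_depth > 0)
        rw->recursed = true;          /* the real kernel would panic here */
    rw->read_depth++;
}

static void model_runlock(struct model_rwlock *rw) { rw->read_depth--; }

struct socket { int so_uid; };
struct inpcb  { struct socket *inp_socket; int inp_lport; }; /* socket NULL in TIMEWAIT */

/* Constructed pcb table and its lock (stand-in for the inpcbinfo lists). */
#define NPCB 2
static struct model_rwlock pcbinfo_lock;
static struct socket       sshd_so = { .so_uid = 1001 };   /* assumed uid */
static struct inpcb        pcb_list[NPCB];

static void setup_model(void)
{
    pcb_list[0] = (struct inpcb){ .inp_socket = &sshd_so, .inp_lport = 22 };
    pcb_list[1] = (struct inpcb){ .inp_socket = NULL,     .inp_lport = 8080 };
    pcbinfo_lock = (struct model_rwlock){ 0 };
}

/* Global lookup: takes the pcbinfo lock for the duration of the scan. */
static struct inpcb *lookup_pcb(int lport)
{
    struct inpcb *found = NULL;
    model_rlock(&pcbinfo_lock);
    for (int i = 0; i < NPCB; i++)
        if (pcb_list[i].inp_lport == lport)
            found = &pcb_list[i];
    model_runlock(&pcbinfo_lock);
    return found;
}

/* 0 = credential extracted into *uid_out, -1 = extraction failed. */
static int extract_uid(const struct inpcb *inp, int *uid_out)
{
    if (inp == NULL || inp->inp_socket == NULL)
        return -1;
    *uid_out = inp->inp_socket->so_uid;
    return 0;
}

/* Model of the pre-fix behaviour: no usable credential on the passed-in
 * inpcb, so fall back to the global lookup (re-taking the lock). */
static int check_uidgid_old(const struct inpcb *inp, int lport, int *uid_out)
{
    if (inp == NULL || inp->inp_socket == NULL)
        inp = lookup_pcb(lport);
    return extract_uid(inp, uid_out);
}

/* Model of the fix: an inpcb without a socket fails immediately; the
 * lookup happens only when no inpcb was passed down at all. */
static int check_uidgid_new(const struct inpcb *inp, int lport, int *uid_out)
{
    if (inp != NULL && inp->inp_socket == NULL)
        return -1;
    if (inp == NULL)
        inp = lookup_pcb(lport);
    return extract_uid(inp, uid_out);
}

typedef int (*check_fn)(const struct inpcb *, int, int *);

/* Transmit path with the lock already held and a TIMEWAIT inpcb passed in.
 * Returns true if the check recursed on pcbinfo_lock; *rc_out gets its result. */
static bool timewait_case(check_fn fn, int *rc_out)
{
    int uid = -1;
    setup_model();
    model_rlock(&pcbinfo_lock);               /* held by the caller */
    *rc_out = fn(&pcb_list[1], 8080, &uid);
    model_runlock(&pcbinfo_lock);
    return pcbinfo_lock.recursed;
}

/* No inpcb passed down: the fixed path still resolves the owner by lookup. */
static int no_inpcb_case(int *uid_out)
{
    setup_model();
    return check_uidgid_new(NULL, 22, uid_out);
}

int main(void)
{
    int rc, uid = 0;
    printf("old path recursed: %d (rc=%d)\n", timewait_case(check_uidgid_old, &rc), rc);
    printf("new path recursed: %d (rc=%d)\n", timewait_case(check_uidgid_new, &rc), rc);
    rc = no_inpcb_case(&uid);
    printf("no inpcb passed: rc=%d uid=%d\n", rc, uid);
    return 0;
}
```

Both paths reach the same verdict for the TIMEWAIT inpcb (extraction fails), which is the point of the commit log: the old path did the locking and lookup only to arrive at a conclusion already known from the passed-in inpcb, and in doing so recursed on a lock the caller held. The model's `recursed` flag stands in for the panic the real rwlock would raise.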