Message-Id: <201303051554.r25Fso9u024295@red.freebsd.org>
Date: Tue, 5 Mar 2013 15:54:50 GMT
From: Lutz Donnerhacke
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/176667: libalias locks on uninitalized data

>Number: 176667
>Category: kern
>Synopsis: libalias locks on uninitalized data
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 05 16:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Lutz Donnerhacke
>Release: FreeBSD 8.3-RELEASE (GENERIC)
>Organization: IKS Service GmbH
>Environment:
FreeBSD server7.net.encoline.de 8.3-RELEASE FreeBSD 8.3-RELEASE #0: Mon Apr 9 21:23:18 UTC 2012 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
While testing terminating a huge number of PPPoX clients, the kernel panics while doing in-kernel NAT.

#4 0xffffffff808e8775 at calltrap+0x8
#5 0xffffffff80fa0f01 at HouseKeeping+0xa1
#6 0xffffffff80f9e6ab at LibAliasOutLocked+0x3b

Please note that the stack trace is incomplete. There are calls to IncrementalCleanup() and DeleteLink(), which are not reported in the stack trace.

The problem seems to come from incorrect locking, so the contents of the libalias database get corrupted.

This patch might not be the full solution, but is an obvious fix for an obvious bug.
>How-To-Repeat:
Set up ipfw nat, add more than 9000 clients using mpd5.6, generate traffic.
>Fix:
--- sys/netinet/libalias/alias_db.c.ORIG 2013-03-05 16:49:13.000000000 +0100 +++ sys/netinet/libalias/alias_db.c 2013-03-05 16:50:09.000000000 +0100
@@ -2767,8 +2767,8 @@ struct ip_fw rule; /* On-the-fly built rule */ int fwhole; /* Where to punch hole */ - LIBALIAS_LOCK_ASSERT(la); la = lnk->la; + LIBALIAS_LOCK_ASSERT(la); /* Don't do anything unless we are asked to */ if (!(la->packetAliasMode & PKT_ALIAS_PUNCH_FW) || @@ -2841,8 +2841,8 @@ { struct libalias *la; - LIBALIAS_LOCK_ASSERT(la); la = lnk->la; + LIBALIAS_LOCK_ASSERT(la); if (lnk->link_type == LINK_TCP) { int fwhole = lnk->data.tcp->fwhole; /* Where is the firewall * hole? */ >Release-Note: >Audit-Trail: >Unformatted:
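Review bot: in the first hunk (@@ -2767,8), moving `LIBALIAS_LOCK_ASSERT(la);` below `la = lnk->la;` corrects what the assertion inspects, but nothing in the hunk acquires or releases the lock, so on its own it cannot address the incorrect locking that the description suspects. Please state that in the commit message, and add a short comment at the assertion saying which caller is expected to hold the lock, so the follow-up work on the database corruption has a documented contract to check against.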
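Review bot: the second hunk (@@ -2841,8) has the same assert-before-assignment ordering as the first, with `struct libalias *la;` declared without a value and first read by `LIBALIAS_LOCK_ASSERT(la);`, which points to a copied pattern. It is worth checking the remaining functions in alias_db.c that derive `la` from `lnk->la` for the same ordering and fixing any further instances in this patch, so the file ends up consistent.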