From owner-freebsd-bugs@FreeBSD.ORG  Tue Mar  5 16:00:02 2013
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id 0E456775
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Tue,  5 Mar 2013 16:00:02 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id E6432A6B
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Tue,  5 Mar 2013 16:00:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r25G01Ie029799
 for <freebsd-bugs@freefall.freebsd.org>; Tue, 5 Mar 2013 16:00:01 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r25G01VB029798;
 Tue, 5 Mar 2013 16:00:01 GMT (envelope-from gnats)
Resent-Date: Tue, 5 Mar 2013 16:00:01 GMT
Resent-Message-Id: <201303051600.r25G01VB029798@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Lutz Donnerhacke <lutz@iks-service.de>
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id 00DD1615
 for <freebsd-gnats-submit@FreeBSD.org>; Tue,  5 Mar 2013 15:54:51 +0000 (UTC)
 (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
 by mx1.freebsd.org (Postfix) with ESMTP id E70FBA21
 for <freebsd-gnats-submit@FreeBSD.org>; Tue,  5 Mar 2013 15:54:51 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
 by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r25Fso6O024296
 for <freebsd-gnats-submit@FreeBSD.org>; Tue, 5 Mar 2013 15:54:50 GMT
 (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
 by red.freebsd.org (8.14.5/8.14.5/Submit) id r25Fso9u024295;
 Tue, 5 Mar 2013 15:54:50 GMT (envelope-from nobody)
Message-Id: <201303051554.r25Fso9u024295@red.freebsd.org>
Date: Tue, 5 Mar 2013 15:54:50 GMT
From: Lutz Donnerhacke <lutz@iks-service.de>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/176667: libalias locks on uninitalized data
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2013 16:00:02 -0000


>Number:         176667
>Category:       kern
>Synopsis:       libalias locks on uninitalized data
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 05 16:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Lutz Donnerhacke
>Release:        FreeBSD 8.3-RELEASE (GENERIC)
>Organization:
IKS Service GmbH
>Environment:
FreeBSD server7.net.encoline.de 8.3-RELEASE FreeBSD 8.3-RELEASE #0: Mon Apr  9 21:23:18 UTC 2012     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
While testing terminating a huge number of PPPoX clients the kernel panics while doing in-kernel NAT.

#4 0xffffffff808e8775 at calltrap+0x8
#5 0xffffffff80fa0f01 at HouseKeeping+0xa1
#6 0xffffffff80f9e6ab at LibAliasOutLocked+0x3b

Please note, that the stack trace is incomplete. There are calls to IncrementalCleanup() and DeleteLink(), which are not reported in the stack trace.

The problem seems to come from incorrect locking, so the contents of the libalias database get corrupted.

This patch might be not the full solution, but is an obvious fix for an obvious bug.
>How-To-Repeat:
Setting up ipfw nat, add more then 9000 clients using mpd5.6, generate traffic
>Fix:
--- sys/netinet/libalias/alias_db.c.ORIG        2013-03-05 16:49:13.000000000 +0100
+++ sys/netinet/libalias/alias_db.c     2013-03-05 16:50:09.000000000 +0100
@@ -2767,8 +2767,8 @@
        struct ip_fw rule;      /* On-the-fly built rule */
        int fwhole;             /* Where to punch hole */

-       LIBALIAS_LOCK_ASSERT(la);
        la = lnk->la;
+       LIBALIAS_LOCK_ASSERT(la);

 /* Don't do anything unless we are asked to */
        if (!(la->packetAliasMode & PKT_ALIAS_PUNCH_FW) ||
@@ -2841,8 +2841,8 @@
 {
        struct libalias *la;

-       LIBALIAS_LOCK_ASSERT(la);
        la = lnk->la;
+       LIBALIAS_LOCK_ASSERT(la);
        if (lnk->link_type == LINK_TCP) {
                int fwhole = lnk->data.tcp->fwhole;     /* Where is the firewall
                                                         * hole? */



>Release-Note:
>Audit-Trail:
>Unformatted: