From owner-freebsd-stable@FreeBSD.ORG  Mon Aug 18 22:39:02 2008
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1A1EC106566C;
	Mon, 18 Aug 2008 22:39:02 +0000 (UTC)
	(envelope-from volker@vwsoft.com)
Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103])
	by mx1.freebsd.org (Postfix) with ESMTP id 7E6058FC1E;
	Mon, 18 Aug 2008 22:39:01 +0000 (UTC)
	(envelope-from volker@vwsoft.com)
Received: from mail.vtec.ipme.de (Q7d26.q.ppp-pool.de [89.53.125.38])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by frontmail.ipactive.de (Postfix) with ESMTP id 5FA6012883F;
	Tue, 19 Aug 2008 00:15:03 +0200 (CEST)
Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3])
	by mail.vtec.ipme.de (Postfix) with ESMTP id 6B4932E90F;
	Tue, 19 Aug 2008 00:14:29 +0200 (CEST)
Message-ID: <48A9F452.8020900@vwsoft.com>
Date: Tue, 19 Aug 2008 00:14:42 +0200
From: Volker <volker@vwsoft.com>
User-Agent: Thunderbird 2.0.0.16 (X11/20080727)
MIME-Version: 1.0
To: FreeBSD Stable <freebsd-stable@freebsd.org>, 
	"FreeBSD (PF)" <freebsd-pf@freebsd.org>
X-Enigmail-Version: 0.95.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
MailScanner-NULL-Check: 1219702470.22674@lg3on696R3IlxuyqxZV9gg
X-MailScanner-ID: 6B4932E90F.695CC
X-VWSoft-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
X-ipactive-MailScanner-Information: Please contact the ISP for more information
X-ipactive-MailScanner: Found to be clean
X-ipactive-MailScanner-From: volker@vwsoft.com
Cc: 
Subject: LOR with pf + synproxy state
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Aug 2008 22:39:02 -0000

Hi!

Last week I discovered an LOR on 7-STABLE (last build: 2008-Aug-17,
RELENG_7).

I can easily recreate the problem when running a synproxy state rule for
incoming tcp connections and ssh'ing to my box.

W/o using synproxy state (keep'ing state instead), no LOR takes place.


 lock order reversal:
 1st 0xc575c92c pf task mtx (pf task mtx) @
/usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
 2nd 0xc521777c radix node head (radix node head) @
/usr/src/sys/net/route.c:278
 KDB: stack backtrace:
 db_trace_self_wrapper(c0a2fa65,e557b890,c075f315,c0a30e10,c521777c,...)
at db_trace_self_wrapper+0x26
 kdb_backtrace(c0a30e10,c521777c,c0a31129,c0a31129,c0a374a0,...) at
kdb_backtrace+0x29
 witness_checkorder(c521777c,9,c0a374a0,116,c507d000,...) at
witness_checkorder+0x5e5
 _mtx_lock_flags(c521777c,0,c0a374a0,116,c5fe9a00,...) at
_mtx_lock_flags+0x34
 rtalloc1_fib(e557b998,1,100,0,e557b994,...) at rtalloc1_fib+0x76
 rtalloc_ign_fib(e557b994,100,0,e557b9b4,c5734a38,...) at
rtalloc_ign_fib+0xad
 in_rtalloc_ign(e557b994,100,0,692a1600,5b47f56,...) at in_rtalloc_ign+0x1f
 pf_calc_mss(c62a881c,2,5b4,2,e557bb4c,...) at pf_calc_mss+0x88
 pf_test_tcp(e557bb68,e557bb64,1,c56e9400,c5fe9a00,...) at pf_test_tcp+0xdf6
 pf_test(1,c507d000,e557bbc4,0,0,...) at pf_test+0x1028
 pf_check_in(0,e557bbc4,c507d000,1,0,...) at pf_check_in+0x39
 pfil_run_hooks(c0b79ec0,e557bc18,c507d000,1,0,...) at pfil_run_hooks+0x78
 ip_input(c5fe9a00,14e,800,c507d000,800,...) at ip_input+0x265
 netisr_dispatch(2,c5fe9a00,10,3,0,...) at netisr_dispatch+0x55
 ether_demux(c507d000,c5fe9a00,3,0,3,...) at ether_demux+0x1c1
 ether_input(c507d000,c5fe9a00,c0a0391b,c57,c507d000,...) at
ether_input+0x323
 bge_intr(c5084000,0,c0a2b122,4b6,c4ef84e8,...) at bge_intr+0x77a
 ithread_loop(c50814f0,e557bd38,c0a2af4a,305,c508cad0,...) at
ithread_loop+0x155
 fork_exit(c07102d0,c50814f0,e557bd38) at fork_exit+0x94
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0, eip = 0, esp = 0xe557bd70, ebp = 0 ---
 KDB: enter: witness_checkorder
 exclusive sleep mutex pf task mtx r = 0 (0xc575c92c) locked @
/usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
 shared rw PFil hook read/write mutex r = 0 (0xc0b79ed8) locked @
/usr/src/sys/net/pfil.c:73
 exclusive sx so_rcv_sx r = 0 (0xc5db208c) locked @
/usr/src/sys/kern/uipc_sockbuf.c:148
 exclusive sx so_rcv_sx r = 0 (0xc551f22c) locked @
/usr/src/sys/kern/uipc_sockbuf.c:148
 exclusive sleep mutex pf task mtx r = 0 (0xc575c92c) locked @
/usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6774
 shared rw PFil hook read/write mutex r = 0 (0xc0b79ed8) locked @
/usr/src/sys/net/pfil.c:73


pf rules used:
## Macros
TCPSYN="S/SA"

if_lan = "bge0"
if_wlan = "ndis0"
if_ipsec = "enc"

###########################
tcp_in = "{ ssh http mdns 9102 49101 5900 }"
udp_in = "{ mdns snmp 5029 }"

passicmp = "{ 3 4 6 9 10 11 12 17 18 }"

samba_tcp = "{ 139 445 }"
samba_udp = "{ 137 1434 }"

######################################################
table <rfcnoroute> { 127/8 10/8 172.16/12 192.168/16 }
table <multicast> { 224/8 239/8 }


######################################################
## GLOBAL OPTIONS
set block-policy drop
set fingerprints "/etc/pf.os"
set state-policy if-bound
set skip on lo0
set optimization conservative

###########################
## TRAFFIC NORMALIZATION
scrub all random-id fragment reassemble reassemble tcp

###########################
## TRANSLATION RULES (NAT)
nat on $if_lan -> ($if_lan)
nat on $if_wlan -> ($if_wlan)

######################################################
## FILTER RULES

block quick on lo0 proto {tcp udp} from any to any port biff
pass quick on lo0 all
antispoof log quick for { $if_lan $if_wlan }

block drop log all
block return in quick proto { tcp udp } from any to any port auth

###########################
# IPSEC VPN
###########################
pass log quick on {$if_lan $if_wlan} proto udp from any \
	to any port isakmp keep state
pass log quick on {$if_lan $if_wlan} proto udp from any \
	to any port isakmp keep state
pass quick log on {$if_lan $if_wlan} proto { ah, esp } from any \
	to any keep state
pass quick log on {$if_lan $if_wlan} proto { ah, esp } from any \
	to any keep state
pass quick log on $if_ipsec from any to any keep state


###########################
# ICMP
###########################
pass quick log on {$if_lan $if_wlan} proto icmp from any to any \
	tag PASSOK keep state
pass quick log inet proto icmp all icmp-type $passicmp keep state  \
	(max 2, max-src-states 1, max-src-nodes 1, source-track rule )
pass in quick log on {$if_lan $if_wlan} proto icmp from any to any \
	keep state probability 50%

###########################
# out traffic
###########################
pass out log quick on {$if_lan $if_wlan} all flags $TCPSYN keep state

###########################
# in traffic
###########################
# allow broadcasts + samba - don't log
pass quick on $if_lan from any to ($if_lan:broadcast)
pass quick on $if_wlan from any to ($if_wlan:broadcast)
pass quick on {$if_lan $if_wlan} from any to 255.255.255.255

pass in log on {$if_lan $if_wlan} proto tcp \
	from any to any port $tcp_in \
	flags $TCPSYN synproxy state
# change to 'keep state' here to avoid LOR
pass in log on {$if_lan $if_wlan} proto tcp from any port $tcp_in \
	to any flags $TCPSYN synproxy state
# change to 'keep state' here to avoid LOR
pass in log on {$if_lan $if_wlan} proto udp from any \
	to any port $udp_in keep state
pass in log on {$if_lan $if_wlan} proto udp from any port $udp_in \
	to any keep state

pass quick on {$if_lan $if_wlan} from any to <multicast>
# EOF

That LOR may be the same as reported here before (2007-12) - haven't
checked the old sources (will verify if it's worth the time to confirm):
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2007-12/msg00150.html

`uname -a`:
FreeBSD cesar.sz.vwsoft.com 7.0-STABLE FreeBSD 7.0-STABLE #38: Sun Aug
17 15:12:10 CEST 2008
root@cesar.sz.vwsoft.com:/usr/obj/usr/src/sys/CESAR  i386

Volker