Date: Wed, 24 Sep 2008 22:47:12 +0200 From: Stefan Ehmann <shoesoft@gmx.net> To: freebsd-current@freebsd.org Cc: Robert Watson <rwatson@freebsd.org> Subject: Re: ipfw: LOR/panic with uid rules Message-ID: <200809242247.13189.shoesoft@gmx.net> In-Reply-To: <alpine.BSF.1.10.0809240907090.68287@fledge.watson.org> References: <200809231851.42849.shoesoft@gmx.net> <alpine.BSF.1.10.0809232242310.68287@fledge.watson.org> <alpine.BSF.1.10.0809240907090.68287@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday 24 September 2008 10:08:13 Robert Watson wrote: > On Tue, 23 Sep 2008, Robert Watson wrote: > > On Tue, 23 Sep 2008, Stefan Ehmann wrote: > >> Also posted about this problem recently in stable@. But got no replies > >> there. So I tried on a recent CURRENT but the problem persists: > >> > >> ipfw rules using uid are causing a deadlock. eg. allow ip from any to > >> any uid root A simple HTTP fetch triggers this problem nearly instantly. > >> > >> For me, this problem existed in 6.x with PREEMPTION enabled. It was > >> fixed in 7.0. But in RELENG_7 and head it's back. This is a single > >> processor i386 machine. > > > > This is an interesting edge case -- to prevent lookup of an inpcb in the > > output path, we normally pass the inpcb reference down to the firewall so > > it can directly access the cred rather than looking it up. Thus, we > > don't recurse the global tcbinfo or inpcb locks normally on the transmit > > path. However, it looks like we have an edge case here where we've freed > > the inpcb but not yet unlocked the tcbinfo, and since the inpcb is freed > > we don't pass it down--the firewall code tries to look up the inpcb and > > improperly recurses the tcbinfo lock, boom. > > > > The uid/gid/jail code in ipfw is undesirable for a number of reasons, not > > least because it's a layering violation. Historically, layering > > violations meant slightly awkward and risky recursion, but now they also > > mean lock recursion, which has more serious consequences. I'll > > investigate tomorrow and see what the best solution is -- probably to > > drop the lock before calling tcp_dropwithreset() on a NULL inpcb, which > > is a workaround/hack, but I think our hands are forced in this case. > > I'll follow up with a patch then. > > Here is a possible candidate patch, could you see if it resolves all of the > issues you reported? (Possibly I have missed other similar cases as > well...) Thanks for the patch. Unfortunately the LORs and the panic still remain.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200809242247.13189.shoesoft>