From owner-freebsd-current@FreeBSD.ORG Fri Sep 26 18:17:11 2008
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2367D1065688 for ; Fri, 26 Sep 2008 18:17:11 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id EBB548FC0A for ; Fri, 26 Sep 2008 18:17:10 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by cyrus.watson.org (Postfix) with ESMTP id 84BFE46B3B; Fri, 26 Sep 2008 14:17:10 -0400 (EDT)
Date: Fri, 26 Sep 2008 19:17:10 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Stefan Ehmann
In-Reply-To: <200809260408.35831.shoesoft@gmx.net>
References: <200809231851.42849.shoesoft@gmx.net> <200809250139.10332.shoesoft@gmx.net> <200809260408.35831.shoesoft@gmx.net>
User-Agent: Alpine 1.10 (BSF 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-current@freebsd.org
Subject: Re: ipfw: LOR/panic with uid rules
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Fri, 26 Sep 2008 18:17:11 -0000

On Fri, 26 Sep 2008, Stefan Ehmann wrote:

> lock order reversal:
>  1st 0xc4c9ee94 tcp_sc_head (tcp_sc_head) @ /usr/src/sys/kern/kern_mutex.c:137
>  2nd 0xc0e59fd8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:74
> KDB: stack backtrace:
> db_trace_self_wrapper(c0bad7c2,c45aca48,c082cf95,4,c0ba916b,...) at db_trace_self_wrapper+0x26
> kdb_backtrace(4,c0ba916b,c0bb97db,c4879d08,c45acaa4,...) at kdb_backtrace+0x29
> _witness_debugger(c0bb0077,c0e59fd8,c0bb97f3,c4879d08,c0bb97db,...) at _witness_debugger+0x25
> witness_checkorder(c0e59fd8,1,c0bb97db,4a,0,...) at witness_checkorder+0x810
> _rm_rlock_debug(c0e59fd8,c45acaec,c0bb97db,4a,c089e366,...) at _rm_rlock_debug+0x38
> pfil_run_hooks(c0e59fc0,c45acb78,c4b0a000,2,0,...) at pfil_run_hooks+0x3f
> ip_output(c4cbba00,0,0,0,0,...) at ip_output+0x872
> syncache_respond(c5376b00,0,0,0,c45acc48,...) at syncache_respond+0x3a9
> syncache_timer(c4c9ee94,1,c0bab9c2,16b,c0cf3034,...) at syncache_timer+0x147

I believe this is an accepted LOR to do with using an rwlock in this way in pfil.

> #10 0xc07eccd6 in _rw_rlock (rw=0xc0e5acec, file=0xc103ceed "/usr/src/sys/modules/ipfw/../../netinet/ip_fw2.c", line=2020) at /usr/src/sys/kern/kern_rwlock.c:283
> #11 0xc103b92a in ipfw_chk (args=0xc47328a8) at /usr/src/sys/modules/ipfw/../../netinet/ip_fw2.c:2020

This surprises me -- in principle we've passed down 'inp', so there should be no need to look it up. In higher frames, 'inp' is definitely non-NULL, so what happened here? Could you print out the values of the local variables in the check_uidgid() frame? Especially 'inp' and 'lookup'.

> #12 0xc103c4c8 in ipfw_check_out (arg=0x0, m0=0xc47329cc, ifp=0xc4b0a000, dir=2, inp=0xc50fe420) at /usr/src/sys/modules/ipfw/../../netinet/ip_fw_pfil.c:253

See non-NULL inp here.

Robert N M Watson
Computer Laboratory
University of Cambridge
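The witness report quoted above is produced by the kernel's lock-order graph: every time a thread acquires lock B while holding lock A, the edge A -> B is recorded, and a later acquisition that would close a cycle is reported as a reversal. The following is an added userspace sketch of that mechanism, not FreeBSD's witness(4) code or anything posted in this thread. The lock names are taken from the trace; the path that takes the pfil hook lock before tcp_sc_head is a constructed assumption used only to trigger the report, and the transitive three-lock case is likewise constructed.

```c
/* Userspace sketch of witness-style lock order checking (example, not kernel code). */
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 16
#define MAX_HELD  16

static const char *lock_names[MAX_LOCKS];
static int nlocks;
/* order[a][b] != 0: lock a has been observed held while lock b was acquired. */
static int order[MAX_LOCKS][MAX_LOCKS];

struct thread_state {            /* locks currently held by one thread */
    int held[MAX_HELD];
    int nheld;
};

static void witness_reset(void)
{
    nlocks = 0;
    memset(order, 0, sizeof(order));
}

static int lock_id(const char *name)
{
    for (int i = 0; i < nlocks; i++)
        if (strcmp(lock_names[i], name) == 0)
            return i;
    lock_names[nlocks] = name;
    return nlocks++;
}

/* Is there a recorded path of length >= 1 from 'from' to 'to'? (transitive) */
static int reaches(int from, int to, int *seen)
{
    if (seen[from])
        return 0;
    seen[from] = 1;
    for (int i = 0; i < nlocks; i++)
        if (order[from][i] && (i == to || reaches(i, to, seen)))
            return 1;
    return 0;
}

/* Acquire 'name'. Returns 1 if this reverses a previously recorded order. */
static int witness_lock(struct thread_state *td, const char *name)
{
    int id = lock_id(name), lor = 0;
    for (int i = 0; i < td->nheld; i++) {
        int h = td->held[i];
        int seen[MAX_LOCKS] = {0};
        if (h == id)
            continue;
        /* A known path id -> ... -> h means someone took 'id' before 'h';
         * we hold 'h' and now want 'id': that is the reversal. */
        if (reaches(id, h, seen)) {
            printf("lock order reversal:\n 1st %s\n 2nd %s\n", lock_names[h], name);
            lor = 1;
        } else {
            order[h][id] = 1;
        }
    }
    td->held[td->nheld++] = id;
    return lor;
}

static void witness_unlock(struct thread_state *td, const char *name)
{
    int id = lock_id(name);
    for (int i = 0; i < td->nheld; i++)
        if (td->held[i] == id) {
            td->held[i] = td->held[--td->nheld];
            return;
        }
}

/* Constructed: an assumed path takes the pfil lock, then tcp_sc_head; the
 * syncache_timer path from the trace then holds tcp_sc_head and enters
 * ip_output -> pfil_run_hooks. Returns 1 (reversal reported). */
static int demo_syncache_lor(void)
{
    struct thread_state hook = {{0}, 0}, timer = {{0}, 0};
    int lor;
    witness_reset();
    witness_lock(&hook, "PFil hook read/write mutex");
    witness_lock(&hook, "tcp_sc_head");
    witness_unlock(&hook, "tcp_sc_head");
    witness_unlock(&hook, "PFil hook read/write mutex");
    witness_lock(&timer, "tcp_sc_head");                       /* syncache_timer */
    lor = witness_lock(&timer, "PFil hook read/write mutex");  /* pfil_run_hooks */
    witness_unlock(&timer, "PFil hook read/write mutex");
    witness_unlock(&timer, "tcp_sc_head");
    return lor;
}

/* Constructed: A->B, then B->C, then C->A is caught through the graph. Returns 1. */
static int demo_transitive_lor(void)
{
    struct thread_state t = {{0}, 0};
    int lor;
    witness_reset();
    witness_lock(&t, "A"); witness_lock(&t, "B");
    witness_unlock(&t, "A"); witness_lock(&t, "C");
    witness_unlock(&t, "B"); witness_unlock(&t, "C");
    witness_lock(&t, "C"); lor = witness_lock(&t, "A");
    witness_unlock(&t, "A"); witness_unlock(&t, "C");
    return lor;
}

int main(void)
{
    printf("syncache scenario: %s\n", demo_syncache_lor() ? "LOR" : "ok");
    printf("transitive scenario: %s\n", demo_transitive_lor() ? "LOR" : "ok");
    return 0;
}
```

The real witness code keeps the graph per lock class rather than per instance and tolerates some reversals as known (the "accepted LOR" Robert refers to); this sketch only shows why holding tcp_sc_head into ip_output is enough to trip the check once any other path has taken the two locks the other way round.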