From Mark_Andrews@isc.org  Mon Apr  6 22:00:18 2009
Return-Path: <Mark_Andrews@isc.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 80D751065736
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  6 Apr 2009 22:00:18 +0000 (UTC)
	(envelope-from Mark_Andrews@isc.org)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5])
	by mx1.freebsd.org (Postfix) with ESMTP id 66AE78FC25
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  6 Apr 2009 22:00:18 +0000 (UTC)
	(envelope-from Mark_Andrews@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified))
	by farside.isc.org (Postfix) with ESMTP id CC281E60F1
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  6 Apr 2009 22:00:17 +0000 (UTC)
	(envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1])
	by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n36M0Fw5003743
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 7 Apr 2009 08:00:15 +1000 (EST)
	(envelope-from marka@drugs.dv.isc.org)
Received: (from marka@localhost)
	by drugs.dv.isc.org (8.14.3/8.14.3/Submit) id n36M0Fud003742;
	Tue, 7 Apr 2009 08:00:15 +1000 (EST)
	(envelope-from marka)
Message-Id: <200904062200.n36M0Fud003742@drugs.dv.isc.org>
Date: Tue, 7 Apr 2009 08:00:15 +1000 (EST)
From: Mark Andrews <Mark_Andrews@isc.org>
Reply-To: Mark Andrews <Mark_Andrews@isc.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Unbalanced kernel lock in src/sys/netinet/ip_output.c
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         133445
>Category:       kern
>Synopsis:       [ipsec] [netinet] Unbalanced kernel lock in src/sys/netinet/ip_output.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 06 22:10:00 UTC 2009
>Closed-Date:    Fri Apr 10 11:12:28 UTC 2009
>Last-Modified:  Fri Apr 10 11:12:28 UTC 2009
>Originator:     Mark Andrews
>Release:        FreeBSD 6.4-STABLE i386
>Organization:
ISC
>Environment:
System: FreeBSD drugs.dv.isc.org 6.4-STABLE FreeBSD 6.4-STABLE #30: Mon Feb 9 12:22:29 EST 2009 marka@drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386


>Description:

	There is a missing INP_INFO_WUNLOCK(pcbinfo); before the
	final break; in this case statement.  Looking at other code
	here, it looks like INP_LOCK(inp); is supposed to be held
	around the ipsec4_set_policy() call and isn't.  I suspect
	a bad MFC.

	Mark

$FreeBSD: src/sys/netinet/ip_output.c,v 1.242.2.20 2009/03/24 10:15:35 obrien Exp $

#if defined(IPSEC) || defined(FAST_IPSEC)
                case IP_IPSEC_POLICY:
                {
                        caddr_t req;
                        size_t len = 0;
                        int priv;
                        struct mbuf *m;
                        int optname;

                        if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
                                break;
                        if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
                                break;
                        priv = (sopt->sopt_td != NULL &&
                                suser(sopt->sopt_td) != 0) ? 0 : 1;
                        req = mtod(m, caddr_t);
                        len = m->m_len;
                        optname = sopt->sopt_name;
                        INP_INFO_WLOCK(pcbinfo);
                        if (so->so_pcb == NULL) {
                                INP_INFO_WUNLOCK(pcbinfo);
                                m_free(m);
                                error = EINVAL;
                                break;
                        }
                        error = ipsec4_set_policy(inp, optname, req, len, priv);
                        m_freem(m);
                        break;
                }
#endif /*IPSEC*/

	
>How-To-Repeat:
	By inspection.
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->obrien 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Apr 7 01:44:05 UTC 2009 
Responsible-Changed-Why:  
Over to committer noted in the PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=133445 
Responsible-Changed-From-To: obrien->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Tue Apr 7 11:07:16 UTC 2009 
Responsible-Changed-Why:  
Even though CVSID says obrien I am sure this one isn't for him. 
So let me take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=133445 

From: Mikolaj Golub <to.my.trociny@gmail.com>
To: bug-followup@FreeBSD.org,Mark_Andrews@isc.org
Cc:  
Subject: Re: kern/133445: Unbalanced kernel lock in src/sys/netinet/ip_output.c
Date: Tue, 07 Apr 2009 16:27:29 +0300

 It looks related to kern/133415
 
 -- 
 Mikolaj Golub

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, Mark_Andrews@isc.org
Cc:  
Subject: Re: kern/133445: [ipsec] [netinet] Unbalanced kernel lock in
 src/sys/netinet/ip_output.c
Date: Tue, 7 Apr 2009 17:22:48 +0000 (UTC)

 Hi,
 
 Your analysis of the problem seems to be correct
 (and mine was wrong - it is an obrien problem;-) .
 
 Anyway, this would be the patch. Can you give it a try?
 
 Index: sys/netinet/ip_output.c
 ===================================================================
 --- sys/netinet/ip_output.c	(revision 190800)
 +++ sys/netinet/ip_output.c	(working copy)
 @@ -1376,7 +1376,10 @@
   				error = EINVAL;
   				break;
   			}
 +			INP_LOCK(inp);
 +			INP_INFO_WUNLOCK(pcbinfo);
   			error = ipsec4_set_policy(inp, optname, req, len, priv);
 +			INP_UNLOCK(inp);
   			m_freem(m);
   			break;
   		}
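Review bot: the check whose tail is visible above the added lines (`error = EINVAL; break; }`) is on so->so_pcb, while the new INP_LOCK(inp) pins inp, and the hunk does not show where inp was read from so->so_pcb; if inp was fetched before INP_INFO_WLOCK(pcbinfo) was taken, the check and the lock guard different values, so confirm it was read (or re-read) under the pcbinfo lock. The order itself is right: taking INP_LOCK(inp) before INP_INFO_WUNLOCK(pcbinfo) keeps inp from going away across ipsec4_set_policy(), and since the EINVAL path already releases pcbinfo on its own, both exits from the case now drop the global lock.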
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.

From: Mark Andrews <Mark_Andrews@isc.org>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/133445: [ipsec] [netinet] Unbalanced kernel lock in src/sys/netinet/ip_output.c 
Date: Wed, 08 Apr 2009 13:01:47 +1000

 In message <20090407172012.X15361@maildrop.int.zabbadoz.net>, "Bjoern A. Zeeb" writes:
 > Hi,
 > 
 > Your analysis of the problem seems to be correct
 > (and mine was wrong - it is an obrien problem;-) .
 > 
 > Anyway, this would be the patch. Can you give it a try?
 
 	I'm not in a position to at the moment.  I only looked at
 	it based on a comment in stable@ (in the last couple of
 	days) that rolling back the previous commit fixed some
 	stability issues with inetd.
 
 	Mark
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/133445: commit references a PR
Date: Fri, 10 Apr 2009 11:08:46 +0000 (UTC)

 Author: bz
 Date: Fri Apr 10 11:08:27 2009
 New Revision: 190890
 URL: http://svn.freebsd.org/changeset/base/190890
 
 Log:
   Fix a locking bug introduced in r190369 -
   add a missing unlock operation on the pcbinfo.
   
   Also properly protect the inp before releasing the lock as in 6.x inps
   can possibly become invalid at that point. [1]
   
   PR:		kern/133415
   PR:		kern/133445
   Tested by:	eugen kuzbass.ru (Eugene Grosbein)
   Discussed with:	rwatson [1]
   Pointy hat:	obrien
 
 Modified:
   stable/6/sys/netinet/ip_output.c
 
 Modified: stable/6/sys/netinet/ip_output.c
 ==============================================================================
 --- stable/6/sys/netinet/ip_output.c	Fri Apr 10 10:59:48 2009	(r190889)
 +++ stable/6/sys/netinet/ip_output.c	Fri Apr 10 11:08:27 2009	(r190890)
 @@ -1376,7 +1376,10 @@ ip_ctloutput_pcbinfo(so, sopt, pcbinfo)
  				error = EINVAL;
  				break;
  			}
 +			INP_LOCK(inp);
 +			INP_INFO_WUNLOCK(pcbinfo);
  			error = ipsec4_set_policy(inp, optname, req, len, priv);
 +			INP_UNLOCK(inp);
  			m_freem(m);
  			break;
  		}
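Review bot: a one-line comment above the added INP_LOCK(inp) stating why it must precede INP_INFO_WUNLOCK(pcbinfo) (the log's point that in 6.x an inp can become invalid once pcbinfo is dropped) would keep a later cleanup from reordering it back to unlock-then-lock, since nothing in the hunk itself says the order matters. Leaving m_freem(m) outside the INP_LOCK/INP_UNLOCK pair is fine, as freeing the request mbuf needs no inp protection.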
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
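The lock handoff committed in r190890, modelled in user space as an added example; this is not FreeBSD code and not part of the PR or the commit. struct klock, struct pcbinfo, struct inp and struct sock are hypothetical stand-ins for the kernel types, klock_acquire()/klock_release() stand in for the INP_INFO_* and INP_* macros, and ipsec_set_policy_model() stands in for ipsec4_set_policy(). set_policy_unbalanced() has the shape of the case statement quoted in the description (pcbinfo released only on the EINVAL path, inp never locked); set_policy_fixed() has the shape of the committed hunk; run_case() reports what a lock checker would see after each call.

```c
/*
 * Added example, not FreeBSD code: a user-space model of the pcbinfo/inp
 * lock handoff from r190890.  struct klock, struct pcbinfo, struct inp and
 * struct sock are hypothetical stand-ins for the kernel types; the
 * INP_INFO_* / INP_* macros become klock_acquire()/klock_release().
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Non-recursive lock model.  Recursing on a held lock or releasing a free one
 * is a lock-discipline bug, so it aborts, much as INVARIANTS would. */
struct klock { const char *name; int held; };

static void klock_acquire(struct klock *l)
{
	if (l->held) { fprintf(stderr, "recursed on %s\n", l->name); abort(); }
	l->held = 1;
}

static void klock_release(struct klock *l)
{
	if (!l->held) { fprintf(stderr, "released free %s\n", l->name); abort(); }
	l->held = 0;
}

struct inp     { struct klock lock; int policy; };	/* stand-in for struct inpcb */
struct sock    { struct inp *so_pcb; };			/* stand-in for struct socket */
struct pcbinfo { struct klock lock; };			/* stand-in for struct inpcbinfo */

/* Counts entries into the policy call made without the inp lock held. */
static int inp_unlocked_calls;

/* Stand-in for ipsec4_set_policy(): the caller is expected to hold inp->lock. */
static int ipsec_set_policy_model(struct inp *inp, int policy)
{
	if (!inp->lock.held)
		inp_unlocked_calls++;
	inp->policy = policy;
	return 0;
}

/* Shape of the case statement quoted in the PR: pcbinfo is released only on
 * the EINVAL path, and the inp is never locked around the policy call. */
static int set_policy_unbalanced(struct pcbinfo *pi, struct sock *so, int policy)
{
	klock_acquire(&pi->lock);
	if (so->so_pcb == NULL) {
		klock_release(&pi->lock);
		return EINVAL;
	}
	return ipsec_set_policy_model(so->so_pcb, policy);	/* BUG: pi->lock still held */
}

/* Shape of r190890: lock the inp while pcbinfo is still held so it cannot be
 * freed underneath us, drop the global lock, make the call, unlock the inp. */
static int set_policy_fixed(struct pcbinfo *pi, struct sock *so, int policy)
{
	struct inp *inp;
	int error;

	klock_acquire(&pi->lock);
	inp = so->so_pcb;
	if (inp == NULL) {
		klock_release(&pi->lock);
		return EINVAL;
	}
	klock_acquire(&inp->lock);
	klock_release(&pi->lock);
	error = ipsec_set_policy_model(inp, policy);
	klock_release(&inp->lock);
	return error;
}

struct report { int error; int pcbinfo_leaked; int inp_unlocked_calls; };

/* Run one variant on an attached (detached == 0) or detached socket and
 * report what a lock checker would see afterwards. */
static struct report run_case(int (*fn)(struct pcbinfo *, struct sock *, int),
    int detached)
{
	struct pcbinfo pi = { { "pcbinfo", 0 } };
	struct inp inp = { { "inp", 0 }, 0 };
	struct sock so = { detached ? NULL : &inp };
	struct report r;

	inp_unlocked_calls = 0;
	r.error = fn(&pi, &so, 42);
	r.pcbinfo_leaked = pi.lock.held;
	r.inp_unlocked_calls = inp_unlocked_calls;
	return r;
}

int main(void)
{
	struct report r = run_case(set_policy_unbalanced, 0);
	printf("unbalanced: error=%d pcbinfo_leaked=%d inp_unlocked_calls=%d\n",
	    r.error, r.pcbinfo_leaked, r.inp_unlocked_calls);
	r = run_case(set_policy_fixed, 0);
	printf("fixed:      error=%d pcbinfo_leaked=%d inp_unlocked_calls=%d\n",
	    r.error, r.pcbinfo_leaked, r.inp_unlocked_calls);
	return 0;
}
```

On an attached socket the unbalanced variant returns 0 but leaves pcbinfo held and makes the policy call without the inp lock, which is exactly the pair of defects the PR describes; the fixed variant returns 0 with both locks free, and both variants release pcbinfo on the detached (EINVAL) path.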
State-Changed-From-To: open->closed 
State-Changed-By: bz 
State-Changed-When: Fri Apr 10 11:11:29 UTC 2009 
State-Changed-Why:  
Fix committed. Thanks for the report and the analysis. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=133445 
>Unformatted:
