Message-Id: <201303051554.r25Fso9u024295@red.freebsd.org>
Date: Tue, 5 Mar 2013 15:54:50 GMT
From: Lutz Donnerhacke <lutz@iks-service.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: libalias locks on uninitialized data
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         176667
>Category:       kern
>Synopsis:       [libalias] [patch] libalias locks on uninitialized data
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 05 16:00:00 UTC 2013
>Closed-Date:    Mon Jun 24 09:22:40 UTC 2013
>Last-Modified:  Mon Jun 24 09:30:03 UTC 2013
>Originator:     Lutz Donnerhacke
>Release:        FreeBSD 8.3-RELEASE (GENERIC)
>Organization:
IKS Service GmbH
>Environment:
FreeBSD server7.net.encoline.de 8.3-RELEASE FreeBSD 8.3-RELEASE #0: Mon Apr  9 21:23:18 UTC 2012     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
While testing terminating a huge number of PPPoX clients the kernel panics while doing in-kernel NAT.

#4 0xffffffff808e8775 at calltrap+0x8
#5 0xffffffff80fa0f01 at HouseKeeping+0xa1
#6 0xffffffff80f9e6ab at LibAliasOutLocked+0x3b

Please note that the stack trace is incomplete. There are calls to IncrementalCleanup() and DeleteLink(), which are not reported in the stack trace.

The problem seems to come from incorrect locking, so the contents of the libalias database get corrupted.

This patch might not be the full solution, but is an obvious fix for an obvious bug.
>How-To-Repeat:
Setting up ipfw nat, add more than 9000 clients using mpd5.6, generate traffic
>Fix:
--- sys/netinet/libalias/alias_db.c.ORIG        2013-03-05 16:49:13.000000000 +0100
+++ sys/netinet/libalias/alias_db.c     2013-03-05 16:50:09.000000000 +0100
@@ -2767,8 +2767,8 @@
        struct ip_fw rule;      /* On-the-fly built rule */
        int fwhole;             /* Where to punch hole */

-       LIBALIAS_LOCK_ASSERT(la);
        la = lnk->la;
+       LIBALIAS_LOCK_ASSERT(la);

 /* Don't do anything unless we are asked to */
        if (!(la->packetAliasMode & PKT_ALIAS_PUNCH_FW) ||
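Review bot: In PunchFWHole(), moving LIBALIAS_LOCK_ASSERT(la) below la = lnk->la stops the macro from reading an uninitialized pointer, but an assertion only checks a precondition and cannot repair the locking that the description blames for the HouseKeeping panic. The PR text should say which lock callers of PunchFWHole() are expected to hold, and whether this function is on the path shown in the stack trace (HouseKeeping, LibAliasOutLocked) at all.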
@@ -2841,8 +2841,8 @@
 {
        struct libalias *la;

-       LIBALIAS_LOCK_ASSERT(la);
        la = lnk->la;
+       LIBALIAS_LOCK_ASSERT(la);
        if (lnk->link_type == LINK_TCP) {
                int fwhole = lnk->data.tcp->fwhole;     /* Where is the firewall
                                                         * hole? */
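Review bot: In ClearFWHole(), struct libalias *la; is declared without a value and assigned on a later line, which is what allowed a statement using la to sit above the assignment. Consider initializing at the declaration, struct libalias *la = lnk->la;, so nothing can be placed ahead of it, and build this file with uninitialized-variable warnings enabled to catch the same mistake elsewhere.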



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Mar 6 06:43:36 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=176667 

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Lutz Donnerhacke <lutz@iks-service.de>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/176667: libalias locks on uninitialized data
Date: Thu, 7 Mar 2013 20:30:26 +0400

 On Tue, Mar 05, 2013 at 03:54:50PM +0000, Lutz Donnerhacke wrote:
 L> 
 L> >Number:         176667
 L> >Category:       kern
 L> >Synopsis:       libalias locks on uninitialized data
 L> >Confidential:   no
 L> >Severity:       non-critical
 L> >Priority:       low
 L> >Responsible:    freebsd-bugs
 L> >State:          open
 L> >Quarter:        
 L> >Keywords:       
 L> >Date-Required:
 L> >Class:          sw-bug
 L> >Submitter-Id:   current-users
 L> >Arrival-Date:   Tue Mar 05 16:00:00 UTC 2013
 L> >Closed-Date:
 L> >Last-Modified:
 L> >Originator:     Lutz Donnerhacke
 L> >Release:        FreeBSD 8.3-RELEASE (GENERIC)
 L> >Organization:
 L> IKS Service GmbH
 L> >Environment:
 L> FreeBSD server7.net.encoline.de 8.3-RELEASE FreeBSD 8.3-RELEASE #0: Mon Apr  9 21:23:18 UTC 2012     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
 L> 
 L> >Description:
 L> While testing terminating a huge number of PPPoX clients the kernel panics while doing in-kernel NAT.
 L> 
 L> #4 0xffffffff808e8775 at calltrap+0x8
 L> #5 0xffffffff80fa0f01 at HouseKeeping+0xa1
 L> #6 0xffffffff80f9e6ab at LibAliasOutLocked+0x3b
 L> 
 L> Please note that the stack trace is incomplete. There are calls to IncrementalCleanup() and DeleteLink(), which are not reported in the stack trace.
 L> 
 L> The problem seems to come from incorrect locking, so the contents of the libalias database get corrupted.
 L> 
 L> This patch might not be the full solution, but is an obvious fix for an obvious bug.
 L> >How-To-Repeat:
 L> Setting up ipfw nat, add more than 9000 clients using mpd5.6, generate traffic
 L> >Fix:
 L> --- sys/netinet/libalias/alias_db.c.ORIG        2013-03-05 16:49:13.000000000 +0100
 L> +++ sys/netinet/libalias/alias_db.c     2013-03-05 16:50:09.000000000 +0100
 L> @@ -2767,8 +2767,8 @@
 L>         struct ip_fw rule;      /* On-the-fly built rule */
 L>         int fwhole;             /* Where to punch hole */
 L> 
 L> -       LIBALIAS_LOCK_ASSERT(la);
 L>         la = lnk->la;
 L> +       LIBALIAS_LOCK_ASSERT(la);
 L> 
 L>  /* Don't do anything unless we are asked to */
 L>         if (!(la->packetAliasMode & PKT_ALIAS_PUNCH_FW) ||
 L> @@ -2841,8 +2841,8 @@
 L>  {
 L>         struct libalias *la;
 L> 
 L> -       LIBALIAS_LOCK_ASSERT(la);
 L>         la = lnk->la;
 L> +       LIBALIAS_LOCK_ASSERT(la);
 L>         if (lnk->link_type == LINK_TCP) {
 L>                 int fwhole = lnk->data.tcp->fwhole;     /* Where is the firewall
 L>                                                          * hole? */
 
 The code edited isn't correct, and neither is the patch.
 
 The fw punching isn't supported when libalias is compiled into the kernel.
 
 The LIBALIAS_LOCK_ASSERT(la) on an uninitialized variable couldn't even
 pass the compiler, if only the entire fw punching code was enabled.
 
 So these lines need to be just removed for sanity. Unfortunately this isn't
 related to the panic you are hitting.
 
 Do you have cores of that panic?
 
 -- 
 Totus tuus, Glebius.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/176667: commit references a PR
Date: Mon, 11 Mar 2013 12:22:52 +0000 (UTC)

 Author: glebius
 Date: Mon Mar 11 12:22:44 2013
 New Revision: 248158
 URL: http://svnweb.freebsd.org/changeset/base/248158
 
 Log:
   Remove LIBALIAS_LOCK_ASSERT(), including a couple with an uninitialized
   argument, in code that isn't compiled in kernel.
   
   PR:		kern/176667
   Sponsored by:	Nginx, Inc.
 
 Modified:
   head/sys/netinet/libalias/alias_db.c
 
 Modified: head/sys/netinet/libalias/alias_db.c
 ==============================================================================
 --- head/sys/netinet/libalias/alias_db.c	Mon Mar 11 12:14:20 2013	(r248157)
 +++ head/sys/netinet/libalias/alias_db.c	Mon Mar 11 12:22:44 2013	(r248158)
 @@ -2729,7 +2729,6 @@ static void
  InitPunchFW(struct libalias *la)
  {
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	la->fireWallField = malloc(la->fireWallNumNums);
  	if (la->fireWallField) {
  		memset(la->fireWallField, 0, la->fireWallNumNums);
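Review bot: Removing LIBALIAS_LOCK_ASSERT(la) at the top of InitPunchFW() drops the only line in this hunk that records a locking precondition for the function, and the log justifies it solely by the code not being compiled in the kernel. If callers are still expected to hold the libalias lock here, a one-line comment above the malloc() call would keep that documented.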
 @@ -2745,7 +2744,6 @@ static void
  UninitPunchFW(struct libalias *la)
  {
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	ClearAllFWHoles(la);
  	if (la->fireWallFD >= 0)
  		close(la->fireWallFD);
 @@ -2765,7 +2763,6 @@ PunchFWHole(struct alias_link *lnk)
  	struct ip_fw rule;	/* On-the-fly built rule */
  	int fwhole;		/* Where to punch hole */
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	la = lnk->la;
  
  /* Don't do anything unless we are asked to */
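Review bot: The log ties this commit to kern/176667 without saying that the reported panic is not addressed. In PunchFWHole() the deleted assert above la = lnk->la was the read of an uninitialized la named in the PR synopsis, but the follow-up in the PR states the lines are unrelated to the HouseKeeping crash. Say so in the log, otherwise the PR can be closed on this revision with the panic unexplained.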
 @@ -2839,7 +2836,6 @@ ClearFWHole(struct alias_link *lnk)
  {
  	struct libalias *la;
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	la = lnk->la;
  	if (lnk->link_type == LINK_TCP) {
  		int fwhole = lnk->data.tcp->fwhole;	/* Where is the firewall
 @@ -2864,7 +2860,6 @@ ClearAllFWHoles(struct libalias *la)
  	struct ip_fw rule;	/* On-the-fly built rule */
  	int i;
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	if (la->fireWallFD < 0)
  		return;
  
 @@ -2878,7 +2873,7 @@ ClearAllFWHoles(struct libalias *la)
  	memset(la->fireWallField, 0, la->fireWallNumNums);
  }
  
 -#endif
 +#endif /* !NO_FW_PUNCH */
  
  void
  LibAliasSetFWBase(struct libalias *la, unsigned int base, unsigned int num)
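Review bot: The log does not mention the #endif /* !NO_FW_PUNCH */ comment change after ClearAllFWHoles(). Add a short line for it, and confirm the label matches the condition on the opening #if, which lies outside the visible context.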
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: hiren 
State-Changed-When: Tue May 7 05:03:30 UTC 2013 
State-Changed-Why:  
Gleb committed r248158. 


Responsible-Changed-From-To: freebsd-net->glebius 
Responsible-Changed-By: hiren 
Responsible-Changed-When: Tue May 7 05:03:30 UTC 2013 
Responsible-Changed-Why:  
Gleb committed r248158. 

State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Mon Jun 24 09:22:27 UTC 2013 
State-Changed-Why:  
Merged to stable/9. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/176667: commit references a PR
Date: Mon, 24 Jun 2013 09:23:34 +0000 (UTC)

 Author: glebius
 Date: Mon Jun 24 09:23:24 2013
 New Revision: 252150
 URL: http://svnweb.freebsd.org/changeset/base/252150
 
 Log:
   Merge r248158:
     Remove LIBALIAS_LOCK_ASSERT(), including a couple with an uninitialized
     argument, in code that isn't compiled in kernel.
   
     PR:           kern/176667
     Sponsored by: Nginx, Inc.
 
 Modified:
   stable/9/sys/netinet/libalias/alias_db.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/netinet/libalias/alias_db.c
 ==============================================================================
 --- stable/9/sys/netinet/libalias/alias_db.c	Mon Jun 24 09:21:55 2013	(r252149)
 +++ stable/9/sys/netinet/libalias/alias_db.c	Mon Jun 24 09:23:24 2013	(r252150)
 @@ -2729,7 +2729,6 @@ static void
  InitPunchFW(struct libalias *la)
  {
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	la->fireWallField = malloc(la->fireWallNumNums);
  	if (la->fireWallField) {
  		memset(la->fireWallField, 0, la->fireWallNumNums);
 @@ -2745,7 +2744,6 @@ static void
  UninitPunchFW(struct libalias *la)
  {
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	ClearAllFWHoles(la);
  	if (la->fireWallFD >= 0)
  		close(la->fireWallFD);
 @@ -2765,7 +2763,6 @@ PunchFWHole(struct alias_link *lnk)
  	struct ip_fw rule;	/* On-the-fly built rule */
  	int fwhole;		/* Where to punch hole */
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	la = lnk->la;
  
  /* Don't do anything unless we are asked to */
 @@ -2839,7 +2836,6 @@ ClearFWHole(struct alias_link *lnk)
  {
  	struct libalias *la;
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	la = lnk->la;
  	if (lnk->link_type == LINK_TCP) {
  		int fwhole = lnk->data.tcp->fwhole;	/* Where is the firewall
 @@ -2864,7 +2860,6 @@ ClearAllFWHoles(struct libalias *la)
  	struct ip_fw rule;	/* On-the-fly built rule */
  	int i;
  
 -	LIBALIAS_LOCK_ASSERT(la);
  	if (la->fireWallFD < 0)
  		return;
  
 @@ -2878,7 +2873,7 @@ ClearAllFWHoles(struct libalias *la)
  	memset(la->fireWallField, 0, la->fireWallNumNums);
  }
  
 -#endif
 +#endif /* !NO_FW_PUNCH */
  
  void
  LibAliasSetFWBase(struct libalias *la, unsigned int base, unsigned int num)
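Review bot: The branch the PR was filed against is not covered by this merge: the report is for FreeBSD 8.3-RELEASE, but the Modified: list names only stable/9/sys/netinet/libalias/alias_db.c. The log should state whether the 8.x branch carries the same LIBALIAS_LOCK_ASSERT(la) lines in PunchFWHole() and ClearFWHole() and, if it does, whether a merge there is planned.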
 
>Unformatted:
