On Wednesday 21 July 2004 23:37, Wiktor Niesiobedzki wrote: > Hi, > > I don't think, it was reported yet, but here it goes: > > lock order reversal > 1st 0xc0632c80 pf task mtx (pf task mtx) _at_ > /usr/src/sys/contrib/pf/net/pf.c:5822 2nd 0xc066638c tcp (tcp) _at_ > /usr/src/sys/contrib/pf/net/pf.c:2420 > KDB: stack backtrace: > kdb_backtrace(c05f529a,c066638c,c05f4e21,c05f4e21,c05e7e3f) at > kdb_backtrace+0x2e witness_checkorder(c066638c,9,c05e7e3f,974,104) at > witness_checkorder+0x672 _mtx_lock_flags(c066638c,0,c05e7e3f,974,c1893230) > at _mtx_lock_flags+0x80 > pf_socket_lookup(cb9659b4,cb9659b8,2,cb965a70,c14fad00) at > pf_socket_lookup+0xb4 pf_test_tcp(cb965a20,cb965a18,2,c14fad00,c1475100) at > pf_test_tcp+0x529 pf_test(2,c10d8014,cb965b00,c15276a0,c0665ee0) at > pf_test+0x4a3 > pf_check_out(0,cb965b00,c10d8014,2,c1475100) at pf_check_out+0x5b > pfil_run_hooks(c0665ee0,cb965bc0,c10d8014,2,c04e8a70) at > pfil_run_hooks+0xca ip_output(c1475100,0,0,1,0) at ip_output+0x66d > ip_forward(c1475100,0,0,1,0) at ip_forward+0x37d > ip_input(c1475100,0,c05fad20,96,c0665598) at ip_input+0x65d > netisr_processqueue(c0665598,0,c05fad20,fe,c10d62c0) at > netisr_processqueue+0x8e swi_net(0,0,c05ef737,263,c063ae60) at swi_net+0xa3 > ithread_loop(c10dd400,cb965d48,c05ef52e,328,c10dd400) at ithread_loop+0x172 > fork_exit(c04ad4c0,c10dd400,cb965d48) at fork_exit+0xc2 > fork_trampoline() at fork_trampoline+0x8 > --- trap 0x1, eip = 0, esp = 0xcb965d7c, ebp = 0 --- Ture, this was not reported earlier but is wellknown with ipfw. It exists as checking UID/GID in an IP-level firewall is a layer violation. The original LO comes from the following path: proto_output: lock PCB -> ip_output(... pcb) -> pflil_hooks -> pf: lock pf vs. the above ip_input -> pfil_hooks -> pf: lock pf -> check socket credentials: lock PCB It is not possible to drop the pf lock for lookup as this happens during ruleset evaluation (and no other thread should be allowed to modify the rules). I know that people are looking for a solution for ipfw, I have no idea at the moment and hence am very happy for any suggestion. -- /"\ Best regards, | mlaier_at_freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier_at_EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:02 UTC