On 06/06/07 16:29, Max Laier wrote: > After several attempts to fix user/group rules which ended like the most > recent one - cited below - with *ZERO* feedback, I won't waste anymore > effort. Either somebody steps up, does proper testing and reports back, > or user/group rules go! End of story! Max, I've upgraded my -STABLE standby desktop system into a -CURRENT system (just for you... *s*) to test your patch. Before trying to check your fixes, I've set up a plain (recently csup'ed) -CURRENT system w/o your patch. Unfortunately while trying hard to get that box into an LOR, I'm unable to do so easy. As I need to verify an unpatched against a patched system, I need to find a _reliable_ way to get the box LORing. I've added two pf rules which should (AFAIK) get this into an LOR: pass out log quick on $if_lan all user volker keep state pass in log on $if_lan proto {tcp udp} from any to \ any port 49152:65535 user avahi keep state After having that box running for a while (3-4 hours), generated some icmp, tcp and udp traffic, I was able to get just one single LOR which has been caused by a DHCPd response (but even 1 out of 5 bootp udp packets caused that LOR): lock order reversal: 1st 0xc34e7d84 pf task mtx (pf task mtx) _at_ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6414 2nd 0xc0a6456c udp (udp) _at_ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:2760 KDB: stack backtrace: db_trace_self_wrapper(c092a516,d404d888,c06ab8fe,c092c9c0,c0a6456c,...) at db_trace_self_wrapper+0x26 kdb_backtrace(c092c9c0,c0a6456c,c092ca6d,c092ca6d,c34e4da8,...) at kdb_backtrace+0x29 witness_checkorder(c0a6456c,9,c34e4da8,ac8,0,...) at witness_checkorder+0x6de _mtx_lock_flags(c0a6456c,0,c34e4da8,ac8,1,...) at _mtx_lock_flags+0xbc pf_socket_lookup(d404d984,d404d980,1,d404d9f0,0,...) at pf_socket_lookup+0x25b pf_test_udp(d404da74,d404da70,1,c3481300,c3259c00,...) at pf_test_udp+0x1099 pf_test(1,c3160c00,d404dad0,0,0,...) at pf_test+0xf32 pf_check_in(0,d404dad0,c3160c00,1,0,...) at pf_check_in+0x39 pfil_run_hooks(c0a63d60,d404db24,c3160c00,1,0,...) at pfil_run_hooks+0x88 ip_input(c3259c00,14e,800,c3160c00,800,...) at ip_input+0x27d netisr_dispatch(2,c3259c00,10,3,0,...) at netisr_dispatch+0x73 ether_demux(c3160c00,c3259c00,3,0,3,...) at ether_demux+0x1f1 ether_input(c3160c00,c3259c00,c094ce2d,647,c32516d8,...) at ether_input+0x41f nve_ospacketrx(c3251600,d404dc04,1,0,0,...) at nve_ospacketrx+0xfa UpdateReceiveDescRingData(c088a950,c088aa80,c088a980,c088ab20,c088a930,...) at UpdateReceiveDescRingData+0x2f8 nve_osalloc(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at nve_osalloc _end(c32c9c00,c3102c08,3065766e,0,0,...) at 0xc30f8540 _end(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at 0xc32423c0 What am I doing wrong? How do I get the (unpatched) system reliable into an LOR and being able to verify that with a patched system? My pf.c (w/o your patch): src/sys/contrib/pf/net/pf.c,v 1.44 2007/05/21 20:08:59 dhartmei pf.c commit rev 1.43 already states LORs as being fixed. By reading your patches, you're just wrapping 1.43 fixes by a systctl setting. Next story... what does your patch really do? I've analyzed it and you're just wrapping the pf_socket_lookup by an if(debug_pfugidhack) statement. Your patch also auto sets debug.pfugidhack=1 if an uid/gid rule has been parsed. It can manually be set to zero by sysctl but that would just cause skipping pf_socket_lookup() completely at runtime (which disables uid/gid rule parsing?). So I'm wondering if the LOR has really been fixed or if the patch is just a cosmetical one? Can you help me to find a reliable way to get that LOR and proof your patch? Anybody else having any comments on this? Thx Volker epeios# uname -v FreeBSD 7.0-CURRENT #15: Sat Jun 9 08:19:03 CEST 2007 dmesg: Copyright (c) 1992-2007 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 7.0-CURRENT #15: Sat Jun 9 08:19:03 CEST 2007 root_at_epeios.sz.vwsoft.com:/usr/obj/usr/src/sys/EPEIOS WARNING: WITNESS option enabled, expect reduced performance. ACPI APIC Table: <A M I OEMAPIC > Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: AMD Athlon(tm) 64 Processor 3200+ (2009.16-MHz 686-class CPU) Origin = "AuthenticAMD" Id = 0x20ff2 Stepping = 2 Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2> Features2=0x1<SSE3> AMD Features=0xe2500800<SYSCALL,NX,MMX+,FFXSR,LM,3DNow!+,3DNow!> AMD Features2=0x1<LAHF> real memory = 503054336 (479 MB) avail memory = 474140672 (452 MB) ioapic0 <Version 1.1> irqs 0-23 on motherboard kbd1 at kbdmux0 ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413) cryptosoft0: <software crypto> on motherboard acpi0: <A M I OEMXSDT> on motherboard acpi0: [ITHREAD] acpi0: Power Button (fixed) acpi0: reservation of 0, a0000 (3) failed acpi0: reservation of 100000, 1ff00000 (3) failed Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000 acpi_timer0: <24-bit timer at 3.579545MHz> port 0x508-0x50b on acpi0 cpu0: <ACPI CPU> on acpi0 pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0 pci0: <ACPI PCI bus> on pcib0 pci0: <memory, RAM> at device 0.0 (no driver attached) pci0: <memory, RAM> at device 0.1 (no driver attached) pci0: <memory, RAM> at device 0.2 (no driver attached) pci0: <memory, RAM> at device 0.3 (no driver attached) pci0: <memory, RAM> at device 0.4 (no driver attached) pci0: <memory, RAM> at device 0.5 (no driver attached) pci0: <memory, RAM> at device 0.6 (no driver attached) pci0: <memory, RAM> at device 0.7 (no driver attached) pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0 pci1: <ACPI PCI bus> on pcib1 pcib2: <ACPI PCI-PCI bridge> at device 3.0 on pci0 pci2: <ACPI PCI bus> on pcib2 pcib3: <ACPI PCI-PCI bridge> at device 4.0 on pci0 pci3: <ACPI PCI bus> on pcib3 nvidia0: <GeForce 6150> mem 0xfd000000-0xfdffffff,0xd0000000-0xdfffffff,0xfc000000-0xfcffffff at device 5.0 on pci0 nvidia0: [GIANT-LOCKED] nvidia0: [ITHREAD] pci0: <memory, RAM> at device 9.0 (no driver attached) isab0: <PCI-ISA bridge> at device 10.0 on pci0 isa0: <ISA bus> on isab0 pci0: <serial bus, SMBus> at device 10.1 (no driver attached) ohci0: <OHCI (generic) USB controller> mem 0xfebde000-0xfebdefff irq 21 at device 11.0 on pci0 ohci0: [GIANT-LOCKED] ohci0: [ITHREAD] usb0: OHCI version 1.0, legacy support usb0: <OHCI (generic) USB controller> on ohci0 usb0: USB revision 1.0 uhub0: <nVidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb0 uhub0: 8 ports with 8 removable, self powered ehci0: <EHCI (generic) USB 2.0 controller> mem 0xfebdfc00-0xfebdfcff irq 22 at device 11.1 on pci0 ehci0: [GIANT-LOCKED] ehci0: [ITHREAD] usb1: EHCI version 1.0 usb1: companion controller, 8 ports each: usb0 usb1: <EHCI (generic) USB 2.0 controller> on ehci0 usb1: USB revision 2.0 uhub1: <nVidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb1 uhub1: 8 ports with 8 removable, self powered atapci0: <nVidia nForce MCP51 UDMA133 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xffa0-0xffaf at device 13.0 on pci0 ata0: <ATA channel 0> on atapci0 ata0: [ITHREAD] ata1: <ATA channel 1> on atapci0 ata1: [ITHREAD] atapci1: <nVidia nForce MCP51 SATA300 controller> port 0xe800-0xe807,0xe480-0xe483,0xe400-0xe407,0xe080-0xe083,0xe000-0xe00f mem 0xfebdd000-0xfebddfff irq 23 at device 14.0 on pci0 atapci1: [ITHREAD] ata2: <ATA channel 0> on atapci1 ata2: [ITHREAD] ata3: <ATA channel 1> on atapci1 ata3: [ITHREAD] atapci2: <nVidia nForce MCP51 SATA300 controller> port 0xdc00-0xdc07,0xd880-0xd883,0xd800-0xd807,0xd480-0xd483,0xd400-0xd40f mem 0xfebdc000-0xfebdcfff irq 20 at device 15.0 on pci0 atapci2: [ITHREAD] ata4: <ATA channel 0> on atapci2 ata4: [ITHREAD] ata5: <ATA channel 1> on atapci2 ata5: [ITHREAD] pcib4: <ACPI PCI-PCI bridge> at device 16.0 on pci0 pci4: <ACPI PCI bus> on pcib4 fwohci0: <VIA Fire II (VT6306)> port 0xcc00-0xcc7f mem 0xfaaff800-0xfaafffff irq 17 at device 5.0 on pci4 fwohci0: [FILTER] fwohci0: OHCI version 1.0 (ROM=1) fwohci0: No. of Isochronous channels is 4. fwohci0: EUI64 00:11:d8:00:00:67:ed:4b fwohci0: Phy 1394a available S400, 2 ports. fwohci0: Link S400, max_rec 2048 bytes. firewire0: <IEEE1394(FireWire) bus> on fwohci0 fwe0: <Ethernet over FireWire> on firewire0 if_fwe0: Fake Ethernet address: 02:11:d8:67:ed:4b fwe0: Ethernet address: 02:11:d8:67:ed:4b fwip0: <IP over FireWire> on firewire0 fwip0: Firewire address: 00:11:d8:00:00:67:ed:4b _at_ 0xfffe00000000, S400, maxrec 2048 sbp0: <SBP-2/SCSI over FireWire> on firewire0 dcons_crom0: <dcons configuration ROM> on firewire0 dcons_crom0: bus_addr 0x1d500000 fwohci0: Initiate bus reset fwohci0: BUS reset fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode pci0: <multimedia> at device 16.1 (no driver attached) nve0: <NVIDIA nForce MCP13 Networking Adapter> port 0xd080-0xd087 mem 0xfebd7000-0xfebd7fff irq 22 at device 20.0 on pci0 nve0: Ethernet address 00:15:f2:02:df:f5 miibus0: <MII bus> on nve0 e1000phy0: <Marvell 88E1111 Gigabit PHY> PHY 1 on miibus0 e1000phy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto nve0: using obsoleted if_watchdog interface nve0: Ethernet address: 00:15:f2:02:df:f5 nve0: [ITHREAD] acpi_button0: <Power Button> on acpi0 fdc0: <floppy drive controller (FDE)> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0 fdc0: [FILTER] atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0 atkbd0: <AT Keyboard> irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] atkbd0: [ITHREAD] psm0: <PS/2 Mouse> irq 12 on atkbdc0 psm0: [GIANT-LOCKED] psm0: [ITHREAD] psm0: model MouseMan+, device ID 0 pmtimer0 on isa0 sc0: <System console> at flags 0x100 on isa0 sc0: VGA <16 virtual consoles, flags=0x300> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0 ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode ppc0: FIFO with 16/16/9 bytes threshold ppbus0: <Parallel port bus> on ppc0 lpt0: <Printer> on ppbus0 lpt0: Interrupt-driven port ppi0: <Parallel I/O> on ppbus0 ppc0: [GIANT-LOCKED] ppc0: [ITHREAD] Timecounter "TSC" frequency 2009159850 Hz quality 800 Timecounters tick every 1.000 msec Fast IPsec: Initialized Security Association Processing. firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me) firewire0: bus manager 0 (me) ad4: 76319MB <SAMSUNG HD080HJ WT100-33> at ata2-master SATA300 WARNING: WITNESS option enabled, expect reduced performance. Trying to mount root from ufs:/dev/ad4s1a KERNCONF: machine i386 cpu I686_CPU ident EPEIOS # To statically compile in device wiring instead of /boot/device.hints #hints "GENERIC.hints" # Default places to look for devices. makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols options SCHED_4BSD # 4BSD scheduler options PREEMPTION # Enable kernel thread preemption options INET # InterNETworking options INET6 # IPv6 communications protocols options FAST_IPSEC options FFS # Berkeley Fast Filesystem options SOFTUPDATES # Enable FFS soft updates support options UFS_ACL # Support for access control lists options UFS_DIRHASH # Improve performance on big directories options UFS_GJOURNAL # Enable gjournal-based UFS journaling options MD_ROOT # MD is a potential root device options NFSCLIENT # Network Filesystem Client options NFSSERVER # Network Filesystem Server options NFS_ROOT # NFS usable as /, requires NFSCLIENT options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem options PROCFS # Process filesystem (requires PSEUDOFS) options PSEUDOFS # Pseudo-filesystem framework #options GEOM_GPT # GUID Partition Tables. options GEOM_PART_GPT # GUID Partition Tables. options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!] options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!] options COMPAT_FREEBSD4 # Compatible with FreeBSD4 options COMPAT_FREEBSD5 # Compatible with FreeBSD5 options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI options KTRACE # ktrace(1) support options SYSVSHM # SYSV-style shared memory options SYSVMSG # SYSV-style message queues options SYSVSEM # SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options KBD_INSTALL_CDEV # install a CDEV entry in /dev options ADAPTIVE_GIANT # Giant mutex is adaptive. options STOP_NMI # Stop CPUS using NMI instead of IPI options HZ=1000 options SMP device apic # I/O APIC # Debugging for use in -current options KDB # Enable kernel debugger support. options DDB # Support DDB. options GDB # Support remote GDB. options INVARIANTS # Enable calls of extra sanity checking options INVARIANT_SUPPORT # Extra sanity checks of internal structures, required by INVARIANTS options WITNESS # Enable checks to detect deadlocks and cycles options WITNESS_SKIPSPIN # Don't run witness on spinlocks for speed # Bus support. #device eisa device pci # Floppy drives device fdc # ATA and ATAPI devices device ata device atadisk # ATA disk drives device ataraid # ATA RAID drives device atapicd # ATAPI CDROM drives device atapifd # ATAPI floppy drives device atapist # ATAPI tape drives options ATA_STATIC_ID # Static device numbering device atapicam # SCSI Controllers device ahc # AHA2940 and onboard AIC7xxx devices options AHC_REG_PRETTY_PRINT # Print register bitfields in debug # output. Adds ~128k to driver. device ahd # AHA39320/29320 and onboard AIC79xx devices options AHD_REG_PRETTY_PRINT # Print register bitfields in debug # output. Adds ~215k to driver. device ncv # NCR 53C500 device nsp # Workbit Ninja SCSI-3 device stg # TMC 18C30/18C50 # SCSI peripherals device scbus # SCSI bus (required for SCSI) device ch # SCSI media changers device da # Direct Access (disks) device sa # Sequential Access (tape etc) device cd # CD device pass # Passthrough device (direct SCSI access) device ses # SCSI Environmental Services (and SAF-TE) # atkbdc0 controls both the keyboard and the PS/2 mouse device atkbdc # AT keyboard controller device atkbd # AT keyboard device psm # PS/2 mouse device kbdmux # keyboard multiplexer device vga # VGA video card driver device splash # Splash screen and screen saver support # syscons is the default console driver, resembling an SCO console device sc # Enable this for the pcvt (VT220 compatible) console driver #device vt #options XSERVER # support for X server on a vt console #options FAT_CURSOR # start with block cursor device agp # support several AGP chipsets # Power management support (see NOTES for more options) #device apm # Add suspend/resume support for the i8254. device pmtimer # Serial (COM) ports #device sio # 8250, 16[45]50 based serial ports #device uart # Parallel port device ppc device ppbus # Parallel port bus (required) device lpt # Printer device ppi # Parallel port interface device #device vpo # Requires scbus and da # If you've got a "dumb" serial or parallel PCI card that is # supported by the puc(4) glue driver, uncomment the following # line to enable it (connects to the sio and/or ppc drivers): #device puc # PCI Ethernet NICs. device de # DEC/Intel DC21x4x (``Tulip'') device em # Intel PRO/1000 adapter Gigabit Ethernet Card device ixgb # Intel PRO/10GbE Ethernet Card device txp # 3Com 3cR990 (``Typhoon'') device vx # 3Com 3c590, 3c595 (``Vortex'') # PCI Ethernet NICs that use the common MII bus controller code. # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs! device miibus # MII bus support device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet device bfe # Broadcom BCM440x 10/100 Ethernet device bge # Broadcom BCM570xx Gigabit Ethernet device dc # DEC/Intel 21143 and various workalikes device fxp # Intel EtherExpress PRO/100B (82557, 82558) device lge # Level 1 LXT1001 gigabit Ethernet device nge # NatSemi DP83820 gigabit Ethernet device nve # nVidia nForce MCP on-board Ethernet Networking device pcn # AMD Am79C97x PCI 10/100(precedence over 'lnc') device re # RealTek 8139C+/8169/8169S/8110S device rl # RealTek 8129/8139 device sf # Adaptec AIC-6915 (``Starfire'') device sis # Silicon Integrated Systems SiS 900/SiS 7016 device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet device ste # Sundance ST201 (D-Link DFE-550TX) device stge # Sundance/Tamarack TC9021 gigabit Ethernet device ti # Alteon Networks Tigon I/II gigabit Ethernet device tl # Texas Instruments ThunderLAN device tx # SMC EtherPower II (83c170 ``EPIC'') device vge # VIA VT612x gigabit Ethernet device vr # VIA Rhine, Rhine II device wb # Winbond W89C840F device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'') # Wireless NIC cards device wlan # 802.11 support device wlan_wep # 802.11 WEP support device wlan_ccmp # 802.11 CCMP support device wlan_tkip # 802.11 TKIP support device wlan_amrr device an # Aironet 4500/4800 802.11 wireless NICs. device ath # Atheros pci/cardbus NIC's device ath_hal # Atheros HAL (Hardware Access Layer) device ath_rate_sample # SampleRate tx rate control for ath device awi # BayStack 660 and others device ral # Ralink Technology RT2500 wireless NICs. device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs. #device wl # Older non 802.11 Wavelan wireless NIC. # Pseudo devices. device mem device io device loop # Network loopback device random # Entropy device device ether # Ethernet support device ppp # Kernel PPP device tun # Packet tunnel. device pty # Pseudo-ttys (telnet etc) device md # Memory "disks" device gif # IPv6 and IPv4 tunneling device faith # IPv6-to-IPv4 relaying (translation) # The `bpf' device enables the Berkeley Packet Filter. # Be aware of the administrative consequences of enabling this! # Note that 'bpf' is required for DHCP. device bpf # Berkeley packet filter # USB support device uhci # UHCI PCI->USB interface device ohci # OHCI PCI->USB interface device ehci # EHCI PCI->USB interface (USB 2.0) device usb # USB Bus (required) #device udbp # USB Double Bulk Pipe devices device ugen # Generic device uhid # "Human Interface Devices" device ukbd # Keyboard device ulpt # Printer device umass # Disks/Mass storage - Requires scbus and da device ums # Mouse device ural # Ralink Technology RT2500USB wireless NICs device rum device urio # Diamond Rio 500 MP3 player device uscanner # Scanners # USB Ethernet, requires miibus device aue # ADMtek USB Ethernet device axe # ASIX Electronics USB Ethernet device cdce # Generic USB over Ethernet device cue # CATC USB Ethernet device kue # Kawasaki LSI USB Ethernet device rue # RealTek RTL8150 USB Ethernet options ALTQ options ALTQ_CBQ # Class Bases Queueing options ALTQ_RED # Random Early Detection options ALTQ_RIO # RED In/Out options ALTQ_HFSC # Hierarchical Packet Scheduler options ALTQ_CDNR # Traffic conditioner options ALTQ_PRIQ # Priority Queueing options ALTQ_NOPCC # Required if the TSC is unusable #options ALTQ_DEBUG # FireWire support device firewire # FireWire bus code device sbp # SCSI over FireWire (Requires scbus and da) device fwe # Ethernet over FireWire (non-standard!) device fwip device dcons device dcons_crom device crypto device encReceived on Sat Jun 09 2007 - 17:26:31 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:12 UTC