Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

Max Laier max at love2party.net
Fri Jul 27 07:44:13 UTC 2007 

On Friday 27 July 2007, Kris Kennaway wrote:
> On Fri, Jul 20, 2007 at 11:36:50AM -0700, Julian Elischer wrote:
> > Robert Watson wrote:
> > >On Tue, 17 Jul 2007, Max Laier wrote:
> > >
> > >So far I have had 0 (zero) reports of problems since this thread
> > > began. Could people using uid/gid/jail rules with ipfw or pf on 7.x
> > > *please* try running their firewalls without debug.mpsafenet --
> > > ignore the witness warnings and/or disable witness, and let us know
> > > if you experience deadlocks.  We're reaching the very end of the
> > > merge cycle for 7.0, and I would really like to remove the Giant
> > > crutches (now effectively unused) from the network stack so it's
> > > not part of the ABI/API, the code is simplified and cleaned up,
> > > etc.
> >
> > does "problem" include a LOR message, or only a deadlock?
> > I've seen plenty of the first, but not the second.
>
> Various users have reported definite deadlocks relating to uid/gid
                              ^------^           ^------^
> firewall rules in the past.

I don't think the strong wording is true.  I have seen a few reports of 
deadlocks in the past where debug.mpsafenet "fixed" the issue, but none 
of the reporters where able to provide enough debugging details to 
actually identify the culprit.

Also note that a lot has changed since the early reports.  What WITNESS is 
warning about now is something like:

	rlock(&lock1);
	mtx_lock(&lock2);
	mtx_unlock(&lock2);
	runlock(&lock1);

 vs.

	mtx_lock(&lock2);
	rlock(&lock1);
	runlock(&lock1);
	mtx_unlock(&lock2);

It's obvious that this can't cause a deadlock unless there is a third 
codepath that does either:

	wlock(&lock1);
	mtx_lock(&lock2);
	mtx_unlock(&lock2);
	wunlock(&lock1);

 or

	mtx_lock(&lock2);
	wlock(&lock1);
	wunlock(&lock1);
	mtx_unlock(&lock2);

I have an idea how to teach WITNESS about this, but it's an awful hack, 
yet.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20070727/909429be/attachment.pgp

More information about the freebsd-arch mailing list