From nobody@FreeBSD.org  Wed Sep  7 14:17:30 2011
Message-Id: <201109071417.p87EHUIu010035@red.freebsd.org>
Date: Wed, 7 Sep 2011 14:17:30 GMT
From: Nikos Vassiliadis <nvass@gmx.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [vimage][pf][patch] panic: userret: Returning on td 0xxxxxxxxx (pid xxxx, pftop) with vnet 0xxxxxxxxx set in pfioctl
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         160541
>Category:       kern
>Synopsis:       [vimage][pf][patch] panic: userret: Returning on td 0xxxxxxxxx (pid xxxx, pftop) with vnet 0xxxxxxxxx set in pfioctl
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-virtualization
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 07 14:20:06 UTC 2011
>Closed-Date:    
>Last-Modified:  Fri Sep 09 21:45:27 UTC 2011
>Originator:     Nikos Vassiliadis
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD lab.local 9.0-BETA2 FreeBSD 9.0-BETA2 #81 r225405M: Wed Sep  7 13:23:11 EEST 2011     root@lab.local:/usr/obj/usr/src/sys/LAB  i386

>Description:
A VIMAGE kernel panics when certain pf IOCTLs are used. The
panic is triggered by pftop, for example.

Unread portion of the kernel message buffer:
panic: userret: Returning on td 0xc3a0e2e0 (pid 1311, pftop) with vnet 0xc35a9000 set in pfioctl
cpuid = 0
KDB: enter: panic
Physical memory: 491 MB
Dumping 55 MB: 40 24 8

>How-To-Repeat:
build a VIMAGE kernel
build pftop port
kldload pf
run pftop and cycle through the views
the kernel will panic
>Fix:
For certain IOCTLs, CURVNET_RESTORE() is not called
upon return from pfioctl():/sys/contrib/pf/net/pf_ioctl.c

Patch attached with submission follows:

Index: sys/contrib/pf/net/pf_ioctl.c
===================================================================
--- sys/contrib/pf/net/pf_ioctl.c	(revision 225405)
+++ sys/contrib/pf/net/pf_ioctl.c	(working copy)
@@ -1517,9 +1517,11 @@
 			if (((struct pfioc_table *)addr)->pfrio_flags &
 			    PFR_FLAG_DUMMY)
 				break; /* dummy operation ok */
-			return (EPERM);
+			error = EPERM;
+			goto notpermitted;
 		default:
-			return (EPERM);
+			error = EPERM;
+			goto notpermitted;
 		}
 
 	if (!(flags & FWRITE))
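Review bot: the two `error = EPERM; goto notpermitted;` sites in this switch only fix the leak if CURVNET_SET() has already run and `error` is already declared at this point in pfioctl(), and neither is visible in the hunk; please confirm both. If nothing in these permission checks needs the vnet context, moving CURVNET_SET() below them would let the original `return (EPERM);` lines stand and would avoid a jump from around line 1517 to a label near line 3915.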
@@ -1564,14 +1566,18 @@
 				flags |= FWRITE; /* need write lock for dummy */
 				break; /* dummy operation ok */
 			}
-			return (EACCES);
+			error = EACCES;
+			goto notpermitted;
 		case DIOCGETRULE:
 			if (((struct pfioc_rule *)addr)->action ==
-			    PF_GET_CLR_CNTR)
-				return (EACCES);
+			    PF_GET_CLR_CNTR) {
+				error = EACCES;
+				goto notpermitted;
+			}
 			break;
 		default:
-			return (EACCES);
+			error = EACCES;
+			goto notpermitted;
 		}
 
 	if (flags & FWRITE)
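Review bot: the three EACCES sites in this switch, like the EPERM ones above, rely on every exit from pfioctl() passing through the label, and nothing here stops the next added case from using a plain `return` and reintroducing the panic. A short comment above the switch stating that early returns are not allowed once the vnet is set would document that. The braces added around the `PF_GET_CLR_CNTR` branch are required now that its body is two statements.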
@@ -3909,6 +3915,8 @@
 		rw_exit_read(&pf_consistency_lock);
 #endif
 
+notpermitted:
+	/* EPERM and EACCES jump here */
 	CURVNET_RESTORE();
 
 	return (error);
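Review bot: the `notpermitted:` label sits after `rw_exit_read(&pf_consistency_lock);` and the `#endif`, so every jump to it skips the lock release; that is right only if none of the jump sites holds pf_consistency_lock, under either side of the preprocessor conditional, and the comment should say so. The success path also falls through this label, so a name describing what the label does rather than who jumps to it would age better than `notpermitted`, and `/* EPERM and EACCES jump here */` goes stale as soon as another error code uses it.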


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Sep 8 06:12:12 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=160541 
Responsible-Changed-From-To: freebsd-pf->freebsd-virtualization 
Responsible-Changed-By: bz 
Responsible-Changed-When: Fri Sep 9 21:45:13 UTC 2011 
Responsible-Changed-Why:  
Re-assign to right mailing list 

http://www.freebsd.org/cgi/query-pr.cgi?pr=160541 
>Unformatted:
