Date: Mon, 23 Jul 2012 21:33:46 GMT
From: Takanori Watanabe <takawata@init-main.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Dynamically-attached network interface will crash with VIMAGE enabled kernel
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         170096
>Category:       kern
>Synopsis:       [vimage] Dynamically-attached network interface will crash with VIMAGE enabled kernel
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    rodrigc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 23 21:40:09 UTC 2012
>Closed-Date:    Tue Oct 15 18:47:23 PDT 2013
>Last-Modified:  Tue Oct 15 18:47:23 PDT 2013
>Originator:     Takanori Watanabe
>Release:        FreeBSD 10.0-CURRENT
>Organization:
>Environment:
FreeBSD konata.init-main.com 10.0-CURRENT FreeBSD 10.0-CURRENT #7 r222214:238558M: Thu Jul 19 02:07:57 JST 2012     takawata@konata.init-main.com:/sys/i386/compile/LIEUTENANT  i386

>Description:
In the VIMAGE network stack, the curvnet macro is frequently referenced. It actually references the td_vnet member of the curthread structure. A usual user thread has a valid pointer in td_vnet, but a kernel thread, by which some dynamic interfaces are attached, is initialized with NULL, so the kernel will crash when curvnet is referenced.


>How-To-Repeat:
Plug in a dynamic network interface, like USB wlan, Bluetooth or something, and the kernel will crash where VNET() is referenced, like ng_make_node_common();
(I confirmed with USB only, but it may not be limited to USB if my idea is correct.)
>Fix:
None yet.
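
The failure mode in the description, and the scoped set/restore pattern that addresses it, as an added userland model (not FreeBSD code and not part of the original report). `struct vnet`, `td_vnet`, `stack_register_if()` and the `MODEL_` macros are simplified stand-ins assumed for illustration.

```c
/* Constructed userland model; nothing here is taken from <net/vnet.h>. */
#include <stddef.h>
#include <stdio.h>

struct vnet { int ifcount; };              /* per-stack state */
static struct vnet vnet0_store, vnet_jail; /* default stack and a second one */
static struct vnet *vnet0 = &vnet0_store;
static struct vnet *td_vnet;               /* models curthread->td_vnet: NULL in a kernel thread */

#define curvnet td_vnet
#define MODEL_CURVNET_SET(v)    struct vnet *saved_vnet = curvnet; curvnet = (v)
#define MODEL_CURVNET_RESTORE() curvnet = saved_vnet

/* Network code reading per-vnet state through curvnet. Returns -1 at the
 * point where the kernel would dereference NULL and panic. */
static int stack_register_if(void)
{
    if (curvnet == NULL)
        return (-1);
    return (++curvnet->ifcount);
}

/* Attach path run by a hot-plug worker thread that has no vnet context. */
static int attach_unfixed(void)
{
    return (stack_register_if());
}

/* Same path with the context set for the duration of the call only. */
static int attach_fixed(void)
{
    MODEL_CURVNET_SET(vnet0);
    int error = stack_register_if();
    MODEL_CURVNET_RESTORE();
    return (error);
}

/* A nested set/restore must hand the outer context back unchanged. */
static int nested_restores_outer(void)
{
    MODEL_CURVNET_SET(vnet0);
    { MODEL_CURVNET_SET(&vnet_jail); stack_register_if(); MODEL_CURVNET_RESTORE(); }
    int ok = (curvnet == vnet0);
    MODEL_CURVNET_RESTORE();
    return (ok);
}

int main(void)
{
    printf("unfixed=%d\n", attach_unfixed());
    printf("fixed=%d nested_ok=%d\n", attach_fixed(), nested_restores_outer());
    return (0);
}
```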

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-virtualization 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Jul 23 22:00:00 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170096 

From: Takanori Watanabe <takawata@init-main.com>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-virtualization@FreeBSD.org
Cc:  
Subject: Re: kern/170096: Dynamically-attached network interface will crash with VIMAGE enabled kernel
Date: Tue, 24 Jul 2012 13:54:10 +0900

 It is fixed with the following patch, though some consideration is needed with
 kernel modules:
 
 Index: usb_process.c
 ===================================================================
 --- usb_process.c       (revision 238557)
 +++ usb_process.c       (working copy)
 @@ -55,6 +55,7 @@
  #include <sys/proc.h>
  #include <sys/kthread.h>
  #include <sys/sched.h>
 +#include <net/vnet.h>
  
  #if (__FreeBSD_version < 700000)
  #define        thread_lock(td) mtx_lock_spin(&sched_lock)
 @@ -111,6 +112,9 @@
         td = curthread;
         thread_lock(td);
         sched_prio(td, up->up_prio);
 +#ifdef VIMAGE
 +       td->td_vnet = vnet0;
 +#endif
         thread_unlock(td);
  
         mtx_lock(up->up_mtx);
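Review bot: the `td->td_vnet = vnet0;` assignment in the second hunk sets the context once for the lifetime of the USB process thread and never restores it, and it only covers threads started through usb_process.c, while the report says the problem may not be limited to USB. Consider a scoped set and restore around the attach call in the common attach path instead, so other hot-plug buses get the same context and the thread does not stay pinned to vnet0.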
 ===
 
Responsible-Changed-From-To: freebsd-virtualization->rodrigc 
Responsible-Changed-By: rodrigc 
Responsible-Changed-When: Sun Jul 14 13:01:03 PDT 2013 
Responsible-Changed-Why:  
. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170096 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/170096: commit references a PR
Date: Mon, 15 Jul 2013 01:33:03 +0000 (UTC)

 Author: rodrigc
 Date: Mon Jul 15 01:32:55 2013
 New Revision: 253346
 URL: http://svnweb.freebsd.org/changeset/base/253346
 
 Log:
   PR: 168520 170096
   Submitted by: adrian, zec
   
   Fix multiple kernel panics when VIMAGE is enabled in the kernel.
   These fixes are based on patches submitted by Adrian Chadd and Marko Zec.
   
   (1)  Set curthread->td_vnet to vnet0 in device_probe_and_attach() just before calling
        device_attach().  This fixes multiple VIMAGE related kernel panics
        when trying to attach Bluetooth or USB Ethernet devices because
        curthread->td_vnet is NULL.
   
   (2)  Set curthread->td_vnet in if_detach().  This fixes kernel panics when detaching networking
        interfaces, especially USB Ethernet devices.
   
   (3)  Use VNET_DOMAIN_SET() in ng_btsocket.c
   
   (4)  In ng_unref_node() set curthread->td_vnet.  This fixes kernel panics
        when detaching Netgraph nodes.
 
 Modified:
   head/sys/kern/subr_bus.c
   head/sys/net/if.c
   head/sys/netgraph/bluetooth/socket/ng_btsocket.c
   head/sys/netgraph/ng_base.c
 
 Modified: head/sys/kern/subr_bus.c
 ==============================================================================
 --- head/sys/kern/subr_bus.c	Mon Jul 15 00:49:10 2013	(r253345)
 +++ head/sys/kern/subr_bus.c	Mon Jul 15 01:32:55 2013	(r253346)
 @@ -53,6 +53,8 @@ __FBSDID("$FreeBSD$");
  #include <sys/bus.h>
  #include <sys/interrupt.h>
  
 +#include <net/vnet.h>
 +
  #include <machine/stdarg.h>
  
  #include <vm/uma.h>
 @@ -2735,7 +2737,11 @@ device_probe_and_attach(device_t dev)
  		return (0);
  	else if (error != 0)
  		return (error);
 -	return (device_attach(dev));
 +
 +	CURVNET_SET_QUIET(vnet0);
 +	error = device_attach(dev);
 +	CURVNET_RESTORE();
 +	return error;
  }
  
  /**
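Review bot: `return error;` at the end of device_probe_and_attach() drops the parentheses used by `return (0);` and `return (error);` a few lines above; please write `return (error);` for consistency. It would also help to add a short comment above CURVNET_SET_QUIET(vnet0) saying that attach can run from a thread whose td_vnet is NULL, since that is not obvious in generic bus code.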
 
 Modified: head/sys/net/if.c
 ==============================================================================
 --- head/sys/net/if.c	Mon Jul 15 00:49:10 2013	(r253345)
 +++ head/sys/net/if.c	Mon Jul 15 01:32:55 2013	(r253346)
 @@ -505,6 +505,7 @@ if_free(struct ifnet *ifp)
  
  	ifp->if_flags |= IFF_DYING;			/* XXX: Locking */
  
 +	CURVNET_SET_QUIET(ifp->if_vnet);
  	IFNET_WLOCK();
  	KASSERT(ifp == ifnet_byindex_locked(ifp->if_index),
  	    ("%s: freeing unallocated ifnet", ifp->if_xname));
 @@ -512,9 +513,9 @@ if_free(struct ifnet *ifp)
  	ifindex_free_locked(ifp->if_index);
  	IFNET_WUNLOCK();
  
 -	if (!refcount_release(&ifp->if_refcount))
 -		return;
 -	if_free_internal(ifp);
 +	if (refcount_release(&ifp->if_refcount))
 +		if_free_internal(ifp);
 +	CURVNET_RESTORE();
  }
  
  /*
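Review bot: the commit log lists if_detach() under item (2) but does not mention if_free(), which these two hunks also change; please add it to the log. The rewrite of the `refcount_release()` branch is what lets CURVNET_RESTORE() run on both paths, so the removal of the early `return;` deserves a line in the log as well.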
 @@ -803,7 +804,9 @@ void
  if_detach(struct ifnet *ifp)
  {
  
 +	CURVNET_SET_QUIET(ifp->if_vnet);
  	if_detach_internal(ifp, 0);
 +	CURVNET_RESTORE();
  }
  
  static void
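Review bot: CURVNET_SET_QUIET(ifp->if_vnet) in if_detach() assumes ifp->if_vnet is already set, and nothing in the hunk checks it. If an ifnet can reach this function without that field initialized, the thread's context would be set from an unset pointer; a KASSERT on ifp->if_vnet before the set would document the assumption.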
 
 Modified: head/sys/netgraph/bluetooth/socket/ng_btsocket.c
 ==============================================================================
 --- head/sys/netgraph/bluetooth/socket/ng_btsocket.c	Mon Jul 15 00:49:10 2013	(r253345)
 +++ head/sys/netgraph/bluetooth/socket/ng_btsocket.c	Mon Jul 15 01:32:55 2013	(r253346)
 @@ -46,6 +46,8 @@
  #include <sys/sysctl.h>
  #include <sys/taskqueue.h>
  
 +#include <net/vnet.h>
 +
  #include <netgraph/ng_message.h>
  #include <netgraph/netgraph.h>
  #include <netgraph/bluetooth/include/ng_bluetooth.h>
 @@ -285,4 +287,4 @@ ng_btsocket_modevent(module_t mod, int e
  	return (error);
  } /* ng_btsocket_modevent */
  
 -DOMAIN_SET(ng_btsocket_);
 +VNET_DOMAIN_SET(ng_btsocket_);
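Review bot: the switch from DOMAIN_SET() to VNET_DOMAIN_SET() on the last line is listed in the log as item (3) with no reason given, unlike items (1), (2) and (4), which each name the panic they fix. Please state in the log what fails with DOMAIN_SET() under VIMAGE.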
 
 Modified: head/sys/netgraph/ng_base.c
 ==============================================================================
 --- head/sys/netgraph/ng_base.c	Mon Jul 15 00:49:10 2013	(r253345)
 +++ head/sys/netgraph/ng_base.c	Mon Jul 15 01:32:55 2013	(r253346)
 @@ -789,6 +789,8 @@ ng_unref_node(node_p node)
  	if (node == &ng_deadnode)
  		return;
  
 +	CURVNET_SET(node->nd_vnet);
 +
  	if (refcount_release(&node->nd_refs)) { /* we were the last */
  
  		node->nd_type->refs--; /* XXX maybe should get types lock? */
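Review bot: ng_unref_node() uses CURVNET_SET(node->nd_vnet) while every other hunk in this commit uses CURVNET_SET_QUIET(); please either make them consistent or say in the log why this call site differs. Placing the set after the `node == &ng_deadnode` early return is right, since that path then needs no restore.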
 @@ -807,6 +809,7 @@ ng_unref_node(node_p node)
  		mtx_destroy(&node->nd_input_queue.q_mtx);
  		NG_FREE_NODE(node);
  	}
 +	CURVNET_RESTORE();
  }
  
  /************************************************************************
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/170096: commit references a PR
Date: Sat, 27 Jul 2013 05:32:46 +0000 (UTC)

 Author: rodrigc
 Date: Sat Jul 27 05:32:26 2013
 New Revision: 253700
 URL: http://svnweb.freebsd.org/changeset/base/253700
 
 Log:
   Approved by: re (hrs, marius)
   
   MFC 253346:
   
       PR: 168520 170096
       Submitted by: adrian, zec
   
       Fix multiple kernel panics when VIMAGE is enabled in the kernel.
       These fixes are based on patches submitted by Adrian Chadd and Marko Zec.
   
       (1)  Set curthread->td_vnet to vnet0 in device_probe_and_attach() just before calling
        device_attach().  This fixes multiple VIMAGE related kernel panics
        when trying to attach Bluetooth or USB Ethernet devices because
        curthread->td_vnet is NULL.
   
       (2)  Set curthread->td_vnet in if_detach().  This fixes kernel panics when detaching networking
            interfaces, especially USB Ethernet devices.
   
       (3)  Use VNET_DOMAIN_SET() in ng_btsocket.c
   
       (4)  In ng_unref_node() set curthread->td_vnet.  This fixes kernel panics
            when detaching Netgraph nodes.
 
 Modified:
   stable/9/sys/kern/subr_bus.c
   stable/9/sys/net/if.c
   stable/9/sys/netgraph/bluetooth/socket/ng_btsocket.c
   stable/9/sys/netgraph/ng_base.c
 Directory Properties:
   stable/9/sys/   (props changed)
   stable/9/sys/net/   (props changed)
 
 Modified: stable/9/sys/kern/subr_bus.c
 ==============================================================================
 --- stable/9/sys/kern/subr_bus.c	Sat Jul 27 00:53:07 2013	(r253699)
 +++ stable/9/sys/kern/subr_bus.c	Sat Jul 27 05:32:26 2013	(r253700)
 @@ -53,6 +53,8 @@ __FBSDID("$FreeBSD$");
  #include <sys/bus.h>
  #include <sys/interrupt.h>
  
 +#include <net/vnet.h>
 +
  #include <machine/stdarg.h>
  
  #include <vm/uma.h>
 @@ -2727,7 +2729,11 @@ device_probe_and_attach(device_t dev)
  		return (0);
  	else if (error != 0)
  		return (error);
 -	return (device_attach(dev));
 +
 +	CURVNET_SET_QUIET(vnet0);
 +	error = device_attach(dev);
 +	CURVNET_RESTORE();
 +	return error;
  }
  
  /**
 
 Modified: stable/9/sys/net/if.c
 ==============================================================================
 --- stable/9/sys/net/if.c	Sat Jul 27 00:53:07 2013	(r253699)
 +++ stable/9/sys/net/if.c	Sat Jul 27 05:32:26 2013	(r253700)
 @@ -509,6 +509,7 @@ if_free_type(struct ifnet *ifp, u_char t
  
  	ifp->if_flags |= IFF_DYING;			/* XXX: Locking */
  
 +	CURVNET_SET_QUIET(ifp->if_vnet);
  	IFNET_WLOCK();
  	KASSERT(ifp == ifnet_byindex_locked(ifp->if_index),
  	    ("%s: freeing unallocated ifnet", ifp->if_xname));
 @@ -516,9 +517,9 @@ if_free_type(struct ifnet *ifp, u_char t
  	ifindex_free_locked(ifp->if_index);
  	IFNET_WUNLOCK();
  
 -	if (!refcount_release(&ifp->if_refcount))
 -		return;
 -	if_free_internal(ifp);
 +	if (refcount_release(&ifp->if_refcount))
 +		if_free_internal(ifp);
 +	CURVNET_RESTORE();
  }
  
  /*
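Review bot: on stable/9 the hunk headers show these changes landing in if_free_type() rather than if_free() as on head, but the merged log is copied unchanged and names neither function. Please note the difference in the MFC log so the two revisions can be matched up later.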
 @@ -830,7 +831,9 @@ void
  if_detach(struct ifnet *ifp)
  {
  
 +	CURVNET_SET_QUIET(ifp->if_vnet);
  	if_detach_internal(ifp, 0);
 +	CURVNET_RESTORE();
  }
  
  static void
 
 Modified: stable/9/sys/netgraph/bluetooth/socket/ng_btsocket.c
 ==============================================================================
 --- stable/9/sys/netgraph/bluetooth/socket/ng_btsocket.c	Sat Jul 27 00:53:07 2013	(r253699)
 +++ stable/9/sys/netgraph/bluetooth/socket/ng_btsocket.c	Sat Jul 27 05:32:26 2013	(r253700)
 @@ -46,6 +46,8 @@
  #include <sys/sysctl.h>
  #include <sys/taskqueue.h>
  
 +#include <net/vnet.h>
 +
  #include <netgraph/ng_message.h>
  #include <netgraph/netgraph.h>
  #include <netgraph/bluetooth/include/ng_bluetooth.h>
 @@ -285,4 +287,4 @@ ng_btsocket_modevent(module_t mod, int e
  	return (error);
  } /* ng_btsocket_modevent */
  
 -DOMAIN_SET(ng_btsocket_);
 +VNET_DOMAIN_SET(ng_btsocket_);
 
 Modified: stable/9/sys/netgraph/ng_base.c
 ==============================================================================
 --- stable/9/sys/netgraph/ng_base.c	Sat Jul 27 00:53:07 2013	(r253699)
 +++ stable/9/sys/netgraph/ng_base.c	Sat Jul 27 05:32:26 2013	(r253700)
 @@ -789,6 +789,8 @@ ng_unref_node(node_p node)
  	if (node == &ng_deadnode)
  		return;
  
 +	CURVNET_SET(node->nd_vnet);
 +
  	if (refcount_release(&node->nd_refs)) { /* we were the last */
  
  		node->nd_type->refs--; /* XXX maybe should get types lock? */
 @@ -807,6 +809,7 @@ ng_unref_node(node_p node)
  		mtx_destroy(&node->nd_input_queue.q_mtx);
  		NG_FREE_NODE(node);
  	}
 +	CURVNET_RESTORE();
  }
  
  /************************************************************************
 
State-Changed-From-To: open->closed 
State-Changed-By: rodrigc 
State-Changed-When: Tue Oct 15 18:46:42 PDT 2013 
State-Changed-Why:  
Fixed in PR 168520 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170096 
>Unformatted:
