Date:      Wed, 7 Sep 2011 14:17:30 GMT
From:      Nikos Vassiliadis <nvass@gmx.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/160541: [vimage][pf][patch] panic: userret: Returning on td 0xxxxxxxxx (pid xxxx, pftop) with vnet 0xxxxxxxxx set in pfioctl
Message-ID:  <201109071417.p87EHUIu010035@red.freebsd.org>
Resent-Message-ID: <201109071420.p87EK66J087248@freefall.freebsd.org>


>Number:         160541
>Category:       kern
>Synopsis:       [vimage][pf][patch] panic: userret: Returning on td 0xxxxxxxxx (pid xxxx, pftop) with vnet 0xxxxxxxxx set in pfioctl
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 07 14:20:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Nikos Vassiliadis
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD lab.local 9.0-BETA2 FreeBSD 9.0-BETA2 #81 r225405M: Wed Sep  7 13:23:11 EEST 2011     root@lab.local:/usr/obj/usr/src/sys/LAB  i386

>Description:
A VIMAGE kernel panics when certain pf IOCTLs are used. The
panic is triggered by pftop for example.

Unread portion of the kernel message buffer:
panic: userret: Returning on td 0xc3a0e2e0 (pid 1311, pftop) with vnet 0xc35a9000 set in pfioctl
cpuid = 0
KDB: enter: panic
Physical memory: 491 MB
Dumping 55 MB: 40 24 8

>How-To-Repeat:
build a VIMAGE kernel
build pftop port
kldload pf
run pftop and cycle through the views
the kernel will panic
>Fix:
For certain IOCTLs, CURVNET_RESTORE() is not called
upon return from pfioctl() in sys/contrib/pf/net/pf_ioctl.c
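The failure mode above, as an added stand-alone model (not code from the PR or from the FreeBSD tree): the macros and functions below only imitate the shape of CURVNET_SET()/CURVNET_RESTORE() and of pfioctl()'s permission checks, with a userret-style check that reports whether the thread would return to user mode with a vnet still set.

```c
/* Toy model of the bug in this PR: a per-thread "current vnet" that must be
 * cleared again before the syscall returns to user mode. The macros imitate
 * the FreeBSD CURVNET_SET()/CURVNET_RESTORE() pattern but are hypothetical,
 * not the kernel's definitions. */
#include <errno.h>
#include <stddef.h>

struct vnet { int id; };

static struct vnet *td_vnet;        /* stands in for curthread->td_vnet */

#define CURVNET_SET(v)     struct vnet *saved_vnet = td_vnet; td_vnet = (v)
#define CURVNET_RESTORE()  td_vnet = saved_vnet

enum { DIOCGETRULE = 1, DIOCCLRSTATES = 2 };   /* constructed sample cmds */
#define FWRITE 2

/* "before" shape: a permission check that returns early skips the restore */
int pfioctl_buggy(struct vnet *vn, int cmd, int flags)
{
	int error = 0;
	CURVNET_SET(vn);
	if (!(flags & FWRITE) && cmd != DIOCGETRULE)
		return (EACCES);        /* bug: td_vnet is left set */
	/* ... the real ioctl work would go here ... */
	CURVNET_RESTORE();
	return (error);
}

/* "after" shape: every exit funnels through one label before the restore */
int pfioctl_fixed(struct vnet *vn, int cmd, int flags)
{
	int error = 0;
	CURVNET_SET(vn);
	if (!(flags & FWRITE) && cmd != DIOCGETRULE) {
		error = EACCES;
		goto notpermitted;
	}
	/* ... the real ioctl work would go here ... */
notpermitted:
	CURVNET_RESTORE();
	return (error);
}

/* The invariant userret() enforces on the way back to user mode:
 * 1 means a vnet leaked (the kernel would panic here), 0 means clean. */
int userret_vnet_leaked(void)
{
	return (td_vnet != NULL);
}
```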

Patch attached with submission follows:

Index: sys/contrib/pf/net/pf_ioctl.c
===================================================================
--- sys/contrib/pf/net/pf_ioctl.c	(revision 225405)
+++ sys/contrib/pf/net/pf_ioctl.c	(working copy)
@@ -1517,9 +1517,11 @@
 			if (((struct pfioc_table *)addr)->pfrio_flags &
 			    PFR_FLAG_DUMMY)
 				break; /* dummy operation ok */
-			return (EPERM);
+			error = EPERM;
+			goto notpermitted;
 		default:
-			return (EPERM);
+			error = EPERM;
+			goto notpermitted;
 		}
 
 	if (!(flags & FWRITE))
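Review bot: replacing the two `return (EPERM)` exits with `error = EPERM; goto notpermitted;` is the right shape, but the `notpermitted` label (added at the end of pfioctl()) sits after the consistency-lock release, so a jump there must only happen while no lock is held. These EPERM checks run before the `if (!(flags & FWRITE))` test and before any lock is taken, so that holds here; worth stating in the commit message so a later edit does not move the label or add a lock above these checks.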
@@ -1564,14 +1566,18 @@
 				flags |= FWRITE; /* need write lock for dummy */
 				break; /* dummy operation ok */
 			}
-			return (EACCES);
+			error = EACCES;
+			goto notpermitted;
 		case DIOCGETRULE:
 			if (((struct pfioc_rule *)addr)->action ==
-			    PF_GET_CLR_CNTR)
-				return (EACCES);
+			    PF_GET_CLR_CNTR) {
+				error = EACCES;
+				goto notpermitted;
+			}
 			break;
 		default:
-			return (EACCES);
+			error = EACCES;
+			goto notpermitted;
 		}
 
 	if (flags & FWRITE)
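Review bot: the braces added around the `PF_GET_CLR_CNTR` body are required, not cosmetic: with two statements and no braces, only `error = EACCES;` would be conditional and `goto notpermitted;` would fire for every DIOCGETRULE. The other two EACCES paths still run before `if (flags & FWRITE)` acquires the write side, so, as with the EPERM paths, jumping past the lock release in the epilogue is safe for them.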
@@ -3909,6 +3915,8 @@
 		rw_exit_read(&pf_consistency_lock);
 #endif
 
+notpermitted:
+	/* EPERM and EACCES jump here */
 	CURVNET_RESTORE();
 
 	return (error);
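Review bot: the `/* EPERM and EACCES jump here */` comment should also say the label may only be reached with no pf lock held, since it is placed after the `rw_exit_read(&pf_consistency_lock)` block rather than before it; a future early exit taken after the lock is acquired would leak the lock if it reused this label. It is also worth checking that no other `return` remains between CURVNET_SET() and this label, as any such path would still trip the userret check this PR reports.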


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201109071417.p87EHUIu010035>