>Number:         160541
>Category:       kern
>Synopsis:       [vimage][pf][patch] panic: userret: Returning on td 0xxxxxxxxx (pid xxxx, pftop) with vnet 0xxxxxxxxx set in pfioctl
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 07 14:20:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Nikos Vassiliadis
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD lab.local 9.0-BETA2 FreeBSD 9.0-BETA2 #81 r225405M: Wed Sep  7 13:23:11 
EEST 2011     root@lab.local:/usr/obj/usr/src/sys/LAB  i386

>Description:
A VIMAGE kernel panics when certain pf IOCTLs are used. The
panic is triggered by pftop for example.

Unread portion of the kernel message buffer:
panic: userret: Returning on td 0xc3a0e2e0 (pid 1311, pftop) with vnet 0xc35a9000 set in pfioctl
cpuid = 0
KDB: enter: panic
Physical memory: 491 MB
Dumping 55 MB: 40 24 8

>How-To-Repeat:
build a VIMAGE kernel
build pftop port
kldload pf
run pftop and cycle through the views
the kernel will panic
>Fix:
For certain IOCTLs, CURVNET_RESTORE() is not called
upon return from pfioctl(): /sys/contrib/pf/net/pf_ioctl.c

Patch attached with submission follows:

Index: sys/contrib/pf/net/pf_ioctl.c
===================================================================
--- sys/contrib/pf/net/pf_ioctl.c       (revision 225405)
+++ sys/contrib/pf/net/pf_ioctl.c       (working copy)
@@ -1517,9 +1517,11 @@
                        if (((struct pfioc_table *)addr)->pfrio_flags &
                            PFR_FLAG_DUMMY)
                                break; /* dummy operation ok */
-                       return (EPERM);
+                       error = EPERM;
+                       goto notpermitted;
                default:
-                       return (EPERM);
+                       error = EPERM;
+                       goto notpermitted;
                }
 
        if (!(flags & FWRITE))
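Review bot: both `goto notpermitted` sites in this securelevel switch assume `error` is a local of pfioctl() declared before the switch (the final `return (error)` in the last hunk suggests it is) and that nothing has been locked yet; the second assumption holds here only because this switch runs before the `flags & FWRITE` lock acquisition, so a one-line comment at the jump sites or the label ("jumped to before any lock is taken") would stop a future early exit placed after the lock from reusing the label and skipping `rw_exit_read()`.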
@@ -1564,14 +1566,18 @@
                                flags |= FWRITE; /* need write lock for dummy */
                                break; /* dummy operation ok */
                        }
-                       return (EACCES);
+                       error = EACCES;
+                       goto notpermitted;
                case DIOCGETRULE:
                        if (((struct pfioc_rule *)addr)->action ==
-                           PF_GET_CLR_CNTR)
-                               return (EACCES);
+                           PF_GET_CLR_CNTR) {
+                               error = EACCES;
+                               goto notpermitted;
+                       }
                        break;
                default:
-                       return (EACCES);
+                       error = EACCES;
+                       goto notpermitted;
                }
 
        if (flags & FWRITE)
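Review bot: the `error = EACCES; goto notpermitted;` pair now appears three times in this switch (plus two `EPERM` pairs in the previous hunk); a dedicated `eacces:` / `eperm:` label that sets the errno once, or a small `error = EACCES; goto notpermitted;` block shared by the `DIOCGETRULE` and `default` arms, would keep the errno choice in one place and avoid the braces that the `PF_GET_CLR_CNTR` arm now needs. The braces themselves are correct, since the arm grew to two statements.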
@@ -3909,6 +3915,8 @@
                rw_exit_read(&pf_consistency_lock);
 #endif
 
+notpermitted:
+       /* EPERM and EACCES jump here */
        CURVNET_RESTORE();
 
        return (error);
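Review bot: the label lands after the `#ifdef`-guarded `rw_exit_read(&pf_consistency_lock)`, so a jump to it is only safe from code that has not taken the lock; the comment should state that precondition rather than only naming the errnos. It is also worth auditing for any other direct `return` between CURVNET_SET() and this point (for example copyin/copyout failure paths), because such a return produces exactly the panic in the report and this patch only covers the two permission switches.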


>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
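The bug class in this PR, an early `return` that bypasses the context-restore at the end of a function, is easy to model outside the kernel. The following is an added, user-space example (not code from the PR or from FreeBSD's pf_ioctl.c): `vnet_set`/`vnet_restore` stand in for CURVNET_SET()/CURVNET_RESTORE(), `pfioctl_buggy` and `pfioctl_fixed` mirror the before/after control flow of the two permission switches, and `run_ioctl` performs the check that userret() does on return to user mode. The command numbers, the `FWRITE` value and all function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#ifndef FWRITE
#define FWRITE 0x0002   /* assumed value; stands in for the kernel's FWRITE flag */
#endif

/* Hypothetical command numbers standing in for two pf DIOC* ioctls. */
enum { DIOCGETRULE_X = 1, DIOCCLRTABLES_X = 2 };

struct vnet { int id; };

/* Per-thread "current vnet"; NULL means no vnet context is set, which is
 * what userret() expects when a thread returns to user mode. */
static struct vnet *curvnet;
static struct vnet *saved_vnet;

static void vnet_set(struct vnet *v) { saved_vnet = curvnet; curvnet = v; }
static void vnet_restore(void) { curvnet = saved_vnet; }

typedef int (*ioctl_fn)(unsigned long, int, int, struct vnet *);

/* Control flow before the patch: permission failures return directly and
 * skip the restore at the bottom of the function. */
static int pfioctl_buggy(unsigned long cmd, int flags, int securelevel, struct vnet *v)
{
    int error = 0;

    vnet_set(v);
    if (securelevel > 0)
        switch (cmd) {
        case DIOCGETRULE_X:
            break;
        default:
            return (EPERM);     /* bug: curvnet is still set */
        }
    if (!(flags & FWRITE))
        switch (cmd) {
        case DIOCGETRULE_X:
            break;
        default:
            return (EACCES);    /* bug: curvnet is still set */
        }
    /* ... the real ioctl work would go here ... */
    vnet_restore();
    return (error);
}

/* Control flow after the patch: every failure funnels through one label
 * placed just before the restore, so the context is always cleared. */
static int pfioctl_fixed(unsigned long cmd, int flags, int securelevel, struct vnet *v)
{
    int error = 0;

    vnet_set(v);
    if (securelevel > 0)
        switch (cmd) {
        case DIOCGETRULE_X:
            break;
        default:
            error = EPERM;
            goto notpermitted;
        }
    if (!(flags & FWRITE))
        switch (cmd) {
        case DIOCGETRULE_X:
            break;
        default:
            error = EACCES;
            goto notpermitted;
        }
    /* ... the real ioctl work would go here ... */
notpermitted:
    vnet_restore();
    return (error);
}

struct result {
    int error;      /* errno the ioctl returned */
    int leaked;     /* 1 if userret() would find curvnet still set */
};

/* Run one ioctl path from a clean state and report what userret() would see. */
static struct result run_ioctl(ioctl_fn fn, unsigned long cmd, int flags, int securelevel)
{
    struct vnet v = { 1 };
    struct result r;

    curvnet = NULL;
    saved_vnet = NULL;
    r.error = fn(cmd, flags, securelevel, &v);
    r.leaked = (curvnet != NULL);   /* the check userret() performs */
    curvnet = NULL;
    return r;
}

int main(void)
{
    static const struct { const char *name; ioctl_fn fn; } impls[] = {
        { "buggy", pfioctl_buggy }, { "fixed", pfioctl_fixed },
    };
    for (size_t i = 0; i < 2; i++) {
        struct result r = run_ioctl(impls[i].fn, DIOCCLRTABLES_X, 0, 1);
        printf("%s: DIOCCLRTABLES at securelevel 1 -> errno %d, vnet leaked: %s\n",
               impls[i].name, r.error, r.leaked ? "yes (userret would panic)" : "no");
    }
    return 0;
}
```

The errno returned to the caller is identical in both versions; only the leaked per-thread state differs, which is why the kernel catches this class of bug with an assertion on return to user mode rather than through any visible ioctl result.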
