From owner-svn-src-all@freebsd.org  Wed Aug  7 01:08:58 2019
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4CBEDB8FE7;
 Wed,  7 Aug 2019 01:08:58 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 463D0p1J0yz413h;
 Wed,  7 Aug 2019 01:08:58 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 09F814BE5;
 Wed,  7 Aug 2019 01:08:58 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7718vRv025800;
 Wed, 7 Aug 2019 01:08:57 GMT (envelope-from cy@FreeBSD.org)
Received: (from cy@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7718vpc025799;
 Wed, 7 Aug 2019 01:08:57 GMT (envelope-from cy@FreeBSD.org)
Message-Id: <201908070108.x7718vpc025799@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cy set sender to cy@FreeBSD.org
 using -f
From: Cy Schubert <cy@FreeBSD.org>
Date: Wed, 7 Aug 2019 01:08:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r350668 - in stable: 11/sys/contrib/ipfilter/netinet
 12/sys/contrib/ipfilter/netinet
X-SVN-Group: stable-11
X-SVN-Commit-Author: cy
X-SVN-Commit-Paths: in stable: 11/sys/contrib/ipfilter/netinet
 12/sys/contrib/ipfilter/netinet
X-SVN-Commit-Revision: 350668
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 01:08:58 -0000

Author: cy
Date: Wed Aug  7 01:08:57 2019
New Revision: 350668
URL: https://svnweb.freebsd.org/changeset/base/350668

Log:
  MFC r350568:
  
  Resolve ipfilter kld unload issues related to VNET jails.
  
  When the ipfilter kld is loaded, used within VNET jail, and unloaded,
  then subsequent loading, use, and unloading of another packet filters
  will cause the subsequently loaded netpfil kld's to panic.
  
  The scenario is as follows:
  
  cd /usr/tests/sys/netpfil/common
  
  kldunload ipl
  kldunload pfsync
  kldunload ipfw
  
  kyua test pass_block
  
  kldload ipl
  kyua test pass_block
  kldunload ipl
  
  kldload pfsync
  kyua test pass_block
  kldunload pfsync
  -- page fault panic occurs here --
  
  Reported by:	"Ahsan Barkati" <ahsanbarkati@g.....com> via kp@
  Discussed with:	kp@
  Tested by:	kp@

Modified:
  stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
  stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
  stable/12/sys/contrib/ipfilter/netinet/mlfk_ipl.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Wed Aug  7 01:03:35 2019	(r350667)
+++ stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Wed Aug  7 01:08:57 2019	(r350668)
@@ -98,7 +98,10 @@ VNET_DEFINE(ipf_main_softc_t, ipfmain) = {
 # include <sys/conf.h>
 #  include <net/pfil.h>
 
-static eventhandler_tag ipf_arrivetag, ipf_departtag;
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_arrivetag);
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_departtag);
+#define	V_ipf_arrivetag		VNET(ipf_arrivetag)
+#define	V_ipf_departtag		VNET(ipf_departtag)
 #if 0
 /*
  * Disable the "cloner" event handler;  we are getting interface
@@ -108,7 +111,8 @@ static eventhandler_tag ipf_arrivetag, ipf_departtag;
  * If it turns out to be needed, well need a dedicated event handler
  * for it to deal with the ifc and the correct vnet.
  */
-static eventhandler_tag ipf_clonetag;
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_clonetag);
+#define	V_ipf_clonetag		VNET(ipf_clonetag)
 #endif
 
 static void ipf_ifevent(void *arg, struct ifnet *ifp);
@@ -1384,14 +1388,14 @@ int ipf_pfil_hook(void) {
 void
 ipf_event_reg(void)
 {
-	ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
+	V_ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
 					       ipf_ifevent, NULL, \
 					       EVENTHANDLER_PRI_ANY);
-	ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
+	V_ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
 					       ipf_ifevent, NULL, \
 					       EVENTHANDLER_PRI_ANY);
 #if 0
-	ipf_clonetag  = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
+	V_ipf_clonetag  = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
 					       NULL, EVENTHANDLER_PRI_ANY);
 #endif
 }
@@ -1399,15 +1403,15 @@ ipf_event_reg(void)
 void
 ipf_event_dereg(void)
 {
-	if (ipf_arrivetag != NULL) {
-		EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag);
+	if (V_ipf_arrivetag != NULL) {
+		EVENTHANDLER_DEREGISTER(ifnet_arrival_event, V_ipf_arrivetag);
 	}
-	if (ipf_departtag != NULL) {
-		EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag);
+	if (V_ipf_departtag != NULL) {
+		EVENTHANDLER_DEREGISTER(ifnet_departure_event, V_ipf_departtag);
 	}
 #if 0
-	if (ipf_clonetag != NULL) {
-		EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag);
+	if (V_ipf_clonetag != NULL) {
+		EVENTHANDLER_DEREGISTER(if_clone_event, V_ipf_clonetag);
 	}
 #endif
 }

Modified: stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c	Wed Aug  7 01:03:35 2019	(r350667)
+++ stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c	Wed Aug  7 01:08:57 2019	(r350668)
@@ -280,6 +280,10 @@ vnet_ipf_uninit(void)
 		V_ipfmain.ipf_running = -2;
 
 		ipf_destroy_all(&V_ipfmain);
+		if (!IS_DEFAULT_VNET(curvnet)) {
+			ipf_event_dereg();
+			(void)ipf_pfil_unhook();
+		}
 	}
 }
 VNET_SYSUNINIT(vnet_ipf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,