CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: martin Date: Thu May 3 15:02:30 UTC 2018 Modified Files: src/sys/kern [netbsd-6-0]: uipc_mbuf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1547): sys/kern/uipc_mbuf.c: revision 1.211 (via patch) Modify m_defrag, so that it never frees the first mbuf of the chain. While here use the given 'flags' argument, and not M_DONTWAIT. We have a problem with several drivers: they poll an mbuf chain from their queues and call m_defrag on them, but m_defrag could update the mbuf pointer, so the mbuf in the queue is no longer valid. It is not easy to fix each driver, because doing pop+push will reorder the queue, and we don't really want that to happen. This problem was independently spotted by me, Kengo, Masanobu, and other people too it seems (perhaps PR/53218). Now m_defrag leaves the first mbuf in place, and compresses the chain only starting from the second mbuf in the chain. It is important not to compress the first mbuf with hacks, because the storage of this first mbuf may be shared with other mbufs. To generate a diff of this commit: cvs rdiff -u -r1.145 -r1.145.6.1 src/sys/kern/uipc_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: martin
Date: Thu May 3 15:02:30 UTC 2018
Modified Files:
src/sys/kern [netbsd-6-0]: uipc_mbuf.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1547):
sys/kern/uipc_mbuf.c: revision 1.211 (via patch)
Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.
We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.
This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).
Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.
It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.
To generate a diff of this commit:
cvs rdiff -u -r1.145 -r1.145.6.1 src/sys/kern/uipc_mbuf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.145 src/sys/kern/uipc_mbuf.c:1.145.6.1
--- src/sys/kern/uipc_mbuf.c:1.145 Fri Feb 10 17:35:47 2012
+++ src/sys/kern/uipc_mbuf.c Thu May 3 15:02:30 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_mbuf.c,v 1.145 2012/02/10 17:35:47 para Exp $ */
+/* $NetBSD: uipc_mbuf.c,v 1.145.6.1 2018/05/03 15:02:30 martin Exp $ */
/*-
* Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145 2012/02/10 17:35:47 para Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.6.1 2018/05/03 15:02:30 martin Exp $");
#include "opt_mbuftrace.h"
#include "opt_nmbclusters.h"
@@ -1252,30 +1252,35 @@ m_makewritable(struct mbuf **mp, int off
}
/*
- * Copy the mbuf chain to a new mbuf chain that is as short as possible.
- * Return the new mbuf chain on success, NULL on failure. On success,
- * free the old mbuf chain.
+ * Compress the mbuf chain. Return the new mbuf chain on success, NULL on
+ * failure. The first mbuf is preserved, and on success the pointer returned
+ * is the same as the one passed.
*/
struct mbuf *
m_defrag(struct mbuf *mold, int flags)
{
struct mbuf *m0, *mn, *n;
- size_t sz = mold->m_pkthdr.len;
+ int sz;
#ifdef DIAGNOSTIC
if ((mold->m_flags & M_PKTHDR) == 0)
panic("m_defrag: not a mbuf chain header");
#endif
- MGETHDR(m0, flags, MT_DATA);
+ if (mold->m_next == NULL)
+ return mold;
+
+ m0 = m_get(flags, MT_DATA);
if (m0 == NULL)
return NULL;
- M_COPY_PKTHDR(m0, mold);
mn = m0;
+ sz = mold->m_pkthdr.len - mold->m_len;
+ KASSERT(sz >= 0);
+
do {
- if (sz > MHLEN) {
- MCLGET(mn, M_DONTWAIT);
+ if (sz > MLEN) {
+ MCLGET(mn, flags);
if ((mn->m_flags & M_EXT) == 0) {
m_freem(m0);
return NULL;
@@ -1291,7 +1296,7 @@ m_defrag(struct mbuf *mold, int flags)
if (sz > 0) {
/* need more mbufs */
- MGET(n, M_NOWAIT, MT_DATA);
+ n = m_get(flags, MT_DATA);
if (n == NULL) {
m_freem(m0);
return NULL;
@@ -1302,9 +1307,10 @@ m_defrag(struct mbuf *mold, int flags)
}
} while (sz > 0);
- m_freem(mold);
+ m_freem(mold->m_next);
+ mold->m_next = m0;
- return m0;
+ return mold;
}
int
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:24:20 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: kern_ktrace.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1484): sys/kern/kern_ktrace.c: revision 1.171 via patch Clamp the length we use, not the length we don't. Avoids uninitialized memory disclosure to userland. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.160 -r1.160.6.1 src/sys/kern/kern_ktrace.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_ktrace.c diff -u src/sys/kern/kern_ktrace.c:1.160 src/sys/kern/kern_ktrace.c:1.160.6.1 --- src/sys/kern/kern_ktrace.c:1.160 Fri Dec 30 20:33:04 2011 +++ src/sys/kern/kern_ktrace.c Sat Aug 19 04:24:20 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $ */ +/* $NetBSD: kern_ktrace.c,v 1.160.6.1 2017/08/19 04:24:20 snj Exp $ */ /*- * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.6.1 2017/08/19 04:24:20 snj Exp $"); #include #include @@ -952,7 +952,7 @@ ktruser(const char *id, void *addr, size user_dta = (void *)(ktp + 1); if ((error = copyin(addr, (void *)user_dta, len)) != 0) - len = 0; + kte->kte_kth.ktr_len = 0; ktraddentry(l, kte, KTA_WAITOK); return error;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:24:20 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: kern_ktrace.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1484): sys/kern/kern_ktrace.c: revision 1.171 via patch Clamp the length we use, not the length we don't. Avoids uninitialized memory disclosure to userland. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.160 -r1.160.6.1 src/sys/kern/kern_ktrace.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: snj
Date: Sat Aug 19 04:17:08 UTC 2017
Modified Files:
src/sys/kern [netbsd-6-0]: vfs_getcwd.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/kern/vfs_getcwd.c: revision 1.52
Don't walk off the end of the dirent buffer.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.20.1 src/sys/kern/vfs_getcwd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/vfs_getcwd.c
diff -u src/sys/kern/vfs_getcwd.c:1.47 src/sys/kern/vfs_getcwd.c:1.47.20.1
--- src/sys/kern/vfs_getcwd.c:1.47 Tue Nov 30 10:30:02 2010
+++ src/sys/kern/vfs_getcwd.c Sat Aug 19 04:17:08 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.47.20.1 2017/08/19 04:17:08 snj Exp $ */
/*-
* Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47.20.1 2017/08/19 04:17:08 snj Exp $");
#include
#include
@@ -207,7 +207,8 @@ unionread:
reclen = dp->d_reclen;
/* check for malformed directory.. */
-if (reclen < _DIRENT_MINSIZE(dp)) {
+if (reclen < _DIRENT_MINSIZE(dp) ||
+reclen > len) {
error = EINVAL;
goto out;
}
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:17:08 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: vfs_getcwd.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1482): sys/kern/vfs_getcwd.c: revision 1.52 Don't walk off the end of the dirent buffer. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.20.1 src/sys/kern/vfs_getcwd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Aug 18 14:52:09 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: kern_malloc.c Log Message: Pull up following revision(s) (requested by martin in ticket #1465): sys/kern/kern_malloc.c: revision 1.146 Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.138 -r1.138.6.1 src/sys/kern/kern_malloc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: snj
Date: Fri Aug 18 14:52:09 UTC 2017
Modified Files:
src/sys/kern [netbsd-6-0]: kern_malloc.c
Log Message:
Pull up following revision(s) (requested by martin in ticket #1465):
sys/kern/kern_malloc.c: revision 1.146
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.138.6.1 src/sys/kern/kern_malloc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.138 src/sys/kern/kern_malloc.c:1.138.6.1
--- src/sys/kern/kern_malloc.c:1.138 Mon Feb 6 12:13:44 2012
+++ src/sys/kern/kern_malloc.c Fri Aug 18 14:52:09 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $ */
+/* $NetBSD: kern_malloc.c,v 1.138.6.1 2017/08/18 14:52:09 snj Exp $ */
/*
* Copyright (c) 1987, 1991, 1993
@@ -66,7 +66,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138.6.1 2017/08/18 14:52:09 snj Exp $");
#include
#include
@@ -113,7 +113,10 @@ kern_malloc(unsigned long size, struct m
void *p;
if (size >= PAGE_SIZE) {
- allocsize = PAGE_SIZE + size; /* for page alignment */
+ if (size > (ULONG_MAX-PAGE_SIZE))
+ allocsize = ULONG_MAX; /* this will fail later */
+ else
+ allocsize = PAGE_SIZE + size; /* for page alignment */
hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
} else {
allocsize = sizeof(struct malloc_header) + size;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Jul 21 03:55:56 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c uipc_syscalls.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1453): sys/kern/uipc_socket.c: revision 1.213 sys/kern/uipc_syscalls.c: revision 1.160 PR/47569: Valery Ushakov: SOCK_NONBLOCK does not work because it does not set SS_NBIO. XXX: there are too many flags that mean the same thing in too many places, and too many flags that mean the same thing and are different. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.2 -r1.209.2.1.4.3 src/sys/kern/uipc_socket.c cvs rdiff -u -r1.154.2.1.4.2 -r1.154.2.1.4.3 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_socket.c diff -u src/sys/kern/uipc_socket.c:1.209.2.1.4.2 src/sys/kern/uipc_socket.c:1.209.2.1.4.3 --- src/sys/kern/uipc_socket.c:1.209.2.1.4.2 Mon Nov 25 08:27:01 2013 +++ src/sys/kern/uipc_socket.c Fri Jul 21 03:55:56 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $ */ +/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.3 2017/07/21 03:55:56 snj Exp $ */ /*- * Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc. @@ -63,7 +63,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.209.2.1.4.3 2017/07/21 03:55:56 snj Exp $"); #include "opt_compat_netbsd.h" #include "opt_sock_counters.h" @@ -585,6 +585,8 @@ fsocreate(int domain, struct socket **so fp->f_data = so; fd_affix(curproc, fp, fd); *fdout = fd; + if (flags & SOCK_NONBLOCK) + so->so_state |= SS_NBIO; } return error; } Index: src/sys/kern/uipc_syscalls.c diff -u src/sys/kern/uipc_syscalls.c:1.154.2.1.4.2 src/sys/kern/uipc_syscalls.c:1.154.2.1.4.3 --- src/sys/kern/uipc_syscalls.c:1.154.2.1.4.2 Sat Dec 14 19:37:02 2013 +++ src/sys/kern/uipc_syscalls.c Fri Jul 21 03:55:56 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $ */ +/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.3 2017/07/21 03:55:56 snj Exp $ */ /*- * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.154.2.1.4.3 2017/07/21 03:55:56 snj Exp $"); #include "opt_pipe.h" @@ -235,6 +235,8 @@ do_sys_accept(struct lwp *l, int sock, s ((flags & SOCK_NOSIGPIPE) ? FNOSIGPIPE : 0); fp2->f_ops = fp2->f_data = so2; + if (flags & SOCK_NONBLOCK) + so2->so_state |= SS_NBIO; error = soaccept(so2, nam); so2->so_cred = kauth_cred_dup(so->so_cred); sounlock(so); @@ -425,6 +427,8 @@ makesocket(struct lwp *l, file_t **fp, i (*fp)->f_type = DTYPE_SOCKET; (*fp)->f_ops = (*fp)->f_data = so; + if (flags & SOCK_NONBLOCK) + so->so_state |= SS_NBIO; return 0; }
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Jul 21 03:55:56 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c uipc_syscalls.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1453): sys/kern/uipc_socket.c: revision 1.213 sys/kern/uipc_syscalls.c: revision 1.160 PR/47569: Valery Ushakov: SOCK_NONBLOCK does not work because it does not set SS_NBIO. XXX: there are too many flags that mean the same thing in too many places, and too many flags that mean the same thing and are different. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.2 -r1.209.2.1.4.3 src/sys/kern/uipc_socket.c cvs rdiff -u -r1.154.2.1.4.2 -r1.154.2.1.4.3 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: snj
Date: Thu Jul 6 15:18:23 UTC 2017
Modified Files:
src/sys/kern [netbsd-6-0]: subr_xcall.c
Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1419):
sys/kern/subr_xcall.c: revision 1.19
Fix a race condition of low priority xcall
xc_lowpri and xc_thread are racy and xc_wait may return during/before
executing all xcall callbacks, resulting in a kernel panic at worst.
xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall
callbacks are done, xc_wait returns and also xc_lowpri accepts a next job.
The problem is that a counter that counts the number of finished xcall
callbacks is incremented *before* actually executing a xcall callback
(see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before
all xcall callbacks complete and a next job begins to run its xcall callbacks.
Even worse the counter is global and shared between jobs, so if a xcall
callback of the next job completes, the shared counter is incremented,
which confuses wc_wait of the previous job as all xcall callbacks of the
previous job are done and wc_wait of the previous job returns during/before
executing its xcall callbacks.
How to fix: there are actually two counters that count the number of finished
xcall callbacks for low priority xcall for historical reasons (I guess):
xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly
while xc_tailp is incremented wrongly, i.e., before executing a xcall callback.
We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep.
PR kern/51632
To generate a diff of this commit:
cvs rdiff -u -r1.13.16.1 -r1.13.16.2 src/sys/kern/subr_xcall.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_xcall.c
diff -u src/sys/kern/subr_xcall.c:1.13.16.1 src/sys/kern/subr_xcall.c:1.13.16.2
--- src/sys/kern/subr_xcall.c:1.13.16.1 Sat Apr 20 10:05:44 2013
+++ src/sys/kern/subr_xcall.c Thu Jul 6 15:18:23 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $ */
+/* $NetBSD: subr_xcall.c,v 1.13.16.2 2017/07/06 15:18:23 snj Exp $ */
/*-
* Copyright (c) 2007-2010 The NetBSD Foundation, Inc.
@@ -74,7 +74,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.16.2 2017/07/06 15:18:23 snj Exp $");
#include
#include
@@ -101,7 +101,6 @@ typedef struct {
/* Low priority xcall structures. */
static xc_state_t xc_low_pri __cacheline_aligned;
-static uint64_t xc_tailp __cacheline_aligned;
/* High priority xcall structures. */
static xc_state_t xc_high_pri __cacheline_aligned;
@@ -131,7 +130,6 @@ xc_init(void)
memset(xclo, 0, sizeof(xc_state_t));
mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_NONE);
cv_init(>xc_busy, "xclocv");
- xc_tailp = 0;
memset(xchi, 0, sizeof(xc_state_t));
mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_SOFTCLOCK);
@@ -253,7 +251,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
uint64_t where;
mutex_enter(>xc_lock);
- while (xc->xc_headp != xc_tailp) {
+ while (xc->xc_headp != xc->xc_donep) {
cv_wait(>xc_busy, >xc_lock);
}
xc->xc_arg1 = arg1;
@@ -274,7 +272,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
ci->ci_data.cpu_xcall_pending = true;
cv_signal(>ci_data.cpu_xcall);
}
- KASSERT(xc_tailp < xc->xc_headp);
+ KASSERT(xc->xc_donep < xc->xc_headp);
where = xc->xc_headp;
mutex_exit(>xc_lock);
@@ -299,7 +297,7 @@ xc_thread(void *cookie)
mutex_enter(>xc_lock);
for (;;) {
while (!ci->ci_data.cpu_xcall_pending) {
- if (xc->xc_headp == xc_tailp) {
+ if (xc->xc_headp == xc->xc_donep) {
cv_broadcast(>xc_busy);
}
cv_wait(>ci_data.cpu_xcall, >xc_lock);
@@ -309,7 +307,6 @@ xc_thread(void *cookie)
func = xc->xc_func;
arg1 = xc->xc_arg1;
arg2 = xc->xc_arg2;
- xc_tailp++;
mutex_exit(>xc_lock);
KASSERT(func != NULL);
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Thu Jul 6 15:18:23 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: subr_xcall.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1419): sys/kern/subr_xcall.c: revision 1.19 Fix a race condition of low priority xcall xc_lowpri and xc_thread are racy and xc_wait may return during/before executing all xcall callbacks, resulting in a kernel panic at worst. xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall callbacks are done, xc_wait returns and also xc_lowpri accepts a next job. The problem is that a counter that counts the number of finished xcall callbacks is incremented *before* actually executing a xcall callback (see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before all xcall callbacks complete and a next job begins to run its xcall callbacks. Even worse the counter is global and shared between jobs, so if a xcall callback of the next job completes, the shared counter is incremented, which confuses wc_wait of the previous job as all xcall callbacks of the previous job are done and wc_wait of the previous job returns during/before executing its xcall callbacks. How to fix: there are actually two counters that count the number of finished xcall callbacks for low priority xcall for historical reasons (I guess): xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly while xc_tailp is incremented wrongly, i.e., before executing a xcall callback. We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep. PR kern/51632 To generate a diff of this commit: cvs rdiff -u -r1.13.16.1 -r1.13.16.2 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: snj
Date: Fri Nov 11 07:05:47 UTC 2016
Modified Files:
src/sys/kern [netbsd-6-0]: uipc_usrreq.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1415):
sys/kern/uipc_usrreq.c: revision 1.181
Memory leak, found by Mootja. It is easily triggerable from userland.
To generate a diff of this commit:
cvs rdiff -u -r1.136.8.2 -r1.136.8.2.2.1 src/sys/kern/uipc_usrreq.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_usrreq.c
diff -u src/sys/kern/uipc_usrreq.c:1.136.8.2 src/sys/kern/uipc_usrreq.c:1.136.8.2.2.1
--- src/sys/kern/uipc_usrreq.c:1.136.8.2 Tue Oct 9 23:45:21 2012
+++ src/sys/kern/uipc_usrreq.c Fri Nov 11 07:05:47 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_usrreq.c,v 1.136.8.2 2012/10/09 23:45:21 riz Exp $ */
+/* $NetBSD: uipc_usrreq.c,v 1.136.8.2.2.1 2016/11/11 07:05:47 snj Exp $ */
/*-
* Copyright (c) 1998, 2000, 2004, 2008, 2009 The NetBSD Foundation, Inc.
@@ -96,7 +96,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.2 2012/10/09 23:45:21 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.2.2.1 2016/11/11 07:05:47 snj Exp $");
#include
#include
@@ -1014,11 +1014,11 @@ unp_connect(struct socket *so, struct mb
goto bad2;
}
vp = nd.ni_vp;
+ pathbuf_destroy(pb);
if (vp->v_type != VSOCK) {
error = ENOTSOCK;
goto bad;
}
- pathbuf_destroy(pb);
if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0)
goto bad;
/* Acquire v_interlock to protect against unp_detach(). */
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Nov 11 07:05:47 UTC 2016 Modified Files: src/sys/kern [netbsd-6-0]: uipc_usrreq.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1415): sys/kern/uipc_usrreq.c: revision 1.181 Memory leak, found by Mootja. It is easily triggerable from userland. To generate a diff of this commit: cvs rdiff -u -r1.136.8.2 -r1.136.8.2.2.1 src/sys/kern/uipc_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: snj
Date: Thu Jul 14 06:43:35 UTC 2016
Modified Files:
src/sys/kern [netbsd-6-0]: kern_softint.c
Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1356):
sys/kern/kern_softint.c: revision 1.42
fix the following softint parallel operation problem.
(0) softint handler "handler A" is established
(1) CPU#X does softint_schedule() for "handler A"
- the softhand_t is set SOFTINT_PENDING flag
- the softhand_t is NOT set SOFTINT_ACTIVE flag yet
(2) CPU#X begins other H/W interrupt processing
(3) CPU#Y does softint_disestablish() for "handler A"
- waits until softhand_t's SOFTINT_ACTIVE of all CPUs is clear
- the softhand_t is set not SOFTINT_ACTIVE but SOFTINT_PENDING,
so CPU#Y does not wait
- unset the function of "handler A"
(4) CPU#X does softint_execute()
- the function of "handler A" is already clear, so panic
To generate a diff of this commit:
cvs rdiff -u -r1.38.14.1 -r1.38.14.2 src/sys/kern/kern_softint.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_softint.c
diff -u src/sys/kern/kern_softint.c:1.38.14.1 src/sys/kern/kern_softint.c:1.38.14.2
--- src/sys/kern/kern_softint.c:1.38.14.1 Fri Feb 8 19:31:19 2013
+++ src/sys/kern/kern_softint.c Thu Jul 14 06:43:35 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_softint.c,v 1.38.14.1 2013/02/08 19:31:19 riz Exp $ */
+/* $NetBSD: kern_softint.c,v 1.38.14.2 2016/07/14 06:43:35 snj Exp $ */
/*-
* Copyright (c) 2007, 2008 The NetBSD Foundation, Inc.
@@ -176,7 +176,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.14.1 2013/02/08 19:31:19 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.14.2 2016/07/14 06:43:35 snj Exp $");
#include
#include
@@ -424,8 +424,8 @@ softint_disestablish(void *arg)
KASSERT(sh->sh_func != NULL);
flags |= sh->sh_flags;
}
- /* Inactive on all CPUs? */
- if ((flags & SOFTINT_ACTIVE) == 0) {
+ /* Neither pending nor active on all CPUs? */
+ if ((flags & (SOFTINT_PENDING | SOFTINT_ACTIVE)) == 0) {
break;
}
/* Oops, still active. Wait for it to clear. */
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Thu Jul 14 06:43:35 UTC 2016 Modified Files: src/sys/kern [netbsd-6-0]: kern_softint.c Log Message: Pull up following revision(s) (requested by knakahara in ticket #1356): sys/kern/kern_softint.c: revision 1.42 fix the following softint parallel operation problem. (0) softint handler "handler A" is established (1) CPU#X does softint_schedule() for "handler A" - the softhand_t is set SOFTINT_PENDING flag - the softhand_t is NOT set SOFTINT_ACTIVE flag yet (2) CPU#X begins other H/W interrupt processing (3) CPU#Y does softint_disestablish() for "handler A" - waits until softhand_t's SOFTINT_ACTIVE of all CPUs is clear - the softhand_t is set not SOFTINT_ACTIVE but SOFTINT_PENDING, so CPU#Y does not wait - unset the function of "handler A" (4) CPU#X does softint_execute() - the function of "handler A" is already clear, so panic To generate a diff of this commit: cvs rdiff -u -r1.38.14.1 -r1.38.14.2 src/sys/kern/kern_softint.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: bouyer
Date: Sun Nov 15 20:38:01 UTC 2015
Modified Files:
src/sys/kern [netbsd-6-0]: kern_exec.c kern_exit.c kern_synch.c
Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1333):
sys/kern/kern_exec.c: revision 1.420
sys/kern/kern_synch.c: revision 1.309
sys/kern/kern_exit.c: revision 1.246
sys/kern/kern_exit.c: revision 1.247
sys/kern/kern_exec.c: revision 1.419
In execve_runproc(), update the p_waited entry for the process being
moved to SSTOP state, not for its parent. (It is correct to update
the parent's p_nstopchild count.) If the value is not already zero,
it could prevent its parent from waiting for the process.
Fixes PR kern/50298
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
When clearing out the scheduler queues during system shutdown, we move
all processes to the SSTOP state. Make sure we update each process's
p_waited and the parents' p_nstopchild counters to maintain consistent
values. Should not make any real difference this late in the shutdown
process, but we should still be consistent just in case.
Fixes PR kern/50318
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
Currently, if a process is exiting and its parent has indicated no intent
of reaping the process (nor any other children), the process wil get
reparented to init. Since the state of the exiting process at this point
is SDEAD, proc_reparent() will not update either the old or new parent's
p_nstopchild counters.
This change causes both old and new parents to be properly updated.
Fixes PR kern/50300
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
For processes marked with PS_STOPEXIT, update the process's p_waited
value, and update its parent's p_nstopchild value when marking the
process's p_stat to SSTOP. The process needed to be SACTIVE to get
here, so this transition represents an additional process for which
the parent needs to wait.
Fixes PR kern/50308
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
In spawn_return() we temporarily move the process state to SSTOP, but
without updating its p_waited value or its parent's p_nstopchild
counter. Later, we restore the original state, again without any
adjustment of the related values. This leaves a relatively short
window when the values are inconsistent and could interfere with the
proper operation of sys_wait() for the parent (if it manages to be
scheduled; it's not totally clear what, if anything, prevents
scheduling/execution of the parent).
If during this window, any of the checks being made result in an
error, we call exit1() which will eventually migrate the process's
state to SDEAD (with an intermediate transition to SDYING). At
this point the other variables get updated, and we finally restore
a consistent state.
This change updates the p_waited and parent's p_nstopchild at each
step to eliminate any windows during which the values could lead to
incorrect decisions.
Fixes PR kern/50330
Pullups will be requested for NetBSD-7, -6, -6-0, and -6-1
To generate a diff of this commit:
cvs rdiff -u -r1.339.2.5.4.3 -r1.339.2.5.4.4 src/sys/kern/kern_exec.c
cvs rdiff -u -r1.236.2.2 -r1.236.2.2.2.1 src/sys/kern/kern_exit.c
cvs rdiff -u -r1.297.2.1 -r1.297.2.1.4.1 src/sys/kern/kern_synch.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.339.2.5.4.3 src/sys/kern/kern_exec.c:1.339.2.5.4.4
--- src/sys/kern/kern_exec.c:1.339.2.5.4.3 Mon Apr 21 10:00:35 2014
+++ src/sys/kern/kern_exec.c Sun Nov 15 20:38:01 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.339.2.5.4.3 2014/04/21 10:00:35 bouyer Exp $ */
+/* $NetBSD: kern_exec.c,v 1.339.2.5.4.4 2015/11/15 20:38:01 bouyer Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.5.4.3 2014/04/21 10:00:35 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.5.4.4 2015/11/15 20:38:01 bouyer Exp $");
#include "opt_exec.h"
#include "opt_ktrace.h"
@@ -1408,7 +1408,7 @@ execve_runproc(struct lwp *l, struct exe
if (p->p_sflag & PS_STOPEXEC) {
KERNEL_UNLOCK_ALL(l, >l_biglocks);
p->p_pptr->p_nstopchild++;
- p->p_pptr->p_waited = 0;
+ p->p_waited = 0;
mutex_enter(p->p_lock);
ksiginfo_queue_init();
sigclearall(p, , );
@@ -1845,6 +1845,7 @@ spawn_return(void *arg)
struct spawn_exec_data *spawn_data = arg;
struct lwp *l = curlwp;
int error, newfd;
+ int ostat;
size_t i;
const struct posix_spawn_file_actions_entry *fae;
pid_t ppid;
@@ -1917,7 +1918,6 @@ spawn_return(void *arg)
/* handle posix_spawnattr */
if (spawn_data->sed_attrs != NULL) {
- int ostat;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:38:01 UTC 2015 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c kern_exit.c kern_synch.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1333): sys/kern/kern_exec.c: revision 1.420 sys/kern/kern_synch.c: revision 1.309 sys/kern/kern_exit.c: revision 1.246 sys/kern/kern_exit.c: revision 1.247 sys/kern/kern_exec.c: revision 1.419 In execve_runproc(), update the p_waited entry for the process being moved to SSTOP state, not for its parent. (It is correct to update the parent's p_nstopchild count.) If the value is not already zero, it could prevent its parent from waiting for the process. Fixes PR kern/50298 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 When clearing out the scheduler queues during system shutdown, we move all processes to the SSTOP state. Make sure we update each process's p_waited and the parents' p_nstopchild counters to maintain consistent values. Should not make any real difference this late in the shutdown process, but we should still be consistent just in case. Fixes PR kern/50318 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 Currently, if a process is exiting and its parent has indicated no intent of reaping the process (nor any other children), the process wil get reparented to init. Since the state of the exiting process at this point is SDEAD, proc_reparent() will not update either the old or new parent's p_nstopchild counters. This change causes both old and new parents to be properly updated. Fixes PR kern/50300 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 For processes marked with PS_STOPEXIT, update the process's p_waited value, and update its parent's p_nstopchild value when marking the process's p_stat to SSTOP. The process needed to be SACTIVE to get here, so this transition represents an additional process for which the parent needs to wait. Fixes PR kern/50308 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 In spawn_return() we temporarily move the process state to SSTOP, but without updating its p_waited value or its parent's p_nstopchild counter. Later, we restore the original state, again without any adjustment of the related values. This leaves a relatively short window when the values are inconsistent and could interfere with the proper operation of sys_wait() for the parent (if it manages to be scheduled; it's not totally clear what, if anything, prevents scheduling/execution of the parent). If during this window, any of the checks being made result in an error, we call exit1() which will eventually migrate the process's state to SDEAD (with an intermediate transition to SDYING). At this point the other variables get updated, and we finally restore a consistent state. This change updates the p_waited and parent's p_nstopchild at each step to eliminate any windows during which the values could lead to incorrect decisions. Fixes PR kern/50330 Pullups will be requested for NetBSD-7, -6, -6-0, and -6-1 To generate a diff of this commit: cvs rdiff -u -r1.339.2.5.4.3 -r1.339.2.5.4.4 src/sys/kern/kern_exec.c cvs rdiff -u -r1.236.2.2 -r1.236.2.2.2.1 src/sys/kern/kern_exit.c cvs rdiff -u -r1.297.2.1 -r1.297.2.1.4.1 src/sys/kern/kern_synch.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: bouyer
Date: Sun Nov 15 20:40:26 UTC 2015
Modified Files:
src/sys/kern [netbsd-6-0]: kern_sig.c
Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1334):
sys/kern/kern_sig.c: revision 1.321
When delivering a signal, it's possible that the process's state in
p_stat is SACTIVE yet p_sflag is PS_STOPPING (while waiting for other
lwp's to stop). In that case, we don't want to adjust the parent's
p_nstopchild count.
Found by Robert Elz.
XXX Pullups to: NetBSD-7, -6{,-0,-1}, and -5{,-0,-1,-2}
To generate a diff of this commit:
cvs rdiff -u -r1.316 -r1.316.12.1 src/sys/kern/kern_sig.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_sig.c
diff -u src/sys/kern/kern_sig.c:1.316 src/sys/kern/kern_sig.c:1.316.12.1
--- src/sys/kern/kern_sig.c:1.316 Fri Sep 16 22:07:17 2011
+++ src/sys/kern/kern_sig.c Sun Nov 15 20:40:26 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $ */
+/* $NetBSD: kern_sig.c,v 1.316.12.1 2015/11/15 20:40:26 bouyer Exp $ */
/*-
* Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316.12.1 2015/11/15 20:40:26 bouyer Exp $");
#include "opt_ptrace.h"
#include "opt_compat_sunos.h"
@@ -1461,14 +1461,13 @@ kpsignal2(struct proc *p, ksiginfo_t *ks
}
if ((prop & SA_CONT) != 0 || signo == SIGKILL) {
/*
- * Re-adjust p_nstopchild if the process wasn't
- * collected by its parent.
+ * Re-adjust p_nstopchild if the process was
+ * stopped but not yet collected by its parent.
*/
+ if (p->p_stat == SSTOP && !p->p_waited)
+p->p_pptr->p_nstopchild--;
p->p_stat = SACTIVE;
p->p_sflag &= ~PS_STOPPING;
- if (!p->p_waited) {
-p->p_pptr->p_nstopchild--;
- }
if (p->p_slflag & PSL_TRACED) {
KASSERT(signo == SIGKILL);
goto deliver;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: bouyer
Date: Sun Nov 15 20:40:26 UTC 2015
Modified Files:
src/sys/kern [netbsd-6-0]: kern_sig.c
Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1334):
sys/kern/kern_sig.c: revision 1.321
When delivering a signal, it's possible that the process's state in
p_stat is SACTIVE yet p_sflag is PS_STOPPING (while waiting for other
lwp's to stop). In that case, we don't want to adjust the parent's
p_nstopchild count.
Found by Robert Elz.
XXX Pullups to: NetBSD-7, -6{,-0,-1}, and -5{,-0,-1,-2}
To generate a diff of this commit:
cvs rdiff -u -r1.316 -r1.316.12.1 src/sys/kern/kern_sig.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: bouyer
Date: Sun Nov 15 20:44:10 UTC 2015
Modified Files:
src/sys/kern [netbsd-6-0]: kern_exit.c
Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1336):
sys/kern/kern_exit.c: revision 1.248
Update value of p_stat before we release the proc_lock. Thanks to
Robert Elz.
XXX Pull-ups for -7, -6{,-0,-1} and -5{,-0,-1,-2}
To generate a diff of this commit:
cvs rdiff -u -r1.236.2.2.2.1 -r1.236.2.2.2.2 src/sys/kern/kern_exit.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_exit.c
diff -u src/sys/kern/kern_exit.c:1.236.2.2.2.1 src/sys/kern/kern_exit.c:1.236.2.2.2.2
--- src/sys/kern/kern_exit.c:1.236.2.2.2.1 Sun Nov 15 20:38:01 2015
+++ src/sys/kern/kern_exit.c Sun Nov 15 20:44:10 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exit.c,v 1.236.2.2.2.1 2015/11/15 20:38:01 bouyer Exp $ */
+/* $NetBSD: kern_exit.c,v 1.236.2.2.2.2 2015/11/15 20:44:10 bouyer Exp $ */
/*-
* Copyright (c) 1998, 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.2.1 2015/11/15 20:38:01 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.2.2 2015/11/15 20:44:10 bouyer Exp $");
#include "opt_ktrace.h"
#include "opt_perfctrs.h"
@@ -248,8 +248,8 @@ exit1(struct lwp *l, int rv)
}
p->p_waited = 0;
p->p_pptr->p_nstopchild++;
- mutex_exit(proc_lock);
p->p_stat = SSTOP;
+ mutex_exit(proc_lock);
lwp_lock(l);
p->p_nrlwps--;
l->l_stat = LSSTOP;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: bouyer
Date: Sun Nov 15 20:44:10 UTC 2015
Modified Files:
src/sys/kern [netbsd-6-0]: kern_exit.c
Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1336):
sys/kern/kern_exit.c: revision 1.248
Update value of p_stat before we release the proc_lock. Thanks to
Robert Elz.
XXX Pull-ups for -7, -6{,-0,-1} and -5{,-0,-1,-2}
To generate a diff of this commit:
cvs rdiff -u -r1.236.2.2.2.1 -r1.236.2.2.2.2 src/sys/kern/kern_exit.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: msaitoh
Date: Mon Nov 3 15:31:15 UTC 2014
Modified Files:
src/sys/kern [netbsd-6-0]: kern_rndpool.c kern_rndq.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1118):
sys/kern/kern_rndq.c: revision 1.27
sys/kern/kern_rndpool.c: revision 1.7
buf is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndq.c.
done is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndpool.c.
To generate a diff of this commit:
cvs rdiff -u -r1.1.2.1 -r1.1.2.1.4.1 src/sys/kern/kern_rndpool.c
cvs rdiff -u -r1.1.2.2.4.1 -r1.1.2.2.4.2 src/sys/kern/kern_rndq.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_rndpool.c
diff -u src/sys/kern/kern_rndpool.c:1.1.2.1 src/sys/kern/kern_rndpool.c:1.1.2.1.4.1
--- src/sys/kern/kern_rndpool.c:1.1.2.1 Fri Apr 20 23:35:20 2012
+++ src/sys/kern/kern_rndpool.c Mon Nov 3 15:31:15 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_rndpool.c,v 1.1.2.1 2012/04/20 23:35:20 riz Exp $*/
+/* $NetBSD: kern_rndpool.c,v 1.1.2.1.4.1 2014/11/03 15:31:15 msaitoh Exp $*/
/*-
* Copyright (c) 1997 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: kern_rndpool.c,v 1.1.2.1 2012/04/20 23:35:20 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: kern_rndpool.c,v 1.1.2.1.4.1 2014/11/03 15:31:15 msaitoh Exp $);
#include sys/param.h
#include sys/systm.h
@@ -191,8 +191,7 @@ rndpool_add_data(rndpool_t *rp, void *p,
buf = p;
for (; len 3; len -= 4) {
- val = *((u_int32_t *)buf);
-
+ (void)memcpy(val, buf, 4);
rndpool_add_one_word(rp, val);
buf += 4;
}
Index: src/sys/kern/kern_rndq.c
diff -u src/sys/kern/kern_rndq.c:1.1.2.2.4.1 src/sys/kern/kern_rndq.c:1.1.2.2.4.2
--- src/sys/kern/kern_rndq.c:1.1.2.2.4.1 Fri Feb 8 20:28:22 2013
+++ src/sys/kern/kern_rndq.c Mon Nov 3 15:31:15 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $ */
+/* $NetBSD: kern_rndq.c,v 1.1.2.2.4.2 2014/11/03 15:31:15 msaitoh Exp $ */
/*-
* Copyright (c) 1997-2011 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2.4.2 2014/11/03 15:31:15 msaitoh Exp $);
#include sys/param.h
#include sys/ioctl.h
@@ -658,7 +658,8 @@ rnd_add_data_ts(krndsource_t *rs, const
u_int32_t entropy, uint32_t ts)
{
rnd_sample_t *state = NULL;
- const uint32_t *dint = data;
+ const uint8_t *p = data;
+ uint32_t dint;
int todo, done, filled = 0;
SIMPLEQ_HEAD(, _rnd_sample_t) tmp_samples =
SIMPLEQ_HEAD_INITIALIZER(tmp_samples);
@@ -671,7 +672,7 @@ rnd_add_data_ts(krndsource_t *rs, const
* Loop over data packaging it into sample buffers.
* If a sample buffer allocation fails, drop all data.
*/
- todo = len / sizeof(*dint);
+ todo = len / sizeof(dint);
for (done = 0; done todo ; done++) {
state = rs-state;
if (state == NULL) {
@@ -683,7 +684,8 @@ rnd_add_data_ts(krndsource_t *rs, const
}
state-ts[state-cursor] = ts;
- state-values[state-cursor] = dint[done];
+ (void)memcpy(dint, p[done*4], 4);
+ state-values[state-cursor] = dint;
state-cursor++;
if (state-cursor == RND_SAMPLE_COUNT) {
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Nov 3 15:31:15 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_rndpool.c kern_rndq.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1118): sys/kern/kern_rndq.c: revision 1.27 sys/kern/kern_rndpool.c: revision 1.7 buf is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndq.c. done is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndpool.c. To generate a diff of this commit: cvs rdiff -u -r1.1.2.1 -r1.1.2.1.4.1 src/sys/kern/kern_rndpool.c cvs rdiff -u -r1.1.2.2.4.1 -r1.1.2.2.4.2 src/sys/kern/kern_rndq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: msaitoh
Date: Mon Jul 14 06:26:02 UTC 2014
Modified Files:
src/sys/kern [netbsd-6-0]: kern_core.c
Log Message:
Pull up following revision(s) (requested by maxt in ticket #1097):
sys/kern/kern_core.c: revision 1.23
Fix a read-beyond-end string read.
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.14.1 src/sys/kern/kern_core.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_core.c
diff -u src/sys/kern/kern_core.c:1.20 src/sys/kern/kern_core.c:1.20.14.1
--- src/sys/kern/kern_core.c:1.20 Sat Sep 24 22:53:50 2011
+++ src/sys/kern/kern_core.c Mon Jul 14 06:26:01 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_core.c,v 1.20 2011/09/24 22:53:50 christos Exp $ */
+/* $NetBSD: kern_core.c,v 1.20.14.1 2014/07/14 06:26:01 msaitoh Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1991, 1993
@@ -37,7 +37,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: kern_core.c,v 1.20 2011/09/24 22:53:50 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: kern_core.c,v 1.20.14.1 2014/07/14 06:26:01 msaitoh Exp $);
#include sys/param.h
#include sys/vnode.h
@@ -155,6 +155,12 @@ coredump(struct lwp *l, const char *patt
error = coredump_buildname(p, name, pattern, MAXPATHLEN);
mutex_exit(lim-pl_lock);
+ if (error) {
+ mutex_exit(p-p_lock);
+ mutex_exit(proc_lock);
+ goto done;
+ }
+
/*
* On a simple filename, see if the filesystem allow us to write
* core dumps there.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: msaitoh
Date: Mon Jul 14 06:33:55 UTC 2014
Modified Files:
src/sys/kern [netbsd-6-0]: sys_module.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1098):
sys/kern/sys_module.c: revision 1.15
Fix a user-controlled memory allocation. kmem_alloc(0) will panic the system.
ok christos@
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.13.12.1 src/sys/kern/sys_module.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/sys_module.c
diff -u src/sys/kern/sys_module.c:1.13 src/sys/kern/sys_module.c:1.13.12.1
--- src/sys/kern/sys_module.c:1.13 Fri Jul 8 09:32:45 2011
+++ src/sys/kern/sys_module.c Mon Jul 14 06:33:55 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: sys_module.c,v 1.13 2011/07/08 09:32:45 mrg Exp $ */
+/* $NetBSD: sys_module.c,v 1.13.12.1 2014/07/14 06:33:55 msaitoh Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: sys_module.c,v 1.13 2011/07/08 09:32:45 mrg Exp $);
+__KERNEL_RCSID(0, $NetBSD: sys_module.c,v 1.13.12.1 2014/07/14 06:33:55 msaitoh Exp $);
#include sys/param.h
#include sys/systm.h
@@ -43,6 +43,11 @@ __KERNEL_RCSID(0, $NetBSD: sys_module.c
#include sys/syscall.h
#include sys/syscallargs.h
+/*
+ * Arbitrary limit to avoid DoS for excessive memory allocation.
+ */
+#define MAXPROPSLEN 4096
+
static int
handle_modctl_load(modctl_load_t *ml)
{
@@ -64,7 +69,12 @@ handle_modctl_load(modctl_load_t *ml)
goto out2;
if (ml-ml_props != NULL) {
+ if (ml-ml_propslen MAXPROPSLEN) {
+ error = ENOMEM;
+ goto out2;
+ }
propslen = ml-ml_propslen + 1;
+
props = (char *)kmem_alloc(propslen, KM_SLEEP);
if (props == NULL) {
error = ENOMEM;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Jul 14 06:26:02 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_core.c Log Message: Pull up following revision(s) (requested by maxt in ticket #1097): sys/kern/kern_core.c: revision 1.23 Fix a read-beyond-end string read. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.20.14.1 src/sys/kern/kern_core.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Jul 14 06:33:55 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: sys_module.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1098): sys/kern/sys_module.c: revision 1.15 Fix a user-controlled memory allocation. kmem_alloc(0) will panic the system. ok christos@ To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.12.1 src/sys/kern/sys_module.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Mon Apr 21 10:00:35 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1048): sys/kern/kern_exec.c: revision 1.403 'error' is not set on failure. This is a true bug: everything is freed and unlocked while zero is returned. Since there's no error, execve_runproc() will get called and will try to use those freed things. To generate a diff of this commit: cvs rdiff -u -r1.339.2.5.4.2 -r1.339.2.5.4.3 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: msaitoh
Date: Tue Mar 18 09:36:58 UTC 2014
Modified Files:
src/sys/kern [netbsd-6-0]: kern_verifiedexec.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1034):
sys/kern/kern_verifiedexec.c: revision 1.132
Reorder code to avoid use-after-free on error. From Maxime Villard
To generate a diff of this commit:
cvs rdiff -u -r1.128 -r1.128.8.1 src/sys/kern/kern_verifiedexec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_verifiedexec.c
diff -u src/sys/kern/kern_verifiedexec.c:1.128 src/sys/kern/kern_verifiedexec.c:1.128.8.1
--- src/sys/kern/kern_verifiedexec.c:1.128 Sun Nov 20 10:32:33 2011
+++ src/sys/kern/kern_verifiedexec.c Tue Mar 18 09:36:58 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_verifiedexec.c,v 1.128 2011/11/20 10:32:33 hannken Exp $ */
+/* $NetBSD: kern_verifiedexec.c,v 1.128.8.1 2014/03/18 09:36:58 msaitoh Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat e...@netbsd.org
@@ -29,7 +29,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: kern_verifiedexec.c,v 1.128 2011/11/20 10:32:33 hannken Exp $);
+__KERNEL_RCSID(0, $NetBSD: kern_verifiedexec.c,v 1.128.8.1 2014/03/18 09:36:58 msaitoh Exp $);
#include opt_veriexec.h
@@ -1281,18 +1281,6 @@ veriexec_file_add(struct lwp *l, prop_di
vfe-npages = 0;
vfe-last_page_size = 0;
- vte = veriexec_table_lookup(vp-v_mount);
- if (vte == NULL)
- vte = veriexec_table_add(l, vp-v_mount);
-
- /* XXX if we bail below this, we might want to gc newly created vtes. */
-
- error = fileassoc_add(vp, veriexec_hook, vfe);
- if (error)
- goto unlock_out;
-
- vte-vte_count++;
-
if (prop_bool_true(prop_dictionary_get(dict, eval-on-load)) ||
(vfe-type VERIEXEC_UNTRUSTED)) {
u_char *digest;
@@ -1314,6 +1302,18 @@ veriexec_file_add(struct lwp *l, prop_di
kmem_free(digest, vfe-ops-hash_len);
}
+ vte = veriexec_table_lookup(vp-v_mount);
+ if (vte == NULL)
+ vte = veriexec_table_add(l, vp-v_mount);
+
+ /* XXX if we bail below this, we might want to gc newly created vtes. */
+
+ error = fileassoc_add(vp, veriexec_hook, vfe);
+ if (error)
+ goto unlock_out;
+
+ vte-vte_count++;
+
veriexec_file_report(NULL, New entry., file, NULL, REPORT_DEBUG);
veriexec_bypass = 0;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Tue Mar 18 09:36:58 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_verifiedexec.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1034): sys/kern/kern_verifiedexec.c: revision 1.132 Reorder code to avoid use-after-free on error. From Maxime Villard To generate a diff of this commit: cvs rdiff -u -r1.128 -r1.128.8.1 src/sys/kern/kern_verifiedexec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: bouyer
Date: Fri Feb 14 23:21:28 UTC 2014
Modified Files:
src/sys/kern [netbsd-6-0]: exec_elf.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1028):
sys/kern/exec_elf.c: revision 1.55
Fix memory leak.
ok christos@ agc@
To generate a diff of this commit:
cvs rdiff -u -r1.37.2.1 -r1.37.2.1.4.1 src/sys/kern/exec_elf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/exec_elf.c
diff -u src/sys/kern/exec_elf.c:1.37.2.1 src/sys/kern/exec_elf.c:1.37.2.1.4.1
--- src/sys/kern/exec_elf.c:1.37.2.1 Thu Apr 12 17:05:36 2012
+++ src/sys/kern/exec_elf.c Fri Feb 14 23:21:28 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_elf.c,v 1.37.2.1 2012/04/12 17:05:36 riz Exp $ */
+/* $NetBSD: exec_elf.c,v 1.37.2.1.4.1 2014/02/14 23:21:28 bouyer Exp $ */
/*-
* Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(1, $NetBSD: exec_elf.c,v 1.37.2.1 2012/04/12 17:05:36 riz Exp $);
+__KERNEL_RCSID(1, $NetBSD: exec_elf.c,v 1.37.2.1.4.1 2014/02/14 23:21:28 bouyer Exp $);
#ifdef _KERNEL_OPT
#include opt_pax.h
@@ -820,6 +820,7 @@ exec_elf_makecmds(struct lwp *l, struct
if ((error = elf_load_file(l, epp, interp,
epp-ep_vmcmds, interp_offset, ap, pos)) != 0) {
+ kmem_free(ap, sizeof(*ap));
goto bad;
}
ap-arg_interp = epp-ep_vmcmds.evs_cmds[j].ev_addr;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Fri Feb 14 23:21:28 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: exec_elf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1028): sys/kern/exec_elf.c: revision 1.55 Fix memory leak. ok christos@ agc@ To generate a diff of this commit: cvs rdiff -u -r1.37.2.1 -r1.37.2.1.4.1 src/sys/kern/exec_elf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Dec 14 19:37:02 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_syscalls.c Log Message: Pull up following revision(s) (requested by spz in ticket #996): sys/kern/uipc_syscalls.c: revision 1.163 PR/47591: Michael Plass: If the unix socket is closed before accept, unp-unp_conn will be NULL in PRU_ACCEPT, as called from sys_accept-so_accept. This will cause the usrreq to return with no error, leaving the mbuf gotten from m_get() with an uninitialized length, containing junk from a previous call. Initialize m_len to be 0 to handle this case. This is yet another reason why Beverly's idea of setting m_len = 0 in m_get() makes a lot of sense. Arguably this could be an error, since the data we return now has 0 family and length. To generate a diff of this commit: cvs rdiff -u -r1.154.2.1.4.1 -r1.154.2.1.4.2 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_syscalls.c diff -u src/sys/kern/uipc_syscalls.c:1.154.2.1.4.1 src/sys/kern/uipc_syscalls.c:1.154.2.1.4.2 --- src/sys/kern/uipc_syscalls.c:1.154.2.1.4.1 Mon Jan 7 16:53:36 2013 +++ src/sys/kern/uipc_syscalls.c Sat Dec 14 19:37:02 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $ */ +/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $ */ /*- * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $); #include opt_pipe.h @@ -184,6 +184,7 @@ do_sys_accept(struct lwp *l, int sock, s return (error); } nam = m_get(M_WAIT, MT_SONAME); + nam-m_len = 0; *new_sock = fd; so = fp-f_data; solock(so);
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Dec 14 19:37:02 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_syscalls.c Log Message: Pull up following revision(s) (requested by spz in ticket #996): sys/kern/uipc_syscalls.c: revision 1.163 PR/47591: Michael Plass: If the unix socket is closed before accept, unp-unp_conn will be NULL in PRU_ACCEPT, as called from sys_accept-so_accept. This will cause the usrreq to return with no error, leaving the mbuf gotten from m_get() with an uninitialized length, containing junk from a previous call. Initialize m_len to be 0 to handle this case. This is yet another reason why Beverly's idea of setting m_len = 0 in m_get() makes a lot of sense. Arguably this could be an error, since the data we return now has 0 family and length. To generate a diff of this commit: cvs rdiff -u -r1.154.2.1.4.1 -r1.154.2.1.4.2 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Mon Nov 25 08:27:01 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c Log Message: Pull up following revision(s) (requested by spz in ticket #988): sys/kern/uipc_socket.c: revision 1.220 PR/48098: Brian Marcotte: panic: kernel diagnostic assertion cred != NULL: Fix from Michael van Elst, tcpdrop crashes kernel on ebryonic connections. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.1 -r1.209.2.1.4.2 src/sys/kern/uipc_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_socket.c diff -u src/sys/kern/uipc_socket.c:1.209.2.1.4.1 src/sys/kern/uipc_socket.c:1.209.2.1.4.2 --- src/sys/kern/uipc_socket.c:1.209.2.1.4.1 Fri Aug 2 20:23:11 2013 +++ src/sys/kern/uipc_socket.c Mon Nov 25 08:27:01 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.1 2013/08/02 20:23:11 martin Exp $ */ +/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $ */ /*- * Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc. @@ -63,7 +63,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: uipc_socket.c,v 1.209.2.1.4.1 2013/08/02 20:23:11 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $); #include opt_compat_netbsd.h #include opt_sock_counters.h @@ -416,7 +416,7 @@ socket_listener_cb(kauth_cred_t cred, ka /* Normal users can only drop their own connections. */ struct socket *so = (struct socket *)arg1; - if (proc_uidmatch(cred, so-so_cred) == 0) + if (so-so_cred proc_uidmatch(cred, so-so_cred) == 0) result = KAUTH_RESULT_ALLOW; break;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Mon Nov 25 08:27:01 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c Log Message: Pull up following revision(s) (requested by spz in ticket #988): sys/kern/uipc_socket.c: revision 1.220 PR/48098: Brian Marcotte: panic: kernel diagnostic assertion cred != NULL: Fix from Michael van Elst, tcpdrop crashes kernel on ebryonic connections. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.1 -r1.209.2.1.4.2 src/sys/kern/uipc_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:05:44 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_xcall.c Log Message: Pull up following revision(s) (requested by rmind in ticket #868): sys/kern/subr_xcall.c: revision 1.15 xc_highpri: fix assert. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.16.1 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_xcall.c diff -u src/sys/kern/subr_xcall.c:1.13 src/sys/kern/subr_xcall.c:1.13.16.1 --- src/sys/kern/subr_xcall.c:1.13 Fri May 13 22:16:44 2011 +++ src/sys/kern/subr_xcall.c Sat Apr 20 10:05:44 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_xcall.c,v 1.13 2011/05/13 22:16:44 rmind Exp $ */ +/* $NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $ */ /*- * Copyright (c) 2007-2010 The NetBSD Foundation, Inc. @@ -74,7 +74,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: subr_xcall.c,v 1.13 2011/05/13 22:16:44 rmind Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $); #include sys/types.h #include sys/param.h @@ -411,7 +411,7 @@ xc_highpri(xcfunc_t func, void *arg1, vo } kpreempt_enable(); #else - KASSERT(curcpu() == ci); + KASSERT(ci == NULL || curcpu() == ci); xc_ipi_handler(); #endif
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:16:31 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_kmem.c Log Message: Pull up following revision(s) (requested by para in ticket #876): sys/kern/subr_kmem.c: revision 1.47 addresses PR/47512 properly return NULL for failed allocations not 0x8 with size checks enabled. To generate a diff of this commit: cvs rdiff -u -r1.42.2.2 -r1.42.2.2.4.1 src/sys/kern/subr_kmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_kmem.c diff -u src/sys/kern/subr_kmem.c:1.42.2.2 src/sys/kern/subr_kmem.c:1.42.2.2.4.1 --- src/sys/kern/subr_kmem.c:1.42.2.2 Sun Aug 12 14:45:31 2012 +++ src/sys/kern/subr_kmem.c Sat Apr 20 10:16:31 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_kmem.c,v 1.42.2.2 2012/08/12 14:45:31 martin Exp $ */ +/* $NetBSD: subr_kmem.c,v 1.42.2.2.4.1 2013/04/20 10:16:31 bouyer Exp $ */ /*- * Copyright (c) 2009 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: subr_kmem.c,v 1.42.2.2 2012/08/12 14:45:31 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_kmem.c,v 1.42.2.2.4.1 2013/04/20 10:16:31 bouyer Exp $); #include sys/param.h #include sys/callback.h @@ -223,8 +223,10 @@ kmem_intr_alloc(size_t size, km_flag_t k kmem_poison_check(p, size); FREECHECK_OUT(kmem_freecheck, p); kmem_size_set(p, size); + + return p + SIZE_SIZE; } - return p + SIZE_SIZE; + return p; } /*
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:05:44 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_xcall.c Log Message: Pull up following revision(s) (requested by rmind in ticket #868): sys/kern/subr_xcall.c: revision 1.15 xc_highpri: fix assert. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.16.1 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:16:31 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_kmem.c Log Message: Pull up following revision(s) (requested by para in ticket #876): sys/kern/subr_kmem.c: revision 1.47 addresses PR/47512 properly return NULL for failed allocations not 0x8 with size checks enabled. To generate a diff of this commit: cvs rdiff -u -r1.42.2.2 -r1.42.2.2.4.1 src/sys/kern/subr_kmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: msaitoh
Date: Fri Mar 29 00:46:59 UTC 2013
Modified Files:
src/sys/kern [netbsd-6-0]: subr_cprng.c
Log Message:
Pull up following revision(s) (requested by tls in ticket #859):
sys/kern/subr_cprng.c: revision 1.16
Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag
backwards, in low-entropy conditions there was a time interval in which
/dev/urandom could still output bits on an unacceptably short key. Output
from /dev/random was *NOT* impacted.
Eliminate the flag in question -- it's safest to always fill the requested
key buffer with output from the entropy-pool, even if we let the caller
know we couldn't provide bytes with the full entropy it requested.
Advisory will be updated soon with a full worst-case analysis of the
/dev/urandom output path in the presence of either variant of the
SA-2013-003 bug. Fortunately, because a large amount of other input
is mixed in before users can obtain any output, it doesn't look as dangerous
in practice as I'd feared it might be.
To generate a diff of this commit:
cvs rdiff -u -r1.5.2.3.4.1 -r1.5.2.3.4.2 src/sys/kern/subr_cprng.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_cprng.c
diff -u src/sys/kern/subr_cprng.c:1.5.2.3.4.1 src/sys/kern/subr_cprng.c:1.5.2.3.4.2
--- src/sys/kern/subr_cprng.c:1.5.2.3.4.1 Sat Jan 26 21:36:10 2013
+++ src/sys/kern/subr_cprng.c Fri Mar 29 00:46:58 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $ */
+/* $NetBSD: subr_cprng.c,v 1.5.2.3.4.2 2013/03/29 00:46:58 msaitoh Exp $ */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
#include sys/cprng.h
-__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $);
+__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3.4.2 2013/03/29 00:46:58 msaitoh Exp $);
void
cprng_init(void)
@@ -157,11 +157,11 @@ cprng_strong_reseed(void *const arg)
}
static size_t
-cprng_entropy_try(uint8_t *key, size_t keylen, int hard)
+cprng_entropy_try(uint8_t *key, size_t keylen)
{
int r;
r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD);
- if (r != keylen !hard) {
+ if (r != keylen) { /* Always fill in, for safety */
rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);
}
return r;
@@ -196,7 +196,7 @@ cprng_strong_create(const char *const na
selinit(c-selq);
- r = cprng_entropy_try(key, sizeof(key), c-flags CPRNG_INIT_ANY);
+ r = cprng_entropy_try(key, sizeof(key));
if (r != sizeof(key)) {
if (c-flags CPRNG_INIT_ANY) {
#ifdef DEBUG
@@ -244,7 +244,7 @@ cprng_strong(cprng_strong_t *const c, vo
if (c-flags CPRNG_REKEY_ANY) {
uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
- if (cprng_entropy_try(key, sizeof(key), 0) !=
+ if (cprng_entropy_try(key, sizeof(key)) !=
sizeof(key)) {
printf(cprng %s: WARNING
pseudorandom rekeying.\n, c-name);
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Fri Mar 29 00:46:59 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_cprng.c Log Message: Pull up following revision(s) (requested by tls in ticket #859): sys/kern/subr_cprng.c: revision 1.16 Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag backwards, in low-entropy conditions there was a time interval in which /dev/urandom could still output bits on an unacceptably short key. Output from /dev/random was *NOT* impacted. Eliminate the flag in question -- it's safest to always fill the requested key buffer with output from the entropy-pool, even if we let the caller know we couldn't provide bytes with the full entropy it requested. Advisory will be updated soon with a full worst-case analysis of the /dev/urandom output path in the presence of either variant of the SA-2013-003 bug. Fortunately, because a large amount of other input is mixed in before users can obtain any output, it doesn't look as dangerous in practice as I'd feared it might be. To generate a diff of this commit: cvs rdiff -u -r1.5.2.3.4.1 -r1.5.2.3.4.2 src/sys/kern/subr_cprng.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: riz
Date: Mon Feb 11 20:42:51 UTC 2013
Modified Files:
src/sys/kern [netbsd-6-0]: subr_pserialize.c
Log Message:
Pull up following revision(s) (requested by rmind in ticket #811):
sys/kern/subr_pserialize.c: revision 1.7
- pserialize_switchpoint: check for passing twice, not more than needed.
- pserialize_perform: avoid a possible race with softint handler.
Reported by hannken@.
To generate a diff of this commit:
cvs rdiff -u -r1.5.8.1 -r1.5.8.2 src/sys/kern/subr_pserialize.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_pserialize.c
diff -u src/sys/kern/subr_pserialize.c:1.5.8.1 src/sys/kern/subr_pserialize.c:1.5.8.2
--- src/sys/kern/subr_pserialize.c:1.5.8.1 Fri Feb 8 19:31:19 2013
+++ src/sys/kern/subr_pserialize.c Mon Feb 11 20:42:50 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_pserialize.c,v 1.5.8.1 2013/02/08 19:31:19 riz Exp $ */
+/* $NetBSD: subr_pserialize.c,v 1.5.8.2 2013/02/11 20:42:50 riz Exp $ */
/*-
* Copyright (c) 2010, 2011 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: subr_pserialize.c,v 1.5.8.1 2013/02/08 19:31:19 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: subr_pserialize.c,v 1.5.8.2 2013/02/11 20:42:50 riz Exp $);
#include sys/param.h
@@ -48,13 +48,13 @@ __KERNEL_RCSID(0, $NetBSD: subr_pserial
#include sys/kmem.h
#include sys/mutex.h
#include sys/pserialize.h
+#include sys/proc.h
#include sys/queue.h
#include sys/xcall.h
struct pserialize {
TAILQ_ENTRY(pserialize) psz_chain;
lwp_t * psz_owner;
- kcondvar_t psz_notifier;
kcpuset_t * psz_target;
kcpuset_t * psz_pass;
};
@@ -102,7 +102,6 @@ pserialize_create(void)
pserialize_t psz;
psz = kmem_zalloc(sizeof(struct pserialize), KM_SLEEP);
- cv_init(psz-psz_notifier, psrlz);
kcpuset_create(psz-psz_target, true);
kcpuset_create(psz-psz_pass, true);
psz-psz_owner = NULL;
@@ -121,7 +120,6 @@ pserialize_destroy(pserialize_t psz)
KASSERT(psz-psz_owner == NULL);
- cv_destroy(psz-psz_notifier);
kcpuset_destroy(psz-psz_target);
kcpuset_destroy(psz-psz_pass);
kmem_free(psz, sizeof(struct pserialize));
@@ -163,27 +161,21 @@ pserialize_perform(pserialize_t psz)
mutex_spin_enter(psz_lock);
TAILQ_INSERT_TAIL(psz_queue0, psz, psz_chain);
psz_work_todo++;
- mutex_spin_exit(psz_lock);
- /*
- * Force some context switch activity on every CPU, as the system
- * may not be busy. Note: should pass the point twice.
- */
- xc = xc_broadcast(XC_HIGHPRI, (xcfunc_t)nullop, NULL, NULL);
- xc_wait(xc);
+ do {
+ mutex_spin_exit(psz_lock);
- /* No need to xc_wait() as we implement our own condvar. */
- xc_broadcast(XC_HIGHPRI, (xcfunc_t)nullop, NULL, NULL);
+ /*
+ * Force some context switch activity on every CPU, as
+ * the system may not be busy. Pause to not flood.
+ */
+ xc = xc_broadcast(XC_HIGHPRI, (xcfunc_t)nullop, NULL, NULL);
+ xc_wait(xc);
+ kpause(psrlz, false, 1, NULL);
+
+ mutex_spin_enter(psz_lock);
+ } while (!kcpuset_iszero(psz-psz_target));
- /*
- * Wait for all CPUs to cycle through mi_switch() twice.
- * The last one through will remove our update from the
- * queue and awaken us.
- */
- mutex_spin_enter(psz_lock);
- while (!kcpuset_iszero(psz-psz_target)) {
- cv_wait(psz-psz_notifier, psz_lock);
- }
psz_ev_excl.ev_count++;
mutex_spin_exit(psz_lock);
@@ -236,8 +228,8 @@ pserialize_switchpoint(void)
*/
for (psz = TAILQ_FIRST(psz_queue1); psz != NULL; psz = next) {
next = TAILQ_NEXT(psz, psz_chain);
+ kcpuset_set(psz-psz_pass, cid);
if (!kcpuset_match(psz-psz_pass, psz-psz_target)) {
- kcpuset_set(psz-psz_pass, cid);
continue;
}
kcpuset_zero(psz-psz_pass);
@@ -250,8 +242,8 @@ pserialize_switchpoint(void)
*/
for (psz = TAILQ_FIRST(psz_queue0); psz != NULL; psz = next) {
next = TAILQ_NEXT(psz, psz_chain);
+ kcpuset_set(psz-psz_pass, cid);
if (!kcpuset_match(psz-psz_pass, psz-psz_target)) {
- kcpuset_set(psz-psz_pass, cid);
continue;
}
kcpuset_zero(psz-psz_pass);
@@ -265,7 +257,6 @@ pserialize_switchpoint(void)
while ((psz = TAILQ_FIRST(psz_queue2)) != NULL) {
TAILQ_REMOVE(psz_queue2, psz, psz_chain);
kcpuset_zero(psz-psz_target);
- cv_signal(psz-psz_notifier);
psz_work_todo--;
}
mutex_spin_exit(psz_lock);
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Mon Feb 11 20:42:51 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_pserialize.c Log Message: Pull up following revision(s) (requested by rmind in ticket #811): sys/kern/subr_pserialize.c: revision 1.7 - pserialize_switchpoint: check for passing twice, not more than needed. - pserialize_perform: avoid a possible race with softint handler. Reported by hannken@. To generate a diff of this commit: cvs rdiff -u -r1.5.8.1 -r1.5.8.2 src/sys/kern/subr_pserialize.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: riz
Date: Fri Feb 8 20:22:19 UTC 2013
Modified Files:
src/sys/kern [netbsd-6-0]: subr_vmem.c
Log Message:
Pull up following revision(s) (requested by para in ticket #789):
sys/kern/subr_vmem.c: revision 1.81
sys/kern/subr_vmem.c: revision 1.77
fix a lock order reversal during global boundary tag refill.
thanks to chuq@
xxx: request pullup
Fix release of vmem_btag_lock (don't release twice in error path)
To generate a diff of this commit:
cvs rdiff -u -r1.72.2.1 -r1.72.2.1.4.1 src/sys/kern/subr_vmem.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_vmem.c
diff -u src/sys/kern/subr_vmem.c:1.72.2.1 src/sys/kern/subr_vmem.c:1.72.2.1.4.1
--- src/sys/kern/subr_vmem.c:1.72.2.1 Tue Apr 3 16:14:02 2012
+++ src/sys/kern/subr_vmem.c Fri Feb 8 20:22:18 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_vmem.c,v 1.72.2.1 2012/04/03 16:14:02 riz Exp $ */
+/* $NetBSD: subr_vmem.c,v 1.72.2.1.4.1 2013/02/08 20:22:18 riz Exp $ */
/*-
* Copyright (c)2006,2007,2008,2009 YAMAMOTO Takashi,
@@ -34,7 +34,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: subr_vmem.c,v 1.72.2.1 2012/04/03 16:14:02 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: subr_vmem.c,v 1.72.2.1.4.1 2013/02/08 20:22:18 riz Exp $);
#if defined(_KERNEL)
#include opt_ddb.h
@@ -263,6 +263,7 @@ static int static_qc_pool_count = STATIC
vmem_t *kmem_va_meta_arena;
vmem_t *kmem_meta_arena;
+static kmutex_t vmem_refill_lock;
static kmutex_t vmem_btag_lock;
static LIST_HEAD(, vmem_btag) vmem_btag_freelist;
static size_t vmem_btag_freelist_count = 0;
@@ -282,19 +283,24 @@ bt_refillglobal(vm_flag_t flags)
bt_t *bt;
int i;
+ mutex_enter(vmem_refill_lock);
+
mutex_enter(vmem_btag_lock);
if (vmem_btag_freelist_count (BT_MINRESERVE * 16)) {
mutex_exit(vmem_btag_lock);
+ mutex_exit(vmem_refill_lock);
return 0;
}
+ mutex_exit(vmem_btag_lock);
if (vmem_alloc(kmem_meta_arena, PAGE_SIZE,
(flags ~VM_FITMASK) | VM_INSTANTFIT | VM_POPULATING, va) != 0) {
- mutex_exit(vmem_btag_lock);
+ mutex_exit(vmem_refill_lock);
return ENOMEM;
}
VMEM_EVCNT_INCR(bt_pages);
+ mutex_enter(vmem_btag_lock);
btp = (void *) va;
for (i = 0; i (BT_PER_PAGE); i++) {
bt = btp;
@@ -308,9 +314,14 @@ bt_refillglobal(vm_flag_t flags)
}
mutex_exit(vmem_btag_lock);
- bt_refill(kmem_arena, (flags ~VM_FITMASK) | VM_INSTANTFIT);
- bt_refill(kmem_va_meta_arena, (flags ~VM_FITMASK) | VM_INSTANTFIT);
- bt_refill(kmem_meta_arena, (flags ~VM_FITMASK) | VM_INSTANTFIT);
+ bt_refill(kmem_arena, (flags ~VM_FITMASK)
+ | VM_INSTANTFIT | VM_POPULATING);
+ bt_refill(kmem_va_meta_arena, (flags ~VM_FITMASK)
+ | VM_INSTANTFIT | VM_POPULATING);
+ bt_refill(kmem_meta_arena, (flags ~VM_FITMASK)
+ | VM_INSTANTFIT | VM_POPULATING);
+
+ mutex_exit(vmem_refill_lock);
return 0;
}
@@ -320,7 +331,9 @@ bt_refill(vmem_t *vm, vm_flag_t flags)
{
bt_t *bt;
- bt_refillglobal(flags);
+ if (!(flags VM_POPULATING)) {
+ bt_refillglobal(flags);
+ }
VMEM_LOCK(vm);
mutex_enter(vmem_btag_lock);
@@ -691,6 +704,7 @@ vmem_bootstrap(void)
{
mutex_init(vmem_list_lock, MUTEX_DEFAULT, IPL_VM);
+ mutex_init(vmem_refill_lock, MUTEX_DEFAULT, IPL_VM);
mutex_init(vmem_btag_lock, MUTEX_DEFAULT, IPL_VM);
while (static_bt_count-- 0) {
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Fri Feb 8 20:28:22 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: kern_rndq.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #790): sys/kern/kern_rndq.c: revision 1.7 Set resource limit. The rnd_process_events() function is called every tick and process the sample queue. Without limitation, if a lot of rnd_add_*() are called, all kernel memory may be eaten up. To generate a diff of this commit: cvs rdiff -u -r1.1.2.2 -r1.1.2.2.4.1 src/sys/kern/kern_rndq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_rndq.c diff -u src/sys/kern/kern_rndq.c:1.1.2.2 src/sys/kern/kern_rndq.c:1.1.2.2.4.1 --- src/sys/kern/kern_rndq.c:1.1.2.2 Fri Apr 20 23:35:20 2012 +++ src/sys/kern/kern_rndq.c Fri Feb 8 20:28:22 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_rndq.c,v 1.1.2.2 2012/04/20 23:35:20 riz Exp $ */ +/* $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $ */ /*- * Copyright (c) 1997-2011 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2 2012/04/20 23:35:20 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $); #include sys/param.h #include sys/ioctl.h @@ -405,7 +405,17 @@ rnd_init(void) rnd_mempc = pool_cache_init(sizeof(rnd_sample_t), 0, 0, 0, rndsample, NULL, IPL_VM, NULL, NULL, NULL); - /* Mix *something*, *anything* into the pool to help it get started. + + /* + * Set resource limit. The rnd_process_events() function + * is called every tick and process the sample queue. + * Without limitation, if a lot of rnd_add_*() are called, + * all kernel memory may be eaten up. + */ + pool_cache_sethardlimit(rnd_mempc, RND_POOLBITS, NULL, 0); + + /* + * Mix *something*, *anything* into the pool to help it get started. * However, it's not safe for rnd_counter() to call microtime() yet, * so on some platforms we might just end up with zeros anyway. * XXX more things to add would be nice.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Fri Feb 8 20:22:19 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_vmem.c Log Message: Pull up following revision(s) (requested by para in ticket #789): sys/kern/subr_vmem.c: revision 1.81 sys/kern/subr_vmem.c: revision 1.77 fix a lock order reversal during global boundary tag refill. thanks to chuq@ xxx: request pullup Fix release of vmem_btag_lock (don't release twice in error path) To generate a diff of this commit: cvs rdiff -u -r1.72.2.1 -r1.72.2.1.4.1 src/sys/kern/subr_vmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Fri Feb 8 20:28:22 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: kern_rndq.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #790): sys/kern/kern_rndq.c: revision 1.7 Set resource limit. The rnd_process_events() function is called every tick and process the sample queue. Without limitation, if a lot of rnd_add_*() are called, all kernel memory may be eaten up. To generate a diff of this commit: cvs rdiff -u -r1.1.2.2 -r1.1.2.2.4.1 src/sys/kern/kern_rndq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: bouyer
Date: Sat Jan 26 21:36:10 UTC 2013
Modified Files:
src/sys/kern [netbsd-6-0]: subr_cprng.c
Log Message:
Pull up following revision(s) (requested by tls in ticket #800):
sys/kern/subr_cprng.c: revision 1.15
Fix a security issue: when we are reseeding a PRNG seeded early in boot
before we had ever had any entropy, if something else has consumed the
entropy that triggered the immediate reseed, we can reseed with as little
as sizeof(int) bytes of entropy.
To generate a diff of this commit:
cvs rdiff -u -r1.5.2.3 -r1.5.2.3.4.1 src/sys/kern/subr_cprng.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_cprng.c
diff -u src/sys/kern/subr_cprng.c:1.5.2.3 src/sys/kern/subr_cprng.c:1.5.2.3.4.1
--- src/sys/kern/subr_cprng.c:1.5.2.3 Mon May 21 16:49:54 2012
+++ src/sys/kern/subr_cprng.c Sat Jan 26 21:36:10 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_cprng.c,v 1.5.2.3 2012/05/21 16:49:54 jdc Exp $ */
+/* $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $ */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
#include sys/cprng.h
-__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3 2012/05/21 16:49:54 jdc Exp $);
+__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $);
void
cprng_init(void)
@@ -84,6 +84,8 @@ cprng_strong_doreseed(cprng_strong_t *co
cc, sizeof(cc))) {
panic(cprng %s: nist_ctr_drbg_reseed failed., c-name);
}
+ memset(c-reseed.data, 0, c-reseed.len);
+
#ifdef RND_VERBOSE
printf(cprng %s: reseeded with rnd_filled = %d\n, c-name,
rnd_filled);
@@ -154,6 +156,17 @@ cprng_strong_reseed(void *const arg)
mutex_exit(c-mtx);
}
+static size_t
+cprng_entropy_try(uint8_t *key, size_t keylen, int hard)
+{
+ int r;
+ r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD);
+ if (r != keylen !hard) {
+ rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);
+ }
+ return r;
+}
+
cprng_strong_t *
cprng_strong_create(const char *const name, int ipl, int flags)
{
@@ -183,15 +196,13 @@ cprng_strong_create(const char *const na
selinit(c-selq);
- r = rnd_extract_data(key, sizeof(key), RND_EXTRACT_GOOD);
+ r = cprng_entropy_try(key, sizeof(key), c-flags CPRNG_INIT_ANY);
if (r != sizeof(key)) {
if (c-flags CPRNG_INIT_ANY) {
#ifdef DEBUG
printf(cprng %s: WARNING insufficient
entropy at creation.\n, name);
#endif
- rnd_extract_data(key + r, sizeof(key - r),
- RND_EXTRACT_ANY);
} else {
hard++;
}
@@ -233,15 +244,18 @@ cprng_strong(cprng_strong_t *const c, vo
if (c-flags CPRNG_REKEY_ANY) {
uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
- printf(cprng %s: WARNING pseudorandom rekeying.\n,
- c-name);
-rnd_extract_data(key, sizeof(key), RND_EXTRACT_ANY);
+ if (cprng_entropy_try(key, sizeof(key), 0) !=
+ sizeof(key)) {
+ printf(cprng %s: WARNING
+ pseudorandom rekeying.\n, c-name);
+ }
cc = cprng_counter();
if (nist_ctr_drbg_reseed(c-drbg, key, sizeof(key),
cc, sizeof(cc))) {
panic(cprng %s: nist_ctr_drbg_reseed
failed., c-name);
}
+ memset(key, 0, sizeof(key));
} else {
int wr;
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Jan 26 21:36:10 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_cprng.c Log Message: Pull up following revision(s) (requested by tls in ticket #800): sys/kern/subr_cprng.c: revision 1.15 Fix a security issue: when we are reseeding a PRNG seeded early in boot before we had ever had any entropy, if something else has consumed the entropy that triggered the immediate reseed, we can reseed with as little as sizeof(int) bytes of entropy. To generate a diff of this commit: cvs rdiff -u -r1.5.2.3 -r1.5.2.3.4.1 src/sys/kern/subr_cprng.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: riz
Date: Mon Jan 7 16:53:36 UTC 2013
Modified Files:
src/sys/kern [netbsd-6-0]: uipc_syscalls.c
Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #778):
sys/kern/uipc_syscalls.c: revision 1.157
sys/kern/uipc_syscalls.c: revision 1.158
If an untraced process sleeps in recvmsg/sendmsg, the syscall does not
allocate an iov structure for ktrace. When tracing is then enabled
and the process wakes up, it crashes the kernel.
Undo the last commit which introduced this error path.
Avoid the mentioned kmem_alloc assertion by adding a sanity check analog
to similar code in sys_generic.c for I/O on file handles instead of
sockets.
This also causes the syscall to return EMSGSIZE if the msg_iovlen member
of the msg structure is less than or equal to 0, as defined in
recvmsg(2)/sendmsg(2).
The sanity check prevented messages that carry only ancillary data.
To generate a diff of this commit:
cvs rdiff -u -r1.154.2.1 -r1.154.2.1.4.1 src/sys/kern/uipc_syscalls.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_syscalls.c
diff -u src/sys/kern/uipc_syscalls.c:1.154.2.1 src/sys/kern/uipc_syscalls.c:1.154.2.1.4.1
--- src/sys/kern/uipc_syscalls.c:1.154.2.1 Fri Jul 20 23:10:06 2012
+++ src/sys/kern/uipc_syscalls.c Mon Jan 7 16:53:36 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_syscalls.c,v 1.154.2.1 2012/07/20 23:10:06 riz Exp $ */
+/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $ */
/*-
* Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1 2012/07/20 23:10:06 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $);
#include opt_pipe.h
@@ -640,10 +640,9 @@ do_sys_sendmsg(struct lwp *l, int s, str
*retsize = len - auio.uio_resid;
bad:
- if (ktrpoint(KTR_GENIO)) {
+ if (ktriov != NULL) {
ktrgeniov(s, UIO_WRITE, ktriov, *retsize, error);
- if (ktriov != NULL)
- kmem_free(ktriov, iovsz);
+ kmem_free(ktriov, iovsz);
}
if (iov != aiov)
@@ -897,10 +896,9 @@ do_sys_recvmsg(struct lwp *l, int s, str
/* Some data transferred */
error = 0;
- if (ktrpoint(KTR_GENIO)) {
+ if (ktriov != NULL) {
ktrgeniov(s, UIO_READ, ktriov, len, error);
- if (ktriov != NULL)
- kmem_free(ktriov, iovsz);
+ kmem_free(ktriov, iovsz);
}
if (error != 0) {
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Mon Jan 7 16:53:36 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_syscalls.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #778): sys/kern/uipc_syscalls.c: revision 1.157 sys/kern/uipc_syscalls.c: revision 1.158 If an untraced process sleeps in recvmsg/sendmsg, the syscall does not allocate an iov structure for ktrace. When tracing is then enabled and the process wakes up, it crashes the kernel. Undo the last commit which introduced this error path. Avoid the mentioned kmem_alloc assertion by adding a sanity check analog to similar code in sys_generic.c for I/O on file handles instead of sockets. This also causes the syscall to return EMSGSIZE if the msg_iovlen member of the msg structure is less than or equal to 0, as defined in recvmsg(2)/sendmsg(2). The sanity check prevented messages that carry only ancillary data. To generate a diff of this commit: cvs rdiff -u -r1.154.2.1 -r1.154.2.1.4.1 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: riz
Date: Thu Nov 22 18:51:14 UTC 2012
Modified Files:
src/sys/kern [netbsd-6-0]: vfs_vnode.c vfs_vnops.c
Log Message:
Pull up following revision(s) (requested by hannken in ticket #692):
sys/kern/vfs_vnode.c: revision 1.17
sys/kern/vfs_vnops.c: revision 1.186
Bring back Manuel Bouyers patch to resolve races between vget() and vrelel()
resulting in vget() returning dead vnodes.
It is impossible to resolve these races in vn_lock().
Needs pullup to NetBSD-6.
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.15.8.1 src/sys/kern/vfs_vnode.c
cvs rdiff -u -r1.183.8.1 -r1.183.8.1.4.1 src/sys/kern/vfs_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/vfs_vnode.c
diff -u src/sys/kern/vfs_vnode.c:1.15 src/sys/kern/vfs_vnode.c:1.15.8.1
--- src/sys/kern/vfs_vnode.c:1.15 Tue Dec 20 16:49:37 2011
+++ src/sys/kern/vfs_vnode.c Thu Nov 22 18:51:14 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_vnode.c,v 1.15 2011/12/20 16:49:37 hannken Exp $ */
+/* $NetBSD: vfs_vnode.c,v 1.15.8.1 2012/11/22 18:51:14 riz Exp $ */
/*-
* Copyright (c) 1997-2011 The NetBSD Foundation, Inc.
@@ -120,7 +120,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: vfs_vnode.c,v 1.15 2011/12/20 16:49:37 hannken Exp $);
+__KERNEL_RCSID(0, $NetBSD: vfs_vnode.c,v 1.15.8.1 2012/11/22 18:51:14 riz Exp $);
#include sys/param.h
#include sys/kernel.h
@@ -555,6 +555,22 @@ vget(vnode_t *vp, int flags)
return ENOENT;
}
+ if ((vp-v_iflag VI_INACTNOW) != 0) {
+ /*
+ * if it's being desactived, wait for it to complete.
+ * Make sure to not return a clean vnode.
+ */
+ if ((flags LK_NOWAIT) != 0) {
+ vrelel(vp, 0);
+ return EBUSY;
+ }
+ vwait(vp, VI_INACTNOW);
+ if ((vp-v_iflag VI_CLEAN) != 0) {
+ vrelel(vp, 0);
+ return ENOENT;
+ }
+ }
+
/*
* Ok, we got it in good shape. Just locking left.
*/
@@ -665,8 +681,12 @@ retry:
/* The pagedaemon can't wait around; defer. */
defer = true;
} else if (curlwp == vrele_lwp) {
- /* We have to try harder. */
- vp-v_iflag = ~VI_INACTREDO;
+ /*
+ * We have to try harder. But we can't sleep
+ * with VI_INACTNOW as vget() may be waiting on it.
+ */
+ vp-v_iflag = ~(VI_INACTREDO|VI_INACTNOW);
+ cv_broadcast(vp-v_cv);
mutex_exit(vp-v_interlock);
error = vn_lock(vp, LK_EXCLUSIVE);
if (error != 0) {
@@ -674,6 +694,18 @@ retry:
vnpanic(vp, %s: unable to lock %p,
__func__, vp);
}
+ mutex_enter(vp-v_interlock);
+ /*
+ * if we did get another reference while
+ * sleeping, don't try to inactivate it yet.
+ */
+ if (__predict_false(vtryrele(vp))) {
+VOP_UNLOCK(vp);
+mutex_exit(vp-v_interlock);
+return;
+ }
+ vp-v_iflag |= VI_INACTNOW;
+ mutex_exit(vp-v_interlock);
defer = false;
} else if ((vp-v_iflag VI_LAYER) != 0) {
/*
@@ -709,6 +741,7 @@ retry:
if (++vrele_pending (desiredvnodes 8))
cv_signal(vrele_cv);
mutex_exit(vrele_lock);
+ cv_broadcast(vp-v_cv);
mutex_exit(vp-v_interlock);
return;
}
@@ -726,6 +759,7 @@ retry:
VOP_INACTIVE(vp, recycle);
mutex_enter(vp-v_interlock);
vp-v_iflag = ~VI_INACTNOW;
+ cv_broadcast(vp-v_cv);
if (!recycle) {
if (vtryrele(vp)) {
mutex_exit(vp-v_interlock);
Index: src/sys/kern/vfs_vnops.c
diff -u src/sys/kern/vfs_vnops.c:1.183.8.1 src/sys/kern/vfs_vnops.c:1.183.8.1.4.1
--- src/sys/kern/vfs_vnops.c:1.183.8.1 Thu Apr 12 17:15:23 2012
+++ src/sys/kern/vfs_vnops.c Thu Nov 22 18:51:14 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_vnops.c,v 1.183.8.1 2012/04/12 17:15:23 riz Exp $ */
+/* $NetBSD: vfs_vnops.c,v 1.183.8.1.4.1 2012/11/22 18:51:14 riz Exp $ */
/*-
* Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: vfs_vnops.c,v 1.183.8.1 2012/04/12 17:15:23 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: vfs_vnops.c,v 1.183.8.1.4.1 2012/11/22 18:51:14 riz Exp $);
#include veriexec.h
@@ -805,15 +805,6 @@ vn_lock(struct vnode *vp, int flags)
} else {
mutex_exit(vp-v_interlock);
error = VOP_LOCK(vp, (flags ~LK_RETRY));
- if (error == 0 (flags LK_RETRY) == 0) {
-mutex_enter(vp-v_interlock);
-if ((vp-v_iflag VI_CLEAN)) {
- mutex_exit(vp-v_interlock);
- VOP_UNLOCK(vp);
- return ENOENT;
-}
-mutex_exit(vp-v_interlock);
- }
if (error == 0 || error == EDEADLK || error == EBUSY)
return (error);
}
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Thu Nov 22 18:51:14 UTC 2012 Modified Files: src/sys/kern [netbsd-6-0]: vfs_vnode.c vfs_vnops.c Log Message: Pull up following revision(s) (requested by hannken in ticket #692): sys/kern/vfs_vnode.c: revision 1.17 sys/kern/vfs_vnops.c: revision 1.186 Bring back Manuel Bouyers patch to resolve races between vget() and vrelel() resulting in vget() returning dead vnodes. It is impossible to resolve these races in vn_lock(). Needs pullup to NetBSD-6. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.15.8.1 src/sys/kern/vfs_vnode.c cvs rdiff -u -r1.183.8.1 -r1.183.8.1.4.1 src/sys/kern/vfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src
Committed By: riz
Date: Tue Nov 20 21:32:57 UTC 2012
Modified Files:
src/sys/kern [netbsd-6-0]: kern_exec.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #670):
sys/kern/kern_exec.c: revision 1.358
If you are going to dick around with p_stat, remember to put it
back so that spawn processes with attributes don't end up starting
up stopped!
XXX: pullup to 6.
To generate a diff of this commit:
cvs rdiff -u -r1.339.2.5 -r1.339.2.5.4.1 src/sys/kern/kern_exec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.339.2.5 src/sys/kern/kern_exec.c:1.339.2.5.4.1
--- src/sys/kern/kern_exec.c:1.339.2.5 Mon Apr 16 15:28:19 2012
+++ src/sys/kern/kern_exec.c Tue Nov 20 21:32:57 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.339.2.5 2012/04/16 15:28:19 riz Exp $ */
+/* $NetBSD: kern_exec.c,v 1.339.2.5.4.1 2012/11/20 21:32:57 riz Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.339.2.5 2012/04/16 15:28:19 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.339.2.5.4.1 2012/11/20 21:32:57 riz Exp $);
#include opt_exec.h
#include opt_ktrace.h
@@ -1916,6 +1916,7 @@ spawn_return(void *arg)
/* handle posix_spawnattr */
if (spawn_data-sed_attrs != NULL) {
+ int ostat;
struct sigaction sigact;
sigact._sa_u._sa_handler = SIG_DFL;
sigact.sa_flags = 0;
@@ -1924,6 +1925,7 @@ spawn_return(void *arg)
* set state to SSTOP so that this proc can be found by pid.
* see proc_enterprp, do_sched_setparam below
*/
+ ostat = l-l_proc-p_stat;
l-l_proc-p_stat = SSTOP;
/* Set process group */
@@ -1985,6 +1987,7 @@ spawn_return(void *arg)
0);
}
}
+ l-l_proc-p_stat = ostat;
}
/* now do the real exec */
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Tue Nov 20 21:32:57 UTC 2012 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c Log Message: Pull up following revision(s) (requested by christos in ticket #670): sys/kern/kern_exec.c: revision 1.358 If you are going to dick around with p_stat, remember to put it back so that spawn processes with attributes don't end up starting up stopped! XXX: pullup to 6. To generate a diff of this commit: cvs rdiff -u -r1.339.2.5 -r1.339.2.5.4.1 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
