CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: martin Date: Thu May 3 15:02:30 UTC 2018 Modified Files: src/sys/kern [netbsd-6-0]: uipc_mbuf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1547): sys/kern/uipc_mbuf.c: revision 1.211 (via patch) Modify m_defrag, so that it never frees the first mbuf of the chain. While here use the given 'flags' argument, and not M_DONTWAIT. We have a problem with several drivers: they poll an mbuf chain from their queues and call m_defrag on them, but m_defrag could update the mbuf pointer, so the mbuf in the queue is no longer valid. It is not easy to fix each driver, because doing pop+push will reorder the queue, and we don't really want that to happen. This problem was independently spotted by me, Kengo, Masanobu, and other people too it seems (perhaps PR/53218). Now m_defrag leaves the first mbuf in place, and compresses the chain only starting from the second mbuf in the chain. It is important not to compress the first mbuf with hacks, because the storage of this first mbuf may be shared with other mbufs. To generate a diff of this commit: cvs rdiff -u -r1.145 -r1.145.6.1 src/sys/kern/uipc_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: martin Date: Thu May 3 15:02:30 UTC 2018 Modified Files: src/sys/kern [netbsd-6-0]: uipc_mbuf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1547): sys/kern/uipc_mbuf.c: revision 1.211 (via patch) Modify m_defrag, so that it never frees the first mbuf of the chain. While here use the given 'flags' argument, and not M_DONTWAIT. We have a problem with several drivers: they poll an mbuf chain from their queues and call m_defrag on them, but m_defrag could update the mbuf pointer, so the mbuf in the queue is no longer valid. It is not easy to fix each driver, because doing pop+push will reorder the queue, and we don't really want that to happen. This problem was independently spotted by me, Kengo, Masanobu, and other people too it seems (perhaps PR/53218). Now m_defrag leaves the first mbuf in place, and compresses the chain only starting from the second mbuf in the chain. It is important not to compress the first mbuf with hacks, because the storage of this first mbuf may be shared with other mbufs. To generate a diff of this commit: cvs rdiff -u -r1.145 -r1.145.6.1 src/sys/kern/uipc_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_mbuf.c diff -u src/sys/kern/uipc_mbuf.c:1.145 src/sys/kern/uipc_mbuf.c:1.145.6.1 --- src/sys/kern/uipc_mbuf.c:1.145 Fri Feb 10 17:35:47 2012 +++ src/sys/kern/uipc_mbuf.c Thu May 3 15:02:30 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_mbuf.c,v 1.145 2012/02/10 17:35:47 para Exp $ */ +/* $NetBSD: uipc_mbuf.c,v 1.145.6.1 2018/05/03 15:02:30 martin Exp $ */ /*- * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc. @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145 2012/02/10 17:35:47 para Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.6.1 2018/05/03 15:02:30 martin Exp $"); #include "opt_mbuftrace.h" #include "opt_nmbclusters.h" 
@@ -1252,30 +1252,35 @@ m_makewritable(struct mbuf **mp, int off } /* - * Copy the mbuf chain to a new mbuf chain that is as short as possible. - * Return the new mbuf chain on success, NULL on failure. On success, - * free the old mbuf chain. + * Compress the mbuf chain. Return the new mbuf chain on success, NULL on + * failure. The first mbuf is preserved, and on success the pointer returned + * is the same as the one passed. */ struct mbuf * m_defrag(struct mbuf *mold, int flags) { struct mbuf *m0, *mn, *n; - size_t sz = mold->m_pkthdr.len; + int sz; #ifdef DIAGNOSTIC if ((mold->m_flags & M_PKTHDR) == 0) panic("m_defrag: not a mbuf chain header"); #endif - MGETHDR(m0, flags, MT_DATA); + if (mold->m_next == NULL) + return mold; + + m0 = m_get(flags, MT_DATA); if (m0 == NULL) return NULL; - M_COPY_PKTHDR(m0, mold); mn = m0; + sz = mold->m_pkthdr.len - mold->m_len; + KASSERT(sz >= 0); + do { - if (sz > MHLEN) { - MCLGET(mn, M_DONTWAIT); + if (sz > MLEN) { + MCLGET(mn, flags); if ((mn->m_flags & M_EXT) == 0) { m_freem(m0); return NULL; @@ -1291,7 +1296,7 @@ m_defrag(struct mbuf *mold, int flags) if (sz > 0) { /* need more mbufs */ - MGET(n, M_NOWAIT, MT_DATA); + n = m_get(flags, MT_DATA); if (n == NULL) { m_freem(m0); return NULL; @@ -1302,9 +1307,10 @@ m_defrag(struct mbuf *mold, int flags) } } while (sz > 0); - m_freem(mold); + m_freem(mold->m_next); + mold->m_next = m0; - return m0; + return mold; } int
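Review bot: The rewritten header comment at the top of the hunk does not state the two contract points callers now need: on failure (`m_freem(m0); return NULL;`) the original chain is left untouched and still owned by the caller, and the first mbuf is no longer copied, so a caller that used m_defrag() to obtain a private, writable chain now gets back the original head whose external storage may still be shared (the commit message itself says so). Suggest appending to the comment: `On failure the original chain is left intact and still belongs to the caller. The first mbuf is not copied, so its storage is not made private; use m_makewritable() when a writable chain is required.` Separately, `sz = mold->m_pkthdr.len - mold->m_len` is only checked by KASSERT, which is compiled out without DIAGNOSTIC, and the `do { ... } while (sz > 0)` body still runs once with a negative `sz`; the copy code that consumes `sz` is outside this hunk, so whether that is harmless cannot be confirmed here. The trailing hunk's `m_freem(mold->m_next); mold->m_next = m0;` completes the splice and is consistent with `m0` being allocated without a pkthdr.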
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:24:20 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: kern_ktrace.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1484): sys/kern/kern_ktrace.c: revision 1.171 via patch Clamp the length we use, not the length we don't. Avoids uninitialized memory disclosure to userland. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.160 -r1.160.6.1 src/sys/kern/kern_ktrace.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_ktrace.c diff -u src/sys/kern/kern_ktrace.c:1.160 src/sys/kern/kern_ktrace.c:1.160.6.1 --- src/sys/kern/kern_ktrace.c:1.160 Fri Dec 30 20:33:04 2011 +++ src/sys/kern/kern_ktrace.c Sat Aug 19 04:24:20 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $ */ +/* $NetBSD: kern_ktrace.c,v 1.160.6.1 2017/08/19 04:24:20 snj Exp $ */ /*- * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.6.1 2017/08/19 04:24:20 snj Exp $"); #include #include @@ -952,7 +952,7 @@ ktruser(const char *id, void *addr, size user_dta = (void *)(ktp + 1); if ((error = copyin(addr, (void *)user_dta, len)) != 0) - len = 0; + kte->kte_kth.ktr_len = 0; ktraddentry(l, kte, KTA_WAITOK); return error;
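Review bot: The changed line `kte->kte_kth.ktr_len = 0;` fixes the disclosure but carries no explanation of why the record's length field, rather than the local `len`, is what matters, and a future tidy-up could reintroduce the old `len = 0` by mistake. Suggest a comment above the assignment: `/* copyin failed: the payload after the header is uninitialised, so clamp the length the writer actually consumes (ktr_len), not the local copy. */` The entry is still queued via `ktraddentry()` with a zero-length payload while `error` is returned to the caller; if an empty record is not wanted on this path, dropping the entry would be a separate behavioural decision. ktruser() begins and ends outside this hunk.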
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:24:20 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: kern_ktrace.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1484): sys/kern/kern_ktrace.c: revision 1.171 via patch Clamp the length we use, not the length we don't. Avoids uninitialized memory disclosure to userland. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.160 -r1.160.6.1 src/sys/kern/kern_ktrace.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:17:08 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: vfs_getcwd.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1482): sys/kern/vfs_getcwd.c: revision 1.52 Don't walk off the end of the dirent buffer. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.20.1 src/sys/kern/vfs_getcwd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/vfs_getcwd.c diff -u src/sys/kern/vfs_getcwd.c:1.47 src/sys/kern/vfs_getcwd.c:1.47.20.1 --- src/sys/kern/vfs_getcwd.c:1.47 Tue Nov 30 10:30:02 2010 +++ src/sys/kern/vfs_getcwd.c Sat Aug 19 04:17:08 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $ */ +/* $NetBSD: vfs_getcwd.c,v 1.47.20.1 2017/08/19 04:17:08 snj Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47.20.1 2017/08/19 04:17:08 snj Exp $"); #include #include @@ -207,7 +207,8 @@ unionread: reclen = dp->d_reclen; /* check for malformed directory.. */ -if (reclen < _DIRENT_MINSIZE(dp)) { +if (reclen < _DIRENT_MINSIZE(dp) || +reclen > len) { error = EINVAL; goto out; }
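Review bot: The added `reclen > len` test bounds the record against the remaining buffer, but `dp->d_reclen` is read on the line above before any visible check that at least the fixed part of the dirent fits in `len`; whether the enclosing loop guarantees that before this point is not visible in the hunk, so the precondition is worth confirming and stating. Suggest replacing the comment with `/* check for malformed directory: the record must be at least a minimal dirent and must not run past the bytes remaining in the buffer */`. The surrounding function starts and ends outside this hunk.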
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:17:08 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: vfs_getcwd.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1482): sys/kern/vfs_getcwd.c: revision 1.52 Don't walk off the end of the dirent buffer. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.20.1 src/sys/kern/vfs_getcwd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Aug 18 14:52:09 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: kern_malloc.c Log Message: Pull up following revision(s) (requested by martin in ticket #1465): sys/kern/kern_malloc.c: revision 1.146 Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.138 -r1.138.6.1 src/sys/kern/kern_malloc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Aug 18 14:52:09 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: kern_malloc.c Log Message: Pull up following revision(s) (requested by martin in ticket #1465): sys/kern/kern_malloc.c: revision 1.146 Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.138 -r1.138.6.1 src/sys/kern/kern_malloc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_malloc.c diff -u src/sys/kern/kern_malloc.c:1.138 src/sys/kern/kern_malloc.c:1.138.6.1 --- src/sys/kern/kern_malloc.c:1.138 Mon Feb 6 12:13:44 2012 +++ src/sys/kern/kern_malloc.c Fri Aug 18 14:52:09 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $ */ +/* $NetBSD: kern_malloc.c,v 1.138.6.1 2017/08/18 14:52:09 snj Exp $ */ /* * Copyright (c) 1987, 1991, 1993 @@ -66,7 +66,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138.6.1 2017/08/18 14:52:09 snj Exp $"); #include #include @@ -113,7 +113,10 @@ kern_malloc(unsigned long size, struct m void *p; if (size >= PAGE_SIZE) { - allocsize = PAGE_SIZE + size; /* for page alignment */ + if (size > (ULONG_MAX-PAGE_SIZE)) + allocsize = ULONG_MAX; /* this will fail later */ + else + allocsize = PAGE_SIZE + size; /* for page alignment */ hdroffset = PAGE_SIZE - sizeof(struct malloc_header); } else { allocsize = sizeof(struct malloc_header) + size;
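Review bot: The overflow branch relies on a sentinel, `allocsize = ULONG_MAX; /* this will fail later */`, which depends on the allocation call further down in kern_malloc() (outside this hunk) rejecting that size rather than wrapping again in its own arithmetic; that dependency is created here and should be stated here. Suggest `/* PAGE_SIZE + size would wrap; pick a size the allocator below cannot satisfy so the request fails rather than under-allocating */`. Note that `hdroffset = PAGE_SIZE - sizeof(struct malloc_header)` is still computed on the overflow path, which is harmless only if nothing uses it before the failed allocation is detected. The function continues outside the hunk.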
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Jul 21 03:55:56 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c uipc_syscalls.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1453): sys/kern/uipc_socket.c: revision 1.213 sys/kern/uipc_syscalls.c: revision 1.160 PR/47569: Valery Ushakov: SOCK_NONBLOCK does not work because it does not set SS_NBIO. XXX: there are too many flags that mean the same thing in too many places, and too many flags that mean the same thing and are different. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.2 -r1.209.2.1.4.3 src/sys/kern/uipc_socket.c cvs rdiff -u -r1.154.2.1.4.2 -r1.154.2.1.4.3 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_socket.c diff -u src/sys/kern/uipc_socket.c:1.209.2.1.4.2 src/sys/kern/uipc_socket.c:1.209.2.1.4.3 --- src/sys/kern/uipc_socket.c:1.209.2.1.4.2 Mon Nov 25 08:27:01 2013 +++ src/sys/kern/uipc_socket.c Fri Jul 21 03:55:56 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $ */ +/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.3 2017/07/21 03:55:56 snj Exp $ */ /*- * Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc. @@ -63,7 +63,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.209.2.1.4.3 2017/07/21 03:55:56 snj Exp $"); #include "opt_compat_netbsd.h" #include "opt_sock_counters.h" 
@@ -585,6 +585,8 @@ fsocreate(int domain, struct socket **so fp->f_data = so; fd_affix(curproc, fp, fd); *fdout = fd; + if (flags & SOCK_NONBLOCK) + so->so_state |= SS_NBIO; } return error; } Index: src/sys/kern/uipc_syscalls.c diff -u src/sys/kern/uipc_syscalls.c:1.154.2.1.4.2 src/sys/kern/uipc_syscalls.c:1.154.2.1.4.3 --- src/sys/kern/uipc_syscalls.c:1.154.2.1.4.2 Sat Dec 14 19:37:02 2013 +++ src/sys/kern/uipc_syscalls.c Fri Jul 21 03:55:56 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $ */ +/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.3 2017/07/21 03:55:56 snj Exp $ */ /*- * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.154.2.1.4.3 2017/07/21 03:55:56 snj Exp $"); #include "opt_pipe.h" @@ -235,6 +235,8 @@ do_sys_accept(struct lwp *l, int sock, s ((flags & SOCK_NOSIGPIPE) ? FNOSIGPIPE : 0); fp2->f_ops = fp2->f_data = so2; + if (flags & SOCK_NONBLOCK) + so2->so_state |= SS_NBIO; error = soaccept(so2, nam); so2->so_cred = kauth_cred_dup(so->so_cred); sounlock(so); @@ -425,6 +427,8 @@ makesocket(struct lwp *l, file_t **fp, i (*fp)->f_type = DTYPE_SOCKET; (*fp)->f_ops = (*fp)->f_data = so; + if (flags & SOCK_NONBLOCK) + so->so_state |= SS_NBIO; return 0; }
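Review bot: In fsocreate() the two added lines run after `fd_affix(curproc, fp, fd)`, which is the point at which the descriptor becomes visible to other threads of the process, so a thread racing to use the new fd can see a socket without SS_NBIO and block; the flag should be set before the descriptor is published, i.e. move `if (flags & SOCK_NONBLOCK) so->so_state |= SS_NBIO;` above the `fd_affix()` call. The do_sys_accept() hunk sets it before `soaccept()` while the socket appears to be held (`sounlock(so)` follows), and the makesocket() hunk sets it before `return 0`, so only the fsocreate() ordering looks off. Whether writes to `so_state` require the socket lock at these sites is not visible in the hunks and is worth confirming for all three.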
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Jul 21 03:55:56 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c uipc_syscalls.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1453): sys/kern/uipc_socket.c: revision 1.213 sys/kern/uipc_syscalls.c: revision 1.160 PR/47569: Valery Ushakov: SOCK_NONBLOCK does not work because it does not set SS_NBIO. XXX: there are too many flags that mean the same thing in too many places, and too many flags that mean the same thing and are different. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.2 -r1.209.2.1.4.3 src/sys/kern/uipc_socket.c cvs rdiff -u -r1.154.2.1.4.2 -r1.154.2.1.4.3 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Thu Jul 6 15:18:23 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: subr_xcall.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1419): sys/kern/subr_xcall.c: revision 1.19 Fix a race condition of low priority xcall xc_lowpri and xc_thread are racy and xc_wait may return during/before executing all xcall callbacks, resulting in a kernel panic at worst. xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall callbacks are done, xc_wait returns and also xc_lowpri accepts a next job. The problem is that a counter that counts the number of finished xcall callbacks is incremented *before* actually executing a xcall callback (see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before all xcall callbacks complete and a next job begins to run its xcall callbacks. Even worse the counter is global and shared between jobs, so if a xcall callback of the next job completes, the shared counter is incremented, which confuses xc_wait of the previous job as all xcall callbacks of the previous job are done and xc_wait of the previous job returns during/before executing its xcall callbacks. How to fix: there are actually two counters that count the number of finished xcall callbacks for low priority xcall for historical reasons (I guess): xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly while xc_tailp is incremented wrongly, i.e., before executing a xcall callback. We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep. PR kern/51632 To generate a diff of this commit: cvs rdiff -u -r1.13.16.1 -r1.13.16.2 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/kern/subr_xcall.c diff -u src/sys/kern/subr_xcall.c:1.13.16.1 src/sys/kern/subr_xcall.c:1.13.16.2 --- src/sys/kern/subr_xcall.c:1.13.16.1 Sat Apr 20 10:05:44 2013 +++ src/sys/kern/subr_xcall.c Thu Jul 6 15:18:23 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $ */ +/* $NetBSD: subr_xcall.c,v 1.13.16.2 2017/07/06 15:18:23 snj Exp $ */ /*- * Copyright (c) 2007-2010 The NetBSD Foundation, Inc. @@ -74,7 +74,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.16.2 2017/07/06 15:18:23 snj Exp $"); #include #include @@ -101,7 +101,6 @@ typedef struct { /* Low priority xcall structures. */ static xc_state_t xc_low_pri __cacheline_aligned; -static uint64_t xc_tailp __cacheline_aligned; /* High priority xcall structures. */ static xc_state_t xc_high_pri __cacheline_aligned; @@ -131,7 +130,6 @@ xc_init(void) memset(xclo, 0, sizeof(xc_state_t)); mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_NONE); cv_init(>xc_busy, "xclocv"); - xc_tailp = 0; memset(xchi, 0, sizeof(xc_state_t)); mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_SOFTCLOCK); @@ -253,7 +251,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi uint64_t where; mutex_enter(>xc_lock); - while (xc->xc_headp != xc_tailp) { + while (xc->xc_headp != xc->xc_donep) { cv_wait(>xc_busy, >xc_lock); } xc->xc_arg1 = arg1; @@ -274,7 +272,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi ci->ci_data.cpu_xcall_pending = true; cv_signal(>ci_data.cpu_xcall); } - KASSERT(xc_tailp < xc->xc_headp); + KASSERT(xc->xc_donep < xc->xc_headp); where = xc->xc_headp; mutex_exit(>xc_lock); @@ -299,7 +297,7 @@ xc_thread(void *cookie) mutex_enter(>xc_lock); for (;;) { while (!ci->ci_data.cpu_xcall_pending) { - if (xc->xc_headp == xc_tailp) { + if (xc->xc_headp == xc->xc_donep) { cv_broadcast(>xc_busy); } cv_wait(>ci_data.cpu_xcall, >xc_lock); 
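Review bot: The wait loop in xc_lowpri() now keys on `xc->xc_donep`, and its correctness depends on that counter being advanced only after a callback has returned, which is exactly the property the removed `xc_tailp++` lacked; that invariant lives in xc_thread() outside these hunks and is stated nowhere in the visible code. Suggest a comment on the loop: `/* Drain the previous job: each CPU's xc_thread advances xc_donep only after its callback has returned, so headp == donep means every callback has finished. */` The `KASSERT(xc->xc_donep < xc->xc_headp)` in the following hunk documents the same relationship from the other side.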
@@ -309,7 +307,6 @@ xc_thread(void *cookie) func = xc->xc_func; arg1 = xc->xc_arg1; arg2 = xc->xc_arg2; - xc_tailp++; mutex_exit(>xc_lock); KASSERT(func != NULL);
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Thu Jul 6 15:18:23 UTC 2017 Modified Files: src/sys/kern [netbsd-6-0]: subr_xcall.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1419): sys/kern/subr_xcall.c: revision 1.19 Fix a race condition of low priority xcall xc_lowpri and xc_thread are racy and xc_wait may return during/before executing all xcall callbacks, resulting in a kernel panic at worst. xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall callbacks are done, xc_wait returns and also xc_lowpri accepts a next job. The problem is that a counter that counts the number of finished xcall callbacks is incremented *before* actually executing a xcall callback (see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before all xcall callbacks complete and a next job begins to run its xcall callbacks. Even worse the counter is global and shared between jobs, so if a xcall callback of the next job completes, the shared counter is incremented, which confuses xc_wait of the previous job as all xcall callbacks of the previous job are done and xc_wait of the previous job returns during/before executing its xcall callbacks. How to fix: there are actually two counters that count the number of finished xcall callbacks for low priority xcall for historical reasons (I guess): xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly while xc_tailp is incremented wrongly, i.e., before executing a xcall callback. We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep. PR kern/51632 To generate a diff of this commit: cvs rdiff -u -r1.13.16.1 -r1.13.16.2 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Nov 11 07:05:47 UTC 2016 Modified Files: src/sys/kern [netbsd-6-0]: uipc_usrreq.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1415): sys/kern/uipc_usrreq.c: revision 1.181 Memory leak, found by Mootja. It is easily triggerable from userland. To generate a diff of this commit: cvs rdiff -u -r1.136.8.2 -r1.136.8.2.2.1 src/sys/kern/uipc_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_usrreq.c diff -u src/sys/kern/uipc_usrreq.c:1.136.8.2 src/sys/kern/uipc_usrreq.c:1.136.8.2.2.1 --- src/sys/kern/uipc_usrreq.c:1.136.8.2 Tue Oct 9 23:45:21 2012 +++ src/sys/kern/uipc_usrreq.c Fri Nov 11 07:05:47 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_usrreq.c,v 1.136.8.2 2012/10/09 23:45:21 riz Exp $ */ +/* $NetBSD: uipc_usrreq.c,v 1.136.8.2.2.1 2016/11/11 07:05:47 snj Exp $ */ /*- * Copyright (c) 1998, 2000, 2004, 2008, 2009 The NetBSD Foundation, Inc. @@ -96,7 +96,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.2 2012/10/09 23:45:21 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.2.2.1 2016/11/11 07:05:47 snj Exp $"); #include #include @@ -1014,11 +1014,11 @@ unp_connect(struct socket *so, struct mb goto bad2; } vp = nd.ni_vp; + pathbuf_destroy(pb); if (vp->v_type != VSOCK) { error = ENOTSOCK; goto bad; } - pathbuf_destroy(pb); if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0) goto bad; /* Acquire v_interlock to protect against unp_detach(). */
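Review bot: Moving `pathbuf_destroy(pb)` above the `v_type` test closes the leak on the ENOTSOCK path, but every later `goto bad` now reaches the `bad:` cleanup with `pb` already destroyed; the label bodies are outside the hunk, so it is worth confirming that `bad:` does not also destroy `pb` (a double destroy) and that `bad2:` remains the only exit that still owns it. A one-line comment would make the ownership change explicit: `/* pb is no longer needed once vp is held; release it before any further error exit */`. unp_connect() begins and ends outside this hunk.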
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Fri Nov 11 07:05:47 UTC 2016 Modified Files: src/sys/kern [netbsd-6-0]: uipc_usrreq.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1415): sys/kern/uipc_usrreq.c: revision 1.181 Memory leak, found by Mootja. It is easily triggerable from userland. To generate a diff of this commit: cvs rdiff -u -r1.136.8.2 -r1.136.8.2.2.1 src/sys/kern/uipc_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Thu Jul 14 06:43:35 UTC 2016 Modified Files: src/sys/kern [netbsd-6-0]: kern_softint.c Log Message: Pull up following revision(s) (requested by knakahara in ticket #1356): sys/kern/kern_softint.c: revision 1.42 fix the following softint parallel operation problem. (0) softint handler "handler A" is established (1) CPU#X does softint_schedule() for "handler A" - the softhand_t is set SOFTINT_PENDING flag - the softhand_t is NOT set SOFTINT_ACTIVE flag yet (2) CPU#X begins other H/W interrupt processing (3) CPU#Y does softint_disestablish() for "handler A" - waits until softhand_t's SOFTINT_ACTIVE of all CPUs is clear - the softhand_t is set not SOFTINT_ACTIVE but SOFTINT_PENDING, so CPU#Y does not wait - unset the function of "handler A" (4) CPU#X does softint_execute() - the function of "handler A" is already clear, so panic To generate a diff of this commit: cvs rdiff -u -r1.38.14.1 -r1.38.14.2 src/sys/kern/kern_softint.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_softint.c diff -u src/sys/kern/kern_softint.c:1.38.14.1 src/sys/kern/kern_softint.c:1.38.14.2 --- src/sys/kern/kern_softint.c:1.38.14.1 Fri Feb 8 19:31:19 2013 +++ src/sys/kern/kern_softint.c Thu Jul 14 06:43:35 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_softint.c,v 1.38.14.1 2013/02/08 19:31:19 riz Exp $ */ +/* $NetBSD: kern_softint.c,v 1.38.14.2 2016/07/14 06:43:35 snj Exp $ */ /*- * Copyright (c) 2007, 2008 The NetBSD Foundation, Inc. @@ -176,7 +176,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.14.1 2013/02/08 19:31:19 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.14.2 2016/07/14 06:43:35 snj Exp $"); #include #include 
@@ -424,8 +424,8 @@ softint_disestablish(void *arg)
 KASSERT(sh->sh_func != NULL);
 flags |= sh->sh_flags;
 }
- /* Inactive on all CPUs? */
- if ((flags & SOFTINT_ACTIVE) == 0) {
+ /* Neither pending nor active on all CPUs? */
+ if ((flags & (SOFTINT_PENDING | SOFTINT_ACTIVE)) == 0) {
 break;
 }
 /* Oops, still active. Wait for it to clear. */
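Review bot: The context comment at the end of the hunk, `/* Oops, still active. Wait for it to clear. */`, is now stale: the loop also retries when the handler is merely pending, which is precisely the case this change was made to cover. Suggest `/* Oops, still pending or active. Wait for it to clear. */`. The retry loop and the wait it performs are outside this hunk.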
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: snj Date: Thu Jul 14 06:43:35 UTC 2016 Modified Files: src/sys/kern [netbsd-6-0]: kern_softint.c Log Message: Pull up following revision(s) (requested by knakahara in ticket #1356): sys/kern/kern_softint.c: revision 1.42 fix the following softint parallel operation problem. (0) softint handler "handler A" is established (1) CPU#X does softint_schedule() for "handler A" - the softhand_t is set SOFTINT_PENDING flag - the softhand_t is NOT set SOFTINT_ACTIVE flag yet (2) CPU#X begins other H/W interrupt processing (3) CPU#Y does softint_disestablish() for "handler A" - waits until softhand_t's SOFTINT_ACTIVE of all CPUs is clear - the softhand_t is set not SOFTINT_ACTIVE but SOFTINT_PENDING, so CPU#Y does not wait - unset the function of "handler A" (4) CPU#X does softint_execute() - the function of "handler A" is already clear, so panic To generate a diff of this commit: cvs rdiff -u -r1.38.14.1 -r1.38.14.2 src/sys/kern/kern_softint.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:38:01 UTC 2015 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c kern_exit.c kern_synch.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1333): sys/kern/kern_exec.c: revision 1.420 sys/kern/kern_synch.c: revision 1.309 sys/kern/kern_exit.c: revision 1.246 sys/kern/kern_exit.c: revision 1.247 sys/kern/kern_exec.c: revision 1.419 In execve_runproc(), update the p_waited entry for the process being moved to SSTOP state, not for its parent. (It is correct to update the parent's p_nstopchild count.) If the value is not already zero, it could prevent its parent from waiting for the process. Fixes PR kern/50298 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 When clearing out the scheduler queues during system shutdown, we move all processes to the SSTOP state. Make sure we update each process's p_waited and the parents' p_nstopchild counters to maintain consistent values. Should not make any real difference this late in the shutdown process, but we should still be consistent just in case. Fixes PR kern/50318 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 Currently, if a process is exiting and its parent has indicated no intent of reaping the process (nor any other children), the process will get reparented to init. Since the state of the exiting process at this point is SDEAD, proc_reparent() will not update either the old or new parent's p_nstopchild counters. This change causes both old and new parents to be properly updated. Fixes PR kern/50300 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 For processes marked with PS_STOPEXIT, update the process's p_waited value, and update its parent's p_nstopchild value when marking the process's p_stat to SSTOP. 
The process needed to be SACTIVE to get here, so this transition represents an additional process for which the parent needs to wait. Fixes PR kern/50308 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 In spawn_return() we temporarily move the process state to SSTOP, but without updating its p_waited value or its parent's p_nstopchild counter. Later, we restore the original state, again without any adjustment of the related values. This leaves a relatively short window when the values are inconsistent and could interfere with the proper operation of sys_wait() for the parent (if it manages to be scheduled; it's not totally clear what, if anything, prevents scheduling/execution of the parent). If during this window, any of the checks being made result in an error, we call exit1() which will eventually migrate the process's state to SDEAD (with an intermediate transition to SDYING). At this point the other variables get updated, and we finally restore a consistent state. This change updates the p_waited and parent's p_nstopchild at each step to eliminate any windows during which the values could lead to incorrect decisions. Fixes PR kern/50330 Pullups will be requested for NetBSD-7, -6, -6-0, and -6-1 To generate a diff of this commit: cvs rdiff -u -r1.339.2.5.4.3 -r1.339.2.5.4.4 src/sys/kern/kern_exec.c cvs rdiff -u -r1.236.2.2 -r1.236.2.2.2.1 src/sys/kern/kern_exit.c cvs rdiff -u -r1.297.2.1 -r1.297.2.1.4.1 src/sys/kern/kern_synch.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_exec.c diff -u src/sys/kern/kern_exec.c:1.339.2.5.4.3 src/sys/kern/kern_exec.c:1.339.2.5.4.4 --- src/sys/kern/kern_exec.c:1.339.2.5.4.3 Mon Apr 21 10:00:35 2014 +++ src/sys/kern/kern_exec.c Sun Nov 15 20:38:01 2015 
@@ -1,4 +1,4 @@ -/* $NetBSD: kern_exec.c,v 1.339.2.5.4.3 2014/04/21 10:00:35 bouyer Exp $ */ +/* $NetBSD: kern_exec.c,v 1.339.2.5.4.4 2015/11/15 20:38:01 bouyer Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -59,7 +59,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.5.4.3 2014/04/21 10:00:35 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.5.4.4 2015/11/15 20:38:01 bouyer Exp $"); #include "opt_exec.h" #include "opt_ktrace.h" @@ -1408,7 +1408,7 @@ execve_runproc(struct lwp *l, struct exe if (p->p_sflag & PS_STOPEXEC) { KERNEL_UNLOCK_ALL(l, >l_biglocks); p->p_pptr->p_nstopchild++; - p->p_pptr->p_waited = 0; + p->p_waited = 0; mutex_enter(p->p_lock); ksiginfo_queue_init(); sigclearall(p, , ); @@ -1845,6 +1845,7 @@ spawn_return(void *arg) struct spawn_exec_data *spawn_data = arg; struct lwp *l = curlwp; int error, newfd; + int ostat; size_t i; const struct posix_spawn_file_actions_entry *fae; pid_t ppid; @@ -1917,7 +1918,6 @@ spawn_return(void *arg) /* handle posix_spawnattr */ if (spawn_data->sed_attrs != NULL) { - int ostat;
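Review bot: In the `@@ -1408` hunk the three values that describe a stop — the parent's `p_nstopchild`, the child's `p_waited` and (below the visible context) `p_stat` — are updated with no comment saying they must change together under one lock, which is how the old code came to clear the wrong process's `p_waited`; suggest `/* New stop: clear the child's own p_waited and give the parent one more stopped child to collect; keep these and the p_stat change under the same lock. */`. Whether the `p_stat = SSTOP` store happens before `proc_lock` is released cannot be checked here, and the kern_exit.c pull-up further down this page (ticket #1336) fixes exactly that ordering in exit1(), so the same question is worth asking of this site. In the `@@ -1845` hunk `ostat` is hoisted to function scope, which only pays off if the later error paths read it; that part of the `@@ -1917` hunk is cut off on this page. execve_runproc() and spawn_return() both start and end outside these hunks.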
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:38:01 UTC 2015 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c kern_exit.c kern_synch.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1333): sys/kern/kern_exec.c: revision 1.420 sys/kern/kern_synch.c: revision 1.309 sys/kern/kern_exit.c: revision 1.246 sys/kern/kern_exit.c: revision 1.247 sys/kern/kern_exec.c: revision 1.419 In execve_runproc(), update the p_waited entry for the process being moved to SSTOP state, not for its parent. (It is correct to update the parent's p_nstopchild count.) If the value is not already zero, it could prevent its parent from waiting for the process. Fixes PR kern/50298 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 When clearing out the scheduler queues during system shutdown, we move all processes to the SSTOP state. Make sure we update each process's p_waited and the parents' p_nstopchild counters to maintain consistent values. Should not make any real difference this late in the shutdown process, but we should still be consistent just in case. Fixes PR kern/50318 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 Currently, if a process is exiting and its parent has indicated no intent of reaping the process (nor any other children), the process wil get reparented to init. Since the state of the exiting process at this point is SDEAD, proc_reparent() will not update either the old or new parent's p_nstopchild counters. This change causes both old and new parents to be properly updated. Fixes PR kern/50300 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 For processes marked with PS_STOPEXIT, update the process's p_waited value, and update its parent's p_nstopchild value when marking the process's p_stat to SSTOP. 
The process needed to be SACTIVE to get here, so this transition represents an additional process for which the parent needs to wait. Fixes PR kern/50308 Pullups will be requested for: NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2 In spawn_return() we temporarily move the process state to SSTOP, but without updating its p_waited value or its parent's p_nstopchild counter. Later, we restore the original state, again without any adjustment of the related values. This leaves a relatively short window when the values are inconsistent and could interfere with the proper operation of sys_wait() for the parent (if it manages to be scheduled; it's not totally clear what, if anything, prevents scheduling/execution of the parent). If during this window, any of the checks being made result in an error, we call exit1() which will eventually migrate the process's state to SDEAD (with an intermediate transition to SDYING). At this point the other variables get updated, and we finally restore a consistent state. This change updates the p_waited and parent's p_nstopchild at each step to eliminate any windows during which the values could lead to incorrect decisions. Fixes PR kern/50330 Pullups will be requested for NetBSD-7, -6, -6-0, and -6-1 To generate a diff of this commit: cvs rdiff -u -r1.339.2.5.4.3 -r1.339.2.5.4.4 src/sys/kern/kern_exec.c cvs rdiff -u -r1.236.2.2 -r1.236.2.2.2.1 src/sys/kern/kern_exit.c cvs rdiff -u -r1.297.2.1 -r1.297.2.1.4.1 src/sys/kern/kern_synch.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:40:26 UTC 2015 Modified Files: src/sys/kern [netbsd-6-0]: kern_sig.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1334): sys/kern/kern_sig.c: revision 1.321 When delivering a signal, it's possible that the process's state in p_stat is SACTIVE yet p_sflag is PS_STOPPING (while waiting for other lwp's to stop). In that case, we don't want to adjust the parent's p_nstopchild count. Found by Robert Elz. XXX Pullups to: NetBSD-7, -6{,-0,-1}, and -5{,-0,-1,-2} To generate a diff of this commit: cvs rdiff -u -r1.316 -r1.316.12.1 src/sys/kern/kern_sig.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_sig.c diff -u src/sys/kern/kern_sig.c:1.316 src/sys/kern/kern_sig.c:1.316.12.1 --- src/sys/kern/kern_sig.c:1.316 Fri Sep 16 22:07:17 2011 +++ src/sys/kern/kern_sig.c Sun Nov 15 20:40:26 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $ */ +/* $NetBSD: kern_sig.c,v 1.316.12.1 2015/11/15 20:40:26 bouyer Exp $ */ /*- * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc. @@ -70,7 +70,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316.12.1 2015/11/15 20:40:26 bouyer Exp $"); #include "opt_ptrace.h" #include "opt_compat_sunos.h" 
@@ -1461,14 +1461,13 @@ kpsignal2(struct proc *p, ksiginfo_t *ks } if ((prop & SA_CONT) != 0 || signo == SIGKILL) { /* - * Re-adjust p_nstopchild if the process wasn't - * collected by its parent. + * Re-adjust p_nstopchild if the process was + * stopped but not yet collected by its parent. */ + if (p->p_stat == SSTOP && !p->p_waited) +p->p_pptr->p_nstopchild--; p->p_stat = SACTIVE; p->p_sflag &= ~PS_STOPPING; - if (!p->p_waited) { -p->p_pptr->p_nstopchild--; - } if (p->p_slflag & PSL_TRACED) { KASSERT(signo == SIGKILL); goto deliver;
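Review bot: The new `if (p->p_stat == SSTOP && !p->p_waited)` in the `@@ -1461` hunk encodes a subtle invariant — a process that is SACTIVE with PS_STOPPING set was never counted in its parent's `p_nstopchild` — but the rewritten comment only says "stopped but not yet collected", so someone could later "simplify" the test back to `!p->p_waited`. Suggested wording: `* Re-adjust p_nstopchild only if the process was fully stopped (SSTOP) and not yet collected; SACTIVE with PS_STOPPING set was never counted.`. Style-wise, the removed code braced the single-statement body and the new code does not; keeping the braces matches the other `if` blocks in this hunk. kpsignal2() starts and ends outside the hunk.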
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:40:26 UTC 2015 Modified Files: src/sys/kern [netbsd-6-0]: kern_sig.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1334): sys/kern/kern_sig.c: revision 1.321 When delivering a signal, it's possible that the process's state in p_stat is SACTIVE yet p_sflag is PS_STOPPING (while waiting for other lwp's to stop). In that case, we don't want to adjust the parent's p_nstopchild count. Found by Robert Elz. XXX Pullups to: NetBSD-7, -6{,-0,-1}, and -5{,-0,-1,-2} To generate a diff of this commit: cvs rdiff -u -r1.316 -r1.316.12.1 src/sys/kern/kern_sig.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:44:10 UTC 2015 Modified Files: src/sys/kern [netbsd-6-0]: kern_exit.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1336): sys/kern/kern_exit.c: revision 1.248 Update value of p_stat before we release the proc_lock. Thanks to Robert Elz. XXX Pull-ups for -7, -6{,-0,-1} and -5{,-0,-1,-2} To generate a diff of this commit: cvs rdiff -u -r1.236.2.2.2.1 -r1.236.2.2.2.2 src/sys/kern/kern_exit.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_exit.c diff -u src/sys/kern/kern_exit.c:1.236.2.2.2.1 src/sys/kern/kern_exit.c:1.236.2.2.2.2 --- src/sys/kern/kern_exit.c:1.236.2.2.2.1 Sun Nov 15 20:38:01 2015 +++ src/sys/kern/kern_exit.c Sun Nov 15 20:44:10 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_exit.c,v 1.236.2.2.2.1 2015/11/15 20:38:01 bouyer Exp $ */ +/* $NetBSD: kern_exit.c,v 1.236.2.2.2.2 2015/11/15 20:44:10 bouyer Exp $ */ /*- * Copyright (c) 1998, 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc. @@ -67,7 +67,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.2.1 2015/11/15 20:38:01 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.2.2 2015/11/15 20:44:10 bouyer Exp $"); #include "opt_ktrace.h" #include "opt_perfctrs.h" @@ -248,8 +248,8 @@ exit1(struct lwp *l, int rv) } p->p_waited = 0; p->p_pptr->p_nstopchild++; - mutex_exit(proc_lock); p->p_stat = SSTOP; + mutex_exit(proc_lock); lwp_lock(l); p->p_nrlwps--; l->l_stat = LSSTOP;
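Review bot: Moving `p->p_stat = SSTOP;` ahead of `mutex_exit(proc_lock)` in the `@@ -248` hunk closes the window in which a reader that takes proc_lock could see `p_waited == 0` and the incremented `p_nstopchild` while `p_stat` was still unchanged — exactly the pair of fields the kern_sig.c pull-up on this page now tests in kpsignal2(). Nothing at the site records that requirement, so a short comment is warranted: `/* p_stat, p_waited and the parent's p_nstopchild must all change under proc_lock so readers see them consistently. */`. exit1() starts and ends outside the hunk.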
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Nov 15 20:44:10 UTC 2015 Modified Files: src/sys/kern [netbsd-6-0]: kern_exit.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1336): sys/kern/kern_exit.c: revision 1.248 Update value of p_stat before we release the proc_lock. Thanks to Robert Elz. XXX Pull-ups for -7, -6{,-0,-1} and -5{,-0,-1,-2} To generate a diff of this commit: cvs rdiff -u -r1.236.2.2.2.1 -r1.236.2.2.2.2 src/sys/kern/kern_exit.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Nov 3 15:31:15 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_rndpool.c kern_rndq.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1118): sys/kern/kern_rndq.c: revision 1.27 sys/kern/kern_rndpool.c: revision 1.7 buf is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndq.c. done is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndpool.c. To generate a diff of this commit: cvs rdiff -u -r1.1.2.1 -r1.1.2.1.4.1 src/sys/kern/kern_rndpool.c cvs rdiff -u -r1.1.2.2.4.1 -r1.1.2.2.4.2 src/sys/kern/kern_rndq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_rndpool.c diff -u src/sys/kern/kern_rndpool.c:1.1.2.1 src/sys/kern/kern_rndpool.c:1.1.2.1.4.1 --- src/sys/kern/kern_rndpool.c:1.1.2.1 Fri Apr 20 23:35:20 2012 +++ src/sys/kern/kern_rndpool.c Mon Nov 3 15:31:15 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_rndpool.c,v 1.1.2.1 2012/04/20 23:35:20 riz Exp $*/ +/* $NetBSD: kern_rndpool.c,v 1.1.2.1.4.1 2014/11/03 15:31:15 msaitoh Exp $*/ /*- * Copyright (c) 1997 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_rndpool.c,v 1.1.2.1 2012/04/20 23:35:20 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_rndpool.c,v 1.1.2.1.4.1 2014/11/03 15:31:15 msaitoh Exp $); #include sys/param.h #include sys/systm.h @@ -191,8 +191,7 @@ rndpool_add_data(rndpool_t *rp, void *p, buf = p; for (; len 3; len -= 4) { - val = *((u_int32_t *)buf); - + (void)memcpy(val, buf, 4); rndpool_add_one_word(rp, val); buf += 4; } Index: src/sys/kern/kern_rndq.c diff -u src/sys/kern/kern_rndq.c:1.1.2.2.4.1 src/sys/kern/kern_rndq.c:1.1.2.2.4.2 --- src/sys/kern/kern_rndq.c:1.1.2.2.4.1 Fri Feb 8 20:28:22 2013 +++ src/sys/kern/kern_rndq.c Mon Nov 3 15:31:15 2014 
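Review bot: The new `memcpy(&val, buf, 4)` in the `@@ -191` hunk of kern_rndpool.c hard-codes the width that the `len > 3` test and `buf += 4` also hard-code; `sizeof(val)` as the length would tie the copy to the type being filled (the `&` before `val`, like the `<`/`>` of the includes, has been stripped by this page's rendering). The reason for the memcpy is not obvious from the code — the dereference it replaces was an unaligned `u_int32_t` load, which is undefined behaviour and traps on strict-alignment targets — so a comment such as `/* buf is not guaranteed to be aligned; copy rather than dereference */` would keep a future reader from reverting it. rndpool_add_data() starts and ends outside the hunk.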
@@ -1,4 +1,4 @@ -/* $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $ */ +/* $NetBSD: kern_rndq.c,v 1.1.2.2.4.2 2014/11/03 15:31:15 msaitoh Exp $ */ /*- * Copyright (c) 1997-2011 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2.4.2 2014/11/03 15:31:15 msaitoh Exp $); #include sys/param.h #include sys/ioctl.h @@ -658,7 +658,8 @@ rnd_add_data_ts(krndsource_t *rs, const u_int32_t entropy, uint32_t ts) { rnd_sample_t *state = NULL; - const uint32_t *dint = data; + const uint8_t *p = data; + uint32_t dint; int todo, done, filled = 0; SIMPLEQ_HEAD(, _rnd_sample_t) tmp_samples = SIMPLEQ_HEAD_INITIALIZER(tmp_samples); @@ -671,7 +672,7 @@ rnd_add_data_ts(krndsource_t *rs, const * Loop over data packaging it into sample buffers. * If a sample buffer allocation fails, drop all data. */ - todo = len / sizeof(*dint); + todo = len / sizeof(dint); for (done = 0; done todo ; done++) { state = rs-state; if (state == NULL) { @@ -683,7 +684,8 @@ rnd_add_data_ts(krndsource_t *rs, const } state-ts[state-cursor] = ts; - state-values[state-cursor] = dint[done]; + (void)memcpy(dint, p[done*4], 4); + state-values[state-cursor] = dint; state-cursor++; if (state-cursor == RND_SAMPLE_COUNT) {
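Review bot: `todo = len / sizeof(dint)` in the `@@ -671` hunk silently drops the last `len % 4` bytes of `data`; whether the caller's `entropy` credit is reduced to match is not visible in this hunk, and if it is not, the source is credited for bytes that never reach the pool. Either a comment stating that tails are intentionally discarded or a `KASSERT((len % sizeof(dint)) == 0)` would settle it. The follow-on `@@ -683` hunk (cut off on this page) uses literal `4`s in `memcpy(&dint, &p[done*4], 4)` where `sizeof(dint)` would match the `todo` computation two hunks earlier. rnd_add_data_ts() starts in the `@@ -658` hunk and ends outside the visible text.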
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Nov 3 15:31:15 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_rndpool.c kern_rndq.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1118): sys/kern/kern_rndq.c: revision 1.27 sys/kern/kern_rndpool.c: revision 1.7 buf is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndq.c. done is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndpool.c. To generate a diff of this commit: cvs rdiff -u -r1.1.2.1 -r1.1.2.1.4.1 src/sys/kern/kern_rndpool.c cvs rdiff -u -r1.1.2.2.4.1 -r1.1.2.2.4.2 src/sys/kern/kern_rndq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Jul 14 06:26:02 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_core.c Log Message: Pull up following revision(s) (requested by maxt in ticket #1097): sys/kern/kern_core.c: revision 1.23 Fix a read-beyond-end string read. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.20.14.1 src/sys/kern/kern_core.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_core.c diff -u src/sys/kern/kern_core.c:1.20 src/sys/kern/kern_core.c:1.20.14.1 --- src/sys/kern/kern_core.c:1.20 Sat Sep 24 22:53:50 2011 +++ src/sys/kern/kern_core.c Mon Jul 14 06:26:01 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_core.c,v 1.20 2011/09/24 22:53:50 christos Exp $ */ +/* $NetBSD: kern_core.c,v 1.20.14.1 2014/07/14 06:26:01 msaitoh Exp $ */ /* * Copyright (c) 1982, 1986, 1989, 1991, 1993 @@ -37,7 +37,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_core.c,v 1.20 2011/09/24 22:53:50 christos Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_core.c,v 1.20.14.1 2014/07/14 06:26:01 msaitoh Exp $); #include sys/param.h #include sys/vnode.h @@ -155,6 +155,12 @@ coredump(struct lwp *l, const char *patt error = coredump_buildname(p, name, pattern, MAXPATHLEN); mutex_exit(lim-pl_lock); + if (error) { + mutex_exit(p-p_lock); + mutex_exit(proc_lock); + goto done; + } + /* * On a simple filename, see if the filesystem allow us to write * core dumps there.
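Review bot: The new error exit in the `@@ -155` hunk releases `p->p_lock` and `proc_lock` inline before `goto done`; that duplicated unlock pair is easy to get out of step with the existing error paths (outside the hunk), so a dedicated label in front of those two `mutex_exit()` calls would keep lock release in one place. A comment on why the check matters would also help, since the log message says this fixes a read past the end of a string: `/* coredump_buildname() can fail on a malformed pattern; do not use 'name' in that case */`. coredump() starts and ends outside the hunk.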
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Jul 14 06:33:55 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: sys_module.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1098): sys/kern/sys_module.c: revision 1.15 Fix a user-controlled memory allocation. kmem_alloc(0) will panic the system. ok christos@ To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.12.1 src/sys/kern/sys_module.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/sys_module.c diff -u src/sys/kern/sys_module.c:1.13 src/sys/kern/sys_module.c:1.13.12.1 --- src/sys/kern/sys_module.c:1.13 Fri Jul 8 09:32:45 2011 +++ src/sys/kern/sys_module.c Mon Jul 14 06:33:55 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: sys_module.c,v 1.13 2011/07/08 09:32:45 mrg Exp $ */ +/* $NetBSD: sys_module.c,v 1.13.12.1 2014/07/14 06:33:55 msaitoh Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: sys_module.c,v 1.13 2011/07/08 09:32:45 mrg Exp $); +__KERNEL_RCSID(0, $NetBSD: sys_module.c,v 1.13.12.1 2014/07/14 06:33:55 msaitoh Exp $); #include sys/param.h #include sys/systm.h @@ -43,6 +43,11 @@ __KERNEL_RCSID(0, $NetBSD: sys_module.c #include sys/syscall.h #include sys/syscallargs.h +/* + * Arbitrary limit to avoid DoS for excessive memory allocation. + */ +#define MAXPROPSLEN 4096 + static int handle_modctl_load(modctl_load_t *ml) { @@ -64,7 +69,12 @@ handle_modctl_load(modctl_load_t *ml) goto out2; if (ml-ml_props != NULL) { + if (ml-ml_propslen MAXPROPSLEN) { + error = ENOMEM; + goto out2; + } propslen = ml-ml_propslen + 1; + props = (char *)kmem_alloc(propslen, KM_SLEEP); if (props == NULL) { error = ENOMEM;
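Review bot: The comment on the new `MAXPROPSLEN` in the `@@ -43` hunk describes it only as a DoS guard against excessive allocation, but the bound also does the job the log message names: `propslen = ml->ml_propslen + 1` in the `@@ -64` hunk can wrap to 0 for a user-supplied length of SIZE_MAX, and `kmem_alloc(0)` panics. Stating both keeps a future "raise the limit" change from being made without thought, e.g. `/* Arbitrary limit on user-supplied property data: bounds the kmem_alloc() and keeps ml_propslen + 1 from wrapping to 0 (kmem_alloc(0) panics). */`. Returning `ENOMEM` for a rejected user length is arguably the wrong errno; `EINVAL` (or `E2BIG`) tells the caller the request was malformed rather than that memory ran out. handle_modctl_load() ends outside the `@@ -64` hunk, which is cut off on this page.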
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Jul 14 06:26:02 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_core.c Log Message: Pull up following revision(s) (requested by maxt in ticket #1097): sys/kern/kern_core.c: revision 1.23 Fix a read-beyond-end string read. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.20.14.1 src/sys/kern/kern_core.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Mon Jul 14 06:33:55 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: sys_module.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1098): sys/kern/sys_module.c: revision 1.15 Fix a user-controlled memory allocation. kmem_alloc(0) will panic the system. ok christos@ To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.12.1 src/sys/kern/sys_module.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Mon Apr 21 10:00:35 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1048): sys/kern/kern_exec.c: revision 1.403 'error' is not set on failure. This is a true bug: everything is freed and unlocked while zero is returned. Since there's no error, execve_runproc() will get called and will try to use those freed things. To generate a diff of this commit: cvs rdiff -u -r1.339.2.5.4.2 -r1.339.2.5.4.3 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Tue Mar 18 09:36:58 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_verifiedexec.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1034): sys/kern/kern_verifiedexec.c: revision 1.132 Reorder code to avoid use-after-free on error. From Maxime Villard To generate a diff of this commit: cvs rdiff -u -r1.128 -r1.128.8.1 src/sys/kern/kern_verifiedexec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_verifiedexec.c diff -u src/sys/kern/kern_verifiedexec.c:1.128 src/sys/kern/kern_verifiedexec.c:1.128.8.1 --- src/sys/kern/kern_verifiedexec.c:1.128 Sun Nov 20 10:32:33 2011 +++ src/sys/kern/kern_verifiedexec.c Tue Mar 18 09:36:58 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_verifiedexec.c,v 1.128 2011/11/20 10:32:33 hannken Exp $ */ +/* $NetBSD: kern_verifiedexec.c,v 1.128.8.1 2014/03/18 09:36:58 msaitoh Exp $ */ /*- * Copyright (c) 2005, 2006 Elad Efrat e...@netbsd.org @@ -29,7 +29,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_verifiedexec.c,v 1.128 2011/11/20 10:32:33 hannken Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_verifiedexec.c,v 1.128.8.1 2014/03/18 09:36:58 msaitoh Exp $); #include opt_veriexec.h @@ -1281,18 +1281,6 @@ veriexec_file_add(struct lwp *l, prop_di vfe-npages = 0; vfe-last_page_size = 0; - vte = veriexec_table_lookup(vp-v_mount); - if (vte == NULL) - vte = veriexec_table_add(l, vp-v_mount); - - /* XXX if we bail below this, we might want to gc newly created vtes. */ - - error = fileassoc_add(vp, veriexec_hook, vfe); - if (error) - goto unlock_out; - - vte-vte_count++; - if (prop_bool_true(prop_dictionary_get(dict, eval-on-load)) || (vfe-type VERIEXEC_UNTRUSTED)) { u_char *digest; 
@@ -1314,6 +1302,18 @@ veriexec_file_add(struct lwp *l, prop_di kmem_free(digest, vfe-ops-hash_len); } + vte = veriexec_table_lookup(vp-v_mount); + if (vte == NULL) + vte = veriexec_table_add(l, vp-v_mount); + + /* XXX if we bail below this, we might want to gc newly created vtes. */ + + error = fileassoc_add(vp, veriexec_hook, vfe); + if (error) + goto unlock_out; + + vte-vte_count++; + veriexec_file_report(NULL, New entry., file, NULL, REPORT_DEBUG); veriexec_bypass = 0;
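Review bot: After the move in the `@@ -1302` hunk the `/* XXX if we bail below this ... */` comment now sits directly above the single remaining bail-out, the `goto unlock_out` on `fileassoc_add()` failure, and on that path a `vte` just created by `veriexec_table_add()` is left behind with `vte_count` not yet incremented; the reorder narrows the leak to exactly that call, so the comment should say so rather than stay generic. Nothing in the code explains why the fingerprint block now precedes registration, so a sentence at the site is worth adding, e.g. `/* Fingerprint before registering vfe: an error in the block above presumably frees vfe, which must not yet be reachable through fileassoc. */` (the freeing path is outside the hunk, hence the hedge). veriexec_file_add() starts and ends outside both hunks.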
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Tue Mar 18 09:36:58 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: kern_verifiedexec.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1034): sys/kern/kern_verifiedexec.c: revision 1.132 Reorder code to avoid use-after-free on error. From Maxime Villard To generate a diff of this commit: cvs rdiff -u -r1.128 -r1.128.8.1 src/sys/kern/kern_verifiedexec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Fri Feb 14 23:21:28 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: exec_elf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1028): sys/kern/exec_elf.c: revision 1.55 Fix memory leak. ok christos@ agc@ To generate a diff of this commit: cvs rdiff -u -r1.37.2.1 -r1.37.2.1.4.1 src/sys/kern/exec_elf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/exec_elf.c diff -u src/sys/kern/exec_elf.c:1.37.2.1 src/sys/kern/exec_elf.c:1.37.2.1.4.1 --- src/sys/kern/exec_elf.c:1.37.2.1 Thu Apr 12 17:05:36 2012 +++ src/sys/kern/exec_elf.c Fri Feb 14 23:21:28 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: exec_elf.c,v 1.37.2.1 2012/04/12 17:05:36 riz Exp $ */ +/* $NetBSD: exec_elf.c,v 1.37.2.1.4.1 2014/02/14 23:21:28 bouyer Exp $ */ /*- * Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc. @@ -57,7 +57,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(1, $NetBSD: exec_elf.c,v 1.37.2.1 2012/04/12 17:05:36 riz Exp $); +__KERNEL_RCSID(1, $NetBSD: exec_elf.c,v 1.37.2.1.4.1 2014/02/14 23:21:28 bouyer Exp $); #ifdef _KERNEL_OPT #include opt_pax.h @@ -820,6 +820,7 @@ exec_elf_makecmds(struct lwp *l, struct if ((error = elf_load_file(l, epp, interp, epp-ep_vmcmds, interp_offset, ap, pos)) != 0) { + kmem_free(ap, sizeof(*ap)); goto bad; } ap-arg_interp = epp-ep_vmcmds.evs_cmds[j].ev_addr;
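Review bot: The added `kmem_free(ap, sizeof(*ap))` in the `@@ -820` hunk leaves `ap` pointing at freed memory on the way to `bad:`; if the cleanup after that label (outside the hunk) frees or inspects `ap`, or is later extended to, this becomes a double free. Clearing it right after the free, `ap = NULL;`, makes the `bad:` path safe to extend. exec_elf_makecmds() starts and ends outside the hunk.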
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Fri Feb 14 23:21:28 UTC 2014 Modified Files: src/sys/kern [netbsd-6-0]: exec_elf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1028): sys/kern/exec_elf.c: revision 1.55 Fix memory leak. ok christos@ agc@ To generate a diff of this commit: cvs rdiff -u -r1.37.2.1 -r1.37.2.1.4.1 src/sys/kern/exec_elf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Dec 14 19:37:02 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_syscalls.c Log Message: Pull up following revision(s) (requested by spz in ticket #996): sys/kern/uipc_syscalls.c: revision 1.163 PR/47591: Michael Plass: If the unix socket is closed before accept, unp-unp_conn will be NULL in PRU_ACCEPT, as called from sys_accept-so_accept. This will cause the usrreq to return with no error, leaving the mbuf gotten from m_get() with an uninitialized length, containing junk from a previous call. Initialize m_len to be 0 to handle this case. This is yet another reason why Beverly's idea of setting m_len = 0 in m_get() makes a lot of sense. Arguably this could be an error, since the data we return now has 0 family and length. To generate a diff of this commit: cvs rdiff -u -r1.154.2.1.4.1 -r1.154.2.1.4.2 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_syscalls.c diff -u src/sys/kern/uipc_syscalls.c:1.154.2.1.4.1 src/sys/kern/uipc_syscalls.c:1.154.2.1.4.2 --- src/sys/kern/uipc_syscalls.c:1.154.2.1.4.1 Mon Jan 7 16:53:36 2013 +++ src/sys/kern/uipc_syscalls.c Sat Dec 14 19:37:02 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $ */ +/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $ */ /*- * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.2 2013/12/14 19:37:02 bouyer Exp $); #include opt_pipe.h @@ -184,6 +184,7 @@ do_sys_accept(struct lwp *l, int sock, s return (error); } nam = m_get(M_WAIT, MT_SONAME); + nam-m_len = 0; *new_sock = fd; so = fp-f_data; solock(so);
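Review bot: `nam->m_len = 0;` in the `@@ -184` hunk covers the case where the protocol's PRU_ACCEPT returns success without filling the name (the closed-before-accept race from PR/47591), but at the site it reads like a redundant initialisation and will be dropped by the next cleanup; suggest `/* PRU_ACCEPT may return 0 without filling nam (peer already gone); start empty. */`. The log message itself notes that userland then receives a zero-length, zero-family address, which arguably should be an error rather than a silent success — worth a follow-up. do_sys_accept() starts and ends outside the hunk.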
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Dec 14 19:37:02 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_syscalls.c Log Message: Pull up following revision(s) (requested by spz in ticket #996): sys/kern/uipc_syscalls.c: revision 1.163 PR/47591: Michael Plass: If the unix socket is closed before accept, unp-unp_conn will be NULL in PRU_ACCEPT, as called from sys_accept-so_accept. This will cause the usrreq to return with no error, leaving the mbuf gotten from m_get() with an uninitialized length, containing junk from a previous call. Initialize m_len to be 0 to handle this case. This is yet another reason why Beverly's idea of setting m_len = 0 in m_get() makes a lot of sense. Arguably this could be an error, since the data we return now has 0 family and length. To generate a diff of this commit: cvs rdiff -u -r1.154.2.1.4.1 -r1.154.2.1.4.2 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Mon Nov 25 08:27:01 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c Log Message: Pull up following revision(s) (requested by spz in ticket #988): sys/kern/uipc_socket.c: revision 1.220 PR/48098: Brian Marcotte: panic: kernel diagnostic assertion cred != NULL: Fix from Michael van Elst, tcpdrop crashes kernel on ebryonic connections. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.1 -r1.209.2.1.4.2 src/sys/kern/uipc_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_socket.c diff -u src/sys/kern/uipc_socket.c:1.209.2.1.4.1 src/sys/kern/uipc_socket.c:1.209.2.1.4.2 --- src/sys/kern/uipc_socket.c:1.209.2.1.4.1 Fri Aug 2 20:23:11 2013 +++ src/sys/kern/uipc_socket.c Mon Nov 25 08:27:01 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.1 2013/08/02 20:23:11 martin Exp $ */ +/* $NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $ */ /*- * Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc. @@ -63,7 +63,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: uipc_socket.c,v 1.209.2.1.4.1 2013/08/02 20:23:11 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: uipc_socket.c,v 1.209.2.1.4.2 2013/11/25 08:27:01 bouyer Exp $); #include opt_compat_netbsd.h #include opt_sock_counters.h @@ -416,7 +416,7 @@ socket_listener_cb(kauth_cred_t cred, ka /* Normal users can only drop their own connections. */ struct socket *so = (struct socket *)arg1; - if (proc_uidmatch(cred, so-so_cred) == 0) + if (so-so_cred proc_uidmatch(cred, so-so_cred) == 0) result = KAUTH_RESULT_ALLOW; break;
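Review bot: The new `so->so_cred &&` guard in the `@@ -416` hunk (the `&&` has been stripped by this page's rendering) means an embryonic socket with no credential keeps whatever `result` held before the branch — presumably the KAUTH_RESULT_DEFER default, which is the safe outcome — but nothing says so, and a later reader could "fix" the NULL case into an allow. Suggest `/* Embryonic connections have no so_cred yet (PR/48098); leave result untouched so the default decision applies. */`. socket_listener_cb() starts and ends outside the hunk.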
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Mon Nov 25 08:27:01 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_socket.c Log Message: Pull up following revision(s) (requested by spz in ticket #988): sys/kern/uipc_socket.c: revision 1.220 PR/48098: Brian Marcotte: panic: kernel diagnostic assertion cred != NULL: Fix from Michael van Elst, tcpdrop crashes kernel on embryonic connections. To generate a diff of this commit: cvs rdiff -u -r1.209.2.1.4.1 -r1.209.2.1.4.2 src/sys/kern/uipc_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:05:44 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_xcall.c Log Message: Pull up following revision(s) (requested by rmind in ticket #868): sys/kern/subr_xcall.c: revision 1.15 xc_highpri: fix assert. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.16.1 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_xcall.c diff -u src/sys/kern/subr_xcall.c:1.13 src/sys/kern/subr_xcall.c:1.13.16.1 --- src/sys/kern/subr_xcall.c:1.13 Fri May 13 22:16:44 2011 +++ src/sys/kern/subr_xcall.c Sat Apr 20 10:05:44 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_xcall.c,v 1.13 2011/05/13 22:16:44 rmind Exp $ */ +/* $NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $ */ /*- * Copyright (c) 2007-2010 The NetBSD Foundation, Inc. @@ -74,7 +74,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: subr_xcall.c,v 1.13 2011/05/13 22:16:44 rmind Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_xcall.c,v 1.13.16.1 2013/04/20 10:05:44 bouyer Exp $); #include sys/types.h #include sys/param.h @@ -411,7 +411,7 @@ xc_highpri(xcfunc_t func, void *arg1, vo } kpreempt_enable(); #else - KASSERT(curcpu() == ci); + KASSERT(ci == NULL || curcpu() == ci); xc_ipi_handler(); #endif
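Review bot: The relaxed `KASSERT(ci == NULL || curcpu() == ci)` in the `@@ -411` hunk admits a NULL `ci` in the non-MULTIPROCESSOR build, but nothing at the site says what NULL means; a comment would make the assertion self-explanatory: `/* ci == NULL requests every CPU, which on a uniprocessor kernel is just curcpu(). */` (the NULL-means-all convention is inferred from the callers, which are outside the hunk). xc_highpri() starts and ends outside the hunk.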
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:16:31 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_kmem.c Log Message: Pull up following revision(s) (requested by para in ticket #876): sys/kern/subr_kmem.c: revision 1.47 addresses PR/47512 properly return NULL for failed allocations not 0x8 with size checks enabled. To generate a diff of this commit: cvs rdiff -u -r1.42.2.2 -r1.42.2.2.4.1 src/sys/kern/subr_kmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_kmem.c diff -u src/sys/kern/subr_kmem.c:1.42.2.2 src/sys/kern/subr_kmem.c:1.42.2.2.4.1 --- src/sys/kern/subr_kmem.c:1.42.2.2 Sun Aug 12 14:45:31 2012 +++ src/sys/kern/subr_kmem.c Sat Apr 20 10:16:31 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_kmem.c,v 1.42.2.2 2012/08/12 14:45:31 martin Exp $ */ +/* $NetBSD: subr_kmem.c,v 1.42.2.2.4.1 2013/04/20 10:16:31 bouyer Exp $ */ /*- * Copyright (c) 2009 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: subr_kmem.c,v 1.42.2.2 2012/08/12 14:45:31 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_kmem.c,v 1.42.2.2.4.1 2013/04/20 10:16:31 bouyer Exp $); #include sys/param.h #include sys/callback.h @@ -223,8 +223,10 @@ kmem_intr_alloc(size_t size, km_flag_t k kmem_poison_check(p, size); FREECHECK_OUT(kmem_freecheck, p); kmem_size_set(p, size); + + return p + SIZE_SIZE; } - return p + SIZE_SIZE; + return p; } /*
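Review bot: The early `return p + SIZE_SIZE;` inside the block and the bare `return p;` after it in the `@@ -223` hunk only make sense because the enclosing condition (outside the hunk) is a `p != NULL` test, so the second return hands back NULL; without a comment the two returns look like an oversight. Suggest `/* allocation failed: p is NULL, return it as-is rather than NULL + SIZE_SIZE */` on the final return. kmem_intr_alloc() starts and ends outside the hunk.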
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:05:44 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_xcall.c Log Message: Pull up following revision(s) (requested by rmind in ticket #868): sys/kern/subr_xcall.c: revision 1.15 xc_highpri: fix assert. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.16.1 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Apr 20 10:16:31 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_kmem.c Log Message: Pull up following revision(s) (requested by para in ticket #876): sys/kern/subr_kmem.c: revision 1.47 addresses PR/47512 properly return NULL for failed allocations not 0x8 with size checks enabled. To generate a diff of this commit: cvs rdiff -u -r1.42.2.2 -r1.42.2.2.4.1 src/sys/kern/subr_kmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Fri Mar 29 00:46:59 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_cprng.c Log Message: Pull up following revision(s) (requested by tls in ticket #859): sys/kern/subr_cprng.c: revision 1.16 Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag backwards, in low-entropy conditions there was a time interval in which /dev/urandom could still output bits on an unacceptably short key. Output from /dev/random was *NOT* impacted. Eliminate the flag in question -- it's safest to always fill the requested key buffer with output from the entropy-pool, even if we let the caller know we couldn't provide bytes with the full entropy it requested. Advisory will be updated soon with a full worst-case analysis of the /dev/urandom output path in the presence of either variant of the SA-2013-003 bug. Fortunately, because a large amount of other input is mixed in before users can obtain any output, it doesn't look as dangerous in practice as I'd feared it might be. To generate a diff of this commit: cvs rdiff -u -r1.5.2.3.4.1 -r1.5.2.3.4.2 src/sys/kern/subr_cprng.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_cprng.c diff -u src/sys/kern/subr_cprng.c:1.5.2.3.4.1 src/sys/kern/subr_cprng.c:1.5.2.3.4.2 --- src/sys/kern/subr_cprng.c:1.5.2.3.4.1 Sat Jan 26 21:36:10 2013 +++ src/sys/kern/subr_cprng.c Fri Mar 29 00:46:58 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $ */ +/* $NetBSD: subr_cprng.c,v 1.5.2.3.4.2 2013/03/29 00:46:58 msaitoh Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. @@ -46,7 +46,7 @@ #include sys/cprng.h -__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3.4.2 2013/03/29 00:46:58 msaitoh Exp $); void cprng_init(void) 
@@ -157,11 +157,11 @@ cprng_strong_reseed(void *const arg) } static size_t -cprng_entropy_try(uint8_t *key, size_t keylen, int hard) +cprng_entropy_try(uint8_t *key, size_t keylen) { int r; r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD); - if (r != keylen !hard) { + if (r != keylen) { /* Always fill in, for safety */ rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY); } return r; @@ -196,7 +196,7 @@ cprng_strong_create(const char *const na selinit(c-selq); - r = cprng_entropy_try(key, sizeof(key), c-flags CPRNG_INIT_ANY); + r = cprng_entropy_try(key, sizeof(key)); if (r != sizeof(key)) { if (c-flags CPRNG_INIT_ANY) { #ifdef DEBUG @@ -244,7 +244,7 @@ cprng_strong(cprng_strong_t *const c, vo if (c-flags CPRNG_REKEY_ANY) { uint8_t key[NIST_BLOCK_KEYLEN_BYTES]; - if (cprng_entropy_try(key, sizeof(key), 0) != + if (cprng_entropy_try(key, sizeof(key)) != sizeof(key)) { printf(cprng %s: WARNING pseudorandom rekeying.\n, c-name);
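Review bot: The RND_EXTRACT_ANY top-up in cprng_entropy_try is the line the comment `/* Always fill in, for safety */` relies on, yet its return value is discarded, so a short fill would leave the tail of `key` unfilled while the caller is told only how many good bytes it received; a check such as `if (rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY) != keylen - r) panic("cprng: short entropy fill");` (panic is already this file's response to a failed reseed) would make the guarantee real. `r` is also an `int` that is compared with, subtracted from and finally returned as `size_t`; if rnd_extract_data() can report an error as a negative value, which the hunk does not show, `key + r` would point before the buffer and the returned count would be enormous, so either declare `r` as `size_t` or reject negatives explicitly. The call sites in the -196 and -244 hunks compare the result against `sizeof(key)` and are unaffected by that choice.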
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: msaitoh Date: Fri Mar 29 00:46:59 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_cprng.c Log Message: Pull up following revision(s) (requested by tls in ticket #859): sys/kern/subr_cprng.c: revision 1.16 Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag backwards, in low-entropy conditions there was a time interval in which /dev/urandom could still output bits on an unacceptably short key. Output from /dev/random was *NOT* impacted. Eliminate the flag in question -- it's safest to always fill the requested key buffer with output from the entropy-pool, even if we let the caller know we couldn't provide bytes with the full entropy it requested. Advisory will be updated soon with a full worst-case analysis of the /dev/urandom output path in the presence of either variant of the SA-2013-003 bug. Fortunately, because a large amount of other input is mixed in before users can obtain any output, it doesn't look as dangerous in practice as I'd feared it might be. To generate a diff of this commit: cvs rdiff -u -r1.5.2.3.4.1 -r1.5.2.3.4.2 src/sys/kern/subr_cprng.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Mon Feb 11 20:42:51 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_pserialize.c Log Message: Pull up following revision(s) (requested by rmind in ticket #811): sys/kern/subr_pserialize.c: revision 1.7 - pserialize_switchpoint: check for passing twice, not more than needed. - pserialize_perform: avoid a possible race with softint handler. Reported by hannken@. To generate a diff of this commit: cvs rdiff -u -r1.5.8.1 -r1.5.8.2 src/sys/kern/subr_pserialize.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_pserialize.c diff -u src/sys/kern/subr_pserialize.c:1.5.8.1 src/sys/kern/subr_pserialize.c:1.5.8.2 --- src/sys/kern/subr_pserialize.c:1.5.8.1 Fri Feb 8 19:31:19 2013 +++ src/sys/kern/subr_pserialize.c Mon Feb 11 20:42:50 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_pserialize.c,v 1.5.8.1 2013/02/08 19:31:19 riz Exp $ */ +/* $NetBSD: subr_pserialize.c,v 1.5.8.2 2013/02/11 20:42:50 riz Exp $ */ /*- * Copyright (c) 2010, 2011 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: subr_pserialize.c,v 1.5.8.1 2013/02/08 19:31:19 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_pserialize.c,v 1.5.8.2 2013/02/11 20:42:50 riz Exp $); #include sys/param.h @@ -48,13 +48,13 @@ __KERNEL_RCSID(0, $NetBSD: subr_pserial #include sys/kmem.h #include sys/mutex.h #include sys/pserialize.h +#include sys/proc.h #include sys/queue.h #include sys/xcall.h struct pserialize { TAILQ_ENTRY(pserialize) psz_chain; lwp_t * psz_owner; - kcondvar_t psz_notifier; kcpuset_t * psz_target; kcpuset_t * psz_pass; }; @@ -102,7 +102,6 @@ pserialize_create(void) pserialize_t psz; psz = kmem_zalloc(sizeof(struct pserialize), KM_SLEEP); - cv_init(psz-psz_notifier, psrlz); kcpuset_create(psz-psz_target, true); kcpuset_create(psz-psz_pass, true); psz-psz_owner = NULL; 
@@ -121,7 +120,6 @@ pserialize_destroy(pserialize_t psz) KASSERT(psz-psz_owner == NULL); - cv_destroy(psz-psz_notifier); kcpuset_destroy(psz-psz_target); kcpuset_destroy(psz-psz_pass); kmem_free(psz, sizeof(struct pserialize)); @@ -163,27 +161,21 @@ pserialize_perform(pserialize_t psz) mutex_spin_enter(psz_lock); TAILQ_INSERT_TAIL(psz_queue0, psz, psz_chain); psz_work_todo++; - mutex_spin_exit(psz_lock); - /* - * Force some context switch activity on every CPU, as the system - * may not be busy. Note: should pass the point twice. - */ - xc = xc_broadcast(XC_HIGHPRI, (xcfunc_t)nullop, NULL, NULL); - xc_wait(xc); + do { + mutex_spin_exit(psz_lock); - /* No need to xc_wait() as we implement our own condvar. */ - xc_broadcast(XC_HIGHPRI, (xcfunc_t)nullop, NULL, NULL); + /* + * Force some context switch activity on every CPU, as + * the system may not be busy. Pause to not flood. + */ + xc = xc_broadcast(XC_HIGHPRI, (xcfunc_t)nullop, NULL, NULL); + xc_wait(xc); + kpause(psrlz, false, 1, NULL); + + mutex_spin_enter(psz_lock); + } while (!kcpuset_iszero(psz-psz_target)); - /* - * Wait for all CPUs to cycle through mi_switch() twice. - * The last one through will remove our update from the - * queue and awaken us. - */ - mutex_spin_enter(psz_lock); - while (!kcpuset_iszero(psz-psz_target)) { - cv_wait(psz-psz_notifier, psz_lock); - } psz_ev_excl.ev_count++; mutex_spin_exit(psz_lock); @@ -236,8 +228,8 @@ pserialize_switchpoint(void) */ for (psz = TAILQ_FIRST(psz_queue1); psz != NULL; psz = next) { next = TAILQ_NEXT(psz, psz_chain); + kcpuset_set(psz-psz_pass, cid); if (!kcpuset_match(psz-psz_pass, psz-psz_target)) { - kcpuset_set(psz-psz_pass, cid); continue; } kcpuset_zero(psz-psz_pass); 
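Review bot: The rewritten wait loop in pserialize_perform drops the only comment that said what it waits for, namely pserialize_switchpoint() clearing `psz->psz_target` once every CPU has passed through mi_switch() twice (both the removed comment and the log message state this), and the surviving `Pause to not flood` note explains the kpause() but not the exit condition. I would restore that above the `do {`, e.g. `/* Loop until the switchpoint has seen every target CPU pass twice and cleared psz_target. */`. The function's header comment, which is outside this hunk, should also say that pserialize_perform() sleeps (kpause() and xc_wait() both do), so it cannot be called with spin locks held or from interrupt context; pserialize_perform begins outside the hunk.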
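Review bot: The pass-accounting sequence in pserialize_switchpoint, `kcpuset_set(&psz->psz_pass, cid);` followed by the `kcpuset_match()` test and `kcpuset_zero(&psz->psz_pass);`, is now written out identically for psz_queue1 in this hunk and for psz_queue0 in the -250 hunk on the next line, and the two copies must stay in lock step because the commit's fix is precisely to move the set before the test. A small static helper taking the pserialize and the cpu id and returning whether the pass set is now complete would leave one place to get this right, and one place to comment why the set has to precede the match.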
@@ -250,8 +242,8 @@ pserialize_switchpoint(void) */ for (psz = TAILQ_FIRST(psz_queue0); psz != NULL; psz = next) { next = TAILQ_NEXT(psz, psz_chain); + kcpuset_set(psz-psz_pass, cid); if (!kcpuset_match(psz-psz_pass, psz-psz_target)) { - kcpuset_set(psz-psz_pass, cid); continue; } kcpuset_zero(psz-psz_pass); @@ -265,7 +257,6 @@ pserialize_switchpoint(void) while ((psz = TAILQ_FIRST(psz_queue2)) != NULL) { TAILQ_REMOVE(psz_queue2, psz, psz_chain); kcpuset_zero(psz-psz_target); - cv_signal(psz-psz_notifier); psz_work_todo--; } mutex_spin_exit(psz_lock);
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Mon Feb 11 20:42:51 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_pserialize.c Log Message: Pull up following revision(s) (requested by rmind in ticket #811): sys/kern/subr_pserialize.c: revision 1.7 - pserialize_switchpoint: check for passing twice, not more than needed. - pserialize_perform: avoid a possible race with softint handler. Reported by hannken@. To generate a diff of this commit: cvs rdiff -u -r1.5.8.1 -r1.5.8.2 src/sys/kern/subr_pserialize.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Fri Feb 8 20:22:19 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_vmem.c Log Message: Pull up following revision(s) (requested by para in ticket #789): sys/kern/subr_vmem.c: revision 1.81 sys/kern/subr_vmem.c: revision 1.77 fix a lock order reversal during global boundary tag refill. thanks to chuq@ xxx: request pullup Fix release of vmem_btag_lock (don't release twice in error path) To generate a diff of this commit: cvs rdiff -u -r1.72.2.1 -r1.72.2.1.4.1 src/sys/kern/subr_vmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_vmem.c diff -u src/sys/kern/subr_vmem.c:1.72.2.1 src/sys/kern/subr_vmem.c:1.72.2.1.4.1 --- src/sys/kern/subr_vmem.c:1.72.2.1 Tue Apr 3 16:14:02 2012 +++ src/sys/kern/subr_vmem.c Fri Feb 8 20:22:18 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_vmem.c,v 1.72.2.1 2012/04/03 16:14:02 riz Exp $ */ +/* $NetBSD: subr_vmem.c,v 1.72.2.1.4.1 2013/02/08 20:22:18 riz Exp $ */ /*- * Copyright (c)2006,2007,2008,2009 YAMAMOTO Takashi, @@ -34,7 +34,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: subr_vmem.c,v 1.72.2.1 2012/04/03 16:14:02 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_vmem.c,v 1.72.2.1.4.1 2013/02/08 20:22:18 riz Exp $); #if defined(_KERNEL) #include opt_ddb.h @@ -263,6 +263,7 @@ static int static_qc_pool_count = STATIC vmem_t *kmem_va_meta_arena; vmem_t *kmem_meta_arena; +static kmutex_t vmem_refill_lock; static kmutex_t vmem_btag_lock; static LIST_HEAD(, vmem_btag) vmem_btag_freelist; static size_t vmem_btag_freelist_count = 0; 
@@ -282,19 +283,24 @@ bt_refillglobal(vm_flag_t flags) bt_t *bt; int i; + mutex_enter(vmem_refill_lock); + mutex_enter(vmem_btag_lock); if (vmem_btag_freelist_count (BT_MINRESERVE * 16)) { mutex_exit(vmem_btag_lock); + mutex_exit(vmem_refill_lock); return 0; } + mutex_exit(vmem_btag_lock); if (vmem_alloc(kmem_meta_arena, PAGE_SIZE, (flags ~VM_FITMASK) | VM_INSTANTFIT | VM_POPULATING, va) != 0) { - mutex_exit(vmem_btag_lock); + mutex_exit(vmem_refill_lock); return ENOMEM; } VMEM_EVCNT_INCR(bt_pages); + mutex_enter(vmem_btag_lock); btp = (void *) va; for (i = 0; i (BT_PER_PAGE); i++) { bt = btp; @@ -308,9 +314,14 @@ bt_refillglobal(vm_flag_t flags) } mutex_exit(vmem_btag_lock); - bt_refill(kmem_arena, (flags ~VM_FITMASK) | VM_INSTANTFIT); - bt_refill(kmem_va_meta_arena, (flags ~VM_FITMASK) | VM_INSTANTFIT); - bt_refill(kmem_meta_arena, (flags ~VM_FITMASK) | VM_INSTANTFIT); + bt_refill(kmem_arena, (flags ~VM_FITMASK) + | VM_INSTANTFIT | VM_POPULATING); + bt_refill(kmem_va_meta_arena, (flags ~VM_FITMASK) + | VM_INSTANTFIT | VM_POPULATING); + bt_refill(kmem_meta_arena, (flags ~VM_FITMASK) + | VM_INSTANTFIT | VM_POPULATING); + + mutex_exit(vmem_refill_lock); return 0; } @@ -320,7 +331,9 @@ bt_refill(vmem_t *vm, vm_flag_t flags) { bt_t *bt; - bt_refillglobal(flags); + if (!(flags VM_POPULATING)) { + bt_refillglobal(flags); + } VMEM_LOCK(vm); mutex_enter(vmem_btag_lock); @@ -691,6 +704,7 @@ vmem_bootstrap(void) { mutex_init(vmem_list_lock, MUTEX_DEFAULT, IPL_VM); + mutex_init(vmem_refill_lock, MUTEX_DEFAULT, IPL_VM); mutex_init(vmem_btag_lock, MUTEX_DEFAULT, IPL_VM); while (static_bt_count-- 0) {
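Review bot: The lock order that bt_refillglobal now establishes, `vmem_refill_lock` before `vmem_btag_lock` and, through the bt_refill() calls at the bottom, before any VMEM_LOCK(), is enforced only by the code; nothing at the `static kmutex_t vmem_refill_lock;` declaration in the earlier hunk records it, nor the reason it is safe to call `vmem_alloc()` with `vmem_refill_lock` held, which is that VM_POPULATING stops bt_refill() from re-entering this function. I would attach that to the declaration: `/* Serializes global boundary-tag refill; taken before vmem_btag_lock and any VMEM_LOCK(). VM_POPULATING callers must never re-enter bt_refillglobal(). */`. The freelist-size test is made under vmem_btag_lock alone and then the lock is dropped before the allocation, which is fine only because vmem_refill_lock admits a single refiller at a time; a one-line comment there saying so would keep the next reader from "fixing" the window.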
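Review bot: bt_refill still discards the result of `bt_refillglobal(flags)`, which can now return ENOMEM from the error path in the previous hunk, so a failed global refill is indistinguishable from a successful one at this point. If that is deliberate because the per-arena path below copes with an empty global freelist, a comment such as `/* Global refill may fail with ENOMEM; the per-arena refill below tolerates an empty freelist. */` would stop the next reader from adding a check; if not, the return value should be propagated. bt_refill's body continues outside the hunk, so I cannot see how the empty case is handled.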
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Fri Feb 8 20:28:22 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: kern_rndq.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #790): sys/kern/kern_rndq.c: revision 1.7 Set resource limit. The rnd_process_events() function is called every tick and process the sample queue. Without limitation, if a lot of rnd_add_*() are called, all kernel memory may be eaten up. To generate a diff of this commit: cvs rdiff -u -r1.1.2.2 -r1.1.2.2.4.1 src/sys/kern/kern_rndq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_rndq.c diff -u src/sys/kern/kern_rndq.c:1.1.2.2 src/sys/kern/kern_rndq.c:1.1.2.2.4.1 --- src/sys/kern/kern_rndq.c:1.1.2.2 Fri Apr 20 23:35:20 2012 +++ src/sys/kern/kern_rndq.c Fri Feb 8 20:28:22 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_rndq.c,v 1.1.2.2 2012/04/20 23:35:20 riz Exp $ */ +/* $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $ */ /*- * Copyright (c) 1997-2011 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2 2012/04/20 23:35:20 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_rndq.c,v 1.1.2.2.4.1 2013/02/08 20:28:22 riz Exp $); #include sys/param.h #include sys/ioctl.h 
@@ -405,7 +405,17 @@ rnd_init(void) rnd_mempc = pool_cache_init(sizeof(rnd_sample_t), 0, 0, 0, rndsample, NULL, IPL_VM, NULL, NULL, NULL); - /* Mix *something*, *anything* into the pool to help it get started. + + /* + * Set resource limit. The rnd_process_events() function + * is called every tick and process the sample queue. + * Without limitation, if a lot of rnd_add_*() are called, + * all kernel memory may be eaten up. + */ + pool_cache_sethardlimit(rnd_mempc, RND_POOLBITS, NULL, 0); + + /* + * Mix *something*, *anything* into the pool to help it get started. * However, it's not safe for rnd_counter() to call microtime() yet, * so on some platforms we might just end up with zeros anyway. * XXX more things to add would be nice.
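Review bot: `pool_cache_sethardlimit(rnd_mempc, RND_POOLBITS, NULL, 0)` makes the sample-queue cap silent: with a NULL warning message nothing is logged when rnd_add_*() samples start being refused, so an entropy source being throttled, or a driver flooding the queue (the very scenario the log message gives as motivation), leaves no trace. If the third and fourth arguments are the warning string and rate cap as in pool_sethardlimit(9), passing a message such as `"rnd: sample pool hard limit reached"` with a modest rate cap would give operators a signal. The new comment block should also say why RND_POOLBITS, a name that suggests a bit count, is the right number of queued samples to allow. rnd_init continues outside the hunk.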
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Fri Feb 8 20:22:19 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_vmem.c Log Message: Pull up following revision(s) (requested by para in ticket #789): sys/kern/subr_vmem.c: revision 1.81 sys/kern/subr_vmem.c: revision 1.77 fix a lock order reversal during global boundary tag refill. thanks to chuq@ xxx: request pullup Fix release of vmem_btag_lock (don't release twice in error path) To generate a diff of this commit: cvs rdiff -u -r1.72.2.1 -r1.72.2.1.4.1 src/sys/kern/subr_vmem.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Fri Feb 8 20:28:22 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: kern_rndq.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #790): sys/kern/kern_rndq.c: revision 1.7 Set resource limit. The rnd_process_events() function is called every tick and process the sample queue. Without limitation, if a lot of rnd_add_*() are called, all kernel memory may be eaten up. To generate a diff of this commit: cvs rdiff -u -r1.1.2.2 -r1.1.2.2.4.1 src/sys/kern/kern_rndq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Jan 26 21:36:10 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_cprng.c Log Message: Pull up following revision(s) (requested by tls in ticket #800): sys/kern/subr_cprng.c: revision 1.15 Fix a security issue: when we are reseeding a PRNG seeded early in boot before we had ever had any entropy, if something else has consumed the entropy that triggered the immediate reseed, we can reseed with as little as sizeof(int) bytes of entropy. To generate a diff of this commit: cvs rdiff -u -r1.5.2.3 -r1.5.2.3.4.1 src/sys/kern/subr_cprng.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_cprng.c diff -u src/sys/kern/subr_cprng.c:1.5.2.3 src/sys/kern/subr_cprng.c:1.5.2.3.4.1 --- src/sys/kern/subr_cprng.c:1.5.2.3 Mon May 21 16:49:54 2012 +++ src/sys/kern/subr_cprng.c Sat Jan 26 21:36:10 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_cprng.c,v 1.5.2.3 2012/05/21 16:49:54 jdc Exp $ */ +/* $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. @@ -46,7 +46,7 @@ #include sys/cprng.h -__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3 2012/05/21 16:49:54 jdc Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $); void cprng_init(void) @@ -84,6 +84,8 @@ cprng_strong_doreseed(cprng_strong_t *co cc, sizeof(cc))) { panic(cprng %s: nist_ctr_drbg_reseed failed., c-name); } + memset(c-reseed.data, 0, c-reseed.len); + #ifdef RND_VERBOSE printf(cprng %s: reseeded with rnd_filled = %d\n, c-name, rnd_filled); 
@@ -154,6 +156,17 @@ cprng_strong_reseed(void *const arg) mutex_exit(c-mtx); } +static size_t +cprng_entropy_try(uint8_t *key, size_t keylen, int hard) +{ + int r; + r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD); + if (r != keylen !hard) { + rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY); + } + return r; +} + cprng_strong_t * cprng_strong_create(const char *const name, int ipl, int flags) { @@ -183,15 +196,13 @@ cprng_strong_create(const char *const na selinit(c-selq); - r = rnd_extract_data(key, sizeof(key), RND_EXTRACT_GOOD); + r = cprng_entropy_try(key, sizeof(key), c-flags CPRNG_INIT_ANY); if (r != sizeof(key)) { if (c-flags CPRNG_INIT_ANY) { #ifdef DEBUG printf(cprng %s: WARNING insufficient entropy at creation.\n, name); #endif - rnd_extract_data(key + r, sizeof(key - r), - RND_EXTRACT_ANY); } else { hard++; } @@ -233,15 +244,18 @@ cprng_strong(cprng_strong_t *const c, vo if (c-flags CPRNG_REKEY_ANY) { uint8_t key[NIST_BLOCK_KEYLEN_BYTES]; - printf(cprng %s: WARNING pseudorandom rekeying.\n, - c-name); -rnd_extract_data(key, sizeof(key), RND_EXTRACT_ANY); + if (cprng_entropy_try(key, sizeof(key), 0) != + sizeof(key)) { + printf(cprng %s: WARNING + pseudorandom rekeying.\n, c-name); + } cc = cprng_counter(); if (nist_ctr_drbg_reseed(c-drbg, key, sizeof(key), cc, sizeof(cc))) { panic(cprng %s: nist_ctr_drbg_reseed failed., c-name); } + memset(key, 0, sizeof(key)); } else { int wr;
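Review bot: The `hard` test in cprng_entropy_try is the wrong way round for its caller: cprng_strong_create passes `c->flags & CPRNG_INIT_ANY` as `hard`, so the RND_EXTRACT_ANY top-up runs only when the caller did not ask for any-quality bytes and is skipped on the INIT_ANY path, which then returns with the tail of `key` unfilled and still proceeds to seed from it. The later pullup on this page (revision 1.16, ticket #859) confirms this and removes the parameter so the buffer is always completed; the unconditional form, `if (r != keylen) rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);`, is what this hunk should carry. Independently, `r` is an `int` compared with and returned as `size_t`, and the fill's own return value is ignored.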
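Review bot: `memset(key, 0, sizeof(key));` at the end of the CPRNG_REKEY_ANY branch in cprng_strong zeroes a stack array that is never read again, which is the pattern a compiler is entitled to treat as a dead store and drop, so the key material may survive on the stack despite the line. If this branch has a non-elidable clearing routine (the tree later gained explicit_memset()), it belongs here; otherwise a comment stating the intent and the limitation is the minimum. The `memset(c->reseed.data, 0, c->reseed.len)` in the -84 hunk is less exposed because the buffer stays reachable through the pointer, but the same consideration applies.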
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Jan 26 21:36:10 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: subr_cprng.c Log Message: Pull up following revision(s) (requested by tls in ticket #800): sys/kern/subr_cprng.c: revision 1.15 Fix a security issue: when we are reseeding a PRNG seeded early in boot before we had ever had any entropy, if something else has consumed the entropy that triggered the immediate reseed, we can reseed with as little as sizeof(int) bytes of entropy. To generate a diff of this commit: cvs rdiff -u -r1.5.2.3 -r1.5.2.3.4.1 src/sys/kern/subr_cprng.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Mon Jan 7 16:53:36 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_syscalls.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #778): sys/kern/uipc_syscalls.c: revision 1.157 sys/kern/uipc_syscalls.c: revision 1.158 If an untraced process sleeps in recvmsg/sendmsg, the syscall does not allocate an iov structure for ktrace. When tracing is then enabled and the process wakes up, it crashes the kernel. Undo the last commit which introduced this error path. Avoid the mentioned kmem_alloc assertion by adding a sanity check analog to similar code in sys_generic.c for I/O on file handles instead of sockets. This also causes the syscall to return EMSGSIZE if the msg_iovlen member of the msg structure is less than or equal to 0, as defined in recvmsg(2)/sendmsg(2). The sanity check prevented messages that carry only ancillary data. To generate a diff of this commit: cvs rdiff -u -r1.154.2.1 -r1.154.2.1.4.1 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_syscalls.c diff -u src/sys/kern/uipc_syscalls.c:1.154.2.1 src/sys/kern/uipc_syscalls.c:1.154.2.1.4.1 --- src/sys/kern/uipc_syscalls.c:1.154.2.1 Fri Jul 20 23:10:06 2012 +++ src/sys/kern/uipc_syscalls.c Mon Jan 7 16:53:36 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_syscalls.c,v 1.154.2.1 2012/07/20 23:10:06 riz Exp $ */ +/* $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $ */ /*- * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1 2012/07/20 23:10:06 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: uipc_syscalls.c,v 1.154.2.1.4.1 2013/01/07 16:53:36 riz Exp $); #include opt_pipe.h 
@@ -640,10 +640,9 @@ do_sys_sendmsg(struct lwp *l, int s, str *retsize = len - auio.uio_resid; bad: - if (ktrpoint(KTR_GENIO)) { + if (ktriov != NULL) { ktrgeniov(s, UIO_WRITE, ktriov, *retsize, error); - if (ktriov != NULL) - kmem_free(ktriov, iovsz); + kmem_free(ktriov, iovsz); } if (iov != aiov) @@ -897,10 +896,9 @@ do_sys_recvmsg(struct lwp *l, int s, str /* Some data transferred */ error = 0; - if (ktrpoint(KTR_GENIO)) { + if (ktriov != NULL) { ktrgeniov(s, UIO_READ, ktriov, len, error); - if (ktriov != NULL) - kmem_free(ktriov, iovsz); + kmem_free(ktriov, iovsz); } if (error != 0) {
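Review bot: With `ktriov != NULL` now the sole test at `bad:` in do_sys_sendmsg, correctness depends on `ktriov` being initialised to NULL at its declaration, because `bad:` is reachable from errors that occur before the ktrace copy is taken; the declaration is outside the hunk, so please confirm it reads `ktriov = NULL` at definition. The same applies to the -897 hunk in do_sys_recvmsg. The combined diff carries no msg_iovlen check, which matches the last sentence of the log (the check was withdrawn because it refused ancillary-only messages), so the EMSGSIZE behaviour described earlier in the same log does not apply to this pullup and the ticket should probably say so. Both enclosing functions begin and end outside the hunks.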
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Mon Jan 7 16:53:36 UTC 2013 Modified Files: src/sys/kern [netbsd-6-0]: uipc_syscalls.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #778): sys/kern/uipc_syscalls.c: revision 1.157 sys/kern/uipc_syscalls.c: revision 1.158 If an untraced process sleeps in recvmsg/sendmsg, the syscall does not allocate an iov structure for ktrace. When tracing is then enabled and the process wakes up, it crashes the kernel. Undo the last commit which introduced this error path. Avoid the mentioned kmem_alloc assertion by adding a sanity check analog to similar code in sys_generic.c for I/O on file handles instead of sockets. This also causes the syscall to return EMSGSIZE if the msg_iovlen member of the msg structure is less than or equal to 0, as defined in recvmsg(2)/sendmsg(2). The sanity check prevented messages that carry only ancillary data. To generate a diff of this commit: cvs rdiff -u -r1.154.2.1 -r1.154.2.1.4.1 src/sys/kern/uipc_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Thu Nov 22 18:51:14 UTC 2012 Modified Files: src/sys/kern [netbsd-6-0]: vfs_vnode.c vfs_vnops.c Log Message: Pull up following revision(s) (requested by hannken in ticket #692): sys/kern/vfs_vnode.c: revision 1.17 sys/kern/vfs_vnops.c: revision 1.186 Bring back Manuel Bouyers patch to resolve races between vget() and vrelel() resulting in vget() returning dead vnodes. It is impossible to resolve these races in vn_lock(). Needs pullup to NetBSD-6. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.15.8.1 src/sys/kern/vfs_vnode.c cvs rdiff -u -r1.183.8.1 -r1.183.8.1.4.1 src/sys/kern/vfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/vfs_vnode.c diff -u src/sys/kern/vfs_vnode.c:1.15 src/sys/kern/vfs_vnode.c:1.15.8.1 --- src/sys/kern/vfs_vnode.c:1.15 Tue Dec 20 16:49:37 2011 +++ src/sys/kern/vfs_vnode.c Thu Nov 22 18:51:14 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_vnode.c,v 1.15 2011/12/20 16:49:37 hannken Exp $ */ +/* $NetBSD: vfs_vnode.c,v 1.15.8.1 2012/11/22 18:51:14 riz Exp $ */ /*- * Copyright (c) 1997-2011 The NetBSD Foundation, Inc. @@ -120,7 +120,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: vfs_vnode.c,v 1.15 2011/12/20 16:49:37 hannken Exp $); +__KERNEL_RCSID(0, $NetBSD: vfs_vnode.c,v 1.15.8.1 2012/11/22 18:51:14 riz Exp $); #include sys/param.h #include sys/kernel.h @@ -555,6 +555,22 @@ vget(vnode_t *vp, int flags) return ENOENT; } + if ((vp-v_iflag VI_INACTNOW) != 0) { + /* + * if it's being desactived, wait for it to complete. + * Make sure to not return a clean vnode. + */ + if ((flags LK_NOWAIT) != 0) { + vrelel(vp, 0); + return EBUSY; + } + vwait(vp, VI_INACTNOW); + if ((vp-v_iflag VI_CLEAN) != 0) { + vrelel(vp, 0); + return ENOENT; + } + } + /* * Ok, we got it in good shape. Just locking left. */ 
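Review bot: The new comment in vget reads `if it's being desactived`; it should say `deactivated`, and since this block is the crux of the race fix it could state what the second test guards: `/* If the vnode is being deactivated, wait for that to finish and re-check: deactivation may have cleaned it, and a clean vnode must never be handed back. */`. vget continues outside the hunk.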
@@ -665,8 +681,12 @@ retry: /* The pagedaemon can't wait around; defer. */ defer = true; } else if (curlwp == vrele_lwp) { - /* We have to try harder. */ - vp-v_iflag = ~VI_INACTREDO; + /* + * We have to try harder. But we can't sleep + * with VI_INACTNOW as vget() may be waiting on it. + */ + vp-v_iflag = ~(VI_INACTREDO|VI_INACTNOW); + cv_broadcast(vp-v_cv); mutex_exit(vp-v_interlock); error = vn_lock(vp, LK_EXCLUSIVE); if (error != 0) { @@ -674,6 +694,18 @@ retry: vnpanic(vp, %s: unable to lock %p, __func__, vp); } + mutex_enter(vp-v_interlock); + /* + * if we did get another reference while + * sleeping, don't try to inactivate it yet. + */ + if (__predict_false(vtryrele(vp))) { +VOP_UNLOCK(vp); +mutex_exit(vp-v_interlock); +return; + } + vp-v_iflag |= VI_INACTNOW; + mutex_exit(vp-v_interlock); defer = false; } else if ((vp-v_iflag VI_LAYER) != 0) { /* @@ -709,6 +741,7 @@ retry: if (++vrele_pending (desiredvnodes 8)) cv_signal(vrele_cv); mutex_exit(vrele_lock); + cv_broadcast(vp-v_cv); mutex_exit(vp-v_interlock); return; } @@ -726,6 +759,7 @@ retry: VOP_INACTIVE(vp, recycle); mutex_enter(vp-v_interlock); vp-v_iflag = ~VI_INACTNOW; + cv_broadcast(vp-v_cv); if (!recycle) { if (vtryrele(vp)) { mutex_exit(vp-v_interlock); Index: src/sys/kern/vfs_vnops.c diff -u src/sys/kern/vfs_vnops.c:1.183.8.1 src/sys/kern/vfs_vnops.c:1.183.8.1.4.1 --- src/sys/kern/vfs_vnops.c:1.183.8.1 Thu Apr 12 17:15:23 2012 +++ src/sys/kern/vfs_vnops.c Thu Nov 22 18:51:14 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_vnops.c,v 1.183.8.1 2012/04/12 17:15:23 riz Exp $ */ +/* $NetBSD: vfs_vnops.c,v 1.183.8.1.4.1 2012/11/22 18:51:14 riz Exp $ */ /*- * Copyright (c) 2009 The NetBSD Foundation, Inc. @@ -66,7 +66,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: vfs_vnops.c,v 1.183.8.1 2012/04/12 17:15:23 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: vfs_vnops.c,v 1.183.8.1.4.1 2012/11/22 18:51:14 riz Exp $); #include veriexec.h 
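Review bot: The `cv_broadcast(&vp->v_cv)` calls added to vrelel in the -709 and -726 hunks carry no comment saying whom they wake; the reader has to go back to vget() to find the `vwait(vp, VI_INACTNOW)` they presumably pair with (the pairing is inferred, since vwait's implementation is not on this page). A one-liner at each, `/* Wake any vget() waiting for VI_INACTNOW to clear. */`, would document the protocol; the broadcast in this hunk is already explained by the neighbouring comment. vrelel begins and ends outside these hunks.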
@@ -805,15 +805,6 @@ vn_lock(struct vnode *vp, int flags) } else { mutex_exit(vp-v_interlock); error = VOP_LOCK(vp, (flags ~LK_RETRY)); - if (error == 0 (flags LK_RETRY) == 0) { -mutex_enter(vp-v_interlock); -if ((vp-v_iflag VI_CLEAN)) { - mutex_exit(vp-v_interlock); - VOP_UNLOCK(vp); - return ENOENT; -} -mutex_exit(vp-v_interlock); - } if (error == 0 || error == EDEADLK || error == EBUSY) return (error); }
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Thu Nov 22 18:51:14 UTC 2012 Modified Files: src/sys/kern [netbsd-6-0]: vfs_vnode.c vfs_vnops.c Log Message: Pull up following revision(s) (requested by hannken in ticket #692): sys/kern/vfs_vnode.c: revision 1.17 sys/kern/vfs_vnops.c: revision 1.186 Bring back Manuel Bouyers patch to resolve races between vget() and vrelel() resulting in vget() returning dead vnodes. It is impossible to resolve these races in vn_lock(). Needs pullup to NetBSD-6. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.15.8.1 src/sys/kern/vfs_vnode.c cvs rdiff -u -r1.183.8.1 -r1.183.8.1.4.1 src/sys/kern/vfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Tue Nov 20 21:32:57 UTC 2012 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c Log Message: Pull up following revision(s) (requested by christos in ticket #670): sys/kern/kern_exec.c: revision 1.358 If you are going to dick around with p_stat, remember to put it back so that spawn processes with attributes don't end up starting up stopped! XXX: pullup to 6. To generate a diff of this commit: cvs rdiff -u -r1.339.2.5 -r1.339.2.5.4.1 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_exec.c diff -u src/sys/kern/kern_exec.c:1.339.2.5 src/sys/kern/kern_exec.c:1.339.2.5.4.1 --- src/sys/kern/kern_exec.c:1.339.2.5 Mon Apr 16 15:28:19 2012 +++ src/sys/kern/kern_exec.c Tue Nov 20 21:32:57 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_exec.c,v 1.339.2.5 2012/04/16 15:28:19 riz Exp $ */ +/* $NetBSD: kern_exec.c,v 1.339.2.5.4.1 2012/11/20 21:32:57 riz Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -59,7 +59,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.339.2.5 2012/04/16 15:28:19 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.339.2.5.4.1 2012/11/20 21:32:57 riz Exp $); #include opt_exec.h #include opt_ktrace.h @@ -1916,6 +1916,7 @@ spawn_return(void *arg) /* handle posix_spawnattr */ if (spawn_data-sed_attrs != NULL) { + int ostat; struct sigaction sigact; sigact._sa_u._sa_handler = SIG_DFL; sigact.sa_flags = 0; @@ -1924,6 +1925,7 @@ spawn_return(void *arg) * set state to SSTOP so that this proc can be found by pid. * see proc_enterprp, do_sched_setparam below */ + ostat = l-l_proc-p_stat; l-l_proc-p_stat = SSTOP; /* Set process group */ @@ -1985,6 +1987,7 @@ spawn_return(void *arg) 0); } } + l-l_proc-p_stat = ostat; } /* now do the real exec */
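Review bot: The restore `l->l_proc->p_stat = ostat;` is the last statement of the posix_spawnattr block, so it runs only when every step between the `p_stat = SSTOP` assignment and the end of the block falls through; those steps are collapsed in this diff, and if any of them returns or jumps out on error the process is left in SSTOP, the very symptom the log describes. Please confirm each of those paths either reaches the restore or restores p_stat itself, or move the restore to a single exit point reached by `goto` so it cannot be bypassed. `ostat` is declared `int` while p_stat's type is not visible here; matching the field's type avoids a silent conversion. spawn_return begins and ends outside the hunks.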
CVS commit: [netbsd-6-0] src/sys/kern
Module Name:src Committed By: riz Date: Tue Nov 20 21:32:57 UTC 2012 Modified Files: src/sys/kern [netbsd-6-0]: kern_exec.c Log Message: Pull up following revision(s) (requested by christos in ticket #670): sys/kern/kern_exec.c: revision 1.358 If you are going to dick around with p_stat, remember to put it back so that spawn processes with attributes don't end up starting up stopped! XXX: pullup to 6. To generate a diff of this commit: cvs rdiff -u -r1.339.2.5 -r1.339.2.5.4.1 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.