CVS commit: [netbsd-6-1] src/sys/kern

2018-05-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu May  3 15:01:20 UTC 2018

Modified Files:
src/sys/kern [netbsd-6-1]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1547):

sys/kern/uipc_mbuf.c: revision 1.211 (via patch)

Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.

We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.

This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).

Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.

It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.


To generate a diff of this commit:
cvs rdiff -u -r1.145.2.1 -r1.145.2.1.2.1 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.145.2.1 src/sys/kern/uipc_mbuf.c:1.145.2.1.2.1
--- src/sys/kern/uipc_mbuf.c:1.145.2.1	Fri Feb  8 19:18:12 2013
+++ src/sys/kern/uipc_mbuf.c	Thu May  3 15:01:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.145.2.1.2.1 2018/05/03 15:01:20 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1.2.1 2018/05/03 15:01:20 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -1266,30 +1266,35 @@ m_makewritable(struct mbuf **mp, int off
 }
 
 /*
- * Copy the mbuf chain to a new mbuf chain that is as short as possible.
- * Return the new mbuf chain on success, NULL on failure.  On success,
- * free the old mbuf chain.
+ * Compress the mbuf chain. Return the new mbuf chain on success, NULL on
+ * failure. The first mbuf is preserved, and on success the pointer returned
+ * is the same as the one passed.
  */
 struct mbuf *
 m_defrag(struct mbuf *mold, int flags)
 {
 	struct mbuf *m0, *mn, *n;
-	size_t sz = mold->m_pkthdr.len;
+	int sz;
 
 #ifdef DIAGNOSTIC
 	if ((mold->m_flags & M_PKTHDR) == 0)
 		panic("m_defrag: not a mbuf chain header");
 #endif
 
-	MGETHDR(m0, flags, MT_DATA);
+	if (mold->m_next == NULL)
+		return mold;
+
+	m0 = m_get(flags, MT_DATA);
 	if (m0 == NULL)
 		return NULL;
-	M_COPY_PKTHDR(m0, mold);
 	mn = m0;
 
+	sz = mold->m_pkthdr.len - mold->m_len;
+	KASSERT(sz >= 0);
+
 	do {
-		if (sz > MHLEN) {
-			MCLGET(mn, M_DONTWAIT);
+		if (sz > MLEN) {
+			MCLGET(mn, flags);
 			if ((mn->m_flags & M_EXT) == 0) {
 m_freem(m0);
 return NULL;
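Review bot: The only guard on `sz = mold->m_pkthdr.len - mold->m_len` is `KASSERT(sz >= 0)`, which is compiled out of kernels built without DIAGNOSTIC, and `sz` is now a signed `int`. If a chain ever arrives with `m_pkthdr.len` smaller than the first mbuf's `m_len`, a negative `sz` enters the copy loop; the lines that consume it fall between this hunk and the next, so the exact effect cannot be confirmed from here. Making the comparison before the allocation, `if (mold->m_pkthdr.len < mold->m_len) return NULL;`, keeps the failure explicit in every build. The comment above the function could also state that on failure the original chain is left untouched and still belongs to the caller, which is what the two `m_freem(m0); return NULL;` paths show.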
@@ -1305,7 +1310,7 @@ m_defrag(struct mbuf *mold, int flags)
 
 		if (sz > 0) {
 			/* need more mbufs */
-			MGET(n, M_NOWAIT, MT_DATA);
+			n = m_get(flags, MT_DATA);
 			if (n == NULL) {
 m_freem(m0);
 return NULL;
@@ -1316,9 +1321,10 @@ m_defrag(struct mbuf *mold, int flags)
 		}
 	} while (sz > 0);
 
-	m_freem(mold);
+	m_freem(mold->m_next);
+	mold->m_next = m0;
 
-	return m0;
+	return mold;
 }
 
 int



CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:24:22 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: kern_ktrace.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1484):
sys/kern/kern_ktrace.c: revision 1.171 via patch
Clamp the length we use, not the length we don't.
Avoids uninitialized memory disclosure to userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.160 -r1.160.8.1 src/sys/kern/kern_ktrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_ktrace.c
diff -u src/sys/kern/kern_ktrace.c:1.160 src/sys/kern/kern_ktrace.c:1.160.8.1
--- src/sys/kern/kern_ktrace.c:1.160	Fri Dec 30 20:33:04 2011
+++ src/sys/kern/kern_ktrace.c	Sat Aug 19 04:24:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $	*/
+/*	$NetBSD: kern_ktrace.c,v 1.160.8.1 2017/08/19 04:24:22 snj Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.8.1 2017/08/19 04:24:22 snj Exp $");
 
 #include 
 #include 
@@ -952,7 +952,7 @@ ktruser(const char *id, void *addr, size
 
 	user_dta = (void *)(ktp + 1);
 	if ((error = copyin(addr, (void *)user_dta, len)) != 0)
-		len = 0;
+		kte->kte_kth.ktr_len = 0;
 
 	ktraddentry(l, kte, KTA_WAITOK);
 	return error;
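Review bot: The changed line needs a short comment, because the local `len` and the header field look interchangeable here and that confusion is what the fix corrects. Something like `/* copyin failed: buffer contents are undefined, so emit a zero-length record */` above `kte->kte_kth.ktr_len = 0;` states why the header length is the one that must be cleared. The entry is still handed to `ktraddentry()` on the failure path, so the header length is presumably what bounds the bytes written out; that consumer is outside the hunk.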



CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:17:10 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: vfs_getcwd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/kern/vfs_getcwd.c: revision 1.52
Don't walk off the end of the dirent buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.22.1 src/sys/kern/vfs_getcwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_getcwd.c
diff -u src/sys/kern/vfs_getcwd.c:1.47 src/sys/kern/vfs_getcwd.c:1.47.22.1
--- src/sys/kern/vfs_getcwd.c:1.47	Tue Nov 30 10:30:02 2010
+++ src/sys/kern/vfs_getcwd.c	Sat Aug 19 04:17:10 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.47.22.1 2017/08/19 04:17:10 snj Exp $ */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47.22.1 2017/08/19 04:17:10 snj Exp $");
 
 #include 
 #include 
@@ -207,7 +207,8 @@ unionread:
 reclen = dp->d_reclen;
 
 /* check for malformed directory.. */
-if (reclen < _DIRENT_MINSIZE(dp)) {
+if (reclen < _DIRENT_MINSIZE(dp) ||
+reclen > len) {
 	error = EINVAL;
 	goto out;
 }
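Review bot: `dp->d_reclen` is read before anything checks that the remaining `len` covers the fixed part of a `struct dirent`. The new `reclen > len` test rejects a record that claims to extend past the buffer, but if `len` is the count of valid bytes left (its definition is outside the hunk), a trailing fragment shorter than the header is still read first. A guard ahead of the `reclen` assignment, such as `if (len < offsetof(struct dirent, d_name)) { error = EINVAL; goto out; }`, would cover that case. The types of `reclen` and `len` are not visible either, so the new comparison should be checked for mixed signedness.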



CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 14:52:43 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: kern_malloc.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1465):
sys/kern/kern_malloc.c: revision 1.146
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.138.8.1 src/sys/kern/kern_malloc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.138 src/sys/kern/kern_malloc.c:1.138.8.1
--- src/sys/kern/kern_malloc.c:1.138	Mon Feb  6 12:13:44 2012
+++ src/sys/kern/kern_malloc.c	Fri Aug 18 14:52:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $	*/
+/*	$NetBSD: kern_malloc.c,v 1.138.8.1 2017/08/18 14:52:43 snj Exp $	*/
 
 /*
  * Copyright (c) 1987, 1991, 1993
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138.8.1 2017/08/18 14:52:43 snj Exp $");
 
 #include 
 #include 
@@ -113,7 +113,10 @@ kern_malloc(unsigned long size, struct m
 	void *p;
 
 	if (size >= PAGE_SIZE) {
-		allocsize = PAGE_SIZE + size; /* for page alignment */
+		if (size > (ULONG_MAX-PAGE_SIZE))
+			allocsize = ULONG_MAX;	/* this will fail later */
+		else
+			allocsize = PAGE_SIZE + size; /* for page alignment */
 		hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
 	} else {
 		allocsize = sizeof(struct malloc_header) + size;
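Review bot: Using `ULONG_MAX` as the "this will fail later" sentinel depends on every later step treating it as too large, and a value at the top of the type wraps to a small number as soon as anything rounds it up or adds to it. The code that consumes `allocsize` is outside the hunk, so whether such rounding happens cannot be seen here; at minimum the comment should name the call that is expected to reject the request. Where the caller passed a no-wait flag and already handles a NULL result, failing directly is easier to reason about, e.g. `if (size > (ULONG_MAX-PAGE_SIZE)) return NULL;`.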



CVS commit: [netbsd-6-1] src/sys/kern

2017-07-06 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul  6 15:19:01 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: subr_xcall.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1419):
sys/kern/subr_xcall.c: revision 1.19
Fix a race condition of low priority xcall
xc_lowpri and xc_thread are racy and xc_wait may return during/before
executing all xcall callbacks, resulting in a kernel panic at worst.
xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall
callbacks are done, xc_wait returns and also xc_lowpri accepts a next job.
The problem is that a counter that counts the number of finished xcall
callbacks is incremented *before* actually executing a xcall callback
(see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before
all xcall callbacks complete and a next job begins to run its xcall callbacks.
Even worse, the counter is global and shared between jobs, so if a xcall
callback of the next job completes, the shared counter is incremented,
which makes xc_wait of the previous job believe that all xcall callbacks of
the previous job are done, and xc_wait of the previous job returns
during/before executing its xcall callbacks.
How to fix: there are actually two counters that count the number of finished
xcall callbacks for low priority xcall for historical reasons (I guess):
xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly
while xc_tailp is incremented wrongly, i.e., before executing a xcall callback.
We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep.
PR kern/51632


To generate a diff of this commit:
cvs rdiff -u -r1.13.10.1 -r1.13.10.1.2.1 src/sys/kern/subr_xcall.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_xcall.c
diff -u src/sys/kern/subr_xcall.c:1.13.10.1 src/sys/kern/subr_xcall.c:1.13.10.1.2.1
--- src/sys/kern/subr_xcall.c:1.13.10.1	Sat Apr 20 10:05:22 2013
+++ src/sys/kern/subr_xcall.c	Thu Jul  6 15:19:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $	*/
+/*	$NetBSD: subr_xcall.c,v 1.13.10.1.2.1 2017/07/06 15:19:01 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007-2010 The NetBSD Foundation, Inc.
@@ -74,7 +74,7 @@
  */
  
 #include 
-__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.1.2.1 2017/07/06 15:19:01 snj Exp $");
 
 #include 
 #include 
@@ -101,7 +101,6 @@ typedef struct {
 
 /* Low priority xcall structures. */
 static xc_state_t	xc_low_pri	__cacheline_aligned;
-static uint64_t		xc_tailp	__cacheline_aligned;
 
 /* High priority xcall structures. */
 static xc_state_t	xc_high_pri	__cacheline_aligned;
@@ -131,7 +130,6 @@ xc_init(void)
 	memset(xclo, 0, sizeof(xc_state_t));
 	mutex_init(&xclo->xc_lock, MUTEX_DEFAULT, IPL_NONE);
 	cv_init(&xclo->xc_busy, "xclocv");
-	xc_tailp = 0;
 
 	memset(xchi, 0, sizeof(xc_state_t));
 	mutex_init(&xchi->xc_lock, MUTEX_DEFAULT, IPL_SOFTCLOCK);
@@ -253,7 +251,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
 	uint64_t where;
 
 	mutex_enter(&xc->xc_lock);
-	while (xc->xc_headp != xc_tailp) {
+	while (xc->xc_headp != xc->xc_donep) {
 		cv_wait(&xc->xc_busy, &xc->xc_lock);
 	}
 	xc->xc_arg1 = arg1;
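Review bot: The wait condition in `xc_lowpri` now depends on `xc->xc_donep` being advanced only after a callback has returned, presumably under `xc->xc_lock`, and nothing in the changed lines records that. The increment itself is outside these hunks, so a comment at the loop would capture the invariant the fix relies on, e.g. `/* xc_donep counts callbacks that have finished; equality means the previous job is complete on every CPU */`. The same reasoning applies to the `KASSERT` in the next hunk and to the `cv_broadcast` test in `xc_thread`.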
@@ -274,7 +272,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
 		ci->ci_data.cpu_xcall_pending = true;
 		cv_signal(&ci->ci_data.cpu_xcall);
 	}
-	KASSERT(xc_tailp < xc->xc_headp);
+	KASSERT(xc->xc_donep < xc->xc_headp);
 	where = xc->xc_headp;
 	mutex_exit(&xc->xc_lock);
 
@@ -299,7 +297,7 @@ xc_thread(void *cookie)
 	mutex_enter(&xc->xc_lock);
 	for (;;) {
 		while (!ci->ci_data.cpu_xcall_pending) {
-			if (xc->xc_headp == xc_tailp) {
+			if (xc->xc_headp == xc->xc_donep) {
 cv_broadcast(&xc->xc_busy);
 			}
 			cv_wait(&ci->ci_data.cpu_xcall, &xc->xc_lock);
@@ -309,7 +307,6 @@ xc_thread(void *cookie)
 		func = xc->xc_func;
 		arg1 = xc->xc_arg1;
 		arg2 = xc->xc_arg2;
-		xc_tailp++;
 		mutex_exit(&xc->xc_lock);
 
 		KASSERT(func != NULL);



CVS commit: [netbsd-6-1] src/sys/kern

2016-11-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Nov 11 07:07:08 UTC 2016

Modified Files:
src/sys/kern [netbsd-6-1]: uipc_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1415):
sys/kern/uipc_usrreq.c: revision 1.181
Memory leak, found by Mootja. It is easily triggerable from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.136.8.3 -r1.136.8.3.2.1 src/sys/kern/uipc_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_usrreq.c
diff -u src/sys/kern/uipc_usrreq.c:1.136.8.3 src/sys/kern/uipc_usrreq.c:1.136.8.3.2.1
--- src/sys/kern/uipc_usrreq.c:1.136.8.3	Mon Feb 18 22:00:49 2013
+++ src/sys/kern/uipc_usrreq.c	Fri Nov 11 07:07:08 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $	*/
+/*	$NetBSD: uipc_usrreq.c,v 1.136.8.3.2.1 2016/11/11 07:07:08 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2004, 2008, 2009 The NetBSD Foundation, Inc.
@@ -96,7 +96,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.3.2.1 2016/11/11 07:07:08 snj Exp $");
 
 #include 
 #include 
@@ -1014,11 +1014,11 @@ unp_connect(struct socket *so, struct mb
 		goto bad2;
 	}
 	vp = nd.ni_vp;
+	pathbuf_destroy(pb);
 	if (vp->v_type != VSOCK) {
 		error = ENOTSOCK;
 		goto bad;
 	}
-	pathbuf_destroy(pb);
 	if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0)
 		goto bad;
 	/* Acquire v_interlock to protect against unp_detach(). */
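Review bot: The `goto bad2` at the top of this hunk leaves before the relocated `pathbuf_destroy(pb)`, so that path releases `pb` only if it does so before the jump or at the `bad2` label, neither of which is visible here. It is worth confirming, since it would be the same leak the commit fixes for the `ENOTSOCK` case. After the move `pb` is a dangling pointer for the rest of the function; the `bad` label is outside the hunk and should not touch it.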



CVS commit: [netbsd-6-1] src/sys/kern

2016-07-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul 14 06:44:50 UTC 2016

Modified Files:
src/sys/kern [netbsd-6-1]: kern_softint.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1356):
sys/kern/kern_softint.c: revision 1.42
fix the following softint parallel operation problem.
(0) softint handler "handler A" is established
(1) CPU#X does softint_schedule() for "handler A"
- the softhand_t is set SOFTINT_PENDING flag
- the softhand_t is NOT set SOFTINT_ACTIVE flag yet
(2) CPU#X begins other H/W interrupt processing
(3) CPU#Y does softint_disestablish() for "handler A"
- waits until softhand_t's SOFTINT_ACTIVE of all CPUs is clear
- the softhand_t is set not SOFTINT_ACTIVE but SOFTINT_PENDING,
  so CPU#Y does not wait
- unset the function of "handler A"
(4) CPU#X does softint_execute()
- the function of "handler A" is already clear, so panic


To generate a diff of this commit:
cvs rdiff -u -r1.38.8.1 -r1.38.8.1.2.1 src/sys/kern/kern_softint.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_softint.c
diff -u src/sys/kern/kern_softint.c:1.38.8.1 src/sys/kern/kern_softint.c:1.38.8.1.2.1
--- src/sys/kern/kern_softint.c:1.38.8.1	Fri Feb  8 19:32:07 2013
+++ src/sys/kern/kern_softint.c	Thu Jul 14 06:44:50 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_softint.c,v 1.38.8.1 2013/02/08 19:32:07 riz Exp $	*/
+/*	$NetBSD: kern_softint.c,v 1.38.8.1.2.1 2016/07/14 06:44:50 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007, 2008 The NetBSD Foundation, Inc.
@@ -176,7 +176,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.8.1 2013/02/08 19:32:07 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.8.1.2.1 2016/07/14 06:44:50 snj Exp $");
 
 #include 
 #include 
@@ -424,8 +424,8 @@ softint_disestablish(void *arg)
 			KASSERT(sh->sh_func != NULL);
 			flags |= sh->sh_flags;
 		}
-		/* Inactive on all CPUs? */
-		if ((flags & SOFTINT_ACTIVE) == 0) {
+		/* Neither pending nor active on all CPUs? */
+		if ((flags & (SOFTINT_PENDING | SOFTINT_ACTIVE)) == 0) {
 			break;
 		}
 		/* Oops, still active.  Wait for it to clear. */
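Review bot: The context comment `/* Oops, still active.  Wait for it to clear. */` just below the changed test is now incomplete, because the loop also waits when only `SOFTINT_PENDING` is set. Updating it to `/* Still pending or active.  Wait for it to clear. */` keeps it in step with the new condition. The wait itself and the code that clears `SOFTINT_PENDING` are outside the hunk; if a pending handler can only clear the flag by running on its own CPU, the comment should say that the wait relies on that CPU making progress.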



CVS commit: [netbsd-6-1] src/sys/kern

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:44:13 UTC 2015

Modified Files:
src/sys/kern [netbsd-6-1]: kern_exit.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1336):
sys/kern/kern_exit.c: revision 1.248
Update value of p_stat before we release the proc_lock.  Thanks to
Robert Elz.
XXX Pull-ups for -7, -6{,-0,-1} and -5{,-0,-1,-2}


To generate a diff of this commit:
cvs rdiff -u -r1.236.2.2.4.1 -r1.236.2.2.4.2 src/sys/kern/kern_exit.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_exit.c
diff -u src/sys/kern/kern_exit.c:1.236.2.2.4.1 src/sys/kern/kern_exit.c:1.236.2.2.4.2
--- src/sys/kern/kern_exit.c:1.236.2.2.4.1	Sun Nov 15 20:38:18 2015
+++ src/sys/kern/kern_exit.c	Sun Nov 15 20:44:13 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exit.c,v 1.236.2.2.4.1 2015/11/15 20:38:18 bouyer Exp $	*/
+/*	$NetBSD: kern_exit.c,v 1.236.2.2.4.2 2015/11/15 20:44:13 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1998, 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.4.1 2015/11/15 20:38:18 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.4.2 2015/11/15 20:44:13 bouyer Exp $");
 
 #include "opt_ktrace.h"
 #include "opt_perfctrs.h"
@@ -248,8 +248,8 @@ exit1(struct lwp *l, int rv)
 		}
 		p->p_waited = 0;
 		p->p_pptr->p_nstopchild++;
-		mutex_exit(proc_lock);
 		p->p_stat = SSTOP;
+		mutex_exit(proc_lock);
 		lwp_lock(l);
 		p->p_nrlwps--;
 		l->l_stat = LSSTOP;



CVS commit: [netbsd-6-1] src/sys/kern

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:40:31 UTC 2015

Modified Files:
src/sys/kern [netbsd-6-1]: kern_sig.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1334):
sys/kern/kern_sig.c: revision 1.321
When delivering a signal, it's possible that the process's state in
p_stat is SACTIVE yet p_sflag is PS_STOPPING (while waiting for other
lwp's to stop).  In that case, we don't want to adjust the parent's
p_nstopchild count.
Found by Robert Elz.
XXX Pullups to: NetBSD-7, -6{,-0,-1}, and -5{,-0,-1,-2}


To generate a diff of this commit:
cvs rdiff -u -r1.316 -r1.316.14.1 src/sys/kern/kern_sig.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_sig.c
diff -u src/sys/kern/kern_sig.c:1.316 src/sys/kern/kern_sig.c:1.316.14.1
--- src/sys/kern/kern_sig.c:1.316	Fri Sep 16 22:07:17 2011
+++ src/sys/kern/kern_sig.c	Sun Nov 15 20:40:31 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $	*/
+/*	$NetBSD: kern_sig.c,v 1.316.14.1 2015/11/15 20:40:31 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316.14.1 2015/11/15 20:40:31 bouyer Exp $");
 
 #include "opt_ptrace.h"
 #include "opt_compat_sunos.h"
@@ -1461,14 +1461,13 @@ kpsignal2(struct proc *p, ksiginfo_t *ks
 		}
 		if ((prop & SA_CONT) != 0 || signo == SIGKILL) {
 			/*
-			 * Re-adjust p_nstopchild if the process wasn't
-			 * collected by its parent.
+			 * Re-adjust p_nstopchild if the process was
+			 * stopped but not yet collected by its parent.
 			 */
+			if (p->p_stat == SSTOP && !p->p_waited)
+p->p_pptr->p_nstopchild--;
 			p->p_stat = SACTIVE;
 			p->p_sflag &= ~PS_STOPPING;
-			if (!p->p_waited) {
-p->p_pptr->p_nstopchild--;
-			}
 			if (p->p_slflag & PSL_TRACED) {
 KASSERT(signo == SIGKILL);
 goto deliver;
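Review bot: The decrement `p->p_pptr->p_nstopchild--` has no check that the counter is non-zero, although the fix exists because the counter and `p_stat`/`p_waited` could disagree. Adding `KASSERT(p->p_pptr->p_nstopchild > 0);` inside the new `if` would catch any remaining accounting mismatch in DIAGNOSTIC kernels instead of letting the counter wrap or go negative (its type is not visible here). The rewritten `if` also drops the braces the removed version had; keeping them makes it harder to attach a second statement by mistake.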



CVS commit: [netbsd-6-1] src/sys/kern

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:38:18 UTC 2015

Modified Files:
src/sys/kern [netbsd-6-1]: kern_exec.c kern_exit.c kern_synch.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1333):
sys/kern/kern_exec.c: revision 1.420
sys/kern/kern_synch.c: revision 1.309
sys/kern/kern_exit.c: revision 1.246
sys/kern/kern_exit.c: revision 1.247
sys/kern/kern_exec.c: revision 1.419
In execve_runproc(), update the p_waited entry for the process being
moved to SSTOP state, not for its parent.  (It is correct to update
the parent's p_nstopchild count.)  If the value is not already zero,
it could prevent its parent from waiting for the process.
Fixes PR kern/50298
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
When clearing out the scheduler queues during system shutdown, we move
all processes to the SSTOP state.  Make sure we update each process's
p_waited and the parents' p_nstopchild counters to maintain consistent
values.  Should not make any real difference this late in the shutdown
process, but we should still be consistent just in case.
Fixes PR kern/50318
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
Currently, if a process is exiting and its parent has indicated no intent
of reaping the process (nor any other children), the process will get
reparented to init.  Since the state of the exiting process at this point
is SDEAD, proc_reparent() will not update either the old or new parent's
p_nstopchild counters.
This change causes both old and new parents to be properly updated.
Fixes PR kern/50300
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
For processes marked with PS_STOPEXIT, update the process's p_waited
value, and update its parent's p_nstopchild value when marking the
process's p_stat to SSTOP.  The process needed to be SACTIVE to get
here, so this transition represents an additional process for which
the parent needs to wait.
Fixes PR kern/50308
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
In spawn_return() we temporarily move the process state to SSTOP, but
without updating its p_waited value or its parent's p_nstopchild
counter.  Later, we restore the original state, again without any
adjustment of the related values.  This leaves a relatively short
window when the values are inconsistent and could interfere with the
proper operation of sys_wait() for the parent (if it manages to be
scheduled;  it's not totally clear what, if anything, prevents
scheduling/execution of the parent).
If during this window, any of the checks being made result in an
error, we call exit1() which will eventually migrate the process's
state to SDEAD (with an intermediate transition to SDYING).  At
this point the other variables get updated, and we finally restore
a consistent state.
This change updates the p_waited and parent's p_nstopchild at each
step to eliminate any windows during which the values could lead to
incorrect decisions.
Fixes PR kern/50330
Pullups will be requested for NetBSD-7, -6, -6-0, and -6-1


To generate a diff of this commit:
cvs rdiff -u -r1.339.2.6.2.2 -r1.339.2.6.2.3 src/sys/kern/kern_exec.c
cvs rdiff -u -r1.236.2.2 -r1.236.2.2.4.1 src/sys/kern/kern_exit.c
cvs rdiff -u -r1.297.2.1 -r1.297.2.1.6.1 src/sys/kern/kern_synch.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.339.2.6.2.2 src/sys/kern/kern_exec.c:1.339.2.6.2.3
--- src/sys/kern/kern_exec.c:1.339.2.6.2.2	Mon Apr 21 10:00:33 2014
+++ src/sys/kern/kern_exec.c	Sun Nov 15 20:38:17 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exec.c,v 1.339.2.6.2.2 2014/04/21 10:00:33 bouyer Exp $	*/
+/*	$NetBSD: kern_exec.c,v 1.339.2.6.2.3 2015/11/15 20:38:17 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.6.2.2 2014/04/21 10:00:33 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.6.2.3 2015/11/15 20:38:17 bouyer Exp $");
 
 #include "opt_exec.h"
 #include "opt_ktrace.h"
@@ -1408,7 +1408,7 @@ execve_runproc(struct lwp *l, struct exe
 	if (p->p_sflag & PS_STOPEXEC) {
 		KERNEL_UNLOCK_ALL(l, &l->l_biglocks);
 		p->p_pptr->p_nstopchild++;
-		p->p_pptr->p_waited = 0;
+		p->p_waited = 0;
 		mutex_enter(p->p_lock);
 		ksiginfo_queue_init(&kq);
 		sigclearall(p, &contsigmask, &kq);
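Review bot: `p->p_pptr->p_nstopchild++` and `p->p_waited = 0` are written right after `KERNEL_UNLOCK_ALL()` and before `mutex_enter(p->p_lock)`, and the hunk does not show which lock covers them. If `proc_lock` is meant to be held at this point (any acquisition is outside the hunk), `KASSERT(mutex_owned(proc_lock));` ahead of the two updates would document and enforce that. Without a held lock the parent's counter could change while the parent is inspecting it in its wait path.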
@@ -1845,6 +1845,7 @@ spawn_return(void *arg)
 	struct spawn_exec_data *spawn_data = arg;
 	struct lwp *l = curlwp;
 	int error, newfd;
+	int ostat;
 	size_t i;
 	const struct posix_spawn_file_actions_entry *fae;
 	pid_t ppid;
@@ -1917,7 +1918,6 @@ spawn_return(void *arg)
 
 	/* handle posix_spawnattr */
 	if (spawn_data->sed_attrs != NULL) {
-	

CVS commit: [netbsd-6-1] src/sys/kern

2014-11-03 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Mon Nov  3 15:30:10 UTC 2014

Modified Files:
src/sys/kern [netbsd-6-1]: kern_rndpool.c kern_rndq.c

Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1118):
sys/kern/kern_rndq.c: revision 1.27
sys/kern/kern_rndpool.c: revision 1.7
buf is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndq.c.
done is not guaranteed to be aligned; don't *(uint32_t *) it in kern_rndq.c.


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.1 -r1.1.2.1.6.1 src/sys/kern/kern_rndpool.c
cvs rdiff -u -r1.1.2.5 -r1.1.2.5.2.1 src/sys/kern/kern_rndq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_rndpool.c
diff -u src/sys/kern/kern_rndpool.c:1.1.2.1 src/sys/kern/kern_rndpool.c:1.1.2.1.6.1
--- src/sys/kern/kern_rndpool.c:1.1.2.1	Fri Apr 20 23:35:20 2012
+++ src/sys/kern/kern_rndpool.c	Mon Nov  3 15:30:10 2014
@@ -1,4 +1,4 @@
-/*  $NetBSD: kern_rndpool.c,v 1.1.2.1 2012/04/20 23:35:20 riz Exp $*/
+/*  $NetBSD: kern_rndpool.c,v 1.1.2.1.6.1 2014/11/03 15:30:10 msaitoh Exp $*/
 
 /*-
  * Copyright (c) 1997 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_rndpool.c,v 1.1.2.1 2012/04/20 23:35:20 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_rndpool.c,v 1.1.2.1.6.1 2014/11/03 15:30:10 msaitoh Exp $");
 
 #include 
 #include 
@@ -191,8 +191,7 @@ rndpool_add_data(rndpool_t *rp, void *p,
 	buf = p;
 
 	for (; len > 3; len -= 4) {
-		val = *((u_int32_t *)buf);
-
+		(void)memcpy(&val, buf, 4);
 		rndpool_add_one_word(rp, val);
 		buf += 4;
 	}
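Review bot: The copy size is the literal `4` while the destination is `val`, so the two are tied together only by convention; `(void)memcpy(&val, buf, sizeof(val));` makes the bound follow the variable's type. The same applies in `rnd_add_data_ts` in kern_rndq.c, where `todo` is computed with `sizeof(dint)` but the copy uses `&p[done*4]` and `4`; `(void)memcpy(&dint, &p[done * sizeof(dint)], sizeof(dint));` keeps them consistent. Both functions continue outside their hunks, so how a trailing one to three bytes of input is handled is not visible here.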

Index: src/sys/kern/kern_rndq.c
diff -u src/sys/kern/kern_rndq.c:1.1.2.5 src/sys/kern/kern_rndq.c:1.1.2.5.2.1
--- src/sys/kern/kern_rndq.c:1.1.2.5	Fri Feb  8 20:28:07 2013
+++ src/sys/kern/kern_rndq.c	Mon Nov  3 15:30:10 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_rndq.c,v 1.1.2.5 2013/02/08 20:28:07 riz Exp $	*/
+/*	$NetBSD: kern_rndq.c,v 1.1.2.5.2.1 2014/11/03 15:30:10 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 1997-2011 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_rndq.c,v 1.1.2.5 2013/02/08 20:28:07 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_rndq.c,v 1.1.2.5.2.1 2014/11/03 15:30:10 msaitoh Exp $");
 
 #include 
 #include 
@@ -663,7 +663,8 @@ rnd_add_data_ts(krndsource_t *rs, const 
 		u_int32_t entropy, uint32_t ts)
 {
 	rnd_sample_t *state = NULL;
-	const uint32_t *dint = data;
+	const uint8_t *p = data;
+	uint32_t dint;
 	int todo, done, filled = 0;
 	SIMPLEQ_HEAD(, _rnd_sample_t) tmp_samples =
 			SIMPLEQ_HEAD_INITIALIZER(tmp_samples);
@@ -676,7 +677,7 @@ rnd_add_data_ts(krndsource_t *rs, const 
 	 * Loop over data packaging it into sample buffers.
 	 * If a sample buffer allocation fails, drop all data.
 	 */
-	todo = len / sizeof(*dint);
+	todo = len / sizeof(dint);
 	for (done = 0; done < todo ; done++) {
 		state = rs->state;
 		if (state == NULL) {
@@ -688,7 +689,8 @@ rnd_add_data_ts(krndsource_t *rs, const 
 		}
 
 		state->ts[state->cursor] = ts;
-		state->values[state->cursor] = dint[done];
+		(void)memcpy(&dint, &p[done*4], 4);
+		state->values[state->cursor] = dint;
 		state->cursor++;
 
 		if (state->cursor == RND_SAMPLE_COUNT) {



CVS commit: [netbsd-6-1] src/sys/kern

2014-07-13 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Mon Jul 14 06:33:33 UTC 2014

Modified Files:
src/sys/kern [netbsd-6-1]: sys_module.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1098):
sys/kern/sys_module.c: revision 1.15
Fix a user-controlled memory allocation. kmem_alloc(0) will panic the system.
ok christos@


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.13.14.1 src/sys/kern/sys_module.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/sys_module.c
diff -u src/sys/kern/sys_module.c:1.13 src/sys/kern/sys_module.c:1.13.14.1
--- src/sys/kern/sys_module.c:1.13	Fri Jul  8 09:32:45 2011
+++ src/sys/kern/sys_module.c	Mon Jul 14 06:33:32 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_module.c,v 1.13 2011/07/08 09:32:45 mrg Exp $	*/
+/*	$NetBSD: sys_module.c,v 1.13.14.1 2014/07/14 06:33:32 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sys_module.c,v 1.13 2011/07/08 09:32:45 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_module.c,v 1.13.14.1 2014/07/14 06:33:32 msaitoh Exp $");
 
 #include 
 #include 
@@ -43,6 +43,11 @@ __KERNEL_RCSID(0, "$NetBSD: sys_module.c
 #include 
 #include 
 
+/*
+ * Arbitrary limit to avoid DoS for excessive memory allocation.
+ */
+#define MAXPROPSLEN	4096
+
 static int
 handle_modctl_load(modctl_load_t *ml)
 {
@@ -64,7 +69,12 @@ handle_modctl_load(modctl_load_t *ml)
 		goto out2;
 
 	if (ml->ml_props != NULL) {
+		if (ml->ml_propslen > MAXPROPSLEN) {
+			error = ENOMEM;
+			goto out2;
+		}
 		propslen = ml->ml_propslen + 1;
+
 		props = (char *)kmem_alloc(propslen, KM_SLEEP);
 		if (props == NULL) {
 			error = ENOMEM;
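Review bot: The new bound also keeps `ml->ml_propslen + 1` from wrapping to zero, which is presumably how the zero-size allocation named in the log message arises, but the comment on `MAXPROPSLEN` mentions only excessive allocation. A line at the check such as `/* also keeps ml_propslen + 1 from wrapping to 0 */` would record that. Returning `ENOMEM` for an over-long user-supplied length reads like a transient condition; `E2BIG` or `EINVAL` would tell the caller the request itself is at fault, if changing the errno is acceptable for existing callers.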



CVS commit: [netbsd-6-1] src/sys/kern

2014-07-13 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Mon Jul 14 06:24:17 UTC 2014

Modified Files:
src/sys/kern [netbsd-6-1]: kern_core.c

Log Message:
Pull up following revision(s) (requested by maxt in ticket #1097):
sys/kern/kern_core.c: revision 1.23
Fix a read-beyond-end string read.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.22.1 src/sys/kern/kern_core.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_core.c
diff -u src/sys/kern/kern_core.c:1.20 src/sys/kern/kern_core.c:1.20.22.1
--- src/sys/kern/kern_core.c:1.20	Sat Sep 24 22:53:50 2011
+++ src/sys/kern/kern_core.c	Mon Jul 14 06:24:17 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_core.c,v 1.20 2011/09/24 22:53:50 christos Exp $	*/
+/*	$NetBSD: kern_core.c,v 1.20.22.1 2014/07/14 06:24:17 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1991, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_core.c,v 1.20 2011/09/24 22:53:50 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_core.c,v 1.20.22.1 2014/07/14 06:24:17 msaitoh Exp $");
 
 #include 
 #include 
@@ -155,6 +155,12 @@ coredump(struct lwp *l, const char *patt
 	error = coredump_buildname(p, name, pattern, MAXPATHLEN);
 	mutex_exit(&lim->pl_lock);
 
+	if (error) {
+		mutex_exit(p->p_lock);
+		mutex_exit(proc_lock);
+		goto done;
+	}
+
 	/*
 	 * On a simple filename, see if the filesystem allow us to write
 	 * core dumps there.
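Review bot: The added early exit after `coredump_buildname()` carries no comment, and the reason for stopping here is not obvious from the code alone. Going by the log message, the code further down reads `name` as a string, which presumably is not safe when building it failed; a line such as `/* name is not a valid string on failure; do not scan it below */` would keep the check from being dropped in a later cleanup. The block releases `p->p_lock` and `proc_lock` by hand before `goto done`, so it depends on the `done` label not releasing them again; that label is outside the hunk and should be checked against this path.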



CVS commit: [netbsd-6-1] src/sys/kern

2014-04-21 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Mon Apr 21 10:00:33 UTC 2014

Modified Files:
src/sys/kern [netbsd-6-1]: kern_exec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1048):
sys/kern/kern_exec.c: revision 1.403
'error' is not set on failure. This is a true bug: everything is freed
and unlocked while zero is returned. Since there's no error, execve_runproc()
will get called and will try to use those freed things.


To generate a diff of this commit:
cvs rdiff -u -r1.339.2.6.2.1 -r1.339.2.6.2.2 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.339.2.6.2.1 src/sys/kern/kern_exec.c:1.339.2.6.2.2
--- src/sys/kern/kern_exec.c:1.339.2.6.2.1	Mon Feb  3 11:57:24 2014
+++ src/sys/kern/kern_exec.c	Mon Apr 21 10:00:33 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exec.c,v 1.339.2.6.2.1 2014/02/03 11:57:24 sborrill Exp $	*/
+/*	$NetBSD: kern_exec.c,v 1.339.2.6.2.2 2014/04/21 10:00:33 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.6.2.1 2014/02/03 11:57:24 sborrill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.6.2.2 2014/04/21 10:00:33 bouyer Exp $");
 
 #include "opt_exec.h"
 #include "opt_ktrace.h"
@@ -820,6 +820,7 @@ execve_loadvm(struct lwp *l, const char 
 	if (len > data->ed_pack.ep_ssize) {
 		/* in effect, compare to initial limit */
 		DPRINTF(("%s: stack limit exceeded %zu\n", __func__, len));
+		error = ENOMEM;
 		goto bad;
 	}
 	/* adjust "active stack depth" for process VSZ */
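Review bot: Setting `error = ENOMEM` repairs this one `goto bad`, but nothing in the hunk guards against the same omission on another failure path of `execve_loadvm`. The `bad` label is outside the hunk; if several paths share it, a `KASSERT(error != 0);` at the label would turn a forgotten assignment into an assertion failure on diagnostic kernels instead of a zero return that lets the caller continue with freed state, which is the failure the log message describes. A short comment at the label stating that every jump must set `error` first would help as well.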



CVS commit: [netbsd-6-1] src/sys/kern

2014-03-18 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Tue Mar 18 09:21:51 UTC 2014

Modified Files:
src/sys/kern [netbsd-6-1]: kern_verifiedexec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1034):
sys/kern/kern_verifiedexec.c: revision 1.132
Reorder code to avoid use-after-free on error. From Maxime Villard


To generate a diff of this commit:
cvs rdiff -u -r1.128 -r1.128.10.1 src/sys/kern/kern_verifiedexec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_verifiedexec.c
diff -u src/sys/kern/kern_verifiedexec.c:1.128 src/sys/kern/kern_verifiedexec.c:1.128.10.1
--- src/sys/kern/kern_verifiedexec.c:1.128	Sun Nov 20 10:32:33 2011
+++ src/sys/kern/kern_verifiedexec.c	Tue Mar 18 09:21:51 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_verifiedexec.c,v 1.128 2011/11/20 10:32:33 hannken Exp $	*/
+/*	$NetBSD: kern_verifiedexec.c,v 1.128.10.1 2014/03/18 09:21:51 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat 
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.128 2011/11/20 10:32:33 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.128.10.1 2014/03/18 09:21:51 msaitoh Exp $");
 
 #include "opt_veriexec.h"
 
@@ -1281,18 +1281,6 @@ veriexec_file_add(struct lwp *l, prop_di
 	vfe->npages = 0;
 	vfe->last_page_size = 0;
 
-	vte = veriexec_table_lookup(vp->v_mount);
-	if (vte == NULL)
-		vte = veriexec_table_add(l, vp->v_mount);
-
-	/* XXX if we bail below this, we might want to gc newly created vtes. */
-
-	error = fileassoc_add(vp, veriexec_hook, vfe);
-	if (error)
-		goto unlock_out;
-
-	vte->vte_count++;
-
 	if (prop_bool_true(prop_dictionary_get(dict, "eval-on-load")) ||
 	(vfe->type & VERIEXEC_UNTRUSTED)) {
 		u_char *digest;
@@ -1314,6 +1302,18 @@ veriexec_file_add(struct lwp *l, prop_di
 		kmem_free(digest, vfe->ops->hash_len);
 	}
 
+	vte = veriexec_table_lookup(vp->v_mount);
+	if (vte == NULL)
+		vte = veriexec_table_add(l, vp->v_mount);
+
+	/* XXX if we bail below this, we might want to gc newly created vtes. */
+
+	error = fileassoc_add(vp, veriexec_hook, vfe);
+	if (error)
+		goto unlock_out;
+
+	vte->vte_count++;
+
 	veriexec_file_report(NULL, "New entry.", file, NULL, REPORT_DEBUG);
 	veriexec_bypass = 0;
 
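Review bot: The `XXX` comment was moved together with the block and no longer matches its new position: after the reorder the only failure visible below it is `fileassoc_add()`. It could be made specific, for example `/* XXX if fileassoc_add() fails, a vte created just above may be left behind empty. */`. The result of `veriexec_table_add()` is also dereferenced in `vte->vte_count++` without a check; whether it can return NULL is not visible here and should be confirmed. `veriexec_file_add` begins and ends outside the hunk.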



CVS commit: [netbsd-6-1] src/sys/kern

2014-02-14 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Fri Feb 14 23:21:25 UTC 2014

Modified Files:
src/sys/kern [netbsd-6-1]: exec_elf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1028):
sys/kern/exec_elf.c: revision 1.55
Fix memory leak.
ok christos@ agc@


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.1 -r1.37.2.1.6.1 src/sys/kern/exec_elf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/exec_elf.c
diff -u src/sys/kern/exec_elf.c:1.37.2.1 src/sys/kern/exec_elf.c:1.37.2.1.6.1
--- src/sys/kern/exec_elf.c:1.37.2.1	Thu Apr 12 17:05:36 2012
+++ src/sys/kern/exec_elf.c	Fri Feb 14 23:21:25 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: exec_elf.c,v 1.37.2.1 2012/04/12 17:05:36 riz Exp $	*/
+/*	$NetBSD: exec_elf.c,v 1.37.2.1.6.1 2014/02/14 23:21:25 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
  */
 
 #include 
-__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.37.2.1 2012/04/12 17:05:36 riz Exp $");
+__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.37.2.1.6.1 2014/02/14 23:21:25 bouyer Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_pax.h"
@@ -820,6 +820,7 @@ exec_elf_makecmds(struct lwp *l, struct 
 
 		if ((error = elf_load_file(l, epp, interp,
 		&epp->ep_vmcmds, &interp_offset, ap, &pos)) != 0) {
+			kmem_free(ap, sizeof(*ap));
 			goto bad;
 		}
 		ap->arg_interp = epp->ep_vmcmds.evs_cmds[j].ev_addr;
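Review bot: The leak fix frees `ap` inline on this single failure path and leaves the pointer dangling on the way to `bad`. If other exits between the allocation of `ap` and the point where ownership is handed off also jump to `bad` (neither is visible in this hunk), each of them needs the same line, and a later change at the label that touches `ap` would become a use-after-free. A comment at the allocation stating who owns `ap` until when, or a single free under the label guarded by `ap != NULL`, would make the ownership rule harder to miss.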



CVS commit: [netbsd-6-1] src/sys/kern

2013-12-14 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Dec 14 19:36:58 UTC 2013

Modified Files:
src/sys/kern [netbsd-6-1]: uipc_syscalls.c

Log Message:
Pull up following revision(s) (requested by spz in ticket #996):
sys/kern/uipc_syscalls.c: revision 1.163
PR/47591: Michael Plass: If the unix socket is closed before accept,
unp->unp_conn will be NULL in PRU_ACCEPT, as called from
sys_accept->so_accept. This will cause the usrreq to return with
no error, leaving the mbuf gotten from m_get() with an uninitialized
length, containing junk from a previous call. Initialize m_len to
be 0 to handle this case. This is yet another reason why Beverly's
idea of setting m_len = 0 in m_get() makes a lot of sense. Arguably
this could be an error, since the data we return now has 0 family
and length.


To generate a diff of this commit:
cvs rdiff -u -r1.154.2.4 -r1.154.2.4.2.1 src/sys/kern/uipc_syscalls.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_syscalls.c
diff -u src/sys/kern/uipc_syscalls.c:1.154.2.4 src/sys/kern/uipc_syscalls.c:1.154.2.4.2.1
--- src/sys/kern/uipc_syscalls.c:1.154.2.4	Mon Feb 18 22:00:49 2013
+++ src/sys/kern/uipc_syscalls.c	Sat Dec 14 19:36:58 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_syscalls.c,v 1.154.2.4 2013/02/18 22:00:49 riz Exp $	*/
+/*	$NetBSD: uipc_syscalls.c,v 1.154.2.4.2.1 2013/12/14 19:36:58 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.154.2.4 2013/02/18 22:00:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.154.2.4.2.1 2013/12/14 19:36:58 bouyer Exp $");
 
 #include "opt_pipe.h"
 
@@ -184,6 +184,7 @@ do_sys_accept(struct lwp *l, int sock, s
 		return (error);
 	}
 	nam = m_get(M_WAIT, MT_SONAME);
+	nam->m_len = 0;
 	*new_sock = fd;
 	so = fp->f_data;
 	solock(so);
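Review bot: The new `nam->m_len = 0;` has no comment, and without the log message it reads as redundant initialisation that someone may remove. The reason belongs next to the line, for example `/* PRU_ACCEPT can return success without filling nam (peer already closed); never use a stale m_len */`. According to the log message the stale length came with junk from an earlier use of the mbuf, so this assignment is presumably what keeps old kernel data from being handed back as the peer address. The result of `m_get(M_WAIT, ...)` is dereferenced unchecked, which is only safe as long as the wait flag guarantees a non-NULL return. `do_sys_accept` continues outside the hunk.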



CVS commit: [netbsd-6-1] src/sys/kern

2013-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Mon Nov 25 08:27:06 UTC 2013

Modified Files:
src/sys/kern [netbsd-6-1]: uipc_socket.c

Log Message:
Pull up following revision(s) (requested by spz in ticket #988):
sys/kern/uipc_socket.c: revision 1.220
PR/48098: Brian Marcotte: panic: kernel diagnostic assertion "cred != NULL":
Fix from Michael van Elst, tcpdrop crashes kernel on embryonic connections.


To generate a diff of this commit:
cvs rdiff -u -r1.209.2.2.2.1 -r1.209.2.2.2.2 src/sys/kern/uipc_socket.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_socket.c
diff -u src/sys/kern/uipc_socket.c:1.209.2.2.2.1 src/sys/kern/uipc_socket.c:1.209.2.2.2.2
--- src/sys/kern/uipc_socket.c:1.209.2.2.2.1	Fri Aug  2 20:18:48 2013
+++ src/sys/kern/uipc_socket.c	Mon Nov 25 08:27:06 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_socket.c,v 1.209.2.2.2.1 2013/08/02 20:18:48 martin Exp $	*/
+/*	$NetBSD: uipc_socket.c,v 1.209.2.2.2.2 2013/11/25 08:27:06 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -63,7 +63,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.209.2.2.2.1 2013/08/02 20:18:48 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.209.2.2.2.2 2013/11/25 08:27:06 bouyer Exp $");
 
 #include "opt_compat_netbsd.h"
 #include "opt_sock_counters.h"
@@ -416,7 +416,7 @@ socket_listener_cb(kauth_cred_t cred, ka
 		/* Normal users can only drop their own connections. */
 		struct socket *so = (struct socket *)arg1;
 
-		if (proc_uidmatch(cred, so->so_cred) == 0)
+		if (so->so_cred && proc_uidmatch(cred, so->so_cred) == 0)
 			result = KAUTH_RESULT_ALLOW;
 
 		break;
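Review bot: The added `so->so_cred &&` guard does not say what should happen for a socket that has no credentials: `result` simply keeps the value it had before this branch, which is assigned outside the hunk. Because this is an authorization decision, the intent should be written down, for example `/* embryonic sockets have no so_cred yet; leave the default result, do not allow */`, after confirming that the default is not an allow. For a pointer test `so->so_cred != NULL` also reads more clearly than the bare truth value.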