From: Gleb Smirnoff
Date: Tue, 25 Oct 2016 16:45:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r307929 - in releng/10.3/sys: kern vm

Author: glebius
Date: Tue Oct 25 16:45:55 2016
New Revision: 307929
URL: https://svnweb.freebsd.org/changeset/base/307929

Log:
  EN-16:17: virtual memory issues.

  Due to increased parallelism and optimizations in several parts of the
  system, the previously latent bugs in VM become much easier to trigger,
  affecting a significant number of the FreeBSD users. The exact technical
  details of the issues are provided in the commit messages of the merged
  revisions, which are listed below with short summaries.

  r301184 prevent parallel object collapses, fixes object lifecycle
  r301436 do not leak the vm object lock, fixes overcommit disable
  r302243 avoid the active object marking for vm.vmtotal sysctl, fixes
          "vodead" hangs
  r302513 vm_fault() race with the vm_object_collapse(), fixes spurious SIGSEGV
  r303291 postpone BO_DEAD, fixes panic on fast vnode reclaim

  Approved by: so

Modified:
  releng/10.3/sys/kern/vfs_subr.c
  releng/10.3/sys/vm/vm_fault.c
  releng/10.3/sys/vm/vm_meter.c
  releng/10.3/sys/vm/vm_object.c
  releng/10.3/sys/vm/vm_object.h
Directory Properties:
  releng/10.3/ (props changed)

Modified: releng/10.3/sys/kern/vfs_subr.c
==============================================================================
--- releng/10.3/sys/kern/vfs_subr.c Tue Oct 25 16:33:05 2016 (r307928)
+++ releng/10.3/sys/kern/vfs_subr.c Tue Oct 25 16:45:55 2016 (r307929)
@@ -2934,7 +2934,13 @@ vgonel(struct vnode *vp) TAILQ_EMPTY(&vp->v_bufobj.bo_clean.bv_hd) && vp->v_bufobj.bo_clean.bv_cnt == 0, ("vp %p bufobj not invalidated", vp)); - vp->v_bufobj.bo_flag |= BO_DEAD; + + /* + * For VMIO bufobj, BO_DEAD is set in vm_object_terminate() + * after the object's page queue is flushed. + */ + if (vp->v_bufobj.bo_object == NULL) + vp->v_bufobj.bo_flag |= BO_DEAD; BO_UNLOCK(&vp->v_bufobj); /* Modified: releng/10.3/sys/vm/vm_fault.c ============================================================================== --- releng/10.3/sys/vm/vm_fault.c Tue Oct 25 16:33:05 2016 (r307928) +++ releng/10.3/sys/vm/vm_fault.c Tue Oct 25 16:45:55 2016 (r307929) @@ -286,7 +286,7 @@ vm_fault_hold(vm_map_t map, vm_offset_t vm_prot_t prot; long ahead, behind; int alloc_req, era, faultcount, nera, reqpage, result; - boolean_t growstack, is_first_object_locked, wired; + boolean_t dead, growstack, is_first_object_locked, wired; int map_generation; vm_object_t next_object; vm_page_t marray[VM_FAULT_READ_MAX]; @@ -423,11 +423,18 @@ fast_failed: fs.pindex = fs.first_pindex; while (TRUE) { /* - * If the object is dead, we stop here + * If the object is marked for imminent termination, + * we retry here, since the collapse pass has raced + * with us. Otherwise, if we see terminally dead + * object, return fail. */ - if (fs.object->flags & OBJ_DEAD) { + if ((fs.object->flags & OBJ_DEAD) != 0) { + dead = fs.object->type == OBJT_DEAD; unlock_and_deallocate(&fs); - return (KERN_PROTECTION_FAILURE); + if (dead) + return (KERN_PROTECTION_FAILURE); + pause("vmf_de", 1); + goto RetryFault; } /* Modified: releng/10.3/sys/vm/vm_meter.c ============================================================================== --- releng/10.3/sys/vm/vm_meter.c Tue Oct 25 16:33:05 2016 (r307928) +++ releng/10.3/sys/vm/vm_meter.c Tue Oct 25 16:45:55 2016 (r307929) 
@@ -93,29 +93,31 @@ SYSCTL_PROC(_vm, VM_LOADAVG, loadavg, CT CTLFLAG_MPSAFE, NULL, 0, sysctl_vm_loadavg, "S,loadavg", "Machine loadaverage history"); +/* + * This function aims to determine if the object is mapped, + * specifically, if it is referenced by a vm_map_entry. Because + * objects occasionally acquire transient references that do not + * represent a mapping, the method used here is inexact. However, it + * has very low overhead and is good enough for the advisory + * vm.vmtotal sysctl. + */ +static bool +is_object_active(vm_object_t obj) +{ + + return (obj->ref_count > obj->shadow_count); +} + static int vmtotal(SYSCTL_HANDLER_ARGS) { - struct proc *p; struct vmtotal total; - vm_map_entry_t entry; vm_object_t object; - vm_map_t map; - int paging; + struct proc *p; struct thread *td; - struct vmspace *vm; bzero(&total, sizeof(total)); - /* - * Mark all objects as inactive. - */ - mtx_lock(&vm_object_list_mtx); - TAILQ_FOREACH(object, &vm_object_list, object_list) { - VM_OBJECT_WLOCK(object); - vm_object_clear_flag(object, OBJ_ACTIVE); - VM_OBJECT_WUNLOCK(object); - } - mtx_unlock(&vm_object_list_mtx); + /* * Calculate process statistics. */ @@ -136,11 +138,15 @@ vmtotal(SYSCTL_HANDLER_ARGS) case TDS_INHIBITED: if (TD_IS_SWAPPED(td)) total.t_sw++; - else if (TD_IS_SLEEPING(td) && - td->td_priority <= PZERO) - total.t_dw++; - else - total.t_sl++; + else if (TD_IS_SLEEPING(td)) { + if (td->td_priority <= PZERO) + total.t_dw++; + else + total.t_sl++; + if (td->td_wchan == + &cnt.v_free_count) + total.t_pw++; + } break; case TDS_CAN_RUN: 
@@ -158,29 +164,6 @@ vmtotal(SYSCTL_HANDLER_ARGS) } } PROC_UNLOCK(p); - /* - * Note active objects. - */ - paging = 0; - vm = vmspace_acquire_ref(p); - if (vm == NULL) - continue; - map = &vm->vm_map; - vm_map_lock_read(map); - for (entry = map->header.next; - entry != &map->header; entry = entry->next) { - if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) || - (object = entry->object.vm_object) == NULL) - continue; - VM_OBJECT_WLOCK(object); - vm_object_set_flag(object, OBJ_ACTIVE); - paging |= object->paging_in_progress; - VM_OBJECT_WUNLOCK(object); - } - vm_map_unlock_read(map); - vmspace_free(vm); - if (paging) - total.t_pw++; } sx_sunlock(&allproc_lock); /* @@ -206,9 +189,18 @@ vmtotal(SYSCTL_HANDLER_ARGS) */ continue; } + if (object->ref_count == 1 && + (object->flags & OBJ_NOSPLIT) != 0) { + /* + * Also skip otherwise unreferenced swap + * objects backing tmpfs vnodes, and POSIX or + * SysV shared memory. + */ + continue; + } total.t_vm += object->size; total.t_rm += object->resident_page_count; - if (object->flags & OBJ_ACTIVE) { + if (is_object_active(object)) { total.t_avm += object->size; total.t_arm += object->resident_page_count; } @@ -216,7 +208,7 @@ vmtotal(SYSCTL_HANDLER_ARGS) /* shared object */ total.t_vmshr += object->size; total.t_rmshr += object->resident_page_count; - if (object->flags & OBJ_ACTIVE) { + if (is_object_active(object)) { total.t_avmshr += object->size; total.t_armshr += object->resident_page_count; } Modified: releng/10.3/sys/vm/vm_object.c ============================================================================== --- releng/10.3/sys/vm/vm_object.c Tue Oct 25 16:33:05 2016 (r307928) +++ releng/10.3/sys/vm/vm_object.c Tue Oct 25 16:45:55 2016 (r307929) @@ -737,6 +737,10 @@ vm_object_terminate(vm_object_t object) vinvalbuf(vp, V_SAVE, 0, 0); + BO_LOCK(&vp->v_bufobj); + vp->v_bufobj.bo_flag |= BO_DEAD; + BO_UNLOCK(&vp->v_bufobj); + VM_OBJECT_WLOCK(object); } 
@@ -1722,6 +1726,9 @@ vm_object_collapse(vm_object_t object) * case. */ if (backing_object->ref_count == 1) { + vm_object_pip_add(object, 1); + vm_object_pip_add(backing_object, 1); + /* * If there is exactly one reference to the backing * object, we can collapse it into the parent. @@ -1793,11 +1800,13 @@ vm_object_collapse(vm_object_t object) KASSERT(backing_object->ref_count == 1, ( "backing_object %p was somehow re-referenced during collapse!", backing_object)); + vm_object_pip_wakeup(backing_object); backing_object->type = OBJT_DEAD; backing_object->ref_count = 0; VM_OBJECT_WUNLOCK(backing_object); vm_object_destroy(backing_object); + vm_object_pip_wakeup(object); object_collapses++; } else { vm_object_t new_backing_object; @@ -2130,6 +2139,7 @@ vm_object_coalesce(vm_object_t prev_obje */ if (!reserved && !swap_reserve_by_cred(ptoa(next_size), prev_object->cred)) { + VM_OBJECT_WUNLOCK(prev_object); return (FALSE); } prev_object->charge += ptoa(next_size); Modified: releng/10.3/sys/vm/vm_object.h ============================================================================== --- releng/10.3/sys/vm/vm_object.h Tue Oct 25 16:33:05 2016 (r307928) +++ releng/10.3/sys/vm/vm_object.h Tue Oct 25 16:45:55 2016 (r307929) 
@@ -181,7 +181,6 @@ struct vm_object { */ #define OBJ_FICTITIOUS 0x0001 /* (c) contains fictitious pages */ #define OBJ_UNMANAGED 0x0002 /* (c) contains unmanaged pages */ -#define OBJ_ACTIVE 0x0004 /* active objects */ #define OBJ_DEAD 0x0008 /* dead objects (during rundown) */ #define OBJ_NOSPLIT 0x0010 /* dont split this object */ #define OBJ_PIPWNT 0x0040 /* paging in progress wanted */ From owner-svn-src-releng@freebsd.org Tue Oct 25 16:50:11 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BAB34C21644; Tue, 25 Oct 2016 16:50:11 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8715AD4B; Tue, 25 Oct 2016 16:50:11 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9PGoACI064969; Tue, 25 Oct 2016 16:50:10 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9PGoAAc064968; Tue, 25 Oct 2016 16:50:10 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201610251650.u9PGoAAc064968@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff
Date: Tue, 25 Oct 2016 16:50:10 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r307930 - releng/11.0/sys/boot/geli

Author: glebius
Date: Tue Oct 25 16:50:10 2016
New Revision: 307930
URL: https://svnweb.freebsd.org/changeset/base/307930

Log:
  EN-16:18: loader may hang during boot

  A programming error in GELIBoot causes the loader to attempt to read past
  the end of the disk if the size of the final partition is not a multiple
  of 4 kB.

  Merge r306834 from stable/11.

  Approved by: so

Modified:
  releng/11.0/sys/boot/geli/geliboot.c
Directory Properties:
  releng/11.0/ (props changed)

Modified: releng/11.0/sys/boot/geli/geliboot.c
==============================================================================
--- releng/11.0/sys/boot/geli/geliboot.c Tue Oct 25 16:45:55 2016 (r307929)
+++ releng/11.0/sys/boot/geli/geliboot.c Tue Oct 25 16:50:10 2016 (r307930)
@@ -77,17 +77,25 @@ geli_taste(int read_func(void *vdev, voi int error; off_t alignsector; - alignsector = (lastsector * DEV_BSIZE) & - ~(off_t)(DEV_GELIBOOT_BSIZE - 1); + alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE); + if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) { + /* Don't read past the end of the disk */ + alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE + - DEV_GELIBOOT_BSIZE; + } error = read_func(NULL, dskp, alignsector, &buf, DEV_GELIBOOT_BSIZE); if (error != 0) { return (error); } - /* Extract the last DEV_BSIZE bytes from the block. */ - error = eli_metadata_decode(buf + (DEV_GELIBOOT_BSIZE - DEV_BSIZE), - &md); + /* Extract the last 4k sector of the disk. */ + error = eli_metadata_decode(buf, &md); if (error != 0) { - return (error); + /* Try the last 512 byte sector instead. */ + error = eli_metadata_decode(buf + + (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md); + if (error != 0) { + return (error); + } } if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) { From owner-svn-src-releng@freebsd.org Tue Oct 25 17:11:04 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6CD23C21E0F; Tue, 25 Oct 2016 17:11:04 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 26324B38; Tue, 25 Oct 2016 17:11:04 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9PHB31O073296; Tue, 25 Oct 2016 17:11:03 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9PHB38u073293; Tue, 25 Oct 2016 17:11:03 GMT 
From: Gleb Smirnoff
Date: Tue, 25 Oct 2016 17:11:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r307931 - in releng/9.3: . sys/amd64/amd64 sys/conf

Author: glebius
Date: Tue Oct 25 17:11:02 2016
New Revision: 307931
URL: https://svnweb.freebsd.org/changeset/base/307931

Log:
  Revised SA-16:15. The initial patch didn't cover all possible overflows
  based on passing incorrect parameters to sysarch(2).

  Security: SA-16:15
  Approved by: so

Modified:
  releng/9.3/UPDATING
  releng/9.3/sys/amd64/amd64/sys_machdep.c
  releng/9.3/sys/conf/newvers.sh

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Tue Oct 25 16:50:10 2016 (r307930)
+++ releng/9.3/UPDATING Tue Oct 25 17:11:02 2016 (r307931)
@@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20161025 p49 FreeBSD-SA-16:15.sysarch [revised] + + Fix incorrect argument validation in sysarch(2). [SA-16:15] + 20161010 p48 FreeBSD-SA-16:28.bind FreeBSD-SA-16:29.bspatch FreeBSD-SA-16:30.portsnap Modified: releng/9.3/sys/amd64/amd64/sys_machdep.c ============================================================================== --- releng/9.3/sys/amd64/amd64/sys_machdep.c Tue Oct 25 16:50:10 2016 (r307930) +++ releng/9.3/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:02 2016 (r307931) @@ -612,6 +612,8 @@ amd64_set_ldt(td, uap, descs) largest_ld = uap->start + uap->num; if (largest_ld > max_ldt_segment) largest_ld = max_ldt_segment; + if (largest_ld < uap->start) + return (EINVAL); i = largest_ld - uap->start; mtx_lock(&dt_lock); bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) @@ -624,7 +626,8 @@ amd64_set_ldt(td, uap, descs) /* verify range of descriptors to modify */ largest_ld = uap->start + uap->num; if (uap->start >= max_ldt_segment || - largest_ld > max_ldt_segment) + largest_ld > max_ldt_segment || + largest_ld < uap->start) return (EINVAL); } Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Tue Oct 25 16:50:10 2016 (r307930) +++ releng/9.3/sys/conf/newvers.sh Tue Oct 25 17:11:02 2016 (r307931) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p48" +BRANCH="RELEASE-p49" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Oct 25 17:11:08 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DB79BC21E39; Tue, 25 Oct 2016 17:11:08 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8D712B81; Tue, 25 Oct 2016 17:11:08 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9PHB7ba073348; Tue, 25 Oct 2016 17:11:07 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9PHB73k073345; Tue, 25 Oct 2016 17:11:07 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201610251711.u9PHB73k073345@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff Date: Tue, 25 Oct 2016 17:11:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r307932 - in releng/10.1: . sys/amd64/amd64 sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Oct 2016 17:11:09 -0000 Author: glebius Date: Tue Oct 25 17:11:07 2016 New Revision: 307932 URL: https://svnweb.freebsd.org/changeset/base/307932 Log: Revised SA-16:15. The initial patch didn't cover all possible overflows based on passing incorrect parameters to sysarch(2). Security: SA-16:15 Approved by: so Modified: releng/10.1/UPDATING releng/10.1/sys/amd64/amd64/sys_machdep.c releng/10.1/sys/conf/newvers.sh Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Tue Oct 25 17:11:02 2016 (r307931) +++ releng/10.1/UPDATING Tue Oct 25 17:11:07 2016 (r307932) @@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20161025 p41 FreeBSD-SA-16:15.sysarch [revised] + + Fix incorrect argument validation in sysarch(2). [SA-16:15] + 20161010 p40 FreeBSD-SA-16:29.bspatch FreeBSD-SA-16:30.portsnap FreeBSD-SA-16:31.libarchive Modified: releng/10.1/sys/amd64/amd64/sys_machdep.c ============================================================================== --- releng/10.1/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:02 2016 (r307931) +++ releng/10.1/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:07 2016 (r307932) 
@@ -617,6 +617,8 @@ amd64_set_ldt(td, uap, descs) largest_ld = uap->start + uap->num; if (largest_ld > max_ldt_segment) largest_ld = max_ldt_segment; + if (largest_ld < uap->start) + return (EINVAL); i = largest_ld - uap->start; mtx_lock(&dt_lock); bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) @@ -629,7 +631,8 @@ amd64_set_ldt(td, uap, descs) /* verify range of descriptors to modify */ largest_ld = uap->start + uap->num; if (uap->start >= max_ldt_segment || - largest_ld > max_ldt_segment) + largest_ld > max_ldt_segment || + largest_ld < uap->start) return (EINVAL); } Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue Oct 25 17:11:02 2016 (r307931) +++ releng/10.1/sys/conf/newvers.sh Tue Oct 25 17:11:07 2016 (r307932) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p40" +BRANCH="RELEASE-p41" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Oct 25 17:11:13 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3B471C21E56; Tue, 25 Oct 2016 17:11:13 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CBB52CA0; Tue, 25 Oct 2016 17:11:12 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9PHBB5A075412; Tue, 25 Oct 2016 17:11:11 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9PHBBR8075409; Tue, 25 Oct 2016 17:11:11 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201610251711.u9PHBBR8075409@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff Date: Tue, 25 Oct 2016 17:11:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r307933 - in releng/10.2: . sys/amd64/amd64 sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Oct 2016 17:11:13 -0000 Author: glebius Date: Tue Oct 25 17:11:11 2016 New Revision: 307933 URL: https://svnweb.freebsd.org/changeset/base/307933 Log: Revised SA-16:15. The initial patch didn't cover all possible overflows based on passing incorrect parameters to sysarch(2). Security: SA-16:15 Approved by: so Modified: releng/10.2/UPDATING releng/10.2/sys/amd64/amd64/sys_machdep.c releng/10.2/sys/conf/newvers.sh Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Tue Oct 25 17:11:07 2016 (r307932) +++ releng/10.2/UPDATING Tue Oct 25 17:11:11 2016 (r307933) @@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20161025 p24 FreeBSD-SA-16:15.sysarch [revised] + + Fix incorrect argument validation in sysarch(2). [SA-16:15] + 20161010 p23 FreeBSD-SA-16:29.bspatch FreeBSD-SA-16:30.portsnap FreeBSD-SA-16:31.libarchive Modified: releng/10.2/sys/amd64/amd64/sys_machdep.c ============================================================================== --- releng/10.2/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:07 2016 (r307932) +++ releng/10.2/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:11 2016 (r307933) 
@@ -617,6 +617,8 @@ amd64_set_ldt(td, uap, descs) largest_ld = uap->start + uap->num; if (largest_ld > max_ldt_segment) largest_ld = max_ldt_segment; + if (largest_ld < uap->start) + return (EINVAL); i = largest_ld - uap->start; mtx_lock(&dt_lock); bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) @@ -629,7 +631,8 @@ amd64_set_ldt(td, uap, descs) /* verify range of descriptors to modify */ largest_ld = uap->start + uap->num; if (uap->start >= max_ldt_segment || - largest_ld > max_ldt_segment) + largest_ld > max_ldt_segment || + largest_ld < uap->start) return (EINVAL); } Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Tue Oct 25 17:11:07 2016 (r307932) +++ releng/10.2/sys/conf/newvers.sh Tue Oct 25 17:11:11 2016 (r307933) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p23" +BRANCH="RELEASE-p24" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Oct 25 17:11:17 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9CB3BC21E93; Tue, 25 Oct 2016 17:11:17 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 19869D88; Tue, 25 Oct 2016 17:11:17 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9PHBG8k075464; Tue, 25 Oct 2016 17:11:16 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9PHBFJE075461; Tue, 25 Oct 2016 17:11:15 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201610251711.u9PHBFJE075461@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff
Date: Tue, 25 Oct 2016 17:11:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r307934 - in releng/10.3: . sys/amd64/amd64 sys/conf

Author: glebius
Date: Tue Oct 25 17:11:15 2016
New Revision: 307934
URL: https://svnweb.freebsd.org/changeset/base/307934

Log:
  Revised SA-16:15. The initial patch didn't cover all possible overflows
  based on passing incorrect parameters to sysarch(2).

  Security: SA-16:15
  Approved by: so

Modified:
  releng/10.3/UPDATING
  releng/10.3/sys/amd64/amd64/sys_machdep.c
  releng/10.3/sys/conf/newvers.sh

Modified: releng/10.3/UPDATING
==============================================================================
--- releng/10.3/UPDATING Tue Oct 25 17:11:11 2016 (r307933)
+++ releng/10.3/UPDATING Tue Oct 25 17:11:15 2016 (r307934)
@@ -16,6 +16,12 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20161025 p11 FreeBSD-SA-16:15.sysarch [revised] + FreeBSD-EN-16:17.vm + + Fix incorrect argument validation in sysarch(2). [SA-16:15] + Fix virtual memory subsystem bugs. [EN-16:17] + 20161010 p10 FreeBSD-SA-16:29.bspatch FreeBSD-SA-16:30.portsnap FreeBSD-SA-16:31.libarchive Modified: releng/10.3/sys/amd64/amd64/sys_machdep.c ============================================================================== --- releng/10.3/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:11 2016 (r307933) +++ releng/10.3/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:15 2016 (r307934) @@ -617,6 +617,8 @@ amd64_set_ldt(td, uap, descs) largest_ld = uap->start + uap->num; if (largest_ld > max_ldt_segment) largest_ld = max_ldt_segment; + if (largest_ld < uap->start) + return (EINVAL); i = largest_ld - uap->start; mtx_lock(&dt_lock); bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) @@ -629,7 +631,8 @@ amd64_set_ldt(td, uap, descs) /* verify range of descriptors to modify */ largest_ld = uap->start + uap->num; if (uap->start >= max_ldt_segment || - largest_ld > max_ldt_segment) + largest_ld > max_ldt_segment || + largest_ld < uap->start) return (EINVAL); } Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Tue Oct 25 17:11:11 2016 (r307933) +++ releng/10.3/sys/conf/newvers.sh Tue Oct 25 17:11:15 2016 (r307934) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p10" +BRANCH="RELEASE-p11" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Oct 25 17:11:22 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 12F18C21EBB; Tue, 25 Oct 2016 17:11:22 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A9016E9E; Tue, 25 Oct 2016 17:11:21 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9PHBKSe075514; Tue, 25 Oct 2016 17:11:20 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9PHBKXU075510; Tue, 25 Oct 2016 17:11:20 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201610251711.u9PHBKXU075510@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff
Date: Tue, 25 Oct 2016 17:11:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r307935 - in releng/11.0: . sys/amd64/amd64 sys/conf usr.sbin/bhyve

Author: glebius
Date: Tue Oct 25 17:11:20 2016
New Revision: 307935
URL: https://svnweb.freebsd.org/changeset/base/307935

Log:
  Revised SA-16:15. The initial patch didn't cover all possible overflows
  based on passing incorrect parameters to sysarch(2). [1]

  Fix unchecked array reference in the VGA device emulation code. [2]

  Security: SA-16:15 [1]
  Security: SA-16:32 [2]
  Approved by: so

Modified:
  releng/11.0/UPDATING
  releng/11.0/sys/amd64/amd64/sys_machdep.c
  releng/11.0/sys/conf/newvers.sh
  releng/11.0/usr.sbin/bhyve/vga.c

Modified: releng/11.0/UPDATING
==============================================================================
--- releng/11.0/UPDATING Tue Oct 25 17:11:15 2016 (r307934)
+++ releng/11.0/UPDATING Tue Oct 25 17:11:20 2016 (r307935)
@@ -16,6 +16,12 @@ from older versions of FreeBSD, try WITH the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20161025 p2 FreeBSD-SA-16:15.sysarch [revised] + FreeBSD-SA-16:32.bhyve + + Fix incorrect argument validation in sysarch(2). [SA-16:15] + Fix access to host memory from guest in bhyve(8). [SA-16:32] + 20160928: 11.0-RELEASE. Modified: releng/11.0/sys/amd64/amd64/sys_machdep.c ============================================================================== --- releng/11.0/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:15 2016 (r307934) +++ releng/11.0/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:11:20 2016 (r307935) @@ -608,6 +608,8 @@ amd64_set_ldt(td, uap, descs) largest_ld = uap->start + uap->num; if (largest_ld > max_ldt_segment) largest_ld = max_ldt_segment; + if (largest_ld < uap->start) + return (EINVAL); i = largest_ld - uap->start; mtx_lock(&dt_lock); bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) @@ -620,7 +622,8 @@ amd64_set_ldt(td, uap, descs) /* verify range of descriptors to modify */ largest_ld = uap->start + uap->num; if (uap->start >= max_ldt_segment || - largest_ld > max_ldt_segment) + largest_ld > max_ldt_segment || + largest_ld < uap->start) return (EINVAL); } Modified: releng/11.0/sys/conf/newvers.sh ============================================================================== --- releng/11.0/sys/conf/newvers.sh Tue Oct 25 17:11:15 2016 (r307934) +++ releng/11.0/sys/conf/newvers.sh Tue Oct 25 17:11:20 2016 (r307935) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="11.0" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.0/usr.sbin/bhyve/vga.c ============================================================================== --- releng/11.0/usr.sbin/bhyve/vga.c Tue Oct 25 17:11:15 2016 (r307934) +++ releng/11.0/usr.sbin/bhyve/vga.c Tue Oct 25 17:11:20 2016 (r307935) @@ -161,10 +161,10 @@ struct vga_softc { */ struct { uint8_t dac_state; - int dac_rd_index; - int dac_rd_subindex; - int dac_wr_index; - int dac_wr_subindex; + uint8_t dac_rd_index; + uint8_t dac_rd_subindex; + uint8_t dac_wr_index; + uint8_t dac_wr_subindex; uint8_t dac_palette[3 * 256]; uint32_t dac_palette_rgb[256]; } vga_dac;
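
Review bot: the retry path at the end of the vm_fault_hold() hunk in r307929 (`pause("vmf_de", 1); goto RetryFault;`) has no bound and no statement of what guarantees progress. The new comment explains why the fault is retried when OBJ_DEAD is set on an object whose type is not yet OBJT_DEAD, but not which event ends the loop or why a one-tick pause is the right wait; a sentence naming that event would let a reader rule out a livelock. Reading fs.object->type into `dead` before unlock_and_deallocate(&fs) is the correct order and should stay that way.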
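
Review bot: in the TDS_INHIBITED case of the vmtotal() hunk in r307929, total.t_pw changes meaning without a comment. It used to be incremented once per process when any mapped object had paging_in_progress set; it is now incremented once per sleeping thread whose td_wchan is &cnt.v_free_count, and that same thread is also counted in t_dw or t_sl. Consumers of vm.vmtotal get a different quantity under the same field name, so the new definition should be documented next to the test, the way is_object_active() documents its own inexactness.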
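
Review bot: the two vm_object_pip_add() calls added at the top of the `backing_object->ref_count == 1` branch in vm_object_collapse() (r307929) are visibly balanced only on the path that reaches vm_object_destroy(backing_object). The code between the two hunks is not part of the diff, so any exit or restart from that branch in between must also issue vm_object_pip_wakeup() on both objects; either add a comment stating the branch has no such path or add the wakeups there. A short comment on the pip_add pair saying it is what keeps a second collapse out would also help, since the commit log is the only place that intent is recorded.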
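
Review bot: the clamp added in geli_taste() (r307930) can leave alignsector below zero when the device is shorter than DEV_GELIBOOT_BSIZE. `alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE - DEV_GELIBOOT_BSIZE` is negative whenever (lastsector + 1) * DEV_BSIZE is less than DEV_GELIBOOT_BSIZE, and the value goes straight into read_func() as an off_t offset; return an error before the read in that case. The fallback also overwrites the error from the first eli_metadata_decode(buf, &md) call, so the caller only ever sees the result of the 512-byte attempt, which is worth a word in the comment.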
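
Review bot: in the first amd64_set_ldt() hunk (the same change in r307931 through r307935), the new `if (largest_ld < uap->start) return (EINVAL);` sits after the clamp to max_ldt_segment and so rejects two different conditions without saying so: a wrapped uap->start + uap->num, and a uap->start above max_ldt_segment whose sum was clamped below it. Both would otherwise make `i = largest_ld - uap->start` underflow ahead of the bzero(), so the placement is right, but a comment naming both cases would keep a later cleanup from moving the test above the clamp and losing the second one. The wraparound test in both hunks also holds only if the sum is computed and compared as unsigned; the declarations of largest_ld and the uap fields are outside the diff, so confirm that on each branch.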
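
Review bot: the vga_dac index fields in struct vga_softc (r307935) now rely on the width of uint8_t as their bounds check, and nothing in the struct says so. A uint8_t dac_rd_index or dac_wr_index cannot exceed 255, which fits dac_palette_rgb[256], but dac_rd_subindex and dac_wr_subindex can also reach 255 while dac_palette holds 3 bytes per entry, so any offset built from index and subindex together still needs an explicit limit where the array is accessed; those lines are not in the hunk. Add a comment on the fields stating the intended ranges and consider a range check or assertion at the point of use, so the fix does not silently depend on a type that a later change could widen again.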