From owner-svn-src-stable-10@freebsd.org Mon Sep 24 14:50:45 2018 Return-Path: Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B57F210AE8C4; Mon, 24 Sep 2018 14:50:45 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6BC2D84135; Mon, 24 Sep 2018 14:50:45 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 66BC81AC80; Mon, 24 Sep 2018 14:50:45 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8OEojL4037097; Mon, 24 Sep 2018 14:50:45 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8OEojw3037096; Mon, 24 Sep 2018 14:50:45 GMT (envelope-from markj@FreeBSD.org) Message-Id: <201809241450.w8OEojw3037096@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Mon, 24 Sep 2018 14:50:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r338905 - stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs X-SVN-Group: stable-10 X-SVN-Commit-Author: markj X-SVN-Commit-Paths: stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs X-SVN-Commit-Revision: 338905 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Sep 2018 14:50:46 -0000 Author: markj Date: Mon Sep 24 14:50:44 2018 New Revision: 338905 URL: https://svnweb.freebsd.org/changeset/base/338905 Log: MFC r338724: Fix an nvpair leak in vdev_geom_read_config(). PR: 230704 Modified: stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c ============================================================================== --- stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c Mon Sep 24 14:48:27 2018 (r338904) +++ stable/10/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c Mon Sep 24 14:50:44 2018 (r338905) @@ -417,9 +417,10 @@ vdev_geom_io(struct g_consumer *cp, int *cmds, void ** * least one valid label was found. */ static int -vdev_geom_read_config(struct g_consumer *cp, nvlist_t **config) +vdev_geom_read_config(struct g_consumer *cp, nvlist_t **configp) { struct g_provider *pp; + nvlist_t *config; vdev_phys_t *vdev_lists[VDEV_LABELS]; char *buf; size_t buflen; @@ -444,7 +445,6 @@ vdev_geom_read_config(struct g_consumer *cp, nvlist_t buflen = sizeof(vdev_lists[0]->vp_nvlist); - *config = NULL; /* Create all of the IO requests */ for (l = 0; l < VDEV_LABELS; l++) { cmds[l] = BIO_READ; @@ -460,6 +460,7 @@ vdev_geom_read_config(struct g_consumer *cp, nvlist_t VDEV_LABELS); /* Parse the labels */ + config = *configp = NULL; nlabels = 0; for (l = 0; l < VDEV_LABELS; l++) { if (errors[l] != 0) @@ -467,24 +468,26 @@ vdev_geom_read_config(struct g_consumer *cp, nvlist_t buf = vdev_lists[l]->vp_nvlist; - if (nvlist_unpack(buf, buflen, config, 0) != 0) + if (nvlist_unpack(buf, buflen, &config, 0) != 0) continue; - if (nvlist_lookup_uint64(*config, ZPOOL_CONFIG_POOL_STATE, + if (nvlist_lookup_uint64(config, ZPOOL_CONFIG_POOL_STATE, &state) != 0 || state > POOL_STATE_L2CACHE) { - nvlist_free(*config); - *config = NULL; + nvlist_free(config); continue; } if (state != POOL_STATE_SPARE && state != POOL_STATE_L2CACHE && - (nvlist_lookup_uint64(*config, ZPOOL_CONFIG_POOL_TXG, + (nvlist_lookup_uint64(config, ZPOOL_CONFIG_POOL_TXG, &txg) != 0 || txg == 0)) { - nvlist_free(*config); - *config = NULL; + nvlist_free(config); continue; } + + if (*configp != NULL) + nvlist_free(*configp); + *configp = config; nlabels++; } From owner-svn-src-stable-10@freebsd.org Thu Sep 27 18:44:41 2018 Return-Path: Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EB20010B5902; Thu, 27 Sep 2018 18:44:40 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9EE5B713CC; Thu, 27 Sep 2018 18:44:40 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 98E5D1F23; Thu, 27 Sep 2018 18:44:40 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8RIie3b079530; Thu, 27 Sep 2018 18:44:40 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8RIielG079529; Thu, 27 Sep 2018 18:44:40 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201809271844.w8RIielG079529@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Thu, 27 Sep 2018 18:44:40 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r338984 - stable/10/sys/kern X-SVN-Group: stable-10 X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: stable/10/sys/kern X-SVN-Commit-Revision: 338984 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Sep 2018 18:44:41 -0000 Author: gordon Date: Thu Sep 27 18:44:40 2018 New Revision: 338984 URL: https://svnweb.freebsd.org/changeset/base/338984 Log: MFC r338982. Clear stack allocated data structure to prevent kernel memory leak. Reported by: Thomas Barabosch, Fraunhofer FKIE Reviewed by: wes@ Approved by: so Security: FreeBSD-EN-18:12.mem Security: CVE-2018-17155 Modified: stable/10/sys/kern/kern_context.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/kern/kern_context.c ============================================================================== --- stable/10/sys/kern/kern_context.c Thu Sep 27 18:42:40 2018 (r338983) +++ stable/10/sys/kern/kern_context.c Thu Sep 27 18:44:40 2018 (r338984) @@ -68,6 +68,7 @@ sys_getcontext(struct thread *td, struct getcontext_ar if (uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); PROC_LOCK(td->td_proc); uc.uc_sigmask = td->td_sigmask; @@ -108,6 +109,7 @@ sys_swapcontext(struct thread *td, struct swapcontext_ if (uap->oucp == NULL || uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); bzero(uc.__spare__, sizeof(uc.__spare__)); PROC_LOCK(td->td_proc); From owner-svn-src-stable-10@freebsd.org Thu Sep 27 18:48:52 2018 Return-Path: Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F16ED10B5ABD; Thu, 27 Sep 2018 18:48:51 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A72E571675; Thu, 27 Sep 2018 18:48:51 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9DFA81F29; Thu, 27 Sep 2018 18:48:51 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8RImpeM079766; Thu, 27 Sep 2018 18:48:51 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8RImpcj079763; Thu, 27 Sep 2018 18:48:51 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201809271848.w8RImpcj079763@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Thu, 27 Sep 2018 18:48:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r338985 - in stable/10/sys: netinet netinet6 X-SVN-Group: stable-10 X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in stable/10/sys: netinet netinet6 X-SVN-Commit-Revision: 338985 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Sep 2018 18:48:52 -0000 Author: gordon Date: Thu Sep 27 18:48:50 2018 New Revision: 338985 URL: https://svnweb.freebsd.org/changeset/base/338985 Log: There are various cases where we modify the inp_vflag and inp_inc.inc_flags fields during a syscall, but don't restore those fields if the operation fails. This can leave the inp structure in an inconsistent state and cause various problems. Restore the inp_vflag and inp_inc.inc_flags fields when the underlying operation fails and the inp could be in an inconsistent state. This is a direct commit to the branch as the code is different enough in the other branches to make it difficult to resolve a merge. Submitted by: jtl@ Reported by: Jakub Jirasek, Secunia Research at Flexera Reviewed by: jhb@ Approved by: so Security: FreeBSD-EN-18:11.listen Security: CVE-2018-6925 Modified: stable/10/sys/netinet/tcp_usrreq.c stable/10/sys/netinet6/sctp6_usrreq.c stable/10/sys/netinet6/udp6_usrreq.c Modified: stable/10/sys/netinet/tcp_usrreq.c ============================================================================== --- stable/10/sys/netinet/tcp_usrreq.c Thu Sep 27 18:44:40 2018 (r338984) +++ stable/10/sys/netinet/tcp_usrreq.c Thu Sep 27 18:48:50 2018 (r338985) @@ -328,6 +328,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_char vflagsav; sin6p = (struct sockaddr_in6 *)nam; if (nam->sa_len != sizeof (*sin6p)) @@ -344,6 +345,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { error = EINVAL; goto out; @@ -373,6 +375,8 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, error = in6_pcbbind(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(&V_tcbinfo); out: + if (error != 0) + inp->inp_vflag = vflagsav; TCPDEBUG2(PRU_BIND); INP_WUNLOCK(inp); return (error); @@ -434,6 +438,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct int error = 0; struct inpcb *inp; struct tcpcb *tp = NULL; + u_char vflagsav; TCPDEBUG0; inp = sotoinpcb(so); @@ -443,6 +448,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct error = EINVAL; goto out; } + vflagsav = inp->inp_vflag; tp = intotcpcb(inp); TCPDEBUG1(); SOCK_LOCK(so); @@ -469,6 +475,9 @@ tcp6_usr_listen(struct socket *so, int backlog, struct if (tp->t_flags & TF_FASTOPEN) tp->t_tfo_pending = tcp_fastopen_alloc_counter(); #endif + if (error != 0) + inp->inp_vflag = vflagsav; + out: TCPDEBUG2(PRU_LISTEN); INP_WUNLOCK(inp); @@ -543,6 +552,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_int8_t incflagsav; + u_char vflagsav; TCPDEBUG0; @@ -559,6 +570,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; + incflagsav = inp->inp_inc.inc_flags; if (inp->inp_flags & INP_TIMEWAIT) { error = EADDRINUSE; goto out; @@ -584,11 +597,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n } in6_sin6_2_sin(&sin, sin6p); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; if ((error = prison_remote_ip4(td->td_ucred, &sin.sin_addr)) != 0) goto out; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -601,11 +614,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n goto out; } #endif + if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) + goto out; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; inp->inp_inc.inc_flags |= INC_ISIPV6; - if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) - goto out; if ((error = tcp6_connect(tp, nam, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -618,6 +631,15 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n error = tcp_output(tp); out: + /* + * If the implicit bind in the connect call fails, restore + * the flags we modified. + */ + if (error != 0 && inp->inp_lport == 0) { + inp->inp_vflag = vflagsav; + inp->inp_inc.inc_flags = incflagsav; + } + TCPDEBUG2(PRU_CONNECT); INP_WUNLOCK(inp); return (error); Modified: stable/10/sys/netinet6/sctp6_usrreq.c ============================================================================== --- stable/10/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:44:40 2018 (r338984) +++ stable/10/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:48:50 2018 (r338985) @@ -608,6 +608,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s struct sctp_inpcb *inp; struct in6pcb *inp6; int error; + u_char vflagsav; inp = (struct sctp_inpcb *)so->so_pcb; if (inp == NULL) { @@ -638,6 +639,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s } } inp6 = (struct in6pcb *)inp; + vflagsav = inp6->inp_vflag; inp6->inp_vflag &= ~INP_IPV4; inp6->inp_vflag |= INP_IPV6; if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) { @@ -667,7 +669,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s inp6->inp_vflag |= INP_IPV4; inp6->inp_vflag &= ~INP_IPV6; error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p); - return (error); + goto out; } #endif break; @@ -684,7 +686,8 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s if (addr->sa_family == AF_INET) { /* can't bind v4 addr to v6 only socket! */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } #endif sin6_p = (struct sockaddr_in6 *)addr; @@ -693,10 +696,14 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s /* can't bind v4-mapped addrs either! */ /* NOTE: we don't support SIIT */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } } error = sctp_inpcb_bind(so, addr, NULL, p); +out: + if (error != 0) + inp6->inp_vflag = vflagsav; return (error); } Modified: stable/10/sys/netinet6/udp6_usrreq.c ============================================================================== --- stable/10/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:44:40 2018 (r338984) +++ stable/10/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:48:50 2018 (r338985) @@ -947,6 +947,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str struct inpcb *inp; struct inpcbinfo *pcbinfo; int error; + u_char vflagsav; pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -954,6 +955,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str INP_WLOCK(inp); INP_HASH_WLOCK(pcbinfo); + vflagsav = inp->inp_vflag; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) { @@ -981,6 +983,8 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str #ifdef INET out: #endif + if (error != 0) + inp->inp_vflag = vflagsav; INP_HASH_WUNLOCK(pcbinfo); INP_WUNLOCK(inp); return (error); @@ -1023,6 +1027,7 @@ udp6_connect(struct socket *so, struct sockaddr *nam, struct inpcbinfo *pcbinfo; struct sockaddr_in6 *sin6; int error; + u_char vflagsav; pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -1046,17 +1051,26 @@ udp6_connect(struct socket *so, struct sockaddr *nam, goto out; } in6_sin6_2_sin(&sin, sin6); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; error = prison_remote_ip4(td->td_ucred, &sin.sin_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in_pcbconnect(inp, (struct sockaddr *)&sin, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (inp->inp_laddr.s_addr == INADDR_ANY && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; goto out; } #endif @@ -1064,16 +1078,25 @@ udp6_connect(struct socket *so, struct sockaddr *nam, error = EISCONN; goto out; } - inp->inp_vflag &= ~INP_IPV4; - inp->inp_vflag |= INP_IPV6; error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag &= ~INP_IPV4; + inp->inp_vflag |= INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in6_pcbconnect(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; out: INP_WUNLOCK(inp); return (error); From owner-svn-src-stable-10@freebsd.org Fri Sep 28 17:40:07 2018 Return-Path: Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E2F4C10B59FC; Fri, 28 Sep 2018 17:40:06 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 97E437B809; Fri, 28 Sep 2018 17:40:06 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8E82B181A6; Fri, 28 Sep 2018 17:40:06 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8SHe6c3082476; Fri, 28 Sep 2018 17:40:06 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8SHe6Tg082475; Fri, 28 Sep 2018 17:40:06 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201809281740.w8SHe6Tg082475@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Fri, 28 Sep 2018 17:40:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r339003 - in stable: 10/share/man/man9 11/share/man/man9 X-SVN-Group: stable-10 X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: in stable: 10/share/man/man9 11/share/man/man9 X-SVN-Commit-Revision: 339003 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Sep 2018 17:40:07 -0000 Author: jhb Date: Fri Sep 28 17:40:06 2018 New Revision: 339003 URL: https://svnweb.freebsd.org/changeset/base/339003 Log: MFC 337673: Add an overview section to bus_dma.9. Describe the role of tags and mapping objects as abstractions. Describe static vs dynamic transaction types and give a brief overview of the set of functions and object life cycles used for static vs dynamic. While here, fix a few other typos and expand a bit on parent tags. Modified: stable/10/share/man/man9/bus_dma.9 Directory Properties: stable/10/ (props changed) Changes in other areas also in this revision: Modified: stable/11/share/man/man9/bus_dma.9 Directory Properties: stable/11/ (props changed) Modified: stable/10/share/man/man9/bus_dma.9 ============================================================================== --- stable/10/share/man/man9/bus_dma.9 Fri Sep 28 17:25:28 2018 (r339002) +++ stable/10/share/man/man9/bus_dma.9 Fri Sep 28 17:40:06 2018 (r339003) @@ -53,7 +53,7 @@ .\" $FreeBSD$ .\" $NetBSD: bus_dma.9,v 1.25 2002/10/14 13:43:16 wiz Exp $ .\" -.Dd July 17, 2013 +.Dd August 11, 2018 .Dt BUS_DMA 9 .Os .Sh NAME @@ -135,11 +135,149 @@ It provides the client with flexibility and simplicity abstracting machine dependent issues like setting up DMA mappings, handling cache issues, bus specific features and limitations. +.Sh OVERVIEW +A tag structure +.Vt ( bus_dma_tag_t ) +is used to describe the properties of a group of related DMA +transactions. +One way to view this is that a tag describes the limitations of a DMA engine. +For example, if a DMA engine in a device is limited to 32-bit addresses, +that limitation is specified by a parameter when creating the tag +for that device. +Similarly, a tag can be marked as requiring buffers whose addresses are +aligned to a specific boundary. +.Pp +Some devices may require multiple tags to describe DMA +transactions with differing properties. +For example, a device might require 16-byte alignment of its descriptor ring +while permitting arbitrary alignment of I/O buffers. +In this case, +the driver must create one tag for the descriptor ring and a separate tag for +I/O buffers. +If a device has restrictions that are common to all DMA transactions +in addition to restrictions that differ between unrelated groups of +transactions, +the driver can first create a +.Dq parent +tag that decribes the common restrictions. +The per-group tags can then inherit these restrictions from this +.Dq parent +tag rather than having to list them explicitly when creating the per-group tags. +.Pp +A mapping structure +.Vt ( bus_dmamap_t ) +represents a mapping of a memory region for DMA. +On systems with I/O MMUs, +the mapping structure tracks any I/O MMU entries used by a request. +For DMA requests that require bounce pages, +the mapping tracks the bounce pages used. +.Pp +To prepare for one or more DMA transactions, +a mapping must be bound to a memory region by calling one of the +.Fn bus_dmamap_load +functions. +These functions configure the mapping which can include programming entries +in an I/O MMU and/or allocating bounce pages. +An output of these functions +(either directly or indirectly by invoking a callback routine) +is the list of scatter/gather address ranges a consumer can pass to a DMA +engine to access the memory region. +When a mapping is no longer needed, +the mapping must be unloaded via +.Fn bus_dmamap_unload . +.Pp +Before and after each DMA transaction, +.Fn bus_dmamap_sync +must be used to ensure that the correct data is used by the DMA engine and +the CPU. +If a mapping uses bounce pages, +the sync operations copy data between the bounce pages and the memory region +bound to the mapping. +Sync operations also handle architecture-specific details such as CPU cache +flushing and CPU memory operation ordering. +.Sh STATIC VS DYNAMIC +.Nm +handles two types of DMA transactions: static and dynamic. +Static transactions are used with a long-lived memory region that is reused +for many transactions such as a descriptor ring. +Dynamic transactions are used for transfers to or from transient buffers +such as I/O buffers holding a network packet or disk block. +Each transaction type uses a different subset of the +.Nm +API. +.Ss Static Transactions +Static transactions use memory regions allocated by +.Nm . +Each static memory region is allocated by calling +.Fn bus_dmamem_alloc . +This function requires a valid tag describing the properties of the +DMA transactions to this region such as alignment or address restrictions. +Multiple regions can share a single tag if they share the same restrictions. +.Pp +.Fn bus_dmamem_alloc +allocates a memory region along with a mapping object. +The associated tag, memory region, and mapping object must then be passed to +.Fn bus_dmamap_load +to bind the mapping to the allocated region and obtain the +scatter/gather list. +.Pp +It is expected that +.Fn bus_dmamem_alloc +will attempt to allocate memory requiring less expensive sync operations +(for example, implementations should not allocate regions requiring bounce +pages), +but sync operations should still be used. +For example, a driver should use +.Fn bus_dmamap_sync +in an interrupt handler before reading descriptor ring entries written by the +device prior to the interrupt. +.Pp +When a consumer is finished with a memory region, +it should unload the mapping via +.Fn bus_dmamap_unload +and then release the memory region and mapping object via +.Fn bus_dmamem_free . +.Ss Dynamic Transactions +Dynamic transactions map memory regions provided by other parts of the system. +A tag must be created via +.Fn bus_dma_tag_create +to describe the DMA transactions to and from these memory regions, +and a pool of mapping objects must be allocated via +.Fn bus_dmamap_create +to track the mappings of any in-flight transactions. +.Pp +When a consumer wishes to schedule a transaction for a memory region, +the consumer must first obtain an unused mapping object from its pool +of mapping objects. +The memory region must be bound to the mapping object via one of the +.Fn bus_dmamap_load +functions. +Before scheduling the transaction, +the consumer should sync the memory region via +.Fn bus_dmamap_sync +with one or more of the +.Dq PRE +flags. +After the transaction has completed, +the consumer should sync the memory region via +.Fn bus_dmamap_sync +with one or more of the +.Dq POST +flags. +The mapping can then be unloaded via +.Fn bus_dmamap_unload , +and the mapping object can be returned to the pool of unused mapping objects. +.Pp +When a consumer is no longer scheduling DMA transactions, +the mapping objects should be freed via +.Fn bus_dmamap_destroy , +and the tag should be freed via +.Fn bus_dma_tag_destroy . .Sh STRUCTURES AND TYPES .Bl -tag -width indent .It Vt bus_dma_tag_t A machine-dependent (MD) opaque type that describes the -characteristics of DMA transactions. +characteristics of a group of DMA transactions. DMA tags are organized into a hierarchy, with each child tag inheriting the restrictions of its parent. This allows all devices along the path of DMA transactions @@ -340,14 +478,18 @@ Releases and/or unlocks the client locking primitive. .It Fn bus_dma_tag_create "parent" "alignment" "boundary" "lowaddr" \ "highaddr" "*filtfunc" "*filtfuncarg" "maxsize" "nsegments" "maxsegsz" \ "flags" "lockfunc" "lockfuncarg" "*dmat" -Allocates a device specific DMA tag, and initializes it according to +Allocates a DMA tag, and initializes it according to the arguments provided: .Bl -tag -width ".Fa filtfuncarg" .It Fa parent -Indicates restrictions between the parent bridge, CPU memory, and the +A parent tag from which to inherit restrictions. +The restrictions passed in other arguments can only further tighten the +restrictions inherited from the parent tag. +.Pp +All tags created by a device driver must inherit from the tag returned by +.Fn bus_get_dma_tag +to honor restrictions between the parent bridge, CPU memory, and the device. -Each device must use a master parent tag by calling -.Fn bus_get_dma_tag . .It Fa alignment Alignment constraint, in bytes, of any mappings created using this tag. The alignment must be a power of 2. @@ -391,7 +533,7 @@ and a .Fa lowaddr of .Dv BUS_SPACE_MAXADDR_24BIT . -Some implementations requires that some region of device visible +Some implementations require that some region of device visible address space, overlapping available host memory, be outside the window. This area of From owner-svn-src-stable-10@freebsd.org Fri Sep 28 22:02:04 2018 Return-Path: Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3DC8F10BA5FA; Fri, 28 Sep 2018 22:02:04 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C328B83ECF; Fri, 28 Sep 2018 22:02:03 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5242D1AC9E; Fri, 28 Sep 2018 22:02:03 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8SM23IP020777; Fri, 28 Sep 2018 22:02:03 GMT (envelope-from mm@FreeBSD.org) Received: (from mm@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8SM216w020769; Fri, 28 Sep 2018 22:02:01 GMT (envelope-from mm@FreeBSD.org) Message-Id: <201809282202.w8SM216w020769@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mm set sender to mm@FreeBSD.org using -f From: Martin Matuska Date: Fri, 28 Sep 2018 22:02:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r339006 - in stable/10/contrib/libarchive: . libarchive libarchive/test test_utils X-SVN-Group: stable-10 X-SVN-Commit-Author: mm X-SVN-Commit-Paths: in stable/10/contrib/libarchive: . libarchive libarchive/test test_utils X-SVN-Commit-Revision: 339006 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Sep 2018 22:02:04 -0000 Author: mm Date: Fri Sep 28 22:02:01 2018 New Revision: 339006 URL: https://svnweb.freebsd.org/changeset/base/339006 Log: MFC r338827: Sync libarchive with vendor. Relevant vendor changes: PR #1019: Add allocation check for the zip_entry struct Oss-Fuzz #10192: Handle whitespace-only ACL fields correctly Modified: stable/10/contrib/libarchive/README.md stable/10/contrib/libarchive/libarchive/archive_acl.c stable/10/contrib/libarchive/libarchive/archive_cryptor.c stable/10/contrib/libarchive/libarchive/archive_read_support_format_ar.c stable/10/contrib/libarchive/libarchive/archive_read_support_format_zip.c stable/10/contrib/libarchive/libarchive/test/test_sparse_basic.c stable/10/contrib/libarchive/test_utils/test_main.c Directory Properties: stable/10/ (props changed) Modified: stable/10/contrib/libarchive/README.md ============================================================================== --- stable/10/contrib/libarchive/README.md Fri Sep 28 22:01:53 2018 (r339005) +++ stable/10/contrib/libarchive/README.md Fri Sep 28 22:02:01 2018 (r339006) @@ -78,7 +78,6 @@ Currently, the library automatically detects and reads * POSIX pax interchange format * POSIX octet-oriented cpio * SVR4 ASCII cpio - * POSIX octet-oriented cpio * Binary cpio (big-endian or little-endian) * ISO9660 CD-ROM images (with optional Rockridge or Joliet extensions) * ZIP archives (with uncompressed or "deflate" compressed entries, including support for encrypted Zip archives) Modified: stable/10/contrib/libarchive/libarchive/archive_acl.c ============================================================================== --- stable/10/contrib/libarchive/libarchive/archive_acl.c Fri Sep 28 22:01:53 2018 (r339005) +++ stable/10/contrib/libarchive/libarchive/archive_acl.c Fri Sep 28 22:02:01 2018 (r339006) @@ -2058,6 +2058,12 @@ next_field(const char **p, const char **start, } *sep = **p; + /* If the field is only whitespace, bail out now. */ + if (**p == '\0') { + *end = *p; + return; + } + /* Trim trailing whitespace to locate end of field. */ *end = *p - 1; while (**end == ' ' || **end == '\t' || **end == '\n') { Modified: stable/10/contrib/libarchive/libarchive/archive_cryptor.c ============================================================================== --- stable/10/contrib/libarchive/libarchive/archive_cryptor.c Fri Sep 28 22:01:53 2018 (r339005) +++ stable/10/contrib/libarchive/libarchive/archive_cryptor.c Fri Sep 28 22:02:01 2018 (r339006) @@ -316,7 +316,14 @@ aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *k memcpy(ctx->key, key, key_len); memset(ctx->nonce, 0, sizeof(ctx->nonce)); ctx->encr_pos = AES_BLOCK_SIZE; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (!EVP_CIPHER_CTX_reset(ctx->ctx)) { + EVP_CIPHER_CTX_free(ctx->ctx); + ctx->ctx = NULL; + } +#else EVP_CIPHER_CTX_init(ctx->ctx); +#endif return 0; } Modified: stable/10/contrib/libarchive/libarchive/archive_read_support_format_ar.c ============================================================================== --- stable/10/contrib/libarchive/libarchive/archive_read_support_format_ar.c Fri Sep 28 22:01:53 2018 (r339005) +++ stable/10/contrib/libarchive/libarchive/archive_read_support_format_ar.c Fri Sep 28 22:02:01 2018 (r339006) @@ -459,6 +459,7 @@ ar_parse_common_header(struct ar *ar, struct archive_e uint64_t n; /* Copy remaining header */ + archive_entry_set_filetype(entry, AE_IFREG); archive_entry_set_mtime(entry, (time_t)ar_atol10(h + AR_date_offset, AR_date_size), 0L); archive_entry_set_uid(entry, Modified: stable/10/contrib/libarchive/libarchive/archive_read_support_format_zip.c ============================================================================== --- stable/10/contrib/libarchive/libarchive/archive_read_support_format_zip.c Fri Sep 28 22:01:53 2018 (r339005) +++ stable/10/contrib/libarchive/libarchive/archive_read_support_format_zip.c Fri Sep 28 22:02:01 2018 (r339006) @@ -2708,6 +2708,11 @@ slurp_central_directory(struct archive_read *a, struct return ARCHIVE_FATAL; zip_entry = calloc(1, sizeof(struct zip_entry)); + if (zip_entry == NULL) { + archive_set_error(&a->archive, ENOMEM, + "Can't allocate zip entry"); + return ARCHIVE_FATAL; + } zip_entry->next = zip->zip_entries; zip_entry->flags |= LA_FROM_CENTRAL_DIRECTORY; zip->zip_entries = zip_entry; Modified: stable/10/contrib/libarchive/libarchive/test/test_sparse_basic.c ============================================================================== --- stable/10/contrib/libarchive/libarchive/test/test_sparse_basic.c Fri Sep 28 22:01:53 2018 (r339005) +++ stable/10/contrib/libarchive/libarchive/test/test_sparse_basic.c Fri Sep 28 22:02:01 2018 (r339006) @@ -422,6 +422,7 @@ verify_sparse_file(struct archive *a, const char *path assert(sparse->type == END); assertEqualInt(expected_offset, archive_entry_size(ae)); + failure(path); assertEqualInt(holes_seen, expected_holes); assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); @@ -457,6 +458,7 @@ verify_sparse_file2(struct archive *a, const char *pat /* Verify the number of holes only, not its offset nor its * length because those alignments are deeply dependence on * its filesystem. */ + failure(path); assertEqualInt(blocks, archive_entry_sparse_count(ae)); archive_entry_free(ae); } Modified: stable/10/contrib/libarchive/test_utils/test_main.c ============================================================================== --- stable/10/contrib/libarchive/test_utils/test_main.c Fri Sep 28 22:01:53 2018 (r339005) +++ stable/10/contrib/libarchive/test_utils/test_main.c Fri Sep 28 22:02:01 2018 (r339006) @@ -2166,7 +2166,7 @@ void assertVersion(const char *prog, const char *base) /* Skip arbitrary third-party version numbers. */ while (s > 0 && (*q == ' ' || *q == '-' || *q == '/' || *q == '.' || - isalnum(*q))) { + isalnum((unsigned char)*q))) { ++q; --s; }