| Age | Commit message (Collapse) | Author |
|---|
|
claudio figured it out. his clue was that multiple concurrent calls
to tunopen (or tapopen) will share a vnode. because tunopen can sleep,
multiple programs can be inside tunopen for the same tun interface at
the same time, all with references against the same vnode.
at the same time as this another thread/program can call VOP_REVOKE
via tun_clone_destroy (eg, ifconfig tun1 destroy does this).
VOP_REVOKE marks a vnode as bad, which in turn means that subsequent
open()s of a tun interface will get a brand new vnode.
so multiple threads holding references to a vnode can be sleeping in
tun_dev_open on the interface cloner lock. one thread wins and takes
ownership of the tun interface, then another thread can destroy that tun
interface, calls VOP_REVOKE which calls tun_dev_close to tear down the
vnodes association with the tun interface and mark the vnode as bad.
the thread that called tun_clone_destroy then creates another instance
of the interface by calling tun_clone_create immediately.
one of the original threads with the old vnode reference wakes up and
takes ownership of the new tun_softc. however, because the vnode is bad,
all the vnode ops have been replaced with the deadfs ops. the close() op
on the old vnode is now a nop from the point of view of tun interfaces.
the old vnode is no longer associated with tun and tap and will now
never call tun_dev_close (via tunclose or tapclose), which in turn means
sc_dev won't get cleared.
another thread can now call tun_clone_destroy against the new instance
of tun_softc. this instance has sc_dev set, so it tries to revoke it,
but there's no vnode associated with it because the old vnode reference
is dead.
because this second call to VOP_REVOKE couldnt find a vnode, it
can't call tunclose against it, so sc_dev is still set and this
KASSERT fires.
claudio and i came up with the following, which is to have tun_dev_open
check the state of the vnode associated with the current open call
after all the sleeping and potential tun_clone_destroy and
tun_clone_create calls. if the vnode has been made bad/dead after
all the sleeping, it returns with ENXIO.
Reported-by: syzbot+5e13201866c43afbfbf6@syzkaller.appspotmail.com
ok claudio@ visa@
|
|
Revert the pr_usrreqs move: syzkaller found a NULL pointer deref
and I won't be available to monitor for followup issues for a bit
|
|
forwarding, protect tdb flags and lists in pfsync with a mutex.
help and OK sashan@
|
|
ok deraadt
|
|
Pointers from and discussions with millert and deraadt.
Ok millert@, deraadt@, bluhm@
|
|
OK kettenis@
|
|
then be shared among protosw structures, following the same basic
direction as NetBSD and FreeBSD for this.
Split PRU_CONTROL out of pr_usrreq into pru_control, giving it the
proper prototype to eliminate the previously necessary casts.
ok mvs@ bluhm@
|
|
don't declare it again in the .c file
ok dlg@ mvs@ bluhm@
|
|
Pad trapframe and switchframe structs so that their size is a multiple
of 16 bytes. This makes context switching and exception handlers keep
kernel stack properly aligned.
OK kettenis@
|
|
The tp register contains the curcpu pointer in kernel mode. The pointer
has to be saved and replaced with the TCB pointer in the register when
entering user mode. These steps are reversed when returning to kernel.
The curcpu pointer is saved in the u-area. Explicitly reserve room for
the pointer to make the saving more visible.
OK kettenis@
|
|
From Dmytro Laktyushkin
1ddab2ee882900df817dd89882618356b7ecbab3 in linux 5.15.y/5.15.25
60fdf98a774eee244a4e00c34a9e7729b61d0f44 in mainline linux
|
|
From Roman Li
929b2eddebc2cb5ecf220337658f8d8538d4ab9d in linux 5.15.y/5.15.25
328e34a5ad227399391891d454043e5d73e598d2 in mainline linux
|
|
From Mario Limonciello
3fd92f5be6c48cce92c90ecf71719582645da888 in linux 5.15.y/5.15.25
03ad3093c7c069d6ab4403730009ebafeea9ee37 in mainline linux
|
|
From Matthew Auld
79bdf56cc55d103f2a276318fd973a296a110b95 in linux 5.15.y/5.15.25
0bdc0a0699929c814a8aecd55d2accb8c11beae2 in mainline linux
|
|
From Ville Syrjala
fe802b3fe7631c35abbf280702c5d29b867a1150 in linux 5.15.y/5.15.25
8d9d2a723d64b650f2e6423024ccb4a33f0cdc40 in mainline linux
|
|
From Ville Syrjala
34f5556ddf2b5fc25696832fa4a1a7013fc80a05 in linux 5.15.y/5.15.25
698bef8ff5d2edea5d1c9d6e5adf1bfed1e8a106 in mainline linux
|
|
From Jani Nikula
d006f2fe7d627b3ff3f637cf2fa90d30e05887c9 in linux 5.15.y/5.15.25
ea958422291de248b9e2eaaeea36004e84b64043 in mainline linux
|
|
From Rajib Mahapatra
960c8a55016bece26140eef7a8077e9dc3709098 in linux 5.15.y/5.15.25
f8f4e2a518347063179def4e64580b2d28233d03 in mainline linux
|
|
From Yifan Zhang
3851046599c1907c956b126bac18c4b84bf6a16b in linux 5.15.y/5.15.25
9c4f59ea3f865693150edf0c91d1cc6b451360dd in mainline linux
|
|
From Ville Syrjala
a1596e0277ed430dc2f44b61ebc2c1ecdab718e4 in linux 5.15.y/5.15.25
439cf34c8e0a8a33d8c15a31be1b7423426bc765 in mainline linux
|
|
From Nicholas Bishop
68f3a4252e9718843bd172f9761267aa288647d0 in linux 5.15.y/5.15.25
364438fd629f7611a84c8e6d7de91659300f1502 in mainline linux
|
|
From Christian Koenig
0fec53c5dca8a218e20b1d3964db23391a689dff in linux 5.15.y/5.15.25
e8ae38720e1a685fd98cfa5ae118c9d07b45ca79 in mainline linux
|
|
From Mario Limonciello
38108fd273acbc6248870a7a3e61714398af6f94 in linux 5.15.y/5.15.25
04ef860469fda6a646dc841190d05b31fae68e8c in mainline linux
|
|
From Mario Limonciello
72808bb42c87c4887c553ea8d9f4ecaf15d867d3 in linux 5.15.y/5.15.25
f52a2b8badbd24faf73a13c9c07fdb9d07352944 in mainline linux
|
|
From Mario Limonciello
64519c9e32ac548fd47cf16767f4b779a8cbdd14 in linux 5.15.y/5.15.25
a6ed2035878e5ad2e43ed175d8812ac9399d6c40 in mainline linux
|
|
|
|
'sockaddr' structure with socket's address. For key management and route
domain sockets it just returns error.
ok bluhm@
|
|
dependent on __STDC__ and doesn't need the ## operator.
ok jsg@
|
|
ok guenther@
|
|
visa@
|
|
proper strings, adapt dt's exported string in the same way.
Old/new files/tools will not work the same way.
That this interface needs to also change was pointed out by jsg
|
|
proper strings, adapt struct acct's ac_comm similarily. While here increase
ac_mem to 32-bits, increase ac_flag from 8 to 32 bits for future extensions,
add ac_pid for forensics, and reorder the structure to avoid compiler pads.
More work remains in the sa(8) command to use ac_pid better.
This is a flag day for the acct file format, new/old files/tools are incompatible.
ok bluhm millert
|
|
including the NUL), in all internal interafaces, and expose this
in ktrace, core, or proc.h visibility.
ok millert
|
|
because it was padded. Define it in terms of _MAXCOMLEN from syslimits.h
ok millert
|
|
have the terminating NUL). In the near future, fewer programs will use
this yucky non-string, some kernel:userland interfaces will to change to
pass a proper string.
ok millert
|
|
commits will change sys/param.h MAXCOMLEN, sys/sysctl.h KI_MAXCOMLEN,
sys/acct.h ac_comm[], dev/ic/dtvar.h DTMAXCOMLEN to use this, and also
adapt most to the included NUL correctly. This will allow us to remove
sys/param.h include from userland base.
sys/syslimits.h is chosen as the best place for this define because it
has very small namespace which is already pulled in often.
ok millert
|
|
No functional change.
|
|
This ensures the chain of call frames is terminated properly, preventing
errors when unwinding kernel stacks.
OK miod@ kettenis@
|
|
Add logic to navigate across trapframes. Stop unwinding if the frame
pointer is clearly bad. Adjust output, and tweak details.
OK miod@ kettenis@
|
|
Add f_modify and f_process callbacks, and initialize the knote lists
to use audio_lock. This makes audio_lock cover the device's knote
processing.
OK mpi@
|
|
hasn't been included, so the use of MIN() is not legit, and a local
version is required.
|
|
needed it and some no longer need it after moving the externs from
there to <sys/protosw.h>
ok jsg@
|
|
net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@
|
|
where the IPv4 versions have been forever
ok gnezdo@ deraadt@ jsg@ mpi@ millert@
|
|
more specific and appropriate, so delete it here
ok gnezdo@ deraadt@ jsg@ mpi@ millert@
|
|
ok mpi@
|
|
ok mpi@
|
|
ok gkoehler@
|
|
ok mpi@
|
|
The drm subsystem implements graphics buffers as uvm objects backed by
anonymous memory, thus drm locks and aobj locks share the same "vmobjlock"
type.
uvm_obj_wire() is only called from sys/dev/pci/drm/, so instead of changing
drm's lock init/alloc routines to mark allow duplicate locks in general,
enter uvm's vmobjlock with RW_DUPOK in this function to allow duplicate
lock types per thread in this specific call path alone.
Fixes the following WITNESS report when booting/starting X (as seen already
in other unrelated bugs@ reports):
wsdisplay0: screen 1-5 added (std, vt100 emulation)
witness: acquiring duplicate lock of same type: "&uobj->vmobjlock"
1st uobjlk
2nd uobjlk
Starting stack trace...
witness_checkorder(fffffd83b625f9b0,9,0) at witness_checkorder+0x8ac
rw_enter(fffffd83b625f9a0,1) at rw_enter+0x68
uvm_obj_wire(fffffd843c39e948,0,40000,ffff800033b70428) at uvm_obj_wire+0x46
shmem_get_pages(ffff800008008500) at shmem_get_pages+0xb8
__i915_gem_object_get_pages(ffff800008008500) at __i915_gem_object_get_pages+0x6d
i915_gem_fault(ffff800008008500,ffff800033b707c0,10009b000,a43d6b1c000,ffff800033b70740,1,35ba896911df1241,ffff8000000aa078,ffff8000000aa178) at i915_gem_fault+0x203
drm_fault(ffff800033b707c0,a43d6b1c000,ffff800033b70740,1,0,0,7eca45006f70ee0,ffff800033b707c0) at drm_fault+0x156
uvm_fault(fffffd843a7cf480,a43d6b1c000,0,2) at uvm_fault+0x179
upageflttrap(ffff800033b70920,a43d6b1c000) at upageflttrap+0x62
usertrap(ffff800033b70920) at usertrap+0x129
recall_trap() at recall_trap+0x8
end of kernel
end trace frame: 0x7f7ffffdc7c0, count: 246
End of stack trace.
Input kettenis
OK mpi
|
