Test that p_textvp is non-NULL before dereferencing, as no executable vnode is
set for kernel processes.
Reported by: Skip Ford <skip at menantico dot com>
Approved by: re (kensmith)
shared lookups are enabled. This closes a few races including a race where
concurrent opens of a fifo could result in different v_fifoinfo structures
in different threads.
and always require the queue to be specified to reduce diffs with HEAD.
These APIs are internal APIs only used to implement higher level primitives
such as locks and condition variables.
Approved by: alfred
where a reader blocked on a lock with no owner and just assert that it
never happens like HEAD.
- Actually set td->td_tsqueue to the sub-queue of a turnstile that a
thread is actually enqueued to. Otherwise, the kernel would always
think that threads were on the queue for exclusive (write) waiters
(queue 0). Thus, if the priority of a thread waiting on a read lock
was adjusted while it was waiting it could result in corrupting the
queue of waiting threads.
turnstile_unpend_queue() drops the lock that turnstile_release()
does. This was triggering a mtx_unlock() of an already unlocked
mutex panic.
Obtained from: Juniper Networks
Fix a kernel panic based on receiving an ICMPv6 Packet too Big message.
(MFC was planned but has been missed)
PR: 99779
Submitted by: Jinmei Tatuya
Reviewed by: clement, rwatson
Approved by: gnn (mentor)
src/sys/kern/uipc_socket.c: 1.280
Change kn_hook value from cdev to struct tty to avoid dereferencing freed
cdev.
In ttygone(), wake up select(), sigio and kevent() users in addition
to the queue sleepers.
Return EV_EOF from kevent filters if TS_GONE is set.
- In preparation of further linuxulator fixes MFC kern_descrip.c rev 1.296 and
syscallsubr.h rev 1.41 by jhb:
Add a kern_close() so that the ABIs can close a file descriptor w/o having
to populate a close_args struct and change some of the places that do.
Tested by: scf (i386, as part of a mega-MFC-patch),
Arno J. Klaassen <arno@heho.snv.jussieu.fr> (amd64)
amd64 including:
- Add 32-bit wrappers for thr_new(), thr_suspend(), and the umtx system
calls.
- Add support to amd64 for constructing thread upcalls for 32-bit
processes.
- Leave %fs and %gs alone in the signal trampoline for 32-bit processes on
amd64.
- Add 'casuword32()' to amd64 and ia64.
Tested by: emaste
rev. 1.11 of src/sys/geom/geom_vfs.c
rev. 1.516 of src/sys/kern/vfs_bio.c
rev. 1.35 of src/sys/nfs4client/nfs4_vnops.c
rev. 1.272 of src/sys/nfsclient/nfs_vnops.c
rev. 1.195 of src/sys/sys/buf.h
rev. 1.18 of src/sys/sys/bufobj.h
rev. 1.73 of src/sys/ufs/ffs/ffs_extern.h
rev. 1.133 of src/sys/ufs/ffs/ffs_snapshot.c
rev. 1.324 of src/sys/ufs/ffs/ffs_vfsops.c
Avoid dealing with buffers in bdwrite() that are from other side of
snaplock divisor in the lock order than the buffer being written. Add
new BOP, bop_bdwrite(), to do dirty buffer flushing for same vnode in
the bdwrite(). Default implementation, bufbdflush(), refactors the code
from bdwrite(). For ffs device buffers, specialized implementation is
used.
This commit changes KPI/KBI, thus recompilation of out of tree kernel
modules is required.
Approved by: re (kensmith)
rev. 1.438 of sys/kern/vfs_syscalls.c,
rev. 1.77 of sys/sys/filedesc.h:
Mark the filedescriptor table entries with VOP_OPEN being performed for them
as UF_OPENING. Disable closing of those entries. This should fix the crashes
caused by devfs_open() (and fifo_open()) dereferencing struct file * by
index, while the filedescriptor is closed by a parallel thread.
RELENG_6 testing by: Mark Kane <mark at mkproductions org>
a 64-bit process exec'd by a 32-bit process doesn't end up with 32-bit
limits.
This doesn't break the ABI as neither of the 32-bit ABIs (COMPAT_LINUX32
and COMPAT_IA32) are buildable as modules on 6.x/amd64 and none of the
other ABIs use this hook.
Change unp_mtx to supporting recursion, and do not drop the unp_mtx over
sonewconn() in unp_connect(). This avoids a race that occurs due to
v_socket being an uncounted reference, as the lock was being released in
order to call sonewconn(), which otherwise recurses into the UNIX domain
socket code via pru_attach, as well as holding the lock over a sleeping
memory allocation in uipc_attach(). Switch to a non-sleeping memory
allocation during UNIX domain socket attach.
This fix is non-ideal in that it requires enabling recursion, but is a much
smaller change than moving to using true references for v_socket. The
reported panic occurs in unp_connect() following the return of
sonewconn().
Update copyright year.
Panic reported by: jhb
Tested by: jhb
Add an additional MAC check to the UNIX domain socket connect path:
check that the subject has read/write access to the vnode using the
vnode MAC check.
Submitted by: Spencer Minear <spencer_minear at securecomputing dot com>
Obtained from: TrustedBSD Project
from HEAD to RELENG_6:
Move definition of UNIX domain socket protosw and domain entries from
uipc_proto.c to uipc_usrreq.c, making localdomain static. Remove
uipc_proto.c as it's no longer used. With this change, UNIX domain
sockets are entirely encapsulated in uipc_usrreq.c.
Remove UNIX domain socket raw socket support. This feature is documented
as being undocumented in Stevens, and was broken in 1997 during network
stack infrastructure work. It is the one remaining (and incorrect)
direct protocol reference to raw_usrreq.pru_attach; this is incorrect
because the raw socket code assumes that raw_uattach is called only after
the protocol has allocated a PCB.