FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F10.2 2016-05-31T16:55:45Z 2016-05-31T16:55:45Z Gleb Smirnoff glebius@FreeBSD.org 2016-05-31T16:55:45Z urn:sha1:3b6d05264f164de15224257803c5e9b9d331dbd8 Fix kernel stack disclosure in 4.3BSD compatibility layer. [SA-16:21] Security: SA-16:20 Security: SA-16:21 Approved by: so 2016-05-17T22:28:20Z Gleb Smirnoff glebius@FreeBSD.org 2016-05-17T22:28:20Z urn:sha1:a6df401345b4ad6ca3055f3d3c3962333a11f6e8 - Validate that user supplied control message length in sendmsg(2) is not negative. Security: SA-16:18 Security: CVE-2016-1886 Security: SA-16:19 Security: CVE-2016-1887 Submitted by: C Turt <cturt hardenedbsd.org> Approved by: so 2016-01-14T09:10:46Z Gleb Smirnoff glebius@FreeBSD.org 2016-01-14T09:10:46Z urn:sha1:7f86e2d395476d8856f8ec778b41942180ef632c o Fix invalid TCP checksums with pf(4). [EN-16:02.pf] o Fix YP/NIS client library critical bug. [EN-16:03.yplib] o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp] o Fix ntp panic threshold bypass vulnerability. [SA-16:02.ntp] o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux] o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux] o Fix TCP MD5 signature denial of service. [SA-16:05.tcp] o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd] Errata: FreeBSD-EN-16:01.filemon Errata: FreeBSD-EN-16:02.pf Errata: FreeBSD-EN-16:03.yplib Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879 Security: FreeBSD-SA-16:02.ntp, CVE-2015-5300 Security: FreeBSD-SA-16:03.linux, CVE-2016-1880 Security: FreeBSD-SA-16:04.linux, CVE-2016-1881 Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882 Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677 Approved by: so 2015-08-05T16:58:04Z Edward Tomasz Napierala trasz@FreeBSD.org 2015-08-05T16:58:04Z urn:sha1:7eee39f5c651b328bf42844a221a7b749e848e0a Make the kern.racct.enable tunable actually work. This is a direct commit to 10-STABLE - 11-CURRENT is not affected, because tunables are automatically fetched there. Approved by: re (gjb) Sponsored by: The FreeBSD Foundation 2015-07-30T02:45:35Z Marius Strobl marius@FreeBSD.org 2015-07-30T02:45:35Z urn:sha1:48d5f14b8425a191a7fa507e004de96d90f53743 o Revert the other functional half of r239864, i. e. the merge of r134227 from x86 to use smp_ipi_mtx spin lock not only for smp_rendezvous_cpus() but also for the MD cache invalidation, TLB demapping and remote register reading IPIs due to the following reasons: - The cross-IPI SMP deadlock x86 otherwise is subject to can't happen on sparc64. That's because on sparc64, spin locks don't disable interrupts completely but only raise the processor interrupt level to PIL_TICK. This means that IPIs still get delivered and direct dispatch IPIs such as the cache invalidation etc. IPIs in question are still executed. - In smp_rendezvous_cpus(), smp_ipi_mtx is held not only while sending an IPI_RENDEZVOUS, but until all CPUs have processed smp_rendezvous_action(). Consequently, smp_ipi_mtx may be locked for an extended amount of time as queued IPIs (as opposed to the direct ones) such as IPI_RENDEZVOUS are scheduled via a soft interrupt. Moreover, given that this soft interrupt is only delivered at PIL_RENDEZVOUS, processing of smp_rendezvous_action() on a target may be interrupted by f. e. a tick interrupt at PIL_TICK, in turn leading to the target in question trying to send an IPI by itself while IPI_RENDEZVOUS isn't fully handled, yet, and, thus, resulting in a deadlock. o As mentioned in the commit message of r245850, on least some sun4u platforms concurrent sending of IPIs by different CPUs is fatal. Therefore, hold the reintroduced MD ipi_mtx also while delivering cross-traps via MI helpers, i. e. ipi_{all_but_self,cpu,selected}(). o Akin to x86, let the last CPU to process cpu_mp_bootstrap() set smp_started instead of the BSP in cpu_mp_unleash(). This ensures that all APs actually are started, when smp_started is no longer 0. o In all MD and MI IPI helpers, check for smp_started == 1 rather than for smp_cpus > 1 or nothing at all. This avoids races during boot causing IPIs trying to be delivered to APs that in fact aren't up and running, yet. While at it, move setting of the cpu_ipi_{selected,single}() pointers to the appropriate delivery functions from mp_init() to cpu_mp_start() where it's better suited and allows to get rid of the global isjbus variable. o Given that now concurrent IPI delivery no longer is possible, also nuke the delays before completely disabling interrupts again in the CPU-specific cross-trap delivery functions, previously giving other CPUs a window for sending IPIs on their part. Actually, we now should be able to entirely get rid of completely disabling interrupts in these functions. Such a change needs more testing, though. o In {s,}tick_get_timecount_mp(), make the {s,}tick variable static. While not necessary for correctness, this avoids page faults when accessing the stack of a foreign CPU as {s,}tick now is locked into the TLBs as part of static kernel data. Hence, {s,}tick_get_timecount_mp() always execute as fast as possible, avoiding jitter. PR: 201245 Approved by: re (gjb) 2015-07-28T17:00:03Z Konstantin Belousov kib@FreeBSD.org 2015-07-28T17:00:03Z urn:sha1:39e669c66eec738525707f06fb1c25742d70b40d fd: de-k&r-ify functions + some whitespace fixes MFC r285269: Handle copyout for the fcntl(F_OGETLK) using oflock structure. Approved by: re (gjb) 2015-07-21T17:16:37Z Mark Johnston markj@FreeBSD.org 2015-07-21T17:16:37Z urn:sha1:be938fd44f0656669951feda80cec51a9108c947 Ensure that locstat_nsecs() has no effect when lockstat probes are not enabled or when the profiled lock carries the LO_NOPROFILE flag. PR: 201642, 201517 Approved by: re (gjb) Tested by: Jason Unovitch 2015-07-21T15:06:22Z Konstantin Belousov kib@FreeBSD.org 2015-07-21T15:06:22Z urn:sha1:a01f854f2b0e20da45f901ecb3683db1c5c8608c Approved by: re (gjb) 2015-07-15T19:11:43Z Xin LI delphij@FreeBSD.org 2015-07-15T19:11:43Z urn:sha1:e57f86038ca56b3be7d0d81eab57e135da3fbe72 Use the monotonic (uptime) counter rather than time-of-day to measure elapsed time between ntp_adjtime() clock offset adjustments. This eliminates spurious frequency steering after a large clock step (such as a 1970->2015 step on a system with no battery-backed clock hardware). This problem was discovered after the import of ntpd 4.2.8, which does things in a slightly different (but still correct) order than the 4.2.4 we had previously. In particular, 4.2.4 would step the clock then immediately after use ntp_adjtime() to set the frequency and offset to zero, which captured the post-step time-of-day as a side effect. In 4.2.8, ntpd sets frequency and offset to zero before any initial clock step, capturing the time as 1970-ish, then when it next calls ntp_adjtime() it's with a non-zero offset measurement. This non-zero value gets multiplied by the apparent 45-year interval, which blows up into a completely bogus frequency steer. That gets clamped to 500ppm, but that's still enough to make the clock drift so fast that ntpd has to keep stepping it every few minutes to compensate. Approved by: re (gjb) 2015-07-11T19:11:40Z Konstantin Belousov kib@FreeBSD.org 2015-07-11T19:11:40Z urn:sha1:a9830d47c36950a043586305b870d14974b3fb97 Handle errors from background write of the cylinder group blocks. MFC r284927: Simplify code. Approved by: re (gjb)