FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F8.1 2012-06-12T12:10:10Z 2012-06-12T12:10:10Z Bjoern A. Zeeb bz@FreeBSD.org 2012-06-12T12:10:10Z urn:sha1:5c96f75b591dd1e67de381c69a98fc2bb5ceb89e [12:03] Correct a privilege escalation when returning from kernel if running FreeBSD/amd64 on non-AMD processors. [12:04] Fix reference count errors in IPv6 code. [EN-12:02] Security: CVE-2012-1667 Security: FreeBSD-SA-12:03.bind Security: CVE-2012-0217 Security: FreeBSD-SA-12:04.sysret Security: FreeBSD-EN-12:02.ipv6refcount Approved by: so (simon, bz) 2010-06-25T21:26:34Z Qing Li qingli@FreeBSD.org 2010-06-25T21:26:34Z urn:sha1:dd62f5c0e633f2e49c3bec5fbf3b26332a455c2c This patch fixes the problem where proxy ARP entries cannot be added over the if_ng interface. Approved by: re (bz) 2010-06-22T17:45:21Z Michael Tuexen tuexen@FreeBSD.org 2010-06-22T17:45:21Z urn:sha1:5483bc18e4dc0601028167b1366e93a1ad550a4e * Fix a bug where the length of the ASCONF-ACK was calculated wrong due to using an uninitialized variable. * Fix a bug where a NULL pointer was dereferenced when interfaces come and go at a high rate. * Fix a bug where inps where not deregistered from iterators. * Fix a race condition in freeing an association. * Fix a refcount problem related to the iterator. Each of the above bug results in a panic. It shows up when interfaces come and go at a high rate. Approved by: re 2010-06-11T20:38:20Z Michael Tuexen tuexen@FreeBSD.org 2010-06-11T20:38:20Z urn:sha1:cd89751f90eaa4f92a910c032fcc605357253acd 3 Fixes - a) There was a case where a ICMP message could cause us to return leaving a stuck lock on an stcb. b) The iterator needed some tweaks to fix its lock ordering. c) The ITERATOR_LOCK is no longer needed in the freeing of a stcb. Now that the timer based one is gone we don't have a multiple resume situation. Add to that that there was somewhere a path out of the freeing of an assoc that did NOT release the iterator_lock.. it was time to clean this old code up and in the process fix the lock bug. Approved by: re (bz) 2010-06-11T03:13:19Z Randall Stewart rrs@FreeBSD.org 2010-06-11T03:13:19Z urn:sha1:2a0266f7c7b2f408a31dafbe6e246c8e7425b1b0 Fix a number of bugs and race conditions. r208160: Bring back of the iterator thread. It now properly handles VNETS having only one thread. The old timer based code was full of LOR's and other issues. r208852: Cleanup bug. Basically when an un-accepted socket was hanging on a closed listener, we would leak the inp never cleaning it up r208853: Enhance the use under invarients of the audit for locks function and fix a bug where a close collision with a cookie being processed would cause a crash. r208854: Use the proper increment macros when working with the sent_queue_retran_cnt r208855: Align comments properly, Fix a bug where we were NOT looking at the resend markings for control chunks and also not decrementing the retran count which caused extra calls to retransmission. Alos add a valid no locks call to the output routine. r208856: Spacing issues in auth/bsd addr. r208857: Get rid of a windows ifdef that somehow leaked in r208863: Missing error leg returns in some failure cases r208864: LOR fix between the iterator and sctp_inpcb_close r208874: Don't call the sctp_inpcb_free from abort an association since you don't know what locks you hold and a timer will take care of the situation when the gone flag is set r208875: sctp_inpcb_free bug - a socket under the right situation could get stuck (from the accept queue) and never start the proper cleanup timer) r208876: Further enhance invariant lock validation, Fix a bug where a closed socket and a INIT-ACK could collide and cause a crash r208878: Clear up another bug in sctp_inpcb_free where we would end up due to a race in freeing hit a destroy of a contended lock. r208879: Optimize the cleanup and make some additional fixes in the sysctl code so that it won't reference a GONE INP and crash us r208883 & r208891: Fix so we don't open a hole between a sock lock and a call to socantrcvmore.. we could before hit a race that would kill the socket underneath us leading to a crash r208897: CUM-ACK calculation was messed up. So basically large message got broken from the original NR_sack integration. r208902: Make sure that we don't move a bit to the NR array that is behind the cum-ack r208952: Use both bit maps to calculte the cum-ack. r208953: Fix bug having to do with freeing an sctp_inpcb_free(). 1) make sure not to remove the flag until you get the lock again. 2) make sure all log_closing calls hold the lock. 3) Release all the locks when everthing is done and call callout_drain not callout_stop.. r208970: Fix some places on user allocation of a new sctp_inpcb where we run out of resource that we make sure to NULL the so_pcb pointer. Approved by: re - (bz@freebsd.org) 2010-06-03T09:06:50Z Robert Watson rwatson@FreeBSD.org 2010-06-03T09:06:50Z urn:sha1:e5dbe8eca067a55cbb641a0f23ced92656874a8f Locking the tcbinfo structure should not be necessary in tcp_timer_delack(), so don't. Reviewed by: bz Sponsored by: Juniper Networks Approved by: re (kib) 2010-06-03T09:02:53Z Robert Watson rwatson@FreeBSD.org 2010-06-03T09:02:53Z urn:sha1:4b33228640da9deb51db93bb8e1e2c7f06ec33af Make udp_set_kernel_tunneling() less forgiving when its invariants are violated: so_pcb can never be NULL for a valid UDP socket, and it is always SOCK_DGRAM. Use sotoinpcb() as the rest of the UDP code does. Reviewed by: bz Sponsored by: Juniper Networks Approved by: re (kib) 2010-06-03T08:55:45Z Robert Watson rwatson@FreeBSD.org 2010-06-03T08:55:45Z urn:sha1:c00cb785e5254f63a91e8c24c119ada3e1110c26 Remove unnecessary locking of divcbinfo lock from div_output(): this has not been required since FreeBSD 7.0 when the so_pcb pointer leading to inp was guaranteed to be stable when a valid socket reference is held (as it is in the output path). Reviewed by: bz Sponsored by: Juniper Networks Approved by: re (kib) 2010-06-01T14:21:24Z Robert Watson rwatson@FreeBSD.org 2010-06-01T14:21:24Z urn:sha1:03b868be4c129d14d48fdca1afd3c6a84efacafd Add a comment to tcp_usr_accept() to indicate why it is we acquire the tcbinfo lock there: r175612, which re-added it, masked a race between sonewconn(2) and accept(2) that could allow an incompletely initialized address on a newly-created socket on a listen queue to be exposed. Full details can be found in that commit message. Sponsored by: Juniper Networks Approved by: re (bz) 2010-06-01T14:18:44Z Robert Watson rwatson@FreeBSD.org 2010-06-01T14:18:44Z urn:sha1:4fc9f6b81e045d8d6ea0c41f2ec1a8da69278345 Wrap use of rw_try_upgrade() on pcbinfo with macro INP_INFO_TRY_UPGRADE() to match other pcbinfo locking macros. Approved by: re (bz)