Thu, 03 May 2018 15:15:17 +0000 Tickets #1600, #1601, #1602 netbsd-7-1
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:15:17 +0000] rev 318708
Tickets #1600, #1601, #1602
Thu, 03 May 2018 15:14:48 +0000 Pull up following revision(s) (requested by maxv in ticket #1602): netbsd-7-1
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:14:48 +0000] rev 318707
Pull up following revision(s) (requested by maxv in ticket #1602):
sys/kern/uipc_mbuf.c: revision 1.211 (via patch)
Modify m_defrag, so that it never frees the first mbuf of the chain. While here use the given 'flags' argument, and not M_DONTWAIT.
We have a problem with several drivers: they poll an mbuf chain from their queues and call m_defrag on them, but m_defrag could update the mbuf pointer, so the mbuf in the queue is no longer valid. It is not easy to fix each driver, because doing pop+push will reorder the queue, and we don't really want that to happen.
This problem was independently spotted by me, Kengo, Masanobu, and other people too it seems (perhaps PR/53218).
Now m_defrag leaves the first mbuf in place, and compresses the chain only starting from the second mbuf in the chain.
It is important not to compress the first mbuf with hacks, because the storage of this first mbuf may be shared with other mbufs.
Thu, 03 May 2018 15:08:54 +0000 Pull up following revision(s) (requested by spz in ticket #1601): netbsd-7-1
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:08:54 +0000] rev 318706
Pull up following revision(s) (requested by spz in ticket #1601):
crypto/external/bsd/heimdal/dist/kdc/connect.c: revision 1.3
avoid busy-waiting on a dead child
Thu, 03 May 2018 14:48:26 +0000 Pull up following revision(s) (requested by maxv in ticket #1600): netbsd-7-1
martin <martin@NetBSD.org> [Thu, 03 May 2018 14:48:26 +0000] rev 318705
Pull up following revision(s) (requested by maxv in ticket #1600):
sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)
Strengthen this check, to make sure there is room for an ip6_ext structure. Seems possible to crash m_copydata here (but I didn't test more than that).
Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I already fixed half of the problem two months ago in rev1.67, back then I thought it was not triggerable because each packet we emit is guaranteed to have correctly formed IPv6 options; but it is actually triggerable via IPv6 forwarding, we emit a packet we just received, and we don't sanitize its options before invoking IPsec.
Since it would be wrong to just stop the iteration and continue the IPsec processing, allow compute_ipsec_pos to fail, and when it does, drop the packet entirely.
Thu, 03 May 2018 15:14:14 +0000 Tickets #1600, #1601, #1602 netbsd-7
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:14:14 +0000] rev 318704
Tickets #1600, #1601, #1602
Thu, 03 May 2018 15:13:36 +0000 Pull up following revision(s) (requested by maxv in ticket #1602): netbsd-7
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:13:36 +0000] rev 318703
Pull up following revision(s) (requested by maxv in ticket #1602):
sys/kern/uipc_mbuf.c: revision 1.211 (via patch)
Modify m_defrag, so that it never frees the first mbuf of the chain. While here use the given 'flags' argument, and not M_DONTWAIT.
We have a problem with several drivers: they poll an mbuf chain from their queues and call m_defrag on them, but m_defrag could update the mbuf pointer, so the mbuf in the queue is no longer valid. It is not easy to fix each driver, because doing pop+push will reorder the queue, and we don't really want that to happen.
This problem was independently spotted by me, Kengo, Masanobu, and other people too it seems (perhaps PR/53218).
Now m_defrag leaves the first mbuf in place, and compresses the chain only starting from the second mbuf in the chain.
It is important not to compress the first mbuf with hacks, because the storage of this first mbuf may be shared with other mbufs.
Thu, 03 May 2018 15:08:09 +0000 Pull up following revision(s) (requested by spz in ticket #1601): netbsd-7
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:08:09 +0000] rev 318702
Pull up following revision(s) (requested by spz in ticket #1601):
crypto/external/bsd/heimdal/dist/kdc/connect.c: revision 1.3
avoid busy-waiting on a dead child
Thu, 03 May 2018 14:47:22 +0000 Pull up following revision(s) (requested by maxv in ticket #1600): netbsd-7
martin <martin@NetBSD.org> [Thu, 03 May 2018 14:47:22 +0000] rev 318701
Pull up following revision(s) (requested by maxv in ticket #1600):
sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)
Strengthen this check, to make sure there is room for an ip6_ext structure. Seems possible to crash m_copydata here (but I didn't test more than that).
Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I already fixed half of the problem two months ago in rev1.67, back then I thought it was not triggerable because each packet we emit is guaranteed to have correctly formed IPv6 options; but it is actually triggerable via IPv6 forwarding, we emit a packet we just received, and we don't sanitize its options before invoking IPsec.
Since it would be wrong to just stop the iteration and continue the IPsec processing, allow compute_ipsec_pos to fail, and when it does, drop the packet entirely.
Thu, 03 May 2018 15:04:51 +0000 Fix entry for ticket #1547 netbsd-6-0
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:04:51 +0000] rev 318700
Fix entry for ticket #1547
Thu, 03 May 2018 15:02:57 +0000 Tickets #1546 and #1547 netbsd-6-0
martin <martin@NetBSD.org> [Thu, 03 May 2018 15:02:57 +0000] rev 318699
Tickets #1546 and #1547