backwards, in low-entropy conditions there was a time interval in which
/dev/urandom could still output bits on an unacceptably short key. Output
from /dev/random was *NOT* impacted.
Eliminate the flag in question -- it's safest to always fill the requested
key buffer with output from the entropy-pool, even if we let the caller
know we couldn't provide bytes with the full entropy it requested.
Advisory will be updated soon with a full worst-case analysis of the
/dev/urandom output path in the presence of either variant of the
SA-2013-003 bug. Fortunately, because a large amount of other input
is mixed in before users can obtain any output, it doesn't look as dangerous
in practice as I'd feared it might be.
A type specifier of the form
enum identifier
without an enumerator list shall only appear after the type it
specifies is complete.
which means that we cannot pass an "enum vtype" argument to
kauth_access_action() without fully specifying the type first.
Unfortunately there is a complicated include file loop which
makes that difficult, so convert this minimal function into a
macro (and capitalize it).
(ok elad@)
so we need to retry if curlwp took a context switch during the call.
Otherwise, CPU-local invariants can get screwed up:
panic: kernel diagnostic assertion "cur->pcg_avail == cur->pcg_size" failed
This is (was) very easy to reproduce by just running:
while : ; do RUMP_NCPU=32 ./a.out ; done
where a.out only calls rump_init(). But, any situation there's contention
and a pool doesn't have emptygroups would do.
and {.tv_sec = 0, .tv_nsec=0} means do not block at all. Add a comment
saying so. The code incorrectly treats them both as an infinite timeout,
and that is not fixed by this commit.
- Don't leave garbage in the control buffer if allocating file
descriptors fails in unp_externalize.
- Scrub the space between CMSG_LEN and CMSG_SPACE to avoid kernel
memory disclosure in unp_externalize.
- Don't read past cmsg_len when closing file descriptors that
couldn't get delivered, in free_rights.
ok christos
To retrieve a spec_node, two new lookup functions (by device or by mount)
are implemented. Both return a referenced vnode, for an opened block device
the opened vnode is returned so further diagnostic checks "vp == ... sd_bdevvp"
will not fire. Otherwise any vnode matching the criteria gets returned.
No objections on tech-kern.
Welcome to 6.99.17
defined in ddb/db_panic.c and declared in ddb/ddbvar.h. No functional
change.
The copyright years in db_panic.c are the years in which changes were
made to the code that has now been moved to db_panic.c. No pre-NetBSD
copyright notice is needed because revision 1.12 of subr_prf.c had only
the trivial "#ifdef DDB \\ Debugger(); \\ #endif"
pass memory for vmem structs into the initialization function and
do away with the static pool of vmem structs.
remove special bootstrapping of the quantum cache pools of the kmem_va_arena
as memory for pool_caches is allocated via pool_allocator_meta which is
fully operational at this point.
and process them in bulk, but, always declare hardware RNGs and VM system
sources as "fast" since in these cases efficiency is important and data
will be abundant.
before we had ever had any entropy, if something else has consumed the
entropy that triggered the immediate reseed, we can reseed with as little
as sizeof(int) bytes of entropy.
pass memory for vmem structs into the initialization functions and
do away with the static pools for this.
factor out the vmem internal structures into a private header.
remove special bootstrapping of the kmem_va_arena as all necessary memory
comes from pool_allocator_meta wich is fully operational at this point.
from pserialize(9) and mutex / condvar.
The fast paths (fstrans_start/fstrans_done on a file system not
suspended or suspending and fscow_run with no change pending) now
run without locks or other atomic operations. Suspension and cow
handler insertion and removal is done with mutex / condvars.
The API remains unchanged.
freeing the VA; otherwise there is a window when it can be re-used while
stale TLB entries may be present.
- physmap_fill: use MIN() instead of min(), since vsize_t is used.
- Add RCS ID comment while here and prevent physmap.h inclusion in userland.
from lists of pages or ranges of virtual address. By using these physical
maps, the kernel can avoid mapping physical I/O in the kernel's address space
in most cases.
the *at system calls on November 18th of last year. Reasons to revert
it include:
- it is incorrect in a whole variety of ways (but fortunately, one
of them is that the missing and improper permission checks have
no net effect);
- it was committed without review or discussion;
- core ruled that all the new O_* flags pertaining to the *at calls
needed to wait until their semantics could be clarified.
manu was asked to revert it on these grounds but has ignored the request.
I have left O_SEARCH defined and visible and made open() explicitly
ignore it. This way, most code that tries to use it will continue to
build and run. I've also arranged lib/libc/c063/t_o_search.c so that
the tests that make use of the O_SEARCH semantics will disappear until
O_SEARCH comes back, and fixed some mistakes and/or incorrect hacks
that were causing some of these to succeed despite the broken O_SEARCH
implementation.
finishes (without blocking). Problem reported by hannken@, thanks!
- pserialize_read_enter: use splsoftserial(), not splsoftclock().
- pserialize_perform: add xcall(9) barrier as interrupts may be coalesced.
cause the buffer to stay lock and we end up blocking forever in
VOP_CLOSE->spec_close->vinvalbuf->bbysy since the buffer is marked busy
but there is no I/O pending.
This caused my laptop to hang on boot_findwedge because:
findroot: unable to read block 358331527 of dev dk0 (22)
allocate an iov structure for ktrace. When tracing is then enabled
and the process wakes up, it crashes the kernel.
Undo the last commit which introduced this error path.
Avoid the mentioned kmem_alloc assertion by adding a sanity check analog
to similar code in sys_generic.c for I/O on file handles instead of
sockets.
This also causes the syscall to return EMSGSIZE if the msg_iovlen member
of the msg structure is less than or equal to 0, as defined in
recvmsg(2)/sendmsg(2).
error and modify all callers to not brelse() on error.
Welcome to 6.99.16
PR kern/46282 (6.0_BETA crash: msdosfs_bmap -> pcbmap -> bread -> bio_doread)
This stops being true once a process has allocated (and freed) 2^32 lwps.
(I've not timed it!)
There is also some code lurking (eg ld.elf_so) that doesn't expect the
high be be set.
Once the lwp_id wraps, scan the list to find the first free id higher
than the last one allocated.
Maintain the sort order to make the possible.
Note that if some lwp (but not all) are allocated numbers from the pid
space it will go horribly wrong.
Tested by setting the limit to 128 and getting firefox to create threads.
clearly tells us:
kern_rate.c:98: warning: assuming signed overflow does not
occur when assuming that (X + c) > X is always true
Check value against INT_MAX instead. Also, for good measure throw
in a __predict() to flag the assumed common case.
- in close, invalidate f_data and f_type early to prevent accidental re-use
- add a DIAGNOSTIC for when we use unsupported fd's and a KASSERT for f_event
being NULL.
fds. XXX: We should really fix the fd's to be supported in the future.
Unsupported fd's have a NULL f_event, so registering crashes the kernel with
a NULL function dereference of f_event.
