r357995 lwhsu Feb. 16, 2020, 10:57 a.m.
Sponsored by:	The FreeBSD Foundation
r357991 mjg Feb. 16, 2020, 3:33 a.m.
The routine was checking for ->v_type == VBAD. Since vgone drops the interlock
early and sets this type at the end of the process of dooming a vnode, this opens
a time window where it can clear the pointer while the interlock holder is
accessing it.

Another note is that the code was:
	   (vp->v_object != NULL &&
	   vp->v_object->resident_page_count > trigger)

The compiler is fully allowed to emit another read to get the pointer,
and in fact it did on the kernel used by pho.

Use atomic_load_ptr and remember the result.

Note that this depends on type-safety of vm_object.

Reported by:	pho
r357990 mjg Feb. 16, 2020, 3:16 a.m.
Otherwise the compiler inlines v_decr_devcount which keeps getting jumped over
in the common case of not dealing with a device.
r357989 mjg Feb. 16, 2020, 3:14 a.m.
The CPU succeeding in releasing the not last reference can still have pending
stores to the object protected by the affected counter. This opens a time
window where another CPU can release the last reference and free the object,
resulting in use-after-free. On top of that this prevents the compiler from
generating more accesses to the object regardless of how atomic_fcmpset_rel_int
is implemented (of course as long as it provides the release semantic).

Reviewed by:	markj
r357988 jeff Feb. 16, 2020, 1:07 a.m.
Reduce duplication among zalloc functions.

Reviewed by:	markj
Discussed with:	mjg
Differential Revision:	https://reviews.freebsd.org/D23672
r357987 mmacy Feb. 16, 2020, 12:12 a.m.
Key and cookie management typically wants to
avoid information leaks by explicitly zeroing
before free. This routine simplifies that by
permitting consumers to do so without carrying
the size around.

Reviewed by:	jeff@, jhb@
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC (Netgate)
Differential Revision:	https://reviews.freebsd.org/D22790
r357986 mmacy Feb. 16, 2020, 12:03 a.m.
This is a dependency for in-kernel wireguard.

Reviewed by:	cem@
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC (Netgate)
Differential Revision:	https://reviews.freebsd.org/D23689
r357985 kib Feb. 15, 2020, 11:25 p.m.
The function allows peeking at the thread exit status and even seeing the
return value, without joining (and thus finally destroying) the target
thread.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation (kib)
MFC after:	2 weeks
Differential revision:	https://reviews.freebsd.org/D23676
r357984 kib Feb. 15, 2020, 11:19 p.m.
As written now, it copies random kernel memory from beyond the bounds
of the array.

Reported and tested by:	pho
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation (kib)
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D23694
r357983 kib Feb. 15, 2020, 11:18 p.m.
Assert that sema[idx] allocation from sem[] is sane.
Also assert that sem_mtx is owned, it protects the SEM_ALLOC flag.

Reviewed by:	markj
Tested by:	pho
Sponsored by:	The FreeBSD Foundation (kib)
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D23694
r357982 kib Feb. 15, 2020, 11:15 p.m.
Reviewed by:	markj
Tested by:	pho
Sponsored by:	The FreeBSD Foundation (kib)
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D23694
r357981 mjg Feb. 15, 2020, 9:48 p.m.
r357980 kevans Feb. 15, 2020, 9:21 p.m.
r357979 kevans Feb. 15, 2020, 7:47 p.m.
fetch_socks5_getenv will allocate memory for the host (or set it to NULL) in
all cases through the function; the caller is responsible for freeing it if
we end up allocating.

While I'm here, I've eliminated a label that just jumps to the next line...
r357978 kevans Feb. 15, 2020, 7:39 p.m.
In case the port was specified, we never actually populated *host. Do so
now.

Pointy hat:	kevans