Re: kern/155606: commit references a PR
The following reply was made to PR kern/155606; it has been noted by GNATS.
From: dfil...@freebsd.org (dfilter service)
To: bug-follo...@freebsd.org
Cc:
Subject: Re: kern/155606: commit references a PR
Date: Sun, 13 Nov 2011 10:28:15 + (UTC)
Author: kib
Date: Sun Nov 13 10:28:01 2011
New Revision: 227485
URL: http://svn.freebsd.org/changeset/base/227485
Log:
To limit amount of the kernel memory allocated, and to optimize the
iteration over the fdsets, kern_select() limits the length of the
fdsets copied in by the last valid file descriptor index. If any bit
is set in a mask above the limit, current implementation ignores the
filedescriptor, instead of returning EBADF.
Fix the issue by scanning the tails of fdset before entering the
select loop and returning EBADF if any bit above last valid
filedescriptor index is set. The performance impact of the additional
check is only imposed on the (somewhat) buggy applications that pass
bad file descriptors to select(2) or pselect(2).
PR: kern/155606, kern/162379
Discussed with: cognet, glebius
Tested by: andreast (powerpc, all 64/32bit ABI combinations, big-endian),
marius (sparc64, big-endian)
MFC after:2 weeks
Modified:
head/sys/kern/sys_generic.c
Modified: head/sys/kern/sys_generic.c
==
--- head/sys/kern/sys_generic.cSun Nov 13 06:39:49 2011
(r227484)
+++ head/sys/kern/sys_generic.cSun Nov 13 10:28:01 2011
(r227485)
@@ -831,6 +831,54 @@ sys_select(struct thread *td, struct sel
NFDBITS));
}
+/*
+ * In the unlikely case when user specified n greater then the last
+ * open file descriptor, check that no bits are set after the last
+ * valid fd. We must return EBADF if any is set.
+ *
+ * There are applications that rely on the behaviour.
+ *
+ * nd is fd_lastfile + 1.
+ */
+static int
+select_check_badfd(fd_set *fd_in, int nd, int ndu, int abi_nfdbits)
+{
+ char *addr, *oaddr;
+ int b, i, res;
+ uint8_t bits;
+
+ if (nd >= ndu || fd_in == NULL)
+ return (0);
+
+ oaddr = NULL;
+ bits = 0; /* silence gcc */
+ for (i = nd; i < ndu; i++) {
+ b = i / NBBY;
+#if BYTE_ORDER == LITTLE_ENDIAN
+ addr = (char *)fd_in + b;
+#else
+ addr = (char *)fd_in;
+ if (abi_nfdbits == NFDBITS) {
+ addr += rounddown(b, sizeof(fd_mask)) +
+ sizeof(fd_mask) - 1 - b % sizeof(fd_mask);
+ } else {
+ addr += rounddown(b, sizeof(uint32_t)) +
+ sizeof(uint32_t) - 1 - b % sizeof(uint32_t);
+ }
+#endif
+ if (addr != oaddr) {
+ res = fubyte(addr);
+ if (res == -1)
+ return (EFAULT);
+ oaddr = addr;
+ bits = res;
+ }
+ if ((bits & (1 << (i % NBBY))) != 0)
+ return (EBADF);
+ }
+ return (0);
+}
+
int
kern_select(struct thread *td, int nd, fd_set *fd_in, fd_set *fd_ou,
fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits)
@@ -845,14 +893,26 @@ kern_select(struct thread *td, int nd, f
fd_mask s_selbits[howmany(2048, NFDBITS)];
fd_mask *ibits[3], *obits[3], *selbits, *sbp;
struct timeval atv, rtv, ttv;
- int error, timo;
+ int error, lf, ndu, timo;
u_int nbufbytes, ncpbytes, ncpubytes, nfdbits;
if (nd < 0)
return (EINVAL);
fdp = td->td_proc->p_fd;
- if (nd > fdp->fd_lastfile + 1)
- nd = fdp->fd_lastfile + 1;
+ ndu = nd;
+ lf = fdp->fd_lastfile;
+ if (nd > lf + 1)
+ nd = lf + 1;
+
+ error = select_check_badfd(fd_in, nd, ndu, abi_nfdbits);
+ if (error != 0)
+ return (error);
+ error = select_check_badfd(fd_ou, nd, ndu, abi_nfdbits);
+ if (error != 0)
+ return (error);
+ error = select_check_badfd(fd_ex, nd, ndu, abi_nfdbits);
+ if (error != 0)
+ return (error);
/*
* Allocate just enough bits for the non-null fd_sets. Use the
___
svn-src-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/162379: commit references a PR
The following reply was made to PR kern/162379; it has been noted by GNATS.
From: dfil...@freebsd.org (dfilter service)
To: bug-follo...@freebsd.org
Cc:
Subject: Re: kern/162379: commit references a PR
Date: Sun, 13 Nov 2011 10:28:15 + (UTC)
Author: kib
Date: Sun Nov 13 10:28:01 2011
New Revision: 227485
URL: http://svn.freebsd.org/changeset/base/227485
Log:
To limit amount of the kernel memory allocated, and to optimize the
iteration over the fdsets, kern_select() limits the length of the
fdsets copied in by the last valid file descriptor index. If any bit
is set in a mask above the limit, current implementation ignores the
filedescriptor, instead of returning EBADF.
Fix the issue by scanning the tails of fdset before entering the
select loop and returning EBADF if any bit above last valid
filedescriptor index is set. The performance impact of the additional
check is only imposed on the (somewhat) buggy applications that pass
bad file descriptors to select(2) or pselect(2).
PR: kern/155606, kern/162379
Discussed with: cognet, glebius
Tested by: andreast (powerpc, all 64/32bit ABI combinations, big-endian),
marius (sparc64, big-endian)
MFC after:2 weeks
Modified:
head/sys/kern/sys_generic.c
Modified: head/sys/kern/sys_generic.c
==
--- head/sys/kern/sys_generic.cSun Nov 13 06:39:49 2011
(r227484)
+++ head/sys/kern/sys_generic.cSun Nov 13 10:28:01 2011
(r227485)
@@ -831,6 +831,54 @@ sys_select(struct thread *td, struct sel
NFDBITS));
}
+/*
+ * In the unlikely case when user specified n greater then the last
+ * open file descriptor, check that no bits are set after the last
+ * valid fd. We must return EBADF if any is set.
+ *
+ * There are applications that rely on the behaviour.
+ *
+ * nd is fd_lastfile + 1.
+ */
+static int
+select_check_badfd(fd_set *fd_in, int nd, int ndu, int abi_nfdbits)
+{
+ char *addr, *oaddr;
+ int b, i, res;
+ uint8_t bits;
+
+ if (nd >= ndu || fd_in == NULL)
+ return (0);
+
+ oaddr = NULL;
+ bits = 0; /* silence gcc */
+ for (i = nd; i < ndu; i++) {
+ b = i / NBBY;
+#if BYTE_ORDER == LITTLE_ENDIAN
+ addr = (char *)fd_in + b;
+#else
+ addr = (char *)fd_in;
+ if (abi_nfdbits == NFDBITS) {
+ addr += rounddown(b, sizeof(fd_mask)) +
+ sizeof(fd_mask) - 1 - b % sizeof(fd_mask);
+ } else {
+ addr += rounddown(b, sizeof(uint32_t)) +
+ sizeof(uint32_t) - 1 - b % sizeof(uint32_t);
+ }
+#endif
+ if (addr != oaddr) {
+ res = fubyte(addr);
+ if (res == -1)
+ return (EFAULT);
+ oaddr = addr;
+ bits = res;
+ }
+ if ((bits & (1 << (i % NBBY))) != 0)
+ return (EBADF);
+ }
+ return (0);
+}
+
int
kern_select(struct thread *td, int nd, fd_set *fd_in, fd_set *fd_ou,
fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits)
@@ -845,14 +893,26 @@ kern_select(struct thread *td, int nd, f
fd_mask s_selbits[howmany(2048, NFDBITS)];
fd_mask *ibits[3], *obits[3], *selbits, *sbp;
struct timeval atv, rtv, ttv;
- int error, timo;
+ int error, lf, ndu, timo;
u_int nbufbytes, ncpbytes, ncpubytes, nfdbits;
if (nd < 0)
return (EINVAL);
fdp = td->td_proc->p_fd;
- if (nd > fdp->fd_lastfile + 1)
- nd = fdp->fd_lastfile + 1;
+ ndu = nd;
+ lf = fdp->fd_lastfile;
+ if (nd > lf + 1)
+ nd = lf + 1;
+
+ error = select_check_badfd(fd_in, nd, ndu, abi_nfdbits);
+ if (error != 0)
+ return (error);
+ error = select_check_badfd(fd_ou, nd, ndu, abi_nfdbits);
+ if (error != 0)
+ return (error);
+ error = select_check_badfd(fd_ex, nd, ndu, abi_nfdbits);
+ if (error != 0)
+ return (error);
/*
* Allocate just enough bits for the non-null fd_sets. Use the
___
svn-src-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
misc/162519: [zfs] "zpool import" relies on buggy realpath() behaviour
>Number: 162519 >Category: misc >Synopsis: [zfs] "zpool import" relies on buggy realpath() behaviour >Confidential: no >Severity: non-critical >Priority: low >Responsible:freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Nov 13 14:50:07 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Robert Millan >Release:Debian GNU/kFreeBSD "sid" >Organization: >Environment: >Description: zpool_find_import_impl() in cddl/contrib/opensolaris/lib/libzfs/common/libzfs_import.c is relying on buggy realpath() behaviour. FreeBSD realpath() does not currently conform to SUS specification (see PR 128933). It returns succesfully for invalid paths for which it should return ENOENT. The code in zpool will stop working correctly when this bug is fixed: - By default zpool_find_import_impl() operates on "/dev/dsk/" directory, which on FreeBSD doesn't exist. - It begins by attempting to canonicalize this path using realpath(). This should fail with ENOENT and abort execution, but realpath() returns succesfully. - It then proceeds to replace "/dev/dsk/" with "/dev/". - Finally it opens devices from the (now correct) directory and imports them. >How-To-Repeat: >Fix: The correct solution IMHO is to replace all instances of "/dev/dsk/" with "/dev/". However this could be undesirable wrt new code imports. Other possibilities could be to move the 'rdsk = "/dev/";' correction up so that it happens before realpath() call, or to add "errno != ENOENT" requirement before aborting with error. >Release-Note: >Audit-Trail: >Unformatted: ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/119507: [dri] mach64.o kernel module version is 1.0.0, but version 2.x is needed
Synopsis: [dri] mach64.o kernel module version is 1.0.0, but version 2.x is needed State-Changed-From-To: feedback->closed State-Changed-By: jh State-Changed-When: Sun Nov 13 15:26:44 UTC 2011 State-Changed-Why: Not a problem for submitter anymore. http://www.freebsd.org/cgi/query-pr.cgi?pr=119507 ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/99538: [keyboard] [atkbdc] while using USB keyboard default params of atkbd and kbdmux lead to long delays on changes of keyboard state
On Sat, Nov 12, 2011 at 5:37 AM, wrote: > Synopsis: [keyboard] [atkbdc] while using USB keyboard default params of > atkbd and kbdmux lead to long delays on changes of keyboard state > > State-Changed-From-To: open->feedback > State-Changed-By: jh > State-Changed-When: Fri Nov 11 19:37:21 UTC 2011 > State-Changed-Why: > Can you still reproduce this on recent FreeBSD versions? > > http://www.freebsd.org/cgi/query-pr.cgi?pr=99538 I have a HP ProLiant ML110 that does this. 9 seconds after pressing Caps-Lock the LED lights. 3 seconds for it to go off. It also takes several seconds to switch consoles. The keyboard is not USB. It has a 'Genius KWD-820' keyboard connected to the PS2 port. No mouse. No USB devices connected at all. Here is some stuff from /var/run/dmesg.boot: FreeBSD 8.2-STABLE #0: Tue Jul 5 19:10:42 EST 2011 ... CPU: Intel(R) Pentium(R) D CPU 2.80GHz (2793.02-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0xf47 Family = f Model = 4 Stepping = 7 ... ACPI APIC Table: FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs FreeBSD/SMP: 1 package(s) x 2 core(s) ... ioapic0 irqs 0-23 on motherboard kbd1 at kbdmux0 iscsi: version 2.2.4.2 acpi0: on motherboard acpi0: [ITHREAD] acpi0: Power Button (fixed) acpi0: reservation of fed13000, 1000 (3) failed ... atkbdc0: at port 0x60,0x64 on isa0 atkbd0: irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] atkbd0: [ITHREAD] ... ugen3.2: at usbus3 ukbd0: on usbus3 kbd2 at ukbd0 ums0: on usbus3 ums0: 8 buttons and [XYZ] coordinates ID=0 ... I do not know what kbd1 and kbd2 are, nor ums0. -andyf ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/162519: [zfs] "zpool import" relies on buggy realpath() behaviour
Synopsis: [zfs] "zpool import" relies on buggy realpath() behaviour Responsible-Changed-From-To: freebsd-bugs->freebsd-fs Responsible-Changed-By: linimon Responsible-Changed-When: Sun Nov 13 20:28:39 UTC 2011 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=162519 ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/162509: [re] [panic] Kernel panic may be related to if_re.c (realtek 8168 )
Old Synopsis: Kernel panic may be related to if_re.c (realtek 8168 ) New Synopsis: [re] [panic] Kernel panic may be related to if_re.c (realtek 8168 ) Responsible-Changed-From-To: freebsd-bugs->freebsd-net Responsible-Changed-By: linimon Responsible-Changed-When: Sun Nov 13 20:34:04 UTC 2011 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=162509 ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
misc/162547: rtadvd not working, reporting non-zero lifetime RA on RA receiving interface
>Number: 162547 >Category: misc >Synopsis: rtadvd not working, reporting non-zero lifetime RA on RA >receiving interface >Confidential: no >Severity: serious >Priority: medium >Responsible:freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Nov 14 01:40:07 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Matthew Lager >Release:9.0-RC1 >Organization: SDUNIX >Environment: FreeBSD g03.rpsol.net 9.0-RC1 FreeBSD 9.0-RC1 #0: Tue Oct 18 18:30:38 UTC 2011 r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: In FreeBSD 8.2-RELEASE, rtadvd is working properly, and clients are receiving IPv6 addresses. When trying the same configuration in 9.0-RC1, rtadvd reports: Nov 13 18:19:31 g03 rtadvd[2818]: non-zero lifetime RA on RA receiving interface re1. Ignored. At this point, rtadvd fails to advertise IPv6 addresses to clients. After reading the man page, it looked like passing the -s flag to rtadvd would suppress this behavior, but that had no effect. To test, I commented out the block of code in /usr/src/usr.sbin/rtadvd/rtadvd.c that handled this, recompiled and installed, and rtadvd works as it did in FreeBSD 8.2-RELEASE. >How-To-Repeat: Enable rtadvd using the following flags in rc.conf: rtadvd_enable="YES" rtadvd_interfaces="re1" >Fix: Lines 1701 through 1724 were commented out in /usr/src/usr.sbin/rtadvd/rtadvd.c. rtadvd was recompiled and installed, then started, which resumed operation as it existed in 8.2-RELEASE. >Release-Note: >Audit-Trail: >Unformatted: ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
