LibreSSL: Update ObsoleteFiles.inc #2
Assignees
Labels
Comments
|
Looking into this that would require a switch to default to WITH_LIBRESSL as well? |
|
We have the LIBRESSL knob added to the __DEFAULT_NO_OPTIONS array in src.opts.mk as it stands right now. I don't think we'd need to switch it to __DEFAULT_YES_OPTIONS, though that might be a good idea for the libressl branch, given the point of the libressl branch is for... libressl (tada!). But you bring up a good point. Right now, we're not actually keying off the LIBRESSL knob correctly right now. We should fully hook up to the src.opts.mk framework and key off of MK_LIBRESSL instead of WITH_LIBRESSL. I'll add another ticket. Only complete this ticket after the new one is completed as this one will depend on that one. |
|
This issue depends on #3. |
|
libcrypto man-pages to be added |
lattera
pushed a commit
that referenced
this issue
Jun 26, 2016
Drop scan generation number and node table scan lock - the only place where ni_scangen is checked is in ieee80211_timeout_stations() (and it is used to prevent duplicate checking of the same node); node scan lock protects only this variable + node table scan generation number. This will fix (at least) next LOR (hostap mode): lock order reversal: 1st 0xc175f84c urtwm0_scan_loc (urtwm0_scan_loc) @ /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:2019 2nd 0xc175e018 urtwm0_com_lock (urtwm0_com_lock) @ /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:2693 stack backtrace: #0 0xa070d1c5 at witness_debugger+0x75 #1 0xa070d0f6 at witness_checkorder+0xd46 #2 0xa0694cce at __mtx_lock_flags+0x9e #3 0xb03ad9ef at ieee80211_node_leave+0x12f #4 0xb03afd13 at ieee80211_timeout_stations+0x483 #5 0xb03aa1c2 at ieee80211_node_timeout+0x42 #6 0xa06c6fa1 at softclock_call_cc+0x1e1 #7 0xa06c7518 at softclock+0xc8 #8 0xa06789ae at intr_event_execute_handlers+0x8e #9 0xa0678fa0 at ithread_loop+0x90 #10 0xa0675fbe at fork_exit+0x7e #11 0xa08af910 at fork_trampoline+0x8 In addition to the above: * switch to ieee80211_iterate_nodes(); * do not assert that node table lock is held, while calling node_age(); that's not really needed (there are no resources, which can be protected by this lock) + this fixes LOR/deadlock between ieee80211_timeout_stations() and ieee80211_set_tim() (easy to reproduce in HOSTAP mode while sending something to an STA with enabled power management). Tested: * (avos) urtwn0, hostap mode * (adrian) AR9380, STA mode * (adrian) AR9380, AR9331, AR9580, hostap mode Notes: * This changes the net80211 internals, so you have to recompile all of it and the wifi drivers. Submitted by: avos Approved by: re (delphij) Differential Revision: https://reviews.freebsd.org/D6833
lattera
pushed a commit
that referenced
this issue
Aug 23, 2016
When I was writing an atomic wrapper for rmfb, I ran into the
following backtrace from lockdep:
=============================================
[ INFO: possible recursive locking detected ]
4.5.0-patser+ #4696 Tainted: G U
---------------------------------------------
kworker/2:2/2608 is trying to acquire lock:
(crtc_ww_class_mutex){+.+.+.}, at: [<ffffffffc00c9ddc>] drm_modeset_lock+0x7c/0x120 [drm]
but task is already holding lock:
(crtc_ww_class_mutex){+.+.+.}, at: [<ffffffffc00c98cd>] modeset_backoff+0x8d/0x220 [drm]
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(crtc_ww_class_mutex);
lock(crtc_ww_class_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by kworker/2:2/2608:
#0: ("events"){.+.+.+}, at: [<ffffffff810a5eea>] process_one_work+0x15a/0x6c0
#1: ((&arg.work)){+.+.+.}, at: [<ffffffff810a5eea>] process_one_work+0x15a/0x6c0
#2: (crtc_ww_class_acquire){+.+.+.}, at: [<ffffffffc004532a>] drm_atomic_helper_remove_fb+0x4a/0x1d0 [drm_kms_helper]
#3: (crtc_ww_class_mutex){+.+.+.}, at: [<ffffffffc00c98cd>] modeset_backoff+0x8d/0x220 [drm]
While lockdep probably catches this bug when it happens, it's better
to explicitly warn when state->acquire_ctx is not set.
Signed-off-by: Maarten Lankhorst <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Link: http://patchwork.freedesktop.org/patch/msgid/1462266751-29123-1-git-send-email-maarten.lankhorst@linux.intel.com
lattera
pushed a commit
that referenced
this issue
Aug 23, 2016
drm_connector_register_all requires a few too many locks because our
connector_list locking is busted. Add another FIXME+hack to work
around this. This should address the below lockdep splat:
======================================================
[ INFO: possible circular locking dependency detected ]
4.7.0-rc5+ #524 Tainted: G O
-------------------------------------------------------
kworker/u8:0/6 is trying to acquire lock:
(&dev->mode_config.mutex){+.+.+.}, at: [<ffffffff815afde0>] drm_modeset_lock_all+0x40/0x120
but task is already holding lock:
((fb_notifier_list).rwsem){++++.+}, at: [<ffffffff810ac195>] __blocking_notifier_call_chain+0x35/0x70
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 ((fb_notifier_list).rwsem){++++.+}:
[<ffffffff810df611>] lock_acquire+0xb1/0x200
[<ffffffff819a55b4>] down_write+0x44/0x80
[<ffffffff810abf91>] blocking_notifier_chain_register+0x21/0xb0
[<ffffffff814c7448>] fb_register_client+0x18/0x20
[<ffffffff814c6c86>] backlight_device_register+0x136/0x260
[<ffffffffa0127eb2>] intel_backlight_device_register+0xa2/0x160 [i915]
[<ffffffffa00f46be>] intel_connector_register+0xe/0x10 [i915]
[<ffffffffa0112bfb>] intel_dp_connector_register+0x1b/0x80 [i915]
[<ffffffff8159dfea>] drm_connector_register+0x4a/0x80
[<ffffffff8159fe44>] drm_connector_register_all+0x64/0xf0
[<ffffffff815a2a64>] drm_modeset_register_all+0x174/0x1c0
[<ffffffff81599b72>] drm_dev_register+0xc2/0xd0
[<ffffffffa00621d7>] i915_driver_load+0x1547/0x2200 [i915]
[<ffffffffa006d80f>] i915_pci_probe+0x4f/0x70 [i915]
[<ffffffff814a2135>] local_pci_probe+0x45/0xa0
[<ffffffff814a349b>] pci_device_probe+0xdb/0x130
[<ffffffff815c07e3>] driver_probe_device+0x223/0x440
[<ffffffff815c0ad5>] __driver_attach+0xd5/0x100
[<ffffffff815be386>] bus_for_each_dev+0x66/0xa0
[<ffffffff815c002e>] driver_attach+0x1e/0x20
[<ffffffff815bf9be>] bus_add_driver+0x1ee/0x280
[<ffffffff815c1810>] driver_register+0x60/0xe0
[<ffffffff814a1a10>] __pci_register_driver+0x60/0x70
[<ffffffffa01a905b>] i915_init+0x5b/0x62 [i915]
[<ffffffff8100042d>] do_one_initcall+0x3d/0x150
[<ffffffff811a935b>] do_init_module+0x5f/0x1d9
[<ffffffff81124416>] load_module+0x20e6/0x27e0
[<ffffffff81124d63>] SYSC_finit_module+0xc3/0xf0
[<ffffffff81124dae>] SyS_finit_module+0xe/0x10
[<ffffffff819a83a9>] entry_SYSCALL_64_fastpath+0x1c/0xac
-> #0 (&dev->mode_config.mutex){+.+.+.}:
[<ffffffff810df0ac>] __lock_acquire+0x10fc/0x1260
[<ffffffff810df611>] lock_acquire+0xb1/0x200
[<ffffffff819a3097>] mutex_lock_nested+0x67/0x3c0
[<ffffffff815afde0>] drm_modeset_lock_all+0x40/0x120
[<ffffffff8158f79b>] drm_fb_helper_restore_fbdev_mode_unlocked+0x2b/0x80
[<ffffffff8158f81d>] drm_fb_helper_set_par+0x2d/0x50
[<ffffffffa0105f7a>] intel_fbdev_set_par+0x1a/0x60 [i915]
[<ffffffff814c13c6>] fbcon_init+0x586/0x610
[<ffffffff8154d16a>] visual_init+0xca/0x130
[<ffffffff8154e611>] do_bind_con_driver+0x1c1/0x3a0
[<ffffffff8154eaf6>] do_take_over_console+0x116/0x180
[<ffffffff814bd3a7>] do_fbcon_takeover+0x57/0xb0
[<ffffffff814c1e48>] fbcon_event_notify+0x658/0x750
[<ffffffff810abcae>] notifier_call_chain+0x3e/0xb0
[<ffffffff810ac1ad>] __blocking_notifier_call_chain+0x4d/0x70
[<ffffffff810ac1e6>] blocking_notifier_call_chain+0x16/0x20
[<ffffffff814c748b>] fb_notifier_call_chain+0x1b/0x20
[<ffffffff814c86b1>] register_framebuffer+0x251/0x330
[<ffffffff8158fa9f>] drm_fb_helper_initial_config+0x25f/0x3f0
[<ffffffffa0106b48>] intel_fbdev_initial_config+0x18/0x30 [i915]
[<ffffffff810adfd8>] async_run_entry_fn+0x48/0x150
[<ffffffff810a3947>] process_one_work+0x1e7/0x750
[<ffffffff810a3efb>] worker_thread+0x4b/0x4f0
[<ffffffff810aad4f>] kthread+0xef/0x110
[<ffffffff819a85ef>] ret_from_fork+0x1f/0x40
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock((fb_notifier_list).rwsem);
lock(&dev->mode_config.mutex);
lock((fb_notifier_list).rwsem);
lock(&dev->mode_config.mutex);
*** DEADLOCK ***
6 locks held by kworker/u8:0/6:
#0: ("events_unbound"){.+.+.+}, at: [<ffffffff810a38c9>] process_one_work+0x169/0x750
#1: ((&entry->work)){+.+.+.}, at: [<ffffffff810a38c9>] process_one_work+0x169/0x750
#2: (registration_lock){+.+.+.}, at: [<ffffffff814c8487>] register_framebuffer+0x27/0x330
#3: (console_lock){+.+.+.}, at: [<ffffffff814c86ce>] register_framebuffer+0x26e/0x330
#4: (&fb_info->lock){+.+.+.}, at: [<ffffffff814c78dd>] lock_fb_info+0x1d/0x40
#5: ((fb_notifier_list).rwsem){++++.+}, at: [<ffffffff810ac195>] __blocking_notifier_call_chain+0x35/0x70
stack backtrace:
CPU: 2 PID: 6 Comm: kworker/u8:0 Tainted: G O 4.7.0-rc5+ #524
Hardware name: Intel Corp. Broxton P/NOTEBOOK, BIOS APLKRVPA.X64.0138.B33.1606250842 06/25/2016
Workqueue: events_unbound async_run_entry_fn
0000000000000000 ffff8800758577f0 ffffffff814507a5 ffffffff828b9900
ffffffff828b9900 ffff880075857830 ffffffff810dc6fa ffff880075857880
ffff88007584d688 0000000000000005 0000000000000006 ffff88007584d6b0
Call Trace:
[<ffffffff814507a5>] dump_stack+0x67/0x92
[<ffffffff810dc6fa>] print_circular_bug+0x1aa/0x200
[<ffffffff810df0ac>] __lock_acquire+0x10fc/0x1260
[<ffffffff810df611>] lock_acquire+0xb1/0x200
[<ffffffff815afde0>] ? drm_modeset_lock_all+0x40/0x120
[<ffffffff815afde0>] ? drm_modeset_lock_all+0x40/0x120
[<ffffffff819a3097>] mutex_lock_nested+0x67/0x3c0
[<ffffffff815afde0>] ? drm_modeset_lock_all+0x40/0x120
[<ffffffff810fa85f>] ? rcu_read_lock_sched_held+0x7f/0x90
[<ffffffff81208218>] ? kmem_cache_alloc_trace+0x248/0x2b0
[<ffffffff815afdc5>] ? drm_modeset_lock_all+0x25/0x120
[<ffffffff815afde0>] drm_modeset_lock_all+0x40/0x120
[<ffffffff8158f79b>] drm_fb_helper_restore_fbdev_mode_unlocked+0x2b/0x80
[<ffffffff8158f81d>] drm_fb_helper_set_par+0x2d/0x50
[<ffffffffa0105f7a>] intel_fbdev_set_par+0x1a/0x60 [i915]
[<ffffffff814c13c6>] fbcon_init+0x586/0x610
[<ffffffff8154d16a>] visual_init+0xca/0x130
[<ffffffff8154e611>] do_bind_con_driver+0x1c1/0x3a0
[<ffffffff8154eaf6>] do_take_over_console+0x116/0x180
[<ffffffff814bd3a7>] do_fbcon_takeover+0x57/0xb0
[<ffffffff814c1e48>] fbcon_event_notify+0x658/0x750
[<ffffffff810abcae>] notifier_call_chain+0x3e/0xb0
[<ffffffff810ac1ad>] __blocking_notifier_call_chain+0x4d/0x70
[<ffffffff810ac1e6>] blocking_notifier_call_chain+0x16/0x20
[<ffffffff814c748b>] fb_notifier_call_chain+0x1b/0x20
[<ffffffff814c86b1>] register_framebuffer+0x251/0x330
[<ffffffff815b7e8d>] ? vga_switcheroo_client_fb_set+0x5d/0x70
[<ffffffff8158fa9f>] drm_fb_helper_initial_config+0x25f/0x3f0
[<ffffffffa0106b48>] intel_fbdev_initial_config+0x18/0x30 [i915]
[<ffffffff810adfd8>] async_run_entry_fn+0x48/0x150
[<ffffffff810a3947>] process_one_work+0x1e7/0x750
[<ffffffff810a38c9>] ? process_one_work+0x169/0x750
[<ffffffff810a3efb>] worker_thread+0x4b/0x4f0
[<ffffffff810a3eb0>] ? process_one_work+0x750/0x750
[<ffffffff810aad4f>] kthread+0xef/0x110
[<ffffffff819a85ef>] ret_from_fork+0x1f/0x40
[<ffffffff810aac60>] ? kthread_stop+0x2e0/0x2e0
v2: Rebase onto the right branch (hand-editing patches ftw) and add more
reporters.
Reported-by: Imre Deak <[email protected]>
Cc: Imre Deak <[email protected]>
Cc: Chris Wilson <[email protected]>
Acked-by: Chris Wilson <[email protected]>
Reported-by: Jiri Kosina <[email protected]>
Cc: Jiri Kosina <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
lattera
pushed a commit
that referenced
this issue
Sep 26, 2016
Sync libarchive with vendor including important security fixes. Issues fixed (FreeBSD): PR #778: ACL error handling Issue #745: Symlink check prefix optimization is too aggressive Issue #746: Hard links with data can evade sandboxing restrictions This update fixes the vulnerability #3 and vulnerability #4 as reported in "non-cryptanalytic attacks against FreeBSD update components". https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f Fix for vulnerability #2 has already been merged in r304989. MFC after: 1 week Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
lattera
pushed a commit
that referenced
this issue
Oct 6, 2016
Vendor issues fixed (FreeBSD): PR #778: ACL error handling Issue #745: Symlink check prefix optimization is too aggressive Issue #746: Hard links with data can evade sandboxing restrictions This update fixes the vulnerability #3 and vulnerability #4 as reported in the "non-cryptanalytic attacks against FreeBSD update components". https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f Vulnerability #2 has already been fixed in r304866
opntr
added a commit
that referenced
this issue
Feb 16, 2017
unp_dispose and unp_gc could race to teardown the same mbuf chains, which can lead to dereferencing freed filedesc pointers. This patch adds an IGNORE_RIGHTS flag on unpcbs marking the unpcb's RIGHTS as invalid/freed. The flag is protected by UNP_LIST_LOCK. To serialize against unp_gc, unp_dispose needs the socket object. Change the dom_dispose() KPI to take a socket object instead of an mbuf chain directly. PR: 194264 Differential Revision: https://reviews.freebsd.org/D3044 Reviewed by: mjg (earlier version) Approved by: markj (mentor) Obtained from: mjg MFC after: 1 month Sponsored by: EMC / Isilon Storage Division This commit was never MFCd to 10-STABLE, and the issue is still reproducible in 2016, with the linked test program from FreeBSD's phabricator. --8<-- Unread portion of the kernel message buffer: [206] [206] [206] Fatal trap 9: general protection fault while in kernel mode [206] cpuid = 1; apic id = 01 [206] instruction pointer = 0x20:0xffffffff809e10e8 [206] stack pointer = 0x28:0xfffffe002bd96960 [206] frame pointer = 0x28:0xfffffe002bd969e0 [206] code segment = base 0x0, limit 0xfffff, type 0x1b [206] = DPL 0, pres 1, long 1, def32 0, gran 1 [206] processor eflags = interrupt enabled, resume, IOPL = 0 [206] current process = 0 (thread taskq) [206] trap number = 9 [206] panic: general protection fault [206] cpuid = 1 [206] KDB: stack backtrace: [206] #0 0xffffffff8098dc90 at kdb_backtrace+0x60 [206] #1 0xffffffff80953ed6 at vpanic+0x126 [206] #2 0xffffffff80953f63 at panic+0x43 [206] #3 0xffffffff80d6b2cb at trap_fatal+0x36b [206] #4 0xffffffff80d6af49 at trap+0x839 [206] #5 0xffffffff80d4f3ec at calltrap+0x8 [206] #6 0xffffffff809a2940 at taskqueue_run_locked+0xf0 [206] #7 0xffffffff809a32ab at taskqueue_thread_loop+0x9b [206] #8 0xffffffff8091c144 at fork_exit+0x84 [206] #9 0xffffffff80d4f92e at fork_trampoline+0xe [206] Uptime: 3m26s [206] Dumping 73 out of 487 MB:..22%..44%..66%..88% --8<-- (cherry picked from commit 576619e) Signed-off-by: Oliver Pinter <[email protected]> CC: Bryan Drewery <[email protected]> CC: Mark Johnston <[email protected]>
opntr
added a commit
that referenced
this issue
Feb 16, 2017
…unix socket. - by markj@ If the listening socket is closed while sonewconn() is executing, the nascent child socket is aborted, which results in recursion on the unp_link lock when the child's pru_detach method is invoked. Fix this by using a flag to mark such sockets, and skip a part of the socket's teardown during detach. Reported by: Raviprakash Darbha <[email protected]> Tested by: pho MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D7398 --8<-- [128] panic: __rw_wlock_hard: recursing but non-recursive rw unp_link_rwlock @ /usr/src/sys/kern/uipc_usrreq.c:654 [128] [128] cpuid = 1 [128] KDB: stack backtrace: [128] #0 0xffffffff8098dc90 at kdb_backtrace+0x60 [128] #1 0xffffffff80953ed6 at vpanic+0x126 [128] #2 0xffffffff80953da9 at kassert_panic+0x139 [128] #3 0xffffffff80951454 at __rw_wlock_hard+0x394 [128] #4 0xffffffff80951072 at _rw_wlock_cookie+0x92 [128] #5 0xffffffff809de636 at uipc_detach+0x36 [128] #6 0xffffffff809d217a at sofree+0x1da [128] #7 0xffffffff809d1da4 at sonewconn+0x324 [128] #8 0xffffffff809e0496 at unp_connectat+0x326 [128] #9 0xffffffff809de4ac at uipc_connect+0x4c [128] #10 0xffffffff809d8cf6 at kern_connectat+0x126 [128] #11 0xffffffff809d8b87 at sys_connect+0x77 [128] #12 0xffffffff80d6bab4 at amd64_syscall+0x2c4 [128] #13 0xffffffff80d4f6db at Xfast_syscall+0xfb [128] Uptime: 2m8s [128] Dumping 73 out of 487 MB:..22%..44%..66%..88% --8<-- (cherry picked from commit cfea0ef) Signed-off-by: Oliver Pinter <[email protected]>
opntr
pushed a commit
that referenced
this issue
Feb 16, 2017
…xes. (dfb2179) MFV r305816: Sync libarchive with vendor including important security fixes. Issues fixed (FreeBSD): PR #778: ACL error handling Issue #745: Symlink check prefix optimization is too aggressive Issue #746: Hard links with data can evade sandboxing restrictions This update fixes the vulnerability #3 and vulnerability #4 as reported in "non-cryptanalytic attacks against FreeBSD update components". https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f Fix for vulnerability #2 has already been merged in r304989. MFC after: 1 week Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f (cherry picked from commit dfb2179) Signed-off-by: Oliver Pinter <[email protected]>
opntr
pushed a commit
that referenced
this issue
Feb 16, 2017
Sync libarchive with vendor including important security fixes. Issues fixed (FreeBSD): PR #778: ACL error handling Issue #745: Symlink check prefix optimization is too aggressive Issue #746: Hard links with data can evade sandboxing restrictions This update fixes the vulnerability #3 and vulnerability #4 as reported in "non-cryptanalytic attacks against FreeBSD update components". https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f Fix for vulnerability #2 has already been merged in r305192. Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
xmj
pushed a commit
that referenced
this issue
Apr 10, 2017
mode. This works around bugs in at least 2 Intel BIOSes for our subsequent setting of the DAC back to 8-bit mode. The bug caused dark (mostly 1/4-intensity) colors for all except the first setting to a VESA graphics mode (including for settings to the current mode). Remove restoration (with less bits) of the palette in vesa_unload() after resetting the DAC to 6-bit mode. Depend on the BIOS to keep the palette consistent with the DAC for the simpler reset case like we do everywhere else in places that are actually important. Setting the video mode should reset everything to defaults, although we usually don't want that. Even the buggy BIOSes set the DAC to the default 6-bit mode, and set the palette to a default that matches the DAC. We don't undo the reset for most things, but we do undo it for the DAC (more precisely, we change to an 8-bit DAC if possible, and this is the only way that we set to an 8-bit DAC; it is accidental that if the DAC was in 8-bit mode from a previous mode switch then setting it to 8-bit mode is an undo). The buggy BIOSes are confused by our setting of the DAC to 8-bit mode in the "undo" case. They should multiply palette entries by 4 to match, but they actually leave all palette entries except #2 (green) and #248-255 (unused) untouched. Green is mysteriously scaled from 0x2a to 0x6a, and #248-255 are scaled correctly. Our support for the 8-bit DAC had almost no effect except to enable bugs. Syscons barely supports 16 colors, so it doesn't benefit much from having a palette with 16 million colors instead of only 256K. Applications can manage the palette using FBIO_{GET,SET}PALETTE, but the palette managed by this is only used in the less interesting modes (text and non-truecolor graphics modes up to 8 bits wide), and the kernel loses the changes on any mode switch (including to another vt in a different mode).
xmj
pushed a commit
that referenced
this issue
May 6, 2017
-w and -v flag matching was mostly functional but had some minor problems: 1. -w flag processing only allowed one iteration through pattern matching on a line. This was problematic if one pattern could match more than once, or if there were multiple patterns and the earliest/ longest match was not the most ideal, and 2. Previous work "fixed" things to not further process a line if the first iteration through patterns produced no matches. This is clearly wrong if we're dealing with the more restrictive -w matching. #2 breakage could have also occurred before recent broad rewrites, but it would be more arbitrary based on input patterns as to whether or not it actually affected things. Fix both of these by forcing a retry of the patterns after advancing just past the start of the first match if we're doing more restrictive -w matching and we didn't get any hits to start with. Also move -v flag processing outside of the loop so that we have a greater change to match in the more restrictive cases. This wasn't strictly wrong, but it could be a little more error prone. While here, introduce some regressions tests for this behavior and fix some excessive wrapping nearby that hindered readability. GNU grep passes these new tests. PR: 218467, 218811 Submitted by: Kyle Evans <kevans91 at ksu.edu> Reviewed by: cem, ngie Differential Revision: https://reviews.freebsd.org/D10329
hbsd-robot0
pushed a commit
that referenced
this issue
Aug 17, 2017
…erns -w and -v flag matching was mostly functional but had some minor problems: 1. -w flag processing only allowed one iteration through pattern matching on a line. This was problematic if one pattern could match more than once, or if there were multiple patterns and the earliest/ longest match was not the most ideal, and 2. Previous work "fixed" things to not further process a line if the first iteration through patterns produced no matches. This is clearly wrong if we're dealing with the more restrictive -w matching. #2 breakage could have also occurred before recent broad rewrites, but it would be more arbitrary based on input patterns as to whether or not it actually affected things. Fix both of these by forcing a retry of the patterns after advancing just past the start of the first match if we're doing more restrictive -w matching and we didn't get any hits to start with. Also move -v flag processing outside of the loop so that we have a greater change to match in the more restrictive cases. This wasn't strictly wrong, but it could be a little more error prone. While here, introduce some regressions tests for this behavior and fix some excessive wrapping nearby that hindered readability. GNU grep passes these new tests. PR: 218467, 218811 Approved by: emaste (mentor, blanket MFC)
hbsd-robot0
pushed a commit
that referenced
this issue
Nov 1, 2017
* freebsd/current/master: Consistently ensure that we do not load MXCSR with reserved bits set. evdev: Translate KEY_102ND in evdev_scancode2key() namecache: fix .. check broken after r324378 Fixup r325264, take #2 namecache: ncnegfactor 16 -> 12 Fixup r325264 Save on loginclass list locking by checking if caller already uses the struct Save on uihash table locking by checking if the caller already uses the struct
hbsd-robot0
pushed a commit
that referenced
this issue
Nov 6, 2017
Use our ifm_list of supported media types rather than nested switch statements to find the current media type. Find a supported type that matches the current speed. Remove all workarounds while updating ifmr->ifm_active. For BNXT_IFMEDIA_ADD, added Three more speeds IFM_10G_T, IFM_2500_T & IFM_2500_KX. Submitted by: Bhargava Chenna Marreddy <[email protected]> Reviewed by: shurd, sbruno Approved by: sbruno (mentor) Sponsored by: Broadcom Limited Differential Revision: https://reviews.freebsd.org/D12896
hbsd-robot0
pushed a commit
that referenced
this issue
Nov 6, 2017
* freebsd/current/master: bnxt: Add support for new phy_types and speeds - Part #2 Only chain non-LRO mbufs when LRO is not possible Add an UPDATING entry for the posix_fallocate/ZFS change, r325320 Centralize all 32-bit builds on 64-bit platform stuff. Prefer bsd.init.mk to src.opts.mk MACHINE can never be powerpc64, so cleanup code that thinks it can. Move machine and other link creation to defs.mk Prefer bsd.init.mk to other constructs. Use DO32 for all the places that we need to flag we're building a 32 bit version of a library. Use a generic name since this may be usefule elsewhere. Define LIBFICL32 to be libficl.a on i386 and libficl32.a on amd64. Powerpc is a 32-bit boot loader.
hbsd-robot0
pushed a commit
that referenced
this issue
Jan 3, 2018
amd64: remove unused variable from pmap_delayed_invl_genp This is take #2.
lattera
pushed a commit
that referenced
this issue
Jan 13, 2018
Attaching syscon_generic earlier than BUS_PASS_DEFAULT makes it more difficult for specific syscon drivers to attach to the syscon node and to get ordering right. Further discussion yielded the following set of decisions: - Move syscon_generic to BUS_PASS_DEFAULT - If a platform needs a syscon with different attach order or probe behavior, it should subclass syscon_generic and match on the SoC specific compat string - When we come across a need for a syscon that attaches earlier but only specifies compatible = "syscon", we should create a syscon_exclusive driver that provides generic access but probes earlier and only matches if "syscon" is the only compatible. Such fdt nodes do exist in the wild right now, but we don't really use them at the moment. Additionally: - Any syscon provider that has needs any more complex than a spinlock solely for syscon access and a single memory resource should subclass syscon directly rather than attempting to subclass syscon_generic or add complexity to it. syscon_generic's attach/detach methods may be made public should the need arise to subclass it with additional attach/detach behavior. We introduce aw_syscon(4) that just subclasses syscon_generic but probes earlier to meet our requirements for if_awg and implements #2 above for this specific situation. It currently only matches a64/a83t/h3 since these are the only platforms that really need it at the time being. Discussed with: ian Reviewed by: manu, andrew, bcr (manpages, content unchanged since review) Differential Revision: https://reviews.freebsd.org/D13793
hbsd-robot0
pushed a commit
that referenced
this issue
Feb 3, 2018
6.0.0 (branches/release_60 r324090). This introduces retpoline support, with the -mretpoline flag. The upstream initial commit message (r323155 by Chandler Carruth) contains quite a bit of explanation. Quoting: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715, "Branch Target Injection", and is one of the two halves to Spectre. Summary: First, we need to explain the core of the vulnerability. Note that this is a very incomplete description, please see the Project Zero blog post for details: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html The basis for branch target injection is to direct speculative execution of the processor to some "gadget" of executable code by poisoning the prediction of indirect branches with the address of that gadget. The gadget in turn contains an operation that provides a side channel for reading data. Most commonly, this will look like a load of secret data followed by a branch on the loaded value and then a load of some predictable cache line. The attacker then uses timing of the processors cache to determine which direction the branch took *in the speculative execution*, and in turn what one bit of the loaded value was. Due to the nature of these timing side channels and the branch predictor on Intel processors, this allows an attacker to leak data only accessible to a privileged domain (like the kernel) back into an unprivileged domain. The goal is simple: avoid generating code which contains an indirect branch that could have its prediction poisoned by an attacker. In many cases, the compiler can simply use directed conditional branches and a small search tree. LLVM already has support for lowering switches in this way and the first step of this patch is to disable jump-table lowering of switches and introduce a pass to rewrite explicit indirectbr sequences into a switch over integers. However, there is no fully general alternative to indirect calls. We introduce a new construct we call a "retpoline" to implement indirect calls in a non-speculatable way. It can be thought of loosely as a trampoline for indirect calls which uses the RET instruction on x86. Further, we arrange for a specific call->ret sequence which ensures the processor predicts the return to go to a controlled, known location. The retpoline then "smashes" the return address pushed onto the stack by the call with the desired target of the original indirect call. The result is a predicted return to the next instruction after a call (which can be used to trap speculative execution within an infinite loop) and an actual indirect branch to an arbitrary address. On 64-bit x86 ABIs, this is especially easily done in the compiler by using a guaranteed scratch register to pass the target into this device. For 32-bit ABIs there isn't a guaranteed scratch register and so several different retpoline variants are introduced to use a scratch register if one is available in the calling convention and to otherwise use direct stack push/pop sequences to pass the target address. This "retpoline" mitigation is fully described in the following blog post: https://support.google.com/faqs/answer/7625886 We also support a target feature that disables emission of the retpoline thunk by the compiler to allow for custom thunks if users want them. These are particularly useful in environments like kernels that routinely do hot-patching on boot and want to hot-patch their thunk to different code sequences. They can write this custom thunk and use `-mretpoline-external-thunk` *in addition* to `-mretpoline`. In this case, on x86-64 thu thunk names must be: ``` __llvm_external_retpoline_r11 ``` or on 32-bit: ``` __llvm_external_retpoline_eax __llvm_external_retpoline_ecx __llvm_external_retpoline_edx __llvm_external_retpoline_push ``` And the target of the retpoline is passed in the named register, or in the case of the `push` suffix on the top of the stack via a `pushl` instruction. There is one other important source of indirect branches in x86 ELF binaries: the PLT. These patches also include support for LLD to generate PLT entries that perform a retpoline-style indirection. The only other indirect branches remaining that we are aware of are from precompiled runtimes (such as crt0.o and similar). The ones we have found are not really attackable, and so we have not focused on them here, but eventually these runtimes should also be replicated for retpoline-ed configurations for completeness. For kernels or other freestanding or fully static executables, the compiler switch `-mretpoline` is sufficient to fully mitigate this particular attack. For dynamic executables, you must compile *all* libraries with `-mretpoline` and additionally link the dynamic executable and all shared libraries with LLD and pass `-z retpolineplt` (or use similar functionality from some other linker). We strongly recommend also using `-z now` as non-lazy binding allows the retpoline-mitigated PLT to be substantially smaller. When manually apply similar transformations to `-mretpoline` to the Linux kernel we observed very small performance hits to applications running typic al workloads, and relatively minor hits (approximately 2%) even for extremely syscall-heavy applications. This is largely due to the small number of indirect branches that occur in performance sensitive paths of the kernel. When using these patches on statically linked applications, especially C++ applications, you should expect to see a much more dramatic performance hit. For microbenchmarks that are switch, indirect-, or virtual-call heavy we have seen overheads ranging from 10% to 50%. However, real-world workloads exhibit substantially lower performance impact. Notably, techniques such as PGO and ThinLTO dramatically reduce the impact of hot indirect calls (by speculatively promoting them to direct calls) and allow optimized search trees to be used to lower switches. If you need to deploy these techniques in C++ applications, we *strongly* recommend that you ensure all hot call targets are statically linked (avoiding PLT indirection) and use both PGO and ThinLTO. Well tuned servers using all of these techniques saw 5% - 10% overhead from the use of retpoline. We will add detailed documentation covering these components in subsequent patches, but wanted to make the core functionality available as soon as possible. Happy for more code review, but we'd really like to get these patches landed and backported ASAP for obvious reasons. We're planning to backport this to both 6.0 and 5.0 release streams and get a 5.0 release with just this cherry picked ASAP for distros and vendors. This patch is the work of a number of people over the past month: Eric, Reid, Rui, and myself. I'm mailing it out as a single commit due to the time sensitive nature of landing this and the need to backport it. Huge thanks to everyone who helped out here, and everyone at Intel who helped out in discussions about how to craft this. Also, credit goes to Paul Turner (at Google, but not an LLVM contributor) for much of the underlying retpoline design. Reviewers: echristo, rnk, ruiu, craig.topper, DavidKreitzer Subscribers: sanjoy, emaste, mcrosier, mgorny, mehdi_amini, hiraditya, llvm-commits Differential Revision: https://reviews.llvm.org/D41723 MFC after: 3 months X-MFC-With: r327952 PR: 224669
hbsd-robot0
pushed a commit
that referenced
this issue
Feb 19, 2018
The suspension counter needs synchronisation through slock, but we don't need it to check if inspecting the counter is necessary to begin with. In the common case it is not, thus avoid the lock if possible. Reviewed by: kib Tested by: pho
hbsd-robot0
pushed a commit
that referenced
this issue
Feb 19, 2018
* freebsd/current/master: exit: get rid of PROC_SLOCK when checking a process to report, take #2 Give the imx_i2c driver its own name, set up its relationship to ofw_iicbus. Previously it called itself 'iichb' to link up with the EARLY_DRIVER_MODULE declaration in ofw_iicbus.c. Fix broken assertion in r329520. Allow i2c hardware drivers to declare their own relationships to ofw_iicbus rather than relying on a set of canned EARLY_DRIVER_MODULE() statements in the ofw_iicbus source. This means hw drivers will no longer be required to use one of a few predefined driver names. They will also now be able to decide themselves if they want to use DRIVER_MODULE or EARLY_DRIVER_MODULE and to set which pass to attach on for early modules. Correct/improve the descriptions if kern.ipc.(shmsegs,sema,msqids). Optimise xchg() to use atomic_swap_32() and atomic_swap_64(). Fix implementation of xchg() function macro in the LinuxKPI. The exchange operation must be atomic.
hbsd-robot0
pushed a commit
that referenced
this issue
Mar 20, 2018
branches. Upstream merge revisions:
r324007: merging r323155 for llvm
r324009: merging r323915 for llvm
r324012: merging r323155 for clang
r324025: merging r323155 for lld, with modifications to
handle int3 fill
r324026: merging r323288 for lld
r325088: merging r324449 for llvm
r325089: merging r324645 for llvm
r325090: merging r325049 for llvm
r325091: merging r325085 for llvm
Original commit messages:
r323155 (by Chandler Carruth):
Introduce the "retpoline" x86 mitigation technique for variant #2 of
the speculative execution vulnerabilities disclosed today,
specifically identified by CVE-2017-5715, "Branch Target Injection",
and is one of the two halves to Spectre.
Summary:
First, we need to explain the core of the vulnerability. Note that
this is a very incomplete description, please see the Project Zero
blog post for details:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
The basis for branch target injection is to direct speculative
execution of the processor to some "gadget" of executable code by
poisoning the prediction of indirect branches with the address of
that gadget. The gadget in turn contains an operation that provides a
side channel for reading data. Most commonly, this will look like a
load of secret data followed by a branch on the loaded value and then
a load of some predictable cache line. The attacker then uses timing
of the processors cache to determine which direction the branch took
*in the speculative execution*, and in turn what one bit of the
loaded value was. Due to the nature of these timing side channels and
the branch predictor on Intel processors, this allows an attacker to
leak data only accessible to a privileged domain (like the kernel)
back into an unprivileged domain.
The goal is simple: avoid generating code which contains an indirect
branch that could have its prediction poisoned by an attacker. In
many cases, the compiler can simply use directed conditional branches
and a small search tree. LLVM already has support for lowering
switches in this way and the first step of this patch is to disable
jump-table lowering of switches and introduce a pass to rewrite
explicit indirectbr sequences into a switch over integers.
However, there is no fully general alternative to indirect calls. We
introduce a new construct we call a "retpoline" to implement indirect
calls in a non-speculatable way. It can be thought of loosely as a
trampoline for indirect calls which uses the RET instruction on x86.
Further, we arrange for a specific call->ret sequence which ensures
the processor predicts the return to go to a controlled, known
location. The retpoline then "smashes" the return address pushed onto
the stack by the call with the desired target of the original
indirect call. The result is a predicted return to the next
instruction after a call (which can be used to trap speculative
execution within an infinite loop) and an actual indirect branch to
an arbitrary address.
On 64-bit x86 ABIs, this is especially easily done in the compiler by
using a guaranteed scratch register to pass the target into this
device. For 32-bit ABIs there isn't a guaranteed scratch register
and so several different retpoline variants are introduced to use a
scratch register if one is available in the calling convention and to
otherwise use direct stack push/pop sequences to pass the target
address.
This "retpoline" mitigation is fully described in the following blog
post: https://support.google.com/faqs/answer/7625886
We also support a target feature that disables emission of the
retpoline thunk by the compiler to allow for custom thunks if users
want them. These are particularly useful in environments like
kernels that routinely do hot-patching on boot and want to hot-patch
their thunk to different code sequences. They can write this custom
thunk and use `-mretpoline-external-thunk` *in addition* to
`-mretpoline`. In this case, on x86-64 thu thunk names must be:
```
__llvm_external_retpoline_r11
```
or on 32-bit:
```
__llvm_external_retpoline_eax
__llvm_external_retpoline_ecx
__llvm_external_retpoline_edx
__llvm_external_retpoline_push
```
And the target of the retpoline is passed in the named register, or
in the case of the `push` suffix on the top of the stack via a
`pushl` instruction.
There is one other important source of indirect branches in x86 ELF
binaries: the PLT. These patches also include support for LLD to
generate PLT entries that perform a retpoline-style indirection.
The only other indirect branches remaining that we are aware of are
from precompiled runtimes (such as crt0.o and similar). The ones we
have found are not really attackable, and so we have not focused on
them here, but eventually these runtimes should also be replicated
for retpoline-ed configurations for completeness.
For kernels or other freestanding or fully static executables, the
compiler switch `-mretpoline` is sufficient to fully mitigate this
particular attack. For dynamic executables, you must compile *all*
libraries with `-mretpoline` and additionally link the dynamic
executable and all shared libraries with LLD and pass `-z
retpolineplt` (or use similar functionality from some other linker).
We strongly recommend also using `-z now` as non-lazy binding allows
the retpoline-mitigated PLT to be substantially smaller.
When manually apply similar transformations to `-mretpoline` to the
Linux kernel we observed very small performance hits to applications
running typical workloads, and relatively minor hits (approximately
2%) even for extremely syscall-heavy applications. This is largely
due to the small number of indirect branches that occur in
performance sensitive paths of the kernel.
When using these patches on statically linked applications,
especially C++ applications, you should expect to see a much more
dramatic performance hit. For microbenchmarks that are switch,
indirect-, or virtual-call heavy we have seen overheads ranging from
10% to 50%.
However, real-world workloads exhibit substantially lower performance
impact. Notably, techniques such as PGO and ThinLTO dramatically
reduce the impact of hot indirect calls (by speculatively promoting
them to direct calls) and allow optimized search trees to be used to
lower switches. If you need to deploy these techniques in C++
applications, we *strongly* recommend that you ensure all hot call
targets are statically linked (avoiding PLT indirection) and use both
PGO and ThinLTO. Well tuned servers using all of these techniques saw
5% - 10% overhead from the use of retpoline.
We will add detailed documentation covering these components in
subsequent patches, but wanted to make the core functionality
available as soon as possible. Happy for more code review, but we'd
really like to get these patches landed and backported ASAP for
obvious reasons. We're planning to backport this to both 6.0 and 5.0
release streams and get a 5.0 release with just this cherry picked
ASAP for distros and vendors.
This patch is the work of a number of people over the past month:
Eric, Reid, Rui, and myself. I'm mailing it out as a single commit
due to the time sensitive nature of landing this and the need to
backport it. Huge thanks to everyone who helped out here, and
everyone at Intel who helped out in discussions about how to craft
this. Also, credit goes to Paul Turner (at Google, but not an LLVM
contributor) for much of the underlying retpoline design.
Reviewers: echristo, rnk, ruiu, craig.topper, DavidKreitzer
Subscribers: sanjoy, emaste, mcrosier, mgorny, mehdi_amini,
hiraditya, llvm-commits
Differential Revision: https://reviews.llvm.org/D41723
r323915 (by Chandler Carruth):
[x86] Make the retpoline thunk insertion a machine function pass.
Summary:
This removes the need for a machine module pass using some deeply
questionable hacks. This should address PR36123 which is a case where
in full LTO the memory usage of a machine module pass actually ended
up being significant.
We should revert this on trunk as soon as we understand and fix the
memory usage issue, but we should include this in any backports of
retpolines themselves.
Reviewers: echristo, MatzeB
Subscribers: sanjoy, mcrosier, mehdi_amini, hiraditya, llvm-commits
Differential Revision: https://reviews.llvm.org/D42726
r323288 (by Rui Ueyama):
Fix retpoline PLT header size for i386.
Differential Revision: https://reviews.llvm.org/D42397
r324449 (by Chandler Carruth):
[x86/retpoline] Make the external thunk names exactly match the names
that happened to end up in GCC.
This is really unfortunate, as the names don't have much rhyme or
reason to them. Originally in the discussions it seemed fine to rely
on aliases to map different names to whatever external thunk code
developers wished to use but there are practical problems with that
in the kernel it turns out. And since we're discovering this
practical problems late and since GCC has already shipped a release
with one set of names, we are forced, yet again, to blindly match
what is there.
Somewhat rushing this patch out for the Linux kernel folks to test
and so we can get it patched into our releases.
Differential Revision: https://reviews.llvm.org/D42998
r324645 (by David Woodhouse):
[X86] Support 'V' register operand modifier
This allows the register name to be printed without the leading '%'.
This can be used for emitting calls to the retpoline thunks from
inline asm.
r325049 (by Reid Kleckner):
[X86] Use EDI for retpoline when no scratch regs are left
Summary:
Instead of solving the hard problem of how to pass the callee to the
indirect jump thunk without a register, just use a CSR. At a call
boundary, there's nothing stopping us from using a CSR to hold the
callee as long as we save and restore it in the prologue.
Also, add tests for this mregparm=3 case. I wrote execution tests for
__llvm_retpoline_push, but they never got committed as lit tests,
either because I never rewrote them or because they got lost in merge
conflicts.
Reviewers: chandlerc, dwmw2
Subscribers: javed.absar, kristof.beyls, hiraditya, llvm-commits
Differential Revision: https://reviews.llvm.org/D43214
r325085 (by Reid Kleckner):
[X86] Remove dead code from retpoline thunk generation
Differential Revision: https://reviews.freebsd.org/D14720
hbsd-robot0
pushed a commit
that referenced
this issue
Mar 29, 2018
Add a new "interleave" allocation policy which stripes pages across domains with a stride or width keeping contiguity within a multi-page region. Move the kernel to the dedicated numbered cpuset #2 making it possible to assign kernel threads and memory policy separately from user. This also eliminates the need for the complicated interrupt binding code. Add a sysctl API for viewing and manipulating domainsets. Refactor some of the cpuset_t manipulation code using the generic bitset type so that it can be used for both. This probably belongs in a dedicated subr file. Attempt to improve the include situation. Reviewed by: kib Discussed with: jhb (cpuset parts) Tested by: pho (before review feedback) Sponsored by: Netflix, Dell/EMC Isilon Differential Revision: https://reviews.freebsd.org/D14839
hbsd-robot0
pushed a commit
that referenced
this issue
Mar 31, 2018
several follow-up fixes. MFC r327952: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 6.0.0 (branches/release_60 r321788). Upstream has branched for the 6.0.0 release, which should be in about 6 weeks. Please report bugs and regressions, so we can get them into the release. Please note that from 3.5.0 onwards, clang, llvm and lldb require C++11 support to build; see UPDATING for more information. MFC r328010: Pull in r322473 from upstream llvm trunk (by Andrei Elovikov): [LV] Don't call recordVectorLoopValueForInductionCast for newly-created IV from a trunc. Summary: This method is supposed to be called for IVs that have casts in their use-def chains that are completely ignored after vectorization under PSE. However, for truncates of such IVs the same InductionDescriptor is used during creation/widening of both original IV based on PHINode and new IV based on TruncInst. This leads to unintended second call to recordVectorLoopValueForInductionCast with a VectorLoopVal set to the newly created IV for a trunc and causes an assert due to attempt to store new information for already existing entry in the map. This is wrong and should not be done. Fixes PR35773. Reviewers: dorit, Ayal, mssimpso Reviewed By: dorit Subscribers: RKSimon, dim, dcaballe, hsaito, llvm-commits, hiraditya Differential Revision: https://reviews.llvm.org/D41913 This should fix "Vector value already set for part" assertions when building the net/iodine and sysutils/daa2iso ports. Reported by: jbeich PR: 224867, 224868 MFC r328090: Pull in r322623 from upstream llvm trunk (by Andrew V. Tischenko): Allow usage of X86-prefixes as separate instrs. Differential Revision: https://reviews.llvm.org/D42102 This should fix parse errors when x86 prefixes (such as 'lock' and 'rep') are followed by various non-mnemonic tokens, e.g. comments, .byte directives and labels. PR: 224669, 225054 MFC r328091: Revert r327340, as the workaround for rep prefixes followed by .byte directives is no longer needed after r328090. MFC r328141 (by emaste): lld: Fix for ld.lld does not accept "AT" syntax for declaring LMA region AT> lma_region expression allows to specify the memory region for section load address. Should fix [upstream LLVM] PR35684. LLVM review: https://reviews.llvm.org/D41397 Obtained from: LLVM r322359 by George Rimar MFC r328143 (by emaste): lld: Handle parsing AT(ADDR(.foo-bar)). The problem we had with it is that anything inside an AT is an expression, so we failed to parse the section name because of the - in it. Requested by: royger Obtained from: LLVM r322801 by Rafael Espindola MFC r328144 (by emaste): lld: Fix incorrect physical address on self-referencing AT command. When a section placement (AT) command references the section itself, the physical address of the section in the ELF header was calculated incorrectly due to alignment happening right after the location pointer's value was captured. The problem was diagnosed and the first version of the patch written by Erick Reyes. Obtained from: LLVM r322421 by Rafael Espindola MFC r328145: Pull in r322016 from upstream llvm trunk (by Sanjay Patel): [ValueTracking] remove overzealous assert The test is derived from a failing fuzz test: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5008 Credit to @RKSimon for pointing out the problem. This should fix "Bad flavor while matching min/max" errors when building the graphics/libsixel and science/kst2 ports. Reported by: jbeich PR: 225268, 225269 MFC r328146: Pull in r322106 from upstream llvm trunk (by Alexey Bataev): [COST]Fix PR35865: Fix cost model evaluation for shuffle on X86. Summary: If the vector type is transformed to non-vector single type, the compile may crash trying to get vector information about non-vector type. Reviewers: RKSimon, spatel, mkuper, hfinkel Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D41862 This should fix "Not a vector MVT!" errors when building the games/dhewm3 port. Reported by: jbeich PR: 225271 MFC r328286 (by emaste): lld: Don't mark a shared library as needed because of a lazy symbol. Obtained from: LLVM r323221 by Rafael Esp?ndola MFC r328381: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 6.0.0 (branches/release_60 r323338). PR: 224669 MFC r328513: Pull in r322245 from upstream clang trunk (by Craig Topper): [X86] Make -mavx512f imply -mfma and -mf16c in the frontend like it does in the backend. Similarly, make -mno-fma and -mno-f16c imply -mno-avx512f. Withou this "-mno-sse -mavx512f" ends up with avx512f being enabled in the frontend but disabled in the backend. Reported by: pawel PR: 225488 MFC r328542 (by emaste): lld: Use lookup instead of find. NFC, just simpler. Obtained from: LLVM r323395 by Rafael Espindola MFC r328543 (by emaste): lld: Only lookup LMARegion once. NFC. This is similar to how we handle MemRegion. Obtained from: LLVM r323396 by Rafael Espindola MFC r328544 (by emaste): lld: Remove MemRegionOffset. NFC. We can just use a member variable in MemoryRegion. Obtained from: LLVM r323399 by Rafael Espindola MFC r328545 (by emaste): lld: Simplify. NFC. Obtained from: LLVM r323440 by Rafael Espindola MFC r328546 (by emaste): lld: Improve LMARegion handling. This fixes the crash reported at [LLVM] PR36083. The issue is that we were trying to put all the sections in the same PT_LOAD and crashing trying to write past the end of the file. This also adds accounting for used space in LMARegion, without it all 3 PT_LOADs would have the same physical address. Obtained from: LLVM r323449 by Rafael Espindola MFC r328547 (by emaste): lld: Move LMAOffset from the OutputSection to the PhdrEntry. NFC. If two sections are in the same PT_LOAD, their relatives offsets, virtual address and physical addresses are all the same. [Rafael] initially wanted to have a single global LMAOffset, on the assumption that every ELF file was in practiced loaded contiguously in both physical and virtual memory. Unfortunately that is not the case. The linux kernel has: LOAD 0x200000 0xffffffff81000000 0x0000000001000000 0xced000 0xced000 R E 0x200000 LOAD 0x1000000 0xffffffff81e00000 0x0000000001e00000 0x15f000 0x15f000 RW 0x200000 LOAD 0x1200000 0x0000000000000000 0x0000000001f5f000 0x01b198 0x01b198 RW 0x200000 LOAD 0x137b000 0xffffffff81f7b000 0x0000000001f7b000 0x116000 0x1ec000 RWE 0x200000 The delta for all but the third PT_LOAD is the same: 0xffffffff80000000. [Rafael] thinks the 3rd one is a hack for implementing per cpu data, but we can't break that. Obtained from: LLVM r323456 by Rafael Espindola MFC r328548 (by emaste): lld: Put the header in the first PT_LOAD even if that PT_LOAD has a LMAExpr The root problem is that we were creating a PT_LOAD just for the header. That was technically valid, but inconvenient: we should not be making the ELF discontinuous. The solution is to allow a section with LMAExpr to be added to a PT_LOAD if that PT_LOAD doesn't already have a LMAExpr. LLVM PR: 36017 Obtained from: LLVM r323625 by Rafael Espindola MFC r328594 (by emaste): Pull in r322108 from upstream llvm trunk (by Rafael Esp?ndola): Make one of the emitFill methods non virtual. NFC. This is just preparatory work to fix [LLVM] PR35858. MFC r328595 (by emaste): Pull in r322123 from upstream llvm trunk (by Rafael Esp?ndola): Don't create MCFillFragment directly. Instead use higher level APIs that take care of most bookkeeping. MFC r328596 (by emaste): Pull in r322131 from upstream llvm trunk (by Rafael Esp?ndola): Use a MCExpr for the size of MCFillFragment. This allows the size to be found during ralaxation. This fixes [LLVM] pr35858. Requested by: royger MFC r328753: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 6.0.0 (branches/release_60 r323948). PR: 224669 MFC r328817: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 6.0.0 (branches/release_60 r324090). This introduces retpoline support, with the -mretpoline flag. The upstream initial commit message (r323155 by Chandler Carruth) contains quite a bit of explanation. Quoting: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715, "Branch Target Injection", and is one of the two halves to Spectre. Summary: First, we need to explain the core of the vulnerability. Note that this is a very incomplete description, please see the Project Zero blog post for details: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html The basis for branch target injection is to direct speculative execution of the processor to some "gadget" of executable code by poisoning the prediction of indirect branches with the address of that gadget. The gadget in turn contains an operation that provides a side channel for reading data. Most commonly, this will look like a load of secret data followed by a branch on the loaded value and then a load of some predictable cache line. The attacker then uses timing of the processors cache to determine which direction the branch took *in the speculative execution*, and in turn what one bit of the loaded value was. Due to the nature of these timing side channels and the branch predictor on Intel processors, this allows an attacker to leak data only accessible to a privileged domain (like the kernel) back into an unprivileged domain. The goal is simple: avoid generating code which contains an indirect branch that could have its prediction poisoned by an attacker. In many cases, the compiler can simply use directed conditional branches and a small search tree. LLVM already has support for lowering switches in this way and the first step of this patch is to disable jump-table lowering of switches and introduce a pass to rewrite explicit indirectbr sequences into a switch over integers. However, there is no fully general alternative to indirect calls. We introduce a new construct we call a "retpoline" to implement indirect calls in a non-speculatable way. It can be thought of loosely as a trampoline for indirect calls which uses the RET instruction on x86. Further, we arrange for a specific call->ret sequence which ensures the processor predicts the return to go to a controlled, known location. The retpoline then "smashes" the return address pushed onto the stack by the call with the desired target of the original indirect call. The result is a predicted return to the next instruction after a call (which can be used to trap speculative execution within an infinite loop) and an actual indirect branch to an arbitrary address. On 64-bit x86 ABIs, this is especially easily done in the compiler by using a guaranteed scratch register to pass the target into this device. For 32-bit ABIs there isn't a guaranteed scratch register and so several different retpoline variants are introduced to use a scratch register if one is available in the calling convention and to otherwise use direct stack push/pop sequences to pass the target address. This "retpoline" mitigation is fully described in the following blog post: https://support.google.com/faqs/answer/7625886 We also support a target feature that disables emission of the retpoline thunk by the compiler to allow for custom thunks if users want them. These are particularly useful in environments like kernels that routinely do hot-patching on boot and want to hot-patch their thunk to different code sequences. They can write this custom thunk and use `-mretpoline-external-thunk` *in addition* to `-mretpoline`. In this case, on x86-64 thu thunk names must be: ``` __llvm_external_retpoline_r11 ``` or on 32-bit: ``` __llvm_external_retpoline_eax __llvm_external_retpoline_ecx __llvm_external_retpoline_edx __llvm_external_retpoline_push ``` And the target of the retpoline is passed in the named register, or in the case of the `push` suffix on the top of the stack via a `pushl` instruction. There is one other important source of indirect branches in x86 ELF binaries: the PLT. These patches also include support for LLD to generate PLT entries that perform a retpoline-style indirection. The only other indirect branches remaining that we are aware of are from precompiled runtimes (such as crt0.o and similar). The ones we have found are not really attackable, and so we have not focused on them here, but eventually these runtimes should also be replicated for retpoline-ed configurations for completeness. For kernels or other freestanding or fully static executables, the compiler switch `-mretpoline` is sufficient to fully mitigate this particular attack. For dynamic executables, you must compile *all* libraries with `-mretpoline` and additionally link the dynamic executable and all shared libraries with LLD and pass `-z retpolineplt` (or use similar functionality from some other linker). We strongly recommend also using `-z now` as non-lazy binding allows the retpoline-mitigated PLT to be substantially smaller. When manually apply similar transformations to `-mretpoline` to the Linux kernel we observed very small performance hits to applications running typic al workloads, and relatively minor hits (approximately 2%) even for extremely syscall-heavy applications. This is largely due to the small number of indirect branches that occur in performance sensitive paths of the kernel. When using these patches on statically linked applications, especially C++ applications, you should expect to see a much more dramatic performance hit. For microbenchmarks that are switch, indirect-, or virtual-call heavy we have seen overheads ranging from 10% to 50%. However, real-world workloads exhibit substantially lower performance impact. Notably, techniques such as PGO and ThinLTO dramatically reduce the impact of hot indirect calls (by speculatively promoting them to direct calls) and allow optimized search trees to be used to lower switches. If you need to deploy these techniques in C++ applications, we *strongly* recommend that you ensure all hot call targets are statically linked (avoiding PLT indirection) and use both PGO and ThinLTO. Well tuned servers using all of these techniques saw 5% - 10% overhead from the use of retpoline. We will add detailed documentation covering these components in subsequent patches, but wanted to make the core functionality available as soon as possible. Happy for more code review, but we'd really like to get these patches landed and backported ASAP for obvious reasons. We're planning to backport this to both 6.0 and 5.0 release streams and get a 5.0 release with just this cherry picked ASAP for distros and vendors. This patch is the work of a number of people over the past month: Eric, Reid, Rui, and myself. I'm mailing it out as a single commit due to the time sensitive nature of landing this and the need to backport it. Huge thanks to everyone who helped out here, and everyone at Intel who helped out in discussions about how to craft this. Also, credit goes to Paul Turner (at Google, but not an LLVM contributor) for much of the underlying retpoline design. Reviewers: echristo, rnk, ruiu, craig.topper, DavidKreitzer Subscribers: sanjoy, emaste, mcrosier, mgorny, mehdi_amini, hiraditya, llvm-commits Differential Revision: https://reviews.llvm.org/D41723 PR: 224669 MFC r329033: Pull in r324594 from upstream clang trunk (by Alexander Ivchenko): Fix for #31362 - ms_abi is implemented incorrectly for values >=16 bytes. Summary: This patch is a fix for following issue: https://bugs.llvm.org/show_bug.cgi?id=31362 The problem was caused by front end lowering C calling conventions without taking into account calling conventions enforced by attribute. In this case win64cc was no correctly lowered on targets other than Windows. Reviewed By: rnk (Reid Kleckner) Differential Revision: https://reviews.llvm.org/D43016 Author: belickim <[email protected]> This fixes clang 6.0.0 assertions when building the emulators/wine and emulators/wine-devel ports, and should also make it use the correct Windows calling conventions. Bump __FreeBSD_version to make the fix easy to detect. PR: 224863 MFC r329223: Pull in r323998 from upstream clang trunk (by Richard Smith): PR36157: When injecting an implicit function declaration in C89, find the right DeclContext rather than injecting it wherever we happen to be. This avoids creating functions whose DeclContext is a struct or similar. This fixes assertion failures when parsing certain not-completely-valid struct declarations. Reported by: ae PR: 225862 MFC r329410: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 6.0.0 (branches/release_60 r325330). PR: 224669 MFC r329983: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 6.0.0 (branches/release_60 r325932). This corresponds to 6.0.0 rc3. PR: 224669 MFC r330384: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 6.0.0 release (upstream r326565). Release notes for llvm, clang and lld will be available here soon: <http://releases.llvm.org/6.0.0/docs/ReleaseNotes.html> <http://releases.llvm.org/6.0.0/tools/clang/docs/ReleaseNotes.html> <http://releases.llvm.org/6.0.0/tools/lld/docs/ReleaseNotes.html> Relnotes: yes PR: 224669 MFC r330686: Pull in r326882 from upstream llvm trunk (by Sjoerd Meijer): [ARM] Fix for PR36577 Don't PerformSHLSimplify if the given node is used by a node that also uses a constant because we may get stuck in an infinite combine loop. bugzilla: https://bugs.llvm.org/show_bug.cgi?id=36577 Patch by Sam Parker. Differential Revision: https://reviews.llvm.org/D44097 This fixes a hang when compiling one particular file in java/openjdk8 for armv6 and armv7. Reported by: swills PR: 226388 MFC r331065: Pull in r327638 from upstream llvm trunk (by Matthew Simpson): [ConstantFolding, InstSimplify] Handle more vector GEPs This patch addresses some additional cases where the compiler crashes upon encountering vector GEPs. This should fix PR36116. Differential Revision: https://reviews.llvm.org/D44219 Reference: https://bugs.llvm.org/show_bug.cgi?id=36116 This fixes an assertion when building the emulators/snes9x port. Reported by: jbeich PR: 225471 MFC r331066: Pull in r321999 from upstream clang trunk (by Ivan A. Kosarev): [CodeGen] Fix TBAA info for accesses to members of base classes Resolves: Bug 35724 - regression (r315984): fatal error: error in backend: Broken function found (Did not see access type in access path!) https://bugs.llvm.org/show_bug.cgi?id=35724 Differential Revision: https://reviews.llvm.org/D41547 This fixes "Did not see access type in access path" fatal errors when building the devel/gdb port (version 8.1). Reported by: jbeich PR: 226658 MFC r331366: Pull in r327101 from upstream llvm trunk (by Rafael Espindola): Don't treat .symver as a regular alias definition. This patch starts simplifying the handling of .symver. For now it just moves the responsibility for creating an alias down to the streamer. With that the asm streamer can pass a .symver unchanged, which is nice since gas cannot parse "foo@bar = zed". In a followup I hope to move the handling down to the writer so that we don't need special hacks for avoiding breaking names with @@@ on windows. Pull in r327160 from upstream llvm trunk (by Rafael Espindola): Delay creating an alias for @@@. With this we only create an alias for @@@ once we know if it should use @ or @@. This avoids last minutes renames and hacks to handle MS names. This only handles the ELF writer. LTO still has issues with @@@ aliases. Pull in r327928 from upstream llvm trunk (by Vitaly Buka): Object: Move attribute calculation into RecordStreamer. NFC Summary: Preparation for D44274 Reviewers: pcc, espindola Subscribers: hiraditya Differential Revision: https://reviews.llvm.org/D44276 Pull in r327930 from upstream llvm trunk (by Vitaly Buka): Object: Fix handling of @@@ in .symver directive Summary: name@@@nodename is going to be replaced with name@@nodename if symbols is defined in the assembled file, or name@nodename if undefined. https://sourceware.org/binutils/docs/as/Symver.html Fixes PR36623 Reviewers: pcc, espindola Subscribers: mehdi_amini, hiraditya Differential Revision: https://reviews.llvm.org/D44274 Together, these changes fix handling of @@@ in .symver directives when doing Link Time Optimization. Reported by: Shawn Webb <[email protected]> MFC r331731: Pull in r328738 from upstream lld trunk (by Rafael Espindola): Strip @ver suffices from the LTO output. This fixes pr36623. The problem is that we have to parse versions out of names before LTO so that LTO can use that information. When we get the LTO produced .o files, we replace the previous symbols with the LTO produced ones, but they still have @ in their names. We could just trim the name directly, but calling parseSymbolVersion to do it is simpler. This is a follow-up to r331366, since we discovered that lld could append version strings to symbols twice, when using Link Time Optimization.
hbsd-robot0
pushed a commit
that referenced
this issue
Apr 25, 2018
Compression was removed so #2 goes away and everything else needs renumbered to match, and the usage string was also updated due to removed options. X-MFC-With: r332995
hbsd-robot0
pushed a commit
that referenced
this issue
May 24, 2018
There's no need to perform the interrupt unbind while holding the blkback lock, and doing so leads to the following LOR: lock order reversal: (sleepable after non-sleepable) 1st 0xfffff8000802fe90 xbbd1 (xbbd1) @ /usr/src/sys/dev/xen/blkback/blkback.c:3423 2nd 0xffffffff81fdf890 intrsrc (intrsrc) @ /usr/src/sys/x86/x86/intr_machdep.c:224 stack backtrace: #0 0xffffffff80bdd993 at witness_debugger+0x73 #1 0xffffffff80bdd814 at witness_checkorder+0xe34 #2 0xffffffff80b7d798 at _sx_xlock+0x68 #3 0xffffffff811b3913 at intr_remove_handler+0x43 #4 0xffffffff811c63ef at xen_intr_unbind+0x10f #5 0xffffffff80a12ecf at xbb_disconnect+0x2f #6 0xffffffff80a12e54 at xbb_shutdown+0x1e4 #7 0xffffffff80a10be4 at xbb_frontend_changed+0x54 #8 0xffffffff80ed66a4 at xenbusb_back_otherend_changed+0x14 #9 0xffffffff80a2a382 at xenwatch_thread+0x182 #10 0xffffffff80b34164 at fork_exit+0x84 #11 0xffffffff8101ec9e at fork_trampoline+0xe Reported by: Nathan Friess <[email protected]> Sponsored by: Citrix Systems R&D
hbsd-robot0
pushed a commit
that referenced
this issue
Jun 8, 2018
(or peel off the band-aid, whatever floats your boat) This addresses two separate issues: 1.) Nothing within bsdgrep actually knew whether it cared about line numbers or not. 2.) The file layer knew nothing about the context in which it was being called. #1 is only important when we're *not* processing line-by-line. #2 is debatably a good idea; the parsing context is only handy because that's where we store current offset information and, as of this commit, whether or not it needs to be line-aware.
hbsd-robot0
pushed a commit
that referenced
this issue
Jan 20, 2019
From the commit in libarchive:
```
Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
would sometimes fail to return at least 'minimum' bytes. This can cause
the crc32() invocation in header_bytes to read off into invalid memory.
A specially crafted archive can use this to cause a crash.
An ASAN trace is below, but ASAN is not required - an uninstrumented
binary will also crash.
==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
==7719==The signal is caused by a READ memory access.
#0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
#1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
#2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
#3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
#4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
#5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
#6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
#7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
#8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
#9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
#10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
#11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
This was primarly done with afl and FairFuzz. Some early corpus entries
may have been generated by qsym.
```
Signed-off-by: Shawn Webb <[email protected]>
Sponsored-by: SoldierX
hbsd-robot0
pushed a commit
that referenced
this issue
May 28, 2019
It appeared that using NET_EPOCH_WAIT() while holding global BPF lock can lead to another panic: spin lock 0xfffff800183c9840 (turnstile lock) held by 0xfffff80018e2c5a0 (tid 100325) too long panic: spin lock held too long ... #0 sched_switch (td=0xfffff80018e2c5a0, newtd=0xfffff8000389e000, flags=<optimized out>) at /usr/src/sys/kern/sched_ule.c:2133 #1 0xffffffff80bf9912 in mi_switch (flags=256, newtd=0x0) at /usr/src/sys/kern/kern_synch.c:439 #2 0xffffffff80c21db7 in sched_bind (td=<optimized out>, cpu=<optimized out>) at /usr/src/sys/kern/sched_ule.c:2704 #3 0xffffffff80c34c33 in epoch_block_handler_preempt (global=<optimized out>, cr=0xfffffe00005a1a00, arg=<optimized out>) at /usr/src/sys/kern/subr_epoch.c:394 #4 0xffffffff803c741b in epoch_block (global=<optimized out>, cr=<optimized out>, cb=<optimized out>, ct=<optimized out>) at /usr/src/sys/contrib/ck/src/ck_epoch.c:416 #5 ck_epoch_synchronize_wait (global=0xfffff8000380cd80, cb=<optimized out>, ct=<optimized out>) at /usr/src/sys/contrib/ck/src/ck_epoch.c:465 #6 0xffffffff80c3475e in epoch_wait_preempt (epoch=0xfffff8000380cd80) at /usr/src/sys/kern/subr_epoch.c:513 #7 0xffffffff80ce970b in bpf_detachd_locked (d=0xfffff801d309cc00, detached_ifp=<optimized out>) at /usr/src/sys/net/bpf.c:856 #8 0xffffffff80ced166 in bpf_detachd (d=<optimized out>) at /usr/src/sys/net/bpf.c:836 #9 bpf_dtor (data=0xfffff801d309cc00) at /usr/src/sys/net/bpf.c:914 To fix this add the check to the catchpacket() that BPF descriptor was not detached just before we acquired BPFD_LOCK(). Reported by: slavash Tested by: slavash MFC after: 1 week
hbsd-robot0
pushed a commit
that referenced
this issue
Aug 8, 2019
For some inexplicable reason, C++ compilers reject the -Wno- flag, and also (ab)use CWARNFLAGS. Reported by: imp
hbsd-robot0
pushed a commit
that referenced
this issue
Aug 8, 2019
* freebsd/current/master: r350739 try #2 Disable useless -Wformat-zero-length powerpc/pmap: Minor optimizations to 64-bit booke pmap Change autounmountd(8) to use time_t for duration instead of double Fix !DDB kernel configurations after r350713 Follow r350693 to add a link for sbuf_nl_terminate(9) ddb(4): Add 'sysctl' command
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For the LibreSSL branch, we should add the old OpenSSL files to ObsoleteFiles.inc.
The text was updated successfully, but these errors were encountered: