From dillon at crater.dragonflybsd.org  Tue Nov  5 08:13:35 2024
From: dillon at crater.dragonflybsd.org (Matthew Dillon)
Date: Tue, 5 Nov 2024 08:13:35 -0800 (PST)
Subject: git: kernel - Fix auto port assignment collision in network code
Message-ID: <20241105161335.444ED2816738@crater.dragonflybsd.org>

commit 84646c2989fb6978ded9d3ce41be1628389b376a
Author: Matthew Dillon
Date:   Tue Nov 5 08:05:14 2024 -0800

    kernel - Fix auto port assignment collision in network code

    * When the SO_REUSEADDR or SO_REUSEPORT socket option is set on a
      socket undergoing automatic lport assignment, the auto network
      port assignment code in the kernel improperly ignores collisions
      against ports assigned to wildcard sockets and may assign the
      same port. This causes later connect() calls to fail.

    * Can cause gdb services to sometimes fail to connect.

    * Fixed by ignoring the options for the purposes of finding an
      unused port.

    Reported-by: Sergey Zigachev (servik)

Summary of changes:
 sys/netinet/in_pcb.c   |  7 +++++++
 sys/netinet6/in6_src.c | 10 ++++++++++
 2 files changed, 17 insertions(+)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/84646c2989fb6978ded9d3ce41be1628389b376a

--
DragonFly BSD source repository

From tkusumi at crater.dragonflybsd.org  Sun Nov 17 00:31:09 2024
From: tkusumi at crater.dragonflybsd.org (Tomohiro Kusumi)
Date: Sun, 17 Nov 2024 00:31:09 -0800 (PST)
Subject: git: sbin/hammer2: Fix usage()
Message-ID: <20241117083109.EC9862841984@crater.dragonflybsd.org>

commit 6cd7b6532631428e69a83c882781e039f88550f6
Author: Tomohiro Kusumi
Date:   Sun Nov 17 00:21:12 2024 -0800

    sbin/hammer2: Fix usage()

Summary of changes:
 sbin/hammer2/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/6cd7b6532631428e69a83c882781e039f88550f6

--
DragonFly BSD source repository

From tkusumi at crater.dragonflybsd.org  Wed Nov 20 02:50:27 2024
From: tkusumi at crater.dragonflybsd.org (Tomohiro Kusumi)
Date: Wed, 20 Nov 2024 02:50:27 -0800 (PST)
Subject: git: sbin/hammer2/cmd_snapshot.c: Fix error handling
Message-ID: <20241120105027.496A0284E1FB@crater.dragonflybsd.org>

commit a6741f0b07e157e9e4ae2e8e9d6c5d1717b64e24
Author: Tomohiro Kusumi
Date:   Wed Nov 20 01:10:12 2024 -0800

    sbin/hammer2/cmd_snapshot.c: Fix error handling

    pfs.name is not valid when ioctl(HAMMER2IOC_PFS_GET) failed.

Summary of changes:
 sbin/hammer2/cmd_snapshot.c | 1 +
 1 file changed, 1 insertion(+)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/a6741f0b07e157e9e4ae2e8e9d6c5d1717b64e24

--
DragonFly BSD source repository

From dillon at crater.dragonflybsd.org  Fri Nov 29 10:24:34 2024
From: dillon at crater.dragonflybsd.org (Matthew Dillon)
Date: Fri, 29 Nov 2024 10:24:34 -0800 (PST)
Subject: git: kernel - Fix signal / signal-mask-change race
Message-ID: <20241129182434.E7AE32875E44@crater.dragonflybsd.org>

commit bbd7e13329c5bb82b8ee744e2c8780d994efbfbf
Author: Matthew Dillon
Date:   Fri Nov 29 10:16:53 2024 -0800

    kernel - Fix signal / signal-mask-change race

    * Fix race between incoming signals and sigsuspend(), ppoll(), or
      pselect() when used to change the signal mask. A signal can be
      received and queued to a process that is in the middle of
      unmasking said signal without triggering signal processing.

    * Our kernel *sleep*() and wakeup functions avoid whole-process
      locks to ensure high thread performance, but this can result in
      a race when a signal cannot be delivered to a thread and gets
      queued to the process instead.

      In order to keep the high-performance sleep, we instead use
      atomic ops and a ref-counter only in code paths related to
      general signal delivery to the process. Code which changes the
      signal mask then waits for the ref-counter to become zero as
      needed to ensure proper interlocked tests across signal mask
      changes to close the race.

Summary of changes:
 sys/kern/kern_sig.c    | 34 ++++++++++++++++++++++++++++------
 sys/kern/sys_generic.c |  5 +++++
 sys/sys/proc.h         |  3 ++-
 sys/sys/signal2.h      | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 85 insertions(+), 7 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/bbd7e13329c5bb82b8ee744e2c8780d994efbfbf

--
DragonFly BSD source repository

From marino at crater.dragonflybsd.org  Sat Nov 30 11:06:02 2024
From: marino at crater.dragonflybsd.org (John Marino)
Date: Sat, 30 Nov 2024 11:06:02 -0800 (PST)
Subject: git: libstdc++: Fix unsigned wraparound in codecvt::do_length [PR105857]
Message-ID: <20241130190602.B141C2879783@crater.dragonflybsd.org>

commit bd23261bc0d14eee4147ed68391498b1c45ec286
Author: John Marino
Date:   Sat Nov 30 12:58:54 2024 +0100

    libstdc++: Fix unsigned wraparound in codecvt::do_length [PR105857]

    When the max argument to std::codecvt::length is SIZE_MAX/4+1 or
    greater the multiplication with sizeof(wchar_t) will wrap to a
    small value, and the alloca call will have a buffer that's smaller
    than requested. The call to mbsnrtowcs then has a buffer that is
    smaller than the value passed as the buffer length.

    When libstdc++.so is built with -D_FORTIFY_SOURCE=3 the mismatched
    buffer and length will get detected and will abort inside Glibc.

    When it doesn't abort, there's no buffer overflow because Glibc's
    mbsnrtowcs has the same len * sizeof(wchar_t) calculation to
    determine the size of the buffer in bytes, and that will wrap to
    the same small number as the alloca argument. So luckily Glibc
    agrees with the caller about the real size of the buffer, and
    won't overflow it.

    Even when the max argument isn't large enough to wrap, it can
    still be much too large to safely pass to alloca, so we should
    limit that. We already have a loop that processes chunks so that
    we can handle null characters in the middle of the input. If we
    limit the alloca buffer to 4kB then we'll just loop each time that
    buffer is filled.

    Reported-by: Jonathan Wakely (GNU GCC)

Summary of changes:
 .../libstdc++-v3/config/locale/dragonfly/codecvt_members.cc | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/bd23261bc0d14eee4147ed68391498b1c45ec286

--
DragonFly BSD source repository
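
The size calculation and the 4kB chunking described in the libstdc++ commit message above, shown as an added example that is not part of the commit or of libstdc++. The names naive_alloca_bytes, bounded_length and kChunkElems are hypothetical, and the code assumes the default "C" locale and glibc-style mbsnrtowcs behaviour.

```cpp
// Added example (not libstdc++ source). Helper names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cwchar>

// Pre-fix sizing: the byte count is computed in size_t and wraps once
// max >= SIZE_MAX / sizeof(wchar_t) + 1.
std::size_t naive_alloca_bytes(std::size_t max) {
    return max * sizeof(wchar_t);
}

// Post-fix idea: a scratch buffer capped at 4 kB, reused for every chunk.
constexpr std::size_t kChunkElems = 4096 / sizeof(wchar_t);

// Bytes of [from, end) that convert to at most `max` wide characters.
std::size_t bounded_length(const char* from, const char* end, std::size_t max) {
    wchar_t scratch[kChunkElems];            // size never depends on max
    std::mbstate_t state{};
    const char* p = from;
    while (p < end && max > 0) {
        const std::size_t want = max < kChunkElems ? max : kChunkElems;
        const char* src = p;
        std::size_t n = ::mbsnrtowcs(scratch, &src, end - p, want, &state);
        if (n == static_cast<std::size_t>(-1)) {
            p = src;                         // src points at the invalid sequence
            break;
        }
        if (src == nullptr) {                // stopped after an embedded NUL
            src = p + ::strnlen(p, end - p) + 1;
            ++n;                             // the NUL counts as one character
        }
        if (src == p) break;                 // incomplete trailing sequence
        p = src;
        max -= n;
    }
    return static_cast<std::size_t>(p - from);
}

int main() {
    const std::size_t huge = SIZE_MAX / sizeof(wchar_t) + 1;
    std::printf("naive bytes for max=%zu: %zu\n", huge, naive_alloca_bytes(huge));
    const char text[] = "ab\0cd";            // constructed input, embedded NUL
    std::printf("bounded_length: %zu\n", bounded_length(text, text + 5, huge));
    return 0;
}
```
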