OpenBSD cvs log

created 2019-02-09T16:06:28Z
begin 2019-02-04T00:00:00Z
end 2019-02-05T00:00:00Z
path src/sys
commits 4

date 2019-02-04T07:04:28Z
author anton
files src/sys/kern/sysv_sem.c
message When freeing the sem_undo structure in semundo_adjust(), update the
caller supplied pointer. Otherwise, the caller is left with a dangling
pointer that could lead to a use-after-free panic.

ok millert@ visa@

Reported-by: syzbot+ac1d7685deab53b95ace@syzkaller.appspotmail.com
Reported-by: syzbot+dbe8f002f8051f26f6fe@syzkaller.appspotmail.com

date 2019-02-04T10:33:56Z
author kettenis
files src/sys/dev/sdmmc/if_bwfm_sdio.c
message Turns out we do need to handle control messages that exceed MLEN, so
allocate a cluster if the message is larger than that. Fixes a panic
on shutdown on my Asus X205TA.

ok patrick@, stsp@

date 2019-02-04T13:28:55Z
author visa
files src/sys/kern/subr_witness.c
message Make callers of witness_lock_list_{get,free}() responsible for raising
the system priority level to IPL_HIGH. This simplifies the code a bit
relative to calling from witness_lock() and witness_unlock().

OK mpi@

date 2019-02-04T21:40:52Z
author bluhm
files src/sys/kern/uipc_usrreq.c
src/sys/net/pfkeyv2.c
src/sys/net/rtsock.c
src/sys/netinet/ip_divert.c
src/sys/netinet/raw_ip.c
src/sys/netinet/udp_usrreq.c
src/sys/netinet6/ip6_divert.c
src/sys/netinet6/raw_ip6.c
message Avoid an mbuf double free in the oob soreceive() path. In the
usrreq functions move the mbuf m_freem() logic to the release block
instead of distributing it over the switch statement. Then the
goto release in the initial check, whether the pcb still exists,
will not free the mbuf for the PRU_RCVD, PRU_RCVOOB, PRU_SENSE
commands.
OK claudio@ mpi@ visa@
Reported-by: syzbot+8e7997d4036ae523c79c@syzkaller.appspotmail.com