xnu-2422.90.20

Imported from https://opensource.apple.com/tarballs/xnu/xnu-2422.90.20.tar.gz
yeshuibo · Jun 4, 2017 · 777415e · 777415e
1 parent ff3a0c1
commit 777415e
Show file tree

Hide file tree

Showing 63 changed files with 943 additions and 580 deletions.
diff --git a/bsd/dev/dtrace/dtrace.c b/bsd/dev/dtrace/dtrace.c
@@ -2127,7 +2127,7 @@ dtrace_aggregate_llquantize(uint64_t *llquanta, uint64_t nval, uint64_t incr)
 	uint16_t factor = DTRACE_LLQUANTIZE_FACTOR(arg);
 	uint16_t low    = DTRACE_LLQUANTIZE_LOW(arg);
 	uint16_t high   = DTRACE_LLQUANTIZE_HIGH(arg);
-	uint16_t nsteps = DTRACE_LLQUANTIZE_NSTEPS(arg);
+	uint16_t nsteps = DTRACE_LLQUANTIZE_NSTEP(arg);
 
 	llquanta[dtrace_aggregate_llquantize_bucket(factor, low, high, nsteps, nval)] += incr;
 }
@@ -10642,7 +10642,7 @@ dtrace_ecb_aggregation_create(dtrace_ecb_t *ecb, dtrace_actdesc_t *desc)
 		uint16_t factor = DTRACE_LLQUANTIZE_FACTOR(desc->dtad_arg);
 		uint16_t low    = DTRACE_LLQUANTIZE_LOW(desc->dtad_arg);
 		uint16_t high   = DTRACE_LLQUANTIZE_HIGH(desc->dtad_arg);
-		uint16_t nsteps = DTRACE_LLQUANTIZE_NSTEPS(desc->dtad_arg);
+		uint16_t nsteps = DTRACE_LLQUANTIZE_NSTEP(desc->dtad_arg);
 		int64_t v;
 
 		agg->dtag_initial = desc->dtad_arg;

diff --git a/bsd/kern/decmpfs.c b/bsd/kern/decmpfs.c
@@ -1049,7 +1049,7 @@ commit_upl(upl_t upl, upl_offset_t pl_offset, size_t uplSize, int flags, int abo
             ErrorLog("ubc_upl_commit_range error %d\n", (int)kr);
     } else {
         VerboseLog("committing upl, flags 0x%08x\n", flags | UPL_COMMIT_CLEAR_DIRTY);
-		kr = ubc_upl_commit_range(upl, pl_offset, uplSize, flags | UPL_COMMIT_CLEAR_DIRTY);
+		kr = ubc_upl_commit_range(upl, pl_offset, uplSize, flags | UPL_COMMIT_CLEAR_DIRTY | UPL_COMMIT_WRITTEN_BY_KERNEL);
         if (kr != KERN_SUCCESS)
             ErrorLog("ubc_upl_commit_range error %d\n", (int)kr);
     }

diff --git a/bsd/kern/kern_cs.c b/bsd/kern/kern_cs.c
@@ -70,6 +70,8 @@
 
 #include <pexpert/pexpert.h>
 
+#include <mach/shared_region.h>
+
 unsigned long cs_procs_killed = 0;
 unsigned long cs_procs_invalidated = 0;
 
@@ -102,9 +104,15 @@ SYSCTL_INT(_vm, OID_AUTO, cs_enforcement, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_enfor
 SYSCTL_INT(_vm, OID_AUTO, cs_enforcement_panic, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_enforcement_panic, 0, "");
 #endif
 
+int panic_on_cs_killed = 0;
 void
 cs_init(void)
 {
+#if MACH_ASSERT
+	panic_on_cs_killed = 1;
+#endif
+	PE_parse_boot_argn("panic_on_cs_killed", &panic_on_cs_killed,
+			   sizeof (panic_on_cs_killed));
 #if !SECURE_KERNEL
 	int disable_cs_enforcement = 0;
 	PE_parse_boot_argn("cs_enforcement_disable", &disable_cs_enforcement, 
@@ -182,12 +190,25 @@ cs_invalid_page(
 
 	/* CS_KILL triggers a kill signal, and no you can't have the page. Nothing else. */
 	if (p->p_csflags & CS_KILL) {
+		if (panic_on_cs_killed &&
+		    vaddr >= SHARED_REGION_BASE &&
+		    vaddr < SHARED_REGION_BASE + SHARED_REGION_SIZE) {
+			panic("<rdar://14393620> cs_invalid_page(va=0x%llx): killing p=%p\n", (uint64_t) vaddr, p);
+		}
 		p->p_csflags |= CS_KILLED;
 		cs_procs_killed++;
 		send_kill = 1;
 		retval = 1;
 	}
 
+#if __x86_64__
+	if (panic_on_cs_killed &&
+	    vaddr >= SHARED_REGION_BASE &&
+	    vaddr < SHARED_REGION_BASE + SHARED_REGION_SIZE) {
+		panic("<rdar://14393620> cs_invalid_page(va=0x%llx): cs error p=%p\n", (uint64_t) vaddr, p);
+	}
+#endif /* __x86_64__ */
+
 	/* CS_HARD means fail the mapping operation so the process stays valid. */
 	if (p->p_csflags & CS_HARD) {
 		retval = 1;
@@ -214,14 +235,14 @@ cs_invalid_page(
 			NULL
 		);
 		printf("CODE SIGNING: cs_invalid_page(0x%llx): "
-		       "p=%d[%s] final status 0x%x, %sing page%s\n",
+		       "p=%d[%s] final status 0x%x, %s page%s\n",
 		       vaddr, p->p_pid, p->p_comm, p->p_csflags,
-		       retval ? "deny" : "allow (remove VALID)",
+		       retval ? "denying" : "allowing (remove VALID)",
 		       send_kill ? " sending SIGKILL" : "");
 	}
 
 	if (send_kill)
-		psignal(p, SIGKILL);
+		threadsignal(current_thread(), SIGKILL, EXC_BAD_ACCESS);
 
 
 	return retval;

diff --git a/bsd/kern/kern_symfile.c b/bsd/kern/kern_symfile.c
@@ -268,20 +268,30 @@ kern_open_file_for_direct_io(const char * name,
 
 	if (set_file_size && (set_file_size != (off_t) va.va_data_alloc))
 	{
-	    off_t     bytesallocated = 0;
 	    u_int32_t alloc_flags = PREALLOCATE | ALLOCATEFROMPEOF | ALLOCATEALL;
 
 	    vnode_lock_spin(ref->vp);
 	    CLR(ref->vp->v_flag, VSWAP);
 	    vnode_unlock(ref->vp);
 
-	    error = VNOP_ALLOCATE(ref->vp, set_file_size, alloc_flags,
-				  &bytesallocated, 0 /*fst_offset*/,
-				  ref->ctx);
+            if (set_file_size < (off_t) va.va_data_alloc)
+            {
+                struct vnode_attr setva;
+                VATTR_INIT(&setva);
+                VATTR_SET(&setva, va_data_size, set_file_size);
+                error = vnode_setattr(ref->vp, &setva, ref->ctx);
+            }
+            else
+            {
+                off_t bytesallocated = set_file_size - va.va_data_alloc;
+                error = VNOP_ALLOCATE(ref->vp, bytesallocated, alloc_flags,
+                                      &bytesallocated, 0 /*fst_offset*/,
+                                      ref->ctx);
+                HIBLOG("VNOP_ALLOCATE(%d) %qd\n", error, bytesallocated);
+            }
 	    // F_SETSIZE:
-	    if (!error) error = vnode_setsize(ref->vp, set_file_size, IO_NOZEROFILL, ref->ctx);
-	    kprintf("vnode_setsize(%d) %qd\n", error, set_file_size);
-	    ref->filelength = bytesallocated;
+	    (void) vnode_setsize(ref->vp, set_file_size, IO_NOZEROFILL, ref->ctx);
+	    ref->filelength = set_file_size;
 
 	    vnode_lock_spin(ref->vp);
 	    SET(ref->vp->v_flag, VSWAP);

diff --git a/bsd/kern/trace.codes b/bsd/kern/trace.codes
@@ -1391,6 +1391,12 @@
 0x531024C	CPUPM_PST_QOS_RATEUNLIMIT
 0x5310250	CPUPM_PST_QOS_SWITCH
 0x5310254	CPUPM_FORCED_IDLE
+0x5310258	CPUPM_PST_RAW_PERF
+0x531025C	CPUPM_CPU_HALT_DEEP
+0x5310260	CPUPM_CPU_HALT
+0x5310264	CPUPM_CPU_OFFLINE
+0x5310268	CPUPM_CPU_EXIT_HALT
+0x531026C	CPUPM_PST_QOS_CHARGE
 0x5330000	HIBERNATE
 0x5330004	HIBERNATE_WRITE_IMAGE
 0x5330008	HIBERNATE_MACHINE_INIT

diff --git a/bsd/kern/ubc_subr.c b/bsd/kern/ubc_subr.c
@@ -2778,6 +2778,9 @@ ubc_cs_blob_add(
 	const CS_CodeDirectory *cd;
 	off_t			blob_start_offset, blob_end_offset;
 	SHA1_CTX		sha1ctxt;
+	boolean_t		record_mtime;
+
+	record_mtime = FALSE;
 
 	blob_handle = IPC_PORT_NULL;
 
@@ -2981,6 +2984,11 @@ ubc_cs_blob_add(
 		goto out;
 	}
 
+	if (uip->cs_blobs == NULL) {
+		/* loading 1st blob: record the file's current "modify time" */
+		record_mtime = TRUE;
+	}
+
 	/*
 	 * Add this blob to the list of blobs for this vnode.
 	 * We always add at the front of the list and we never remove a
@@ -3021,6 +3029,10 @@ ubc_cs_blob_add(
 
 	vnode_unlock(vp);
 
+	if (record_mtime) {
+		vnode_mtime(vp, &uip->cs_mtime, vfs_context_current());
+	}
+
 	error = 0;	/* success ! */
 
 out:
@@ -3158,6 +3170,24 @@ ubc_get_cs_blobs(
 	return blobs;
 }
 
+void
+ubc_get_cs_mtime(
+	struct vnode	*vp,
+	struct timespec	*cs_mtime)
+{
+	struct ubc_info	*uip;
+
+	if (! UBCINFOEXISTS(vp)) {
+		cs_mtime->tv_sec = 0;
+		cs_mtime->tv_nsec = 0;
+		return;
+	}
+
+	uip = vp->v_ubcinfo;
+	cs_mtime->tv_sec = uip->cs_mtime.tv_sec;
+	cs_mtime->tv_nsec = uip->cs_mtime.tv_nsec;
+}
+
 unsigned long cs_validate_page_no_hash = 0;
 unsigned long cs_validate_page_bad_hash = 0;
 boolean_t

diff --git a/bsd/net/if_gif.c b/bsd/net/if_gif.c
@@ -586,11 +586,11 @@ gif_output(
 #endif
 	default:
 		error = ENETDOWN;
-		goto end;
+		break;
 	}
 
-end:
 	GIF_UNLOCK(sc);
+end:        
 	if (error) {
 		/* the mbuf was freed either by in_gif_output or in here */
 		ifnet_stat_increment_out(ifp, 0, 0, 1);

diff --git a/bsd/netinet/in_arp.c b/bsd/netinet/in_arp.c
@@ -532,7 +532,7 @@ arptfree(struct llinfo_arp *la, void *arg)
 	if (rt->rt_expire == 0 || (rt->rt_flags & RTF_STATIC)) {
 		ap->sticky++;
 		/* ARP entry is permanent? */
-		if (!(rt->rt_flags & RTF_STATIC)) {
+		if (rt->rt_expire == 0) {
 			RT_UNLOCK(rt);
 			return;
 		}

diff --git a/bsd/netinet/in_pcb.c b/bsd/netinet/in_pcb.c
@@ -1104,7 +1104,7 @@ in_pcbladdr(struct inpcb *inp, struct sockaddr *nam, struct in_addr *laddr,
 	 * interface has been set as a multicast option, use the
 	 * address of that interface as our source address.
 	 */
-	if (error == 0 && IN_MULTICAST(ntohl(SIN(nam)->sin_addr.s_addr)) &&
+	if (IN_MULTICAST(ntohl(SIN(nam)->sin_addr.s_addr)) &&
 	    inp->inp_moptions != NULL) {
 		struct ip_moptions *imo;
 		struct ifnet *ifp;
@@ -1126,6 +1126,8 @@ in_pcbladdr(struct inpcb *inp, struct sockaddr *nam, struct in_addr *laddr,
 			lck_rw_done(in_ifaddr_rwlock);
 			if (ia == NULL)
 				error = EADDRNOTAVAIL;
+			else
+				error = 0;
 		}
 		IMO_UNLOCK(imo);
 	}

diff --git a/bsd/netinet/tcp_timer.c b/bsd/netinet/tcp_timer.c
@@ -520,12 +520,15 @@ tcp_gc(struct inpcbinfo *ipi)
 		 * socket lock for better performance. If there are
 		 * any pcbs in time-wait, the timer will get rescheduled.
 		 * Hence some error in this check can be tolerated.
+		 *
+		 * Sometimes a socket on time-wait queue can be closed if
+		 * 2MSL timer expired but the application still has a
+		 * usecount on it. 
 		 */
-		if (TSTMP_GEQ(tcp_now, tw_tp->t_timer[TCPT_2MSL])) {
+		if (tw_tp->t_state == TCPS_CLOSED ||  
+		    TSTMP_GEQ(tcp_now, tw_tp->t_timer[TCPT_2MSL])) {
 			if (tcp_garbage_collect(tw_tp->t_inpcb, 1))
 				atomic_add_32(&ipi->ipi_gc_req.intimer_lazy, 1);
-		} else {
-			break;
 		}
 	}
 

diff --git a/bsd/netinet6/esp_rijndael.c b/bsd/netinet6/esp_rijndael.c
@@ -81,8 +81,8 @@
 
 #include <net/net_osdep.h>
 
+#define MAX_REALIGN_LEN 2000
 #define AES_BLOCKLEN 16
-#define MAX_SBUF_LEN 2000
 
 extern lck_mtx_t *sadb_mutex;
 
@@ -152,7 +152,7 @@ esp_cbc_decrypt_aes(m, off, sav, algo, ivlen)
 	int sn, dn;	/* offset from the head of the mbuf, to meat */
 	size_t ivoff, bodyoff;
 	u_int8_t iv[AES_BLOCKLEN] __attribute__((aligned(4))), *dptr;
-	u_int8_t sbuf[MAX_SBUF_LEN] __attribute__((aligned(4))), *sp, *sp_unaligned;
+	u_int8_t sbuf[AES_BLOCKLEN] __attribute__((aligned(4))), *sp, *sp_unaligned, *sp_aligned = NULL;
 	struct mbuf *scut;
 	int scutoff;
 	int	i, len;
@@ -277,7 +277,15 @@ esp_cbc_decrypt_aes(m, off, sav, algo, ivlen)
 			sp_unaligned = NULL;
 		} else {
 			sp_unaligned = sp;
-			sp = sbuf;
+			if (len > MAX_REALIGN_LEN) {
+				return ENOBUFS;
+			}
+			if (sp_aligned == NULL) {
+				sp_aligned = (u_int8_t *)_MALLOC(MAX_REALIGN_LEN, M_SECA, M_DONTWAIT);
+				if (sp_aligned == NULL)
+					return ENOMEM;
+			}
+			sp = sp_aligned;
 			memcpy(sp, sp_unaligned, len);
 		}
 		// no need to check output pointer alignment
@@ -310,6 +318,12 @@ esp_cbc_decrypt_aes(m, off, sav, algo, ivlen)
 	scut->m_len = scutoff;
 	scut->m_next = d0;
 
+	// free memory
+	if (sp_aligned != NULL) {
+		FREE(sp_aligned, M_SECA);
+		sp_aligned = NULL;
+	}
+
 	/* just in case */
 	bzero(iv, sizeof(iv));
 	bzero(sbuf, sizeof(sbuf));
@@ -332,7 +346,7 @@ esp_cbc_encrypt_aes(
 	int sn, dn;	/* offset from the head of the mbuf, to meat */
 	size_t ivoff, bodyoff;
 	u_int8_t *ivp, *dptr, *ivp_unaligned;
-	u_int8_t sbuf[MAX_SBUF_LEN] __attribute__((aligned(4))), *sp, *sp_unaligned;
+	u_int8_t sbuf[AES_BLOCKLEN] __attribute__((aligned(4))), *sp, *sp_unaligned, *sp_aligned = NULL;
 	u_int8_t ivp_aligned_buf[AES_BLOCKLEN] __attribute__((aligned(4)));
 	struct mbuf *scut;
 	int scutoff;
@@ -458,7 +472,15 @@ esp_cbc_encrypt_aes(
 			sp_unaligned = NULL;
 		} else {
 			sp_unaligned = sp;
-			sp = sbuf;
+			if (len > MAX_REALIGN_LEN) {
+				return ENOBUFS;
+			}
+			if (sp_aligned == NULL) {
+				sp_aligned = (u_int8_t *)_MALLOC(MAX_REALIGN_LEN, M_SECA, M_DONTWAIT);
+				if (sp_aligned == NULL)
+					return ENOMEM;
+			}
+			sp = sp_aligned;
 			memcpy(sp, sp_unaligned, len);
 		}
 		// check ivp pointer alignment and use a separate aligned buffer (if ivp is not aligned on 4-byte boundary).
@@ -467,7 +489,7 @@ esp_cbc_encrypt_aes(
 		} else {
 			ivp_unaligned = ivp;
 			ivp = ivp_aligned_buf;
-			memcpy(ivp, ivp_unaligned, len);
+			memcpy(ivp, ivp_unaligned, AES_BLOCKLEN);
 		}
 		// no need to check output pointer alignment
 		aes_encrypt_cbc(sp, ivp, len >> 4, dptr + dn, 
@@ -494,13 +516,18 @@ esp_cbc_encrypt_aes(
 			soff += s->m_len;
 			s = s->m_next;
 		}
-
 	}
 
 	/* free un-needed source mbufs and add dest mbufs to chain */
 	m_freem(scut->m_next);
 	scut->m_len = scutoff;
 	scut->m_next = d0;
+
+	// free memory
+	if (sp_aligned != NULL) {
+		FREE(sp_aligned, M_SECA);
+		sp_aligned = NULL;
+	}
 
 	/* just in case */
 	bzero(sbuf, sizeof(sbuf));