os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add two recent errata notices.

Browse source
This commit is contained in:
Xin LI 2015-05-13 23:07:20 +00:00
parent 753e608164
commit 04b2605719
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=46693
9 changed files with 1284 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

156
share/security/advisories/FreeBSD-EN-15:04.freebsd-update.asc Normal file
View file

@ -0,0 +1,156 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-15:04.freebsd-update Errata Notice
The FreeBSD Project
Topic: freebsd-update(8) does not ensure the previous upgrade was
completed
Category: core
Module: freebsd-update
Announced: 2015-05-13
Credits: Allan Jude
Affects: All supported versions of FreeBSD.
Corrected: 2015-05-13 22:36:00 UTC (stable/10, 10.1-STABLE)
2015-05-13 22:52:35 UTC (releng/10.1, 10.1-RELEASE-p10)
2015-05-13 22:36:52 UTC (stable/9, 9.3-STABLE)
2015-05-13 22:52:51 UTC (releng/9.3, 9.3-RELEASE-p14)
2015-05-13 22:39:29 UTC (stable/8, 8.4-STABLE)
2015-05-13 22:52:51 UTC (releng/8.4, 8.4-RELEASE-p28)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
The freebsd-update(8) utility is used to apply binary patches to FreeBSD
systems installed from official release images, as an alternative to
rebuilding from source. A freebsd-update(8) build server generates the
signed update packages, consisting of an index of files and directories
with checksums before the update, a set of binary patches, and an
index of files and directories with checksums after the update. The
client downloads the indexes, verifies the signatures and checksums,
then downloads and applies the required patches.
II. Problem Description
Binary upgrades using the freebsd-update(8) utility consist of several
invocations of the freebsd-update(8) utility itself. Each invocation
performs a different task that depends on the previous invocation being
successfully completed.
If an upgrade is not thoroughly completed, it is possible for the
freebsd-update(8) utility to download a subsequent patchset to a system
with an inconsistent userland and/or kernel. In the case of such an
incomplete upgrade, the freebsd-update(8) utility may incorrectly
evaluate the running userland and/or kernel, which can cause binary
patches to be incorrectly applied. In some situations, it is possible
for patches to be applied for the incorrect FreeBSD version.
III. Impact
If incorrect patches are applied to the system as a result of a previous
incomplete upgrade, it is possible that some system services may fail to
start after rebooting the system, such as if the service is started by an
executable that depends on a shared library that has been relocated as
part of the upgrade.
IV. Workaround
No workaround is available, but systems that do not use FreeBSD-provided
binary updates to upgrade are not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3 and 10.1]
# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc
[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update-8.patch
# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update-8.patch.asc
# gpg --verify freebsd-update-8.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r282872
releng/8.4/ r282874
stable/9/ r282871
releng/9.3/ r282874
stable/10/ r282870
releng/10.1/ r282873
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/196760>
The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:04.freebsd-update.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVU9dbAAoJEO1n7NZdz2rnCewQAM51TcFY4IZvSJbSe5RLDGRr
4KsAwkgNW45Z+iUjvg5wnnkXZYau1fadMyQilbrKLk9d0MY1dQlJ7lW0Jkk9q+Oq
JhXjanQYvIZKK9eYi0gpVVqp9sN57dpv96ZP+CDiJX9FDow7OPGKmEiJgoavahpb
kg5kOywjDEv/DkttLJgHHmEBK41Gad2Jrz16N6k7mlHFSpFmEGRefaqqPqmLdzs0
t0liDFI+fIAYOOKgIDG8Gqe3FCqbhnAf3bmkU/gyJKf1o5vPWowo9O5CvGH+mHPl
hmQBD70d+6kkv6ZH5RxMa38Vc3FpZXmaipdObJyoIoOjBw1UqEV6OwS+810xNDCx
bwN5q8QP5l/M7SHDO1n/FyP8BVbk6TXVKJ1R+t1bsKd07synL12gVTe0VVm+w0rh
+TVdF7cFRWB1Rp3JFw7cGz47ZFv08AaZ3CzdoH9qCEKOTnJnkyW3L4hceTWjkF8H
c5gas5Wp3UZeUZ2LT+LcB89W4LSn3Xv3y7AJDsVP9MGHSkjSDGIJKfWiXl/GWHql
M/zT6WeraOZyOwNr4F9QFp1hYSxvR+Izh7C0nFefBNf8YID3/hiKYNjxkf5Dz+fN
4A+RVt3COUteAeF5ikPVUiMfJljubingmN5NvTVmKQN6nRm5Pn6rrOouJqf3W0Mh
QE8Ps/3y/Sw1e/m45snD
=IdxG
-----END PGP SIGNATURE-----

138
share/security/advisories/FreeBSD-EN-15:05.ufs.asc Normal file
View file

@ -0,0 +1,138 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-15:05.ufs Errata Notice
The FreeBSD Project
Topic: Deadlock on reboot with UFS tuned with SU+J
Category: core
Module: ufs
Announced: 2015-05-13
Credits: Konstantin Belousov
Affects: FreeBSD 10.1
Corrected: 2015-04-10 02:23:44 UTC (stable/10, 10.1-STABLE)
2015-05-13 22:52:35 UTC (releng/10.1, 10.1-RELEASE-p10)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
The Unix File System (UFS) is one of several filesystems available on
FreeBSD. UFS supports several optimization features, such as soft updates
and journaling, both of which keep track of filesystem metadata to ensure
a consistent state in the event of a crash or power failure.
II. Problem Description
When the root filesystem is configured with soft updates and journaling
both enabled, which is the default for FreeBSD 10.1-RELEASE installations,
the system may deadlock after a source-based or binary upgrade when the
init(8) binary is replaced. The deadlock occurs when issuing reboot(8)
or shutdown(8), after which the system becomes unresponsive when syncing
the filesystem.
III. Impact
When the deadlock occurs, a hard system reset or power cycle may be
required.
IV. Workaround
Systems that do not have soft updates and journaling enabled on a UFS root
filesystem are unaffected.
It is possible to work around the issue by waiting before issuing reboot(8)
or shutdown(8) after upgrading the userland. It has been observed that
deferring the reboot(8) for a period of 60 seconds to be sufficient. It is
encouraged to issue several sync(8) commands during this period, to help
ensure the filesystem writes have completed.
Additionally, disabling soft update journaling on the root filesystem can
also work around the issue.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-15:05/ufs.patch
# fetch https://security.FreeBSD.org/patches/EN-15:05/ufs.patch.asc
# gpg --verify ufs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r281350
releng/10.1/ r282873
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/195458>
The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:05.ufs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVU9dbAAoJEO1n7NZdz2rn3JYP/2HeyHsGEAwl+1NCVLu/Eimj
wl/jK7Pl2SMWCEAkynkP8Cs5ibCbtzA4SV1RP8OPCF42yQJmk/kzR0Rmuq+LboFC
QGmus/0Q/JCXqabDEzNx7/tHibeJInveGDf4a4/rg38Q+zO7MYZFmGsWoFEC2RKn
lEWb/kh5AxMagaj5lns4WHmo0TFlyOUFaJijGxXhHu3IFZwuZB60a5cXJ8OjBulk
FO7uIcZ7OTP43y4VvvBsFV6bxeFyoMNF8tgB+dsBzatNQhl7yAxWMMEiDUNBEaqV
mfjKZxHRkB+GGjQwv2Cq4463kNQvwknN9vms536fS7HuecFMITbyD37ySR3pSRoi
KVGopfpDr0NWjn1/N7UyAsY+6CAYqpsilYvq2slBu2J/Aj6jCyDhPUTnjHKz1m91
rdyBjkHod9XkLYqwCkJlWjIxnLxCDlv8vwUjOe2/TjCUFO6FIO6lgvCVkgekIlwG
rPxx+bqfKSarQQSL6a4MWFFYwt79c292A3nodS0sLIL4YRNwQnFvuYVB/qxIWD1x
ecKJmbL0bm3S1T/qWa89Xh55NWFKs0bxVmjQCWu84re/20+oWcaXFg8Oeqnq+xFV
ke4EzbxhoU4KWzvsFbc+U+EZhTVLVlnjbAW073Z6QyykfBs2RhudUGB51T/3XB3I
jAU8LNkMBjZhe7khLFLD
=BTx0
-----END PGP SIGNATURE-----

458
share/security/patches/EN-15:04/freebsd-update-8.patch Normal file
View file

@ -0,0 +1,458 @@
Index: usr.sbin/freebsd-update/freebsd-update.8
===================================================================
--- usr.sbin/freebsd-update/freebsd-update.8 (revision 282245)
+++ usr.sbin/freebsd-update/freebsd-update.8 (working copy)
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 14, 2010
+.Dd March 2, 2015
.Dt FREEBSD-UPDATE 8
.Os FreeBSD
.Sh NAME
@@ -36,10 +36,12 @@
.Op Fl b Ar basedir
.Op Fl d Ar workdir
.Op Fl f Ar conffile
+.Op Fl F
.Op Fl k Ar KEY
.Op Fl r Ar newrelease
.Op Fl s Ar server
.Op Fl t Ar address
+.Op Fl -not-running-from-cron
.Cm command ...
.Sh DESCRIPTION
The
@@ -49,21 +51,21 @@ updates to the FreeBSD base system.
Note that updates are only available if they are being built for the
FreeBSD release and architecture being used; in particular, the
.Fx
-Security Team only builds updates for releases shipped in binary form
+Security Team only builds updates for releases shipped in binary form
by the
.Fx
Release Engineering Team, e.g.,
.Fx
-7.3-RELEASE and
+9.3-RELEASE and
.Fx
-8.0, but not
+10.1-RELEASE, but not
.Fx
-6.3-STABLE or
+9.3-STABLE or
.Fx
-9.0-CURRENT.
+11-CURRENT.
.Sh OPTIONS
The following options are supported:
-.Bl -tag -width "-f conffile"
+.Bl -tag -width "-r newrelease"
.It Fl b Ar basedir
Operate on a system mounted at
.Ar basedir .
@@ -81,6 +83,10 @@ Read configuration options from
.Ar conffile .
(default:
.Pa /etc/freebsd-update.conf )
+.It Fl F
+Force
+.Nm Cm fetch
+to proceed where it normally would not, such as an unfinished upgrade
.It Fl k Ar KEY
Trust an RSA key with SHA256 of
.Ar KEY .
@@ -98,13 +104,21 @@ Mail output of
command, if any, to
.Ar address .
(default: root, or as given in the configuration file.)
+.It Fl -not-running-from-cron
+Force
+.Nm Cm fetch
+to proceed when there is no controlling tty.
+This is for use by automated scripts and orchestration tools.
+Please do not run
+.Nm Cm fetch
+from crontab or similar using this flag, see:
+.Nm Cm cron
.El
.Sh COMMANDS
The
.Cm command
can be any one of the following:
-.Pp
-.Bl -tag -width "-f conffile"
+.Bl -tag -width "rollback"
.It Cm fetch
Based on the currently installed world and the configuration
options set, fetch all available binary updates.
@@ -128,6 +142,11 @@ Fetch files necessary for upgrading to a
Before using this command, make sure that you read the
announcement and release notes for the new release in
case there are any special steps needed for upgrading.
+Note that this command may require up to 500 MB of space in
+.Ar workdir
+depending on which components of the
+.Fx
+base system are installed.
.It Cm install
Install the most recently fetched updates or upgrade.
.It Cm rollback
@@ -149,7 +168,7 @@ other than 3AM, to avoid overly imposing
on the server(s) hosting the updates.
.It
In spite of its name,
-.Cm
+.Nm
IDS should not be relied upon as an "Intrusion Detection
System", since if the system has been tampered with
it cannot be trusted to operate correctly.
@@ -158,11 +177,11 @@ purposes, make sure you boot from a secu
.El
.Sh FILES
.Bl -tag -width "/etc/freebsd-update.conf"
-.It /etc/freebsd-update.conf
+.It Pa /etc/freebsd-update.conf
Default location of the
.Nm
configuration file.
-.It /var/db/freebsd-update/
+.It Pa /var/db/freebsd-update/
Default location where
.Nm
stores temporary files and downloaded updates.
@@ -170,4 +189,4 @@ stores temporary files and downloaded up
.Sh SEE ALSO
.Xr freebsd-update.conf 5
.Sh AUTHORS
-.An Colin Percival Aq cperciva@FreeBSD.org
+.An Colin Percival Aq Mt cperciva@FreeBSD.org
Index: usr.sbin/freebsd-update/freebsd-update.sh
===================================================================
--- usr.sbin/freebsd-update/freebsd-update.sh (revision 282245)
+++ usr.sbin/freebsd-update/freebsd-update.sh (working copy)
@@ -43,12 +43,15 @@ Options:
(default: /var/db/freebsd-update/)
-f conffile -- Read configuration options from conffile
(default: /etc/freebsd-update.conf)
+ -F -- Force a fetch operation to proceed
-k KEY -- Trust an RSA key with SHA256 hash of KEY
-r release -- Target for upgrade (e.g., 6.2-RELEASE)
-s server -- Server from which to fetch updates
(default: update.FreeBSD.org)
-t address -- Mail output of cron command, if any, to address
(default: root)
+ --not-running-from-cron
+ -- Run without a tty, for use by automated tools
Commands:
fetch -- Fetch updates from server
cron -- Sleep rand(3600) seconds, fetch updates, and send an
@@ -284,6 +287,9 @@ config_TargetRelease () {
else
return 1
fi
+ if echo ${TARGETRELEASE} | grep -qE '^[0-9.]+$'; then
+ TARGETRELEASE="${TARGETRELEASE}-RELEASE"
+ fi
}
# Define what happens to output of utilities
@@ -396,6 +402,12 @@ init_params () {
# No commands specified yet
COMMANDS=""
+
+ # Force fetch to proceed
+ FORCEFETCH=0
+
+ # Run without a TTY
+ NOTTYOK=0
}
# Parse the command line
@@ -408,6 +420,12 @@ parse_cmdline () {
if [ ! -z "${CONFFILE}" ]; then usage; fi
shift; CONFFILE="$1"
;;
+ -F)
+ FORCEFETCH=1
+ ;;
+ --not-running-from-cron)
+ NOTTYOK=1
+ ;;
# Configuration file equivalents
-b)
@@ -569,7 +587,7 @@ fetch_setup_verboselevel () {
# running *-p[0-9]+, strip off the last part; if the
# user is running -SECURITY, call it -RELEASE. Chdir
# into the working directory.
-fetch_check_params () {
+fetchupgrade_check_params () {
export HTTP_USER_AGENT="freebsd-update (${COMMAND}, `uname -r`)"
_SERVERNAME_z=\
@@ -577,6 +595,7 @@ fetch_check_params () {
_KEYPRINT_z="Key must be given via -k option or configuration file."
_KEYPRINT_bad="Invalid key fingerprint: "
_WORKDIR_bad="Directory does not exist or is not writable: "
+ _WORKDIR_bad2="Directory is not on a persistent filesystem: "
if [ -z "${SERVERNAME}" ]; then
echo -n "`basename $0`: "
@@ -600,6 +619,13 @@ fetch_check_params () {
echo ${WORKDIR}
exit 1
fi
+ case `df -T ${WORKDIR}` in */dev/md[0-9]* | *tmpfs*)
+ echo -n "`basename $0`: "
+ echo -n "${_WORKDIR_bad2}"
+ echo ${WORKDIR}
+ exit 1
+ ;;
+ esac
chmod 700 ${WORKDIR}
cd ${WORKDIR} || exit 1
@@ -652,9 +678,29 @@ fetch_check_params () {
BDHASH=`echo ${BASEDIR} | sha256 -q`
}
+# Perform sanity checks etc. before fetching updates.
+fetch_check_params () {
+ fetchupgrade_check_params
+
+ if ! [ -z "${TARGETRELEASE}" ]; then
+ echo -n "`basename $0`: "
+ echo -n "-r option is meaningless with 'fetch' command. "
+ echo "(Did you mean 'upgrade' instead?)"
+ exit 1
+ fi
+
+ # Check that we have updates ready to install
+ if [ -f ${BDHASH}-install/kerneldone -a $FORCEFETCH -eq 0 ]; then
+ echo "You have a partially completed upgrade pending"
+ echo "Run '$0 install' first."
+ echo "Run '$0 fetch -F' to proceed anyway."
+ exit 1
+ fi
+}
+
# Perform sanity checks etc. before fetching upgrades.
upgrade_check_params () {
- fetch_check_params
+ fetchupgrade_check_params
# Unless set otherwise, we're upgrading to the same kernel config.
NKERNCONF=${KERNCONF}
@@ -1185,7 +1231,7 @@ fetch_metadata_sanity () {
# Some aliases to save space later: ${P} is a character which can
# appear in a path; ${M} is the four numeric metadata fields; and
# ${H} is a sha256 hash.
- P="[-+./:=%@_[~[:alnum:]]"
+ P="[-+./:=,%@_[~[:alnum:]]"
M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"
H="[0-9a-f]{64}"
@@ -1456,7 +1502,7 @@ fetch_inspect_system () {
sort -k 3,3 -t '|' > $2.tmp
rm filelist
- # Check if an error occured during system inspection
+ # Check if an error occurred during system inspection
if [ -f .err ]; then
return 1
fi
@@ -2240,6 +2286,19 @@ upgrade_oldall_to_oldnew () {
mv $2 $3
}
+# Helper for upgrade_merge: Return zero true iff the two files differ only
+# in the contents of their RCS tags.
+samef () {
+ X=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $1 | ${SHA256}`
+ Y=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $2 | ${SHA256}`
+
+ if [ $X = $Y ]; then
+ return 0;
+ else
+ return 1;
+ fi
+}
+
# From the list of "old" files in $1, merge changes in $2 with those in $3,
# and update $3 to reflect the hashes of merged files.
upgrade_merge () {
@@ -2323,6 +2382,14 @@ upgrade_merge () {
# Ask the user to handle any files which didn't merge.
while read F; do
+ # If the installed file differs from the version in
+ # the old release only due to RCS tag expansion
+ # then just use the version in the new release.
+ if samef merge/old/${F} merge/${OLDRELNUM}/${F}; then
+ cp merge/${RELNUM}/${F} merge/new/${F}
+ continue
+ fi
+
cat <<-EOF
The following file could not be merged automatically: ${F}
@@ -2337,9 +2404,18 @@ manually...
# Ask the user to confirm that he likes how the result
# of merging files.
while read F; do
- # Skip files which haven't changed.
- if [ -f merge/new/${F} ] &&
- cmp -s merge/old/${F} merge/new/${F}; then
+ # Skip files which haven't changed except possibly
+ # in their RCS tags.
+ if [ -f merge/old/${F} ] && [ -f merge/new/${F} ] &&
+ samef merge/old/${F} merge/new/${F}; then
+ continue
+ fi
+
+ # Skip files where the installed file differs from
+ # the old file only due to RCS tags.
+ if [ -f merge/old/${F} ] &&
+ [ -f merge/${OLDRELNUM}/${F} ] &&
+ samef merge/old/${F} merge/${OLDRELNUM}/${F}; then
continue
fi
@@ -2526,6 +2602,10 @@ upgrade_run () {
# Leave a note behind to tell the "install" command that the kernel
# needs to be installed before the world.
touch ${BDHASH}-install/kernelfirst
+
+ # Remind the user that they need to run "freebsd-update install"
+ # to install the downloaded bits, in case they didn't RTFM.
+ echo "To install the downloaded upgrades, run \"$0 install\"."
}
# Make sure that all the file hashes mentioned in $@ have corresponding
@@ -2577,14 +2657,14 @@ backup_kernel_finddir () {
while true ; do
# Pathname does not exist, so it is OK use that name
# for backup directory.
- if [ ! -e $BACKUPKERNELDIR ]; then
+ if [ ! -e $BASEDIR/$BACKUPKERNELDIR ]; then
return 0
fi
# If directory do exist, we only use if it has our
# marker file.
- if [ -d $BACKUPKERNELDIR -a \
- -e $BACKUPKERNELDIR/.freebsd-update ]; then
+ if [ -d $BASEDIR/$BACKUPKERNELDIR -a \
+ -e $BASEDIR/$BACKUPKERNELDIR/.freebsd-update ]; then
return 0
fi
@@ -2592,7 +2672,7 @@ backup_kernel_finddir () {
# the end and try again.
CNT=$((CNT + 1))
if [ $CNT -gt 9 ]; then
- echo "Could not find valid backup dir ($BACKUPKERNELDIR)"
+ echo "Could not find valid backup dir ($BASEDIR/$BACKUPKERNELDIR)"
exit 1
fi
BACKUPKERNELDIR="`echo $BACKUPKERNELDIR | sed -Ee 's/[0-9]\$//'`"
@@ -2619,17 +2699,17 @@ backup_kernel () {
# Remove old kernel backup files. If $BACKUPKERNELDIR was
# "not ours", backup_kernel_finddir would have exited, so
# deleting the directory content is as safe as we can make it.
- if [ -d $BACKUPKERNELDIR ]; then
- rm -fr $BACKUPKERNELDIR
+ if [ -d $BASEDIR/$BACKUPKERNELDIR ]; then
+ rm -fr $BASEDIR/$BACKUPKERNELDIR
fi
# Create directories for backup.
- mkdir -p $BACKUPKERNELDIR
- mtree -cdn -p "${KERNELDIR}" | \
- mtree -Ue -p "${BACKUPKERNELDIR}" > /dev/null
+ mkdir -p $BASEDIR/$BACKUPKERNELDIR
+ mtree -cdn -p "${BASEDIR}/${KERNELDIR}" | \
+ mtree -Ue -p "${BASEDIR}/${BACKUPKERNELDIR}" > /dev/null
# Mark the directory as having been created by freebsd-update.
- touch $BACKUPKERNELDIR/.freebsd-update
+ touch $BASEDIR/$BACKUPKERNELDIR/.freebsd-update
if [ $? -ne 0 ]; then
echo "Could not create kernel backup directory"
exit 1
@@ -2647,8 +2727,8 @@ backup_kernel () {
fi
# Backup all the kernel files using hardlinks.
- (cd $KERNELDIR && find . -type f $FINDFILTER -exec \
- cp -pl '{}' ${BACKUPKERNELDIR}/'{}' \;)
+ (cd ${BASEDIR}/${KERNELDIR} && find . -type f $FINDFILTER -exec \
+ cp -pl '{}' ${BASEDIR}/${BACKUPKERNELDIR}/'{}' \;)
# Re-enable patchname expansion.
set +f
@@ -2746,7 +2826,7 @@ install_files () {
# Update linker.hints if necessary
if [ -s INDEX-OLD -o -s INDEX-NEW ]; then
- kldxref -R /boot/ 2>/dev/null
+ kldxref -R ${BASEDIR}/boot/ 2>/dev/null
fi
# We've finished updating the kernel.
@@ -2797,14 +2877,14 @@ Kernel updates have been installed. Ple
install_delete INDEX-OLD INDEX-NEW || return 1
# Rebuild /etc/spwd.db and /etc/pwd.db if necessary.
- if [ /etc/master.passwd -nt /etc/spwd.db ] ||
- [ /etc/master.passwd -nt /etc/pwd.db ]; then
- pwd_mkdb /etc/master.passwd
+ if [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/spwd.db ] ||
+ [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/pwd.db ]; then
+ pwd_mkdb -d ${BASEDIR}/etc ${BASEDIR}/etc/master.passwd
fi
# Rebuild /etc/login.conf.db if necessary.
- if [ /etc/login.conf -nt /etc/login.conf.db ]; then
- cap_mkdb /etc/login.conf
+ if [ ${BASEDIR}/etc/login.conf -nt ${BASEDIR}/etc/login.conf.db ]; then
+ cap_mkdb ${BASEDIR}/etc/login.conf
fi
# We've finished installing the world and deleting old files
@@ -3011,21 +3091,8 @@ IDS_compare () {
mv INDEX-NOTMATCHING.tmp INDEX-NOTMATCHING
# Go through the lines and print warnings.
- while read LINE; do
- FPATH=`echo "${LINE}" | cut -f 1 -d '|'`
- TYPE=`echo "${LINE}" | cut -f 2 -d '|'`
- OWNER=`echo "${LINE}" | cut -f 3 -d '|'`
- GROUP=`echo "${LINE}" | cut -f 4 -d '|'`
- PERM=`echo "${LINE}" | cut -f 5 -d '|'`
- HASH=`echo "${LINE}" | cut -f 6 -d '|'`
- LINK=`echo "${LINE}" | cut -f 7 -d '|'`
- P_TYPE=`echo "${LINE}" | cut -f 8 -d '|'`
- P_OWNER=`echo "${LINE}" | cut -f 9 -d '|'`
- P_GROUP=`echo "${LINE}" | cut -f 10 -d '|'`
- P_PERM=`echo "${LINE}" | cut -f 11 -d '|'`
- P_HASH=`echo "${LINE}" | cut -f 12 -d '|'`
- P_LINK=`echo "${LINE}" | cut -f 13 -d '|'`
-
+ local IFS='|'
+ while read FPATH TYPE OWNER GROUP PERM HASH LINK P_TYPE P_OWNER P_GROUP P_PERM P_HASH P_LINK; do
# Warn about different object types.
if ! [ "${TYPE}" = "${P_TYPE}" ]; then
echo -n "${FPATH} is a "
@@ -3153,7 +3220,7 @@ get_params () {
# Fetch command. Make sure that we're being called
# interactively, then run fetch_check_params and fetch_run
cmd_fetch () {
- if [ ! -t 0 ]; then
+ if [ ! -t 0 -a $NOTTYOK -eq 0 ]; then
echo -n "`basename $0` fetch should not "
echo "be run non-interactively."
echo "Run `basename $0` cron instead."

17
share/security/patches/EN-15:04/freebsd-update-8.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAABCgAGBQJVU9dpAAoJEO1n7NZdz2rnLP8QAIxBQd1NKef3YVnFMGuppEoy
Tc9/vhtEZfiI78fvMaLK9uLwKZWLx+JS6HTXNmEWzy6Tg+WX4pYMzGGDxGG2RVSz
C/Ur1bZVqNvcyKPK5+xO94asFVYcrcuYSbxMbjYPUjH5WTrySznPvjCF3E4puGvZ
e+FFTvoQ7bwY/qs5drAYo6nK74/rm4YuESxH/3t056vuhSVj8bM12ADHZ+evOzRE
4DFtxDB+9CdtGmqCfvaF0kJn+6IhwqGsRx1pUvriYdvVYzDa+tJBPDk82P0xphgq
Lsid+fjQl/3q0c8CgNNvDArYQACqZUZtqrDzxIx+UOvCz5FeowIhWypEPy5Je2YK
Qnzj6bd4cwF/WwncXGnZDj4Sybv+EJAF+l4s18B9B4v84/M91Gmq+9JgjJQtWPw7
mI/G7jD3TrYXzzfyIBJJV/6yH/oOwZXZrhHaHHb6s2PuOhEZw5RzG2qXaWhvVQ3p
3X6+zs2okCrzOm9VYDFJIgVJOo8zVjgX+rqH0A/qjhcZK64sr5gh6F0I4LNwE+AV
9DFC9ysIG+Cay28XnEQy0lHpA6MBFWpDZnm/qX4jhIscPGG/3mhLpn7N+L62pgxu
eCAO8wW11w2fcJ575SADcHmQa8rXR/wIbDIx2tmgOFDmJI6MGKj4tU4SUJCm5Blf
GPWANnnxoBwF2Pe/NLCs
=vvQY
-----END PGP SIGNATURE-----

152
share/security/patches/EN-15:04/freebsd-update.patch Normal file
View file

@ -0,0 +1,152 @@
Index: usr.sbin/freebsd-update/freebsd-update.8
===================================================================
--- usr.sbin/freebsd-update/freebsd-update.8 (revision 282245)
+++ usr.sbin/freebsd-update/freebsd-update.8 (working copy)
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 14, 2010
+.Dd March 2, 2015
.Dt FREEBSD-UPDATE 8
.Os FreeBSD
.Sh NAME
@@ -36,10 +36,12 @@
.Op Fl b Ar basedir
.Op Fl d Ar workdir
.Op Fl f Ar conffile
+.Op Fl F
.Op Fl k Ar KEY
.Op Fl r Ar newrelease
.Op Fl s Ar server
.Op Fl t Ar address
+.Op Fl -not-running-from-cron
.Cm command ...
.Sh DESCRIPTION
The
@@ -54,16 +56,16 @@ by the
.Fx
Release Engineering Team, e.g.,
.Fx
-7.3-RELEASE and
+9.3-RELEASE and
.Fx
-8.0-RELEASE, but not
+10.1-RELEASE, but not
.Fx
-6.3-STABLE or
+9.3-STABLE or
.Fx
-9.0-CURRENT.
+11-CURRENT.
.Sh OPTIONS
The following options are supported:
-.Bl -tag -width "-f conffile"
+.Bl -tag -width "-r newrelease"
.It Fl b Ar basedir
Operate on a system mounted at
.Ar basedir .
@@ -81,6 +83,10 @@ Read configuration options from
.Ar conffile .
(default:
.Pa /etc/freebsd-update.conf )
+.It Fl F
+Force
+.Nm Cm fetch
+to proceed where it normally would not, such as an unfinished upgrade
.It Fl k Ar KEY
Trust an RSA key with SHA256 of
.Ar KEY .
@@ -98,12 +104,21 @@ Mail output of
command, if any, to
.Ar address .
(default: root, or as given in the configuration file.)
+.It Fl -not-running-from-cron
+Force
+.Nm Cm fetch
+to proceed when there is no controlling tty.
+This is for use by automated scripts and orchestration tools.
+Please do not run
+.Nm Cm fetch
+from crontab or similar using this flag, see:
+.Nm Cm cron
.El
.Sh COMMANDS
The
.Cm command
can be any one of the following:
-.Bl -tag -width "-f conffile"
+.Bl -tag -width "rollback"
.It Cm fetch
Based on the currently installed world and the configuration
options set, fetch all available binary updates.
Index: usr.sbin/freebsd-update/freebsd-update.sh
===================================================================
--- usr.sbin/freebsd-update/freebsd-update.sh (revision 282245)
+++ usr.sbin/freebsd-update/freebsd-update.sh (working copy)
@@ -43,12 +43,15 @@ Options:
(default: /var/db/freebsd-update/)
-f conffile -- Read configuration options from conffile
(default: /etc/freebsd-update.conf)
+ -F -- Force a fetch operation to proceed
-k KEY -- Trust an RSA key with SHA256 hash of KEY
-r release -- Target for upgrade (e.g., 6.2-RELEASE)
-s server -- Server from which to fetch updates
(default: update.FreeBSD.org)
-t address -- Mail output of cron command, if any, to address
(default: root)
+ --not-running-from-cron
+ -- Run without a tty, for use by automated tools
Commands:
fetch -- Fetch updates from server
cron -- Sleep rand(3600) seconds, fetch updates, and send an
@@ -399,6 +402,12 @@ init_params () {
# No commands specified yet
COMMANDS=""
+
+ # Force fetch to proceed
+ FORCEFETCH=0
+
+ # Run without a TTY
+ NOTTYOK=0
}
# Parse the command line
@@ -411,6 +420,12 @@ parse_cmdline () {
if [ ! -z "${CONFFILE}" ]; then usage; fi
shift; CONFFILE="$1"
;;
+ -F)
+ FORCEFETCH=1
+ ;;
+ --not-running-from-cron)
+ NOTTYOK=1
+ ;;
# Configuration file equivalents
-b)
@@ -665,6 +680,14 @@ fetch_check_params () {
echo "(Did you mean 'upgrade' instead?)"
exit 1
fi
+
+ # Check that we have updates ready to install
+ if [ -f ${BDHASH}-install/kerneldone -a $FORCEFETCH -eq 0 ]; then
+ echo "You have a partially completed upgrade pending"
+ echo "Run '$0 install' first."
+ echo "Run '$0 fetch -F' to proceed anyway."
+ exit 1
+ fi
}
# Perform sanity checks etc. before fetching upgrades.
@@ -3202,7 +3225,7 @@ get_params () {
# Fetch command. Make sure that we're being called
# interactively, then run fetch_check_params and fetch_run
cmd_fetch () {
- if [ ! -t 0 ]; then
+ if [ ! -t 0 -a $NOTTYOK -eq 0 ]; then
echo -n "`basename $0` fetch should not "
echo "be run non-interactively."
echo "Run `basename $0` cron instead."

17
share/security/patches/EN-15:04/freebsd-update.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAABCgAGBQJVU9dqAAoJEO1n7NZdz2rnZggQAKiJ0+2WY1gDvdWDkj0BcIcY
OCig1qDeuZLwDEFfqdqwoEJb7XoYI2tRQu4D/edxe5WAGQNOdIe3cOk/hIvC0Ozi
O/EpsZSf1RBrDBXdIDXc8C3BPeqcr5OYdc/XMZAoW14BTKU8K6ZsZyvoFcEInp5y
Qf0MvMB5QwO4e1LSJEVaT3kNLJuEVdoFzYh6h1e5Tlh7tcnrys9eReKO1SsRIEmp
zmCjfxaAjtftJyw+hxDuid0xkyyi8azPnl3U4JeIMsZE/KIrpAiMTjfnUPznIaai
x6SgIkKQaK7+43mZ92UOqWM3ELHaxWx55aNfX49aDWBIw4SpFqZAkfKt0FPd3Ws1
Qdo06D8861mT9klQUsYNPrLed6cku6T1PA+bY6dBE3HpL0wlzm8PGdbPe3lLTcM9
SP5SMMg8Jwy8oi7foyWeD2cibU5VzZRQEIwcQoI/d0Cayj85Oz6KDEtgwpUYDVL/
sjrRr6ViA8b3qoS7+Ek9nksGUHg5DPOV9sllWZi2JWYn5tR0boRe16Ecb92chylS
VIEz0gwCy46VxAXmrTSa4qUM6uIeoMZXx84b/E8R92KvPXdBGMNhCXoEqEFYertd
prk3LlwUyXbuhkgziBJK6b+zN9ZshL/jY4kjjHCpjd7aNruRnUr9qr43dEJuMOPj
DuwqCaCT3VTyEObhW6Io
=bxKG
-----END PGP SIGNATURE-----

313
share/security/patches/EN-15:05/ufs.patch Normal file
View file

@ -0,0 +1,313 @@
Index: sys/ufs/ffs/ffs_softdep.c
===================================================================
--- sys/ufs/ffs/ffs_softdep.c (revision 282245)
+++ sys/ufs/ffs/ffs_softdep.c (working copy)
@@ -735,9 +735,10 @@ static struct malloc_type *memtype[] = {
static void check_clear_deps(struct mount *);
static void softdep_error(char *, int);
static int softdep_process_worklist(struct mount *, int);
-static int softdep_waitidle(struct mount *);
+static int softdep_waitidle(struct mount *, int);
static void drain_output(struct vnode *);
static struct buf *getdirtybuf(struct buf *, struct rwlock *, int);
+static int check_inodedep_free(struct inodedep *);
static void clear_remove(struct mount *);
static void clear_inodedeps(struct mount *);
static void unlinked_inodedep(struct mount *, struct inodedep *);
@@ -1377,6 +1378,10 @@ softdep_flush(addr)
mp = (struct mount *)addr;
ump = VFSTOUFS(mp);
atomic_add_int(&stat_flush_threads, 1);
+ ACQUIRE_LOCK(ump);
+ ump->softdep_flags &= ~FLUSH_STARTING;
+ wakeup(&ump->softdep_flushtd);
+ FREE_LOCK(ump);
if (print_threads) {
if (stat_flush_threads == 1)
printf("Running %s at pid %d\n", bufdaemonproc->p_comm,
@@ -1389,7 +1394,7 @@ softdep_flush(addr)
VFSTOUFS(mp)->softdep_jblocks->jb_suspended))
kthread_suspend_check();
ACQUIRE_LOCK(ump);
- if ((ump->softdep_flags & FLUSH_CLEANUP) == 0)
+ if ((ump->softdep_flags & (FLUSH_CLEANUP | FLUSH_EXIT)) == 0)
msleep(&ump->softdep_flushtd, LOCK_PTR(ump), PVM,
"sdflush", hz / 2);
ump->softdep_flags &= ~FLUSH_CLEANUP;
@@ -1419,11 +1424,9 @@ worklist_speedup(mp)
ump = VFSTOUFS(mp);
LOCK_OWNED(ump);
- if ((ump->softdep_flags & (FLUSH_CLEANUP | FLUSH_EXIT)) == 0) {
+ if ((ump->softdep_flags & (FLUSH_CLEANUP | FLUSH_EXIT)) == 0)
ump->softdep_flags |= FLUSH_CLEANUP;
- if (ump->softdep_flushtd->td_wchan == &ump->softdep_flushtd)
- wakeup(&ump->softdep_flushtd);
- }
+ wakeup(&ump->softdep_flushtd);
}
static int
@@ -1468,14 +1471,10 @@ softdep_speedup(ump)
TAILQ_INSERT_TAIL(&softdepmounts, sdp, sd_next);
FREE_GBLLOCK(&lk);
if ((altump->softdep_flags &
- (FLUSH_CLEANUP | FLUSH_EXIT)) == 0) {
+ (FLUSH_CLEANUP | FLUSH_EXIT)) == 0)
altump->softdep_flags |= FLUSH_CLEANUP;
- altump->um_softdep->sd_cleanups++;
- if (altump->softdep_flushtd->td_wchan ==
- &altump->softdep_flushtd) {
- wakeup(&altump->softdep_flushtd);
- }
- }
+ altump->um_softdep->sd_cleanups++;
+ wakeup(&altump->softdep_flushtd);
FREE_LOCK(altump);
}
}
@@ -1887,8 +1886,8 @@ softdep_flushworklist(oldmnt, countp, td
struct thread *td;
{
struct vnode *devvp;
- int count, error = 0;
struct ufsmount *ump;
+ int count, error;
/*
* Alternately flush the block device associated with the mount
@@ -1897,6 +1896,7 @@ softdep_flushworklist(oldmnt, countp, td
* are found.
*/
*countp = 0;
+ error = 0;
ump = VFSTOUFS(oldmnt);
devvp = ump->um_devvp;
while ((count = softdep_process_worklist(oldmnt, 1)) > 0) {
@@ -1904,36 +1904,47 @@ softdep_flushworklist(oldmnt, countp, td
vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY);
error = VOP_FSYNC(devvp, MNT_WAIT, td);
VOP_UNLOCK(devvp, 0);
- if (error)
+ if (error != 0)
break;
}
return (error);
}
+#define SU_WAITIDLE_RETRIES 20
static int
-softdep_waitidle(struct mount *mp)
+softdep_waitidle(struct mount *mp, int flags __unused)
{
struct ufsmount *ump;
- int error;
- int i;
+ struct vnode *devvp;
+ struct thread *td;
+ int error, i;
ump = VFSTOUFS(mp);
+ devvp = ump->um_devvp;
+ td = curthread;
+ error = 0;
ACQUIRE_LOCK(ump);
- for (i = 0; i < 10 && ump->softdep_deps; i++) {
+ for (i = 0; i < SU_WAITIDLE_RETRIES && ump->softdep_deps != 0; i++) {
ump->softdep_req = 1;
- if (ump->softdep_on_worklist)
- panic("softdep_waitidle: work added after flush.");
- msleep(&ump->softdep_deps, LOCK_PTR(ump), PVM, "softdeps", 1);
+ KASSERT((flags & FORCECLOSE) == 0 ||
+ ump->softdep_on_worklist == 0,
+ ("softdep_waitidle: work added after flush"));
+ msleep(&ump->softdep_deps, LOCK_PTR(ump), PVM | PDROP,
+ "softdeps", 10 * hz);
+ vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY);
+ error = VOP_FSYNC(devvp, MNT_WAIT, td);
+ VOP_UNLOCK(devvp, 0);
+ if (error != 0)
+ break;
+ ACQUIRE_LOCK(ump);
}
ump->softdep_req = 0;
- FREE_LOCK(ump);
- error = 0;
- if (i == 10) {
+ if (i == SU_WAITIDLE_RETRIES && error == 0 && ump->softdep_deps != 0) {
error = EBUSY;
printf("softdep_waitidle: Failed to flush worklist for %p\n",
mp);
}
-
+ FREE_LOCK(ump);
return (error);
}
@@ -1990,7 +2001,7 @@ retry_flush:
error = EBUSY;
}
if (!error)
- error = softdep_waitidle(oldmnt);
+ error = softdep_waitidle(oldmnt, flags);
if (!error) {
if (oldmnt->mnt_kern_flag & MNTK_UNMOUNT) {
retry = 0;
@@ -2490,9 +2501,18 @@ softdep_mount(devvp, mp, fs, cred)
/*
* Start our flushing thread in the bufdaemon process.
*/
+ ACQUIRE_LOCK(ump);
+ ump->softdep_flags |= FLUSH_STARTING;
+ FREE_LOCK(ump);
kproc_kthread_add(&softdep_flush, mp, &bufdaemonproc,
&ump->softdep_flushtd, 0, 0, "softdepflush", "%s worker",
mp->mnt_stat.f_mntonname);
+ ACQUIRE_LOCK(ump);
+ while ((ump->softdep_flags & FLUSH_STARTING) != 0) {
+ msleep(&ump->softdep_flushtd, LOCK_PTR(ump), PVM, "sdstart",
+ hz / 2);
+ }
+ FREE_LOCK(ump);
/*
* When doing soft updates, the counters in the
* superblock may have gotten out of sync. Recomputation
@@ -7629,17 +7649,13 @@ check_inode_unwritten(inodedep)
return (1);
}
-/*
- * Try to free an inodedep structure. Return 1 if it could be freed.
- */
static int
-free_inodedep(inodedep)
+check_inodedep_free(inodedep)
struct inodedep *inodedep;
{
LOCK_OWNED(VFSTOUFS(inodedep->id_list.wk_mp));
- if ((inodedep->id_state & (ONWORKLIST | UNLINKED)) != 0 ||
- (inodedep->id_state & ALLCOMPLETE) != ALLCOMPLETE ||
+ if ((inodedep->id_state & ALLCOMPLETE) != ALLCOMPLETE ||
!LIST_EMPTY(&inodedep->id_dirremhd) ||
!LIST_EMPTY(&inodedep->id_pendinghd) ||
!LIST_EMPTY(&inodedep->id_bufwait) ||
@@ -7654,6 +7670,21 @@ free_inodedep(inodedep)
inodedep->id_nlinkdelta != 0 ||
inodedep->id_savedino1 != NULL)
return (0);
+ return (1);
+}
+
+/*
+ * Try to free an inodedep structure. Return 1 if it could be freed.
+ */
+static int
+free_inodedep(inodedep)
+ struct inodedep *inodedep;
+{
+
+ LOCK_OWNED(VFSTOUFS(inodedep->id_list.wk_mp));
+ if ((inodedep->id_state & (ONWORKLIST | UNLINKED)) != 0 ||
+ !check_inodedep_free(inodedep))
+ return (0);
if (inodedep->id_state & ONDEPLIST)
LIST_REMOVE(inodedep, id_deps);
LIST_REMOVE(inodedep, id_hash);
@@ -13838,7 +13869,8 @@ softdep_check_suspend(struct mount *mp,
{
struct bufobj *bo;
struct ufsmount *ump;
- int error;
+ struct inodedep *inodedep;
+ int error, unlinked;
bo = &devvp->v_bufobj;
ASSERT_BO_WLOCKED(bo);
@@ -13899,6 +13931,20 @@ softdep_check_suspend(struct mount *mp,
break;
}
+ unlinked = 0;
+ if (MOUNTEDSUJ(mp)) {
+ for (inodedep = TAILQ_FIRST(&ump->softdep_unlinked);
+ inodedep != NULL;
+ inodedep = TAILQ_NEXT(inodedep, id_unlinked)) {
+ if ((inodedep->id_state & (UNLINKED | UNLINKLINKS |
+ UNLINKONLIST)) != (UNLINKED | UNLINKLINKS |
+ UNLINKONLIST) ||
+ !check_inodedep_free(inodedep))
+ continue;
+ unlinked++;
+ }
+ }
+
/*
* Reasons for needing more work before suspend:
* - Dirty buffers on devvp.
@@ -13908,8 +13954,8 @@ softdep_check_suspend(struct mount *mp,
error = 0;
if (bo->bo_numoutput > 0 ||
bo->bo_dirty.bv_cnt > 0 ||
- softdep_depcnt != 0 ||
- ump->softdep_deps != 0 ||
+ softdep_depcnt != unlinked ||
+ ump->softdep_deps != unlinked ||
softdep_accdepcnt != ump->softdep_accdeps ||
secondary_writes != 0 ||
mp->mnt_secondary_writes != 0 ||
Index: sys/ufs/ffs/ffs_vfsops.c
===================================================================
--- sys/ufs/ffs/ffs_vfsops.c (revision 282245)
+++ sys/ufs/ffs/ffs_vfsops.c (working copy)
@@ -1502,8 +1502,11 @@ ffs_sync(mp, waitfor)
if (fs->fs_fmod != 0 && fs->fs_ronly != 0 && ump->um_fsckpid == 0)
panic("%s: ffs_sync: modification on read-only filesystem",
fs->fs_fsmnt);
- if (waitfor == MNT_LAZY)
- return (ffs_sync_lazy(mp));
+ if (waitfor == MNT_LAZY) {
+ if (!rebooting)
+ return (ffs_sync_lazy(mp));
+ waitfor = MNT_NOWAIT;
+ }
/*
* Write back each (modified) inode.
@@ -1560,7 +1563,7 @@ loop:
/*
* Force stale filesystem control information to be flushed.
*/
- if (waitfor == MNT_WAIT) {
+ if (waitfor == MNT_WAIT || rebooting) {
if ((error = softdep_flushworklist(ump->um_mountp, &count, td)))
allerror = error;
/* Flushed work items may create new vnodes to clean */
@@ -1577,9 +1580,12 @@ loop:
if (bo->bo_numoutput > 0 || bo->bo_dirty.bv_cnt > 0) {
BO_UNLOCK(bo);
vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY);
- if ((error = VOP_FSYNC(devvp, waitfor, td)) != 0)
- allerror = error;
+ error = VOP_FSYNC(devvp, waitfor, td);
VOP_UNLOCK(devvp, 0);
+ if (MOUNTEDSOFTDEP(mp) && (error == 0 || error == EAGAIN))
+ error = ffs_sbupdate(ump, waitfor, 0);
+ if (error != 0)
+ allerror = error;
if (allerror == 0 && waitfor == MNT_WAIT)
goto loop;
} else if (suspend != 0) {
Index: sys/ufs/ffs/softdep.h
===================================================================
--- sys/ufs/ffs/softdep.h (revision 282245)
+++ sys/ufs/ffs/softdep.h (working copy)
@@ -1063,6 +1063,8 @@ struct mount_softdeps {
*/
#define FLUSH_EXIT 0x0001 /* time to exit */
#define FLUSH_CLEANUP 0x0002 /* need to clear out softdep structures */
+#define FLUSH_STARTING 0x0004 /* flush thread not yet started */
+
/*
* Keep the old names from when these were in the ufsmount structure.
*/

17
share/security/patches/EN-15:05/ufs.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAABCgAGBQJVU9dqAAoJEO1n7NZdz2rn4AsP/1YMzPQWyU+S2wKQ22VWkD2+
xk/sPNdvX76ADLgT9Ig0BbvotH0fHL2MP/w/1HtWxxlSPBRqz8bnFZC3wMT6olYu
Dg1z7kdg5kQjQkfii0zjZeQxGp5GnsLM9gZHTytX384rc6W6fZ0ty7iQIwQGyix5
8deIafhloJZ5qs4uVDvzAwjDWfqzIEpGRuMnNqv0BYZIEZBALvkOTTMbp3QCxdoF
11Uze730XDYuo0i8fHlvsFdFcorChkvQIC5yNBmi6w03WY09b6LMIQd/c4jq9K+O
at8kOG61a9eLj6+zKhUIDlWamVowTxYglqUE3HnlRnARAU7lIFoFmwl+JIGLmYPk
pz6UlyA6Bw3RWwoKmPYjTzlm2DUMjxHcA/zrbzugMa2bJr2Ia1hFMPk4xy8OVRyB
earApidrkWJfN0R1kXiVNhSHqMSbwWp2Tt8hdd9xzt6bS2+NXbfL0lXOCwXuuf2k
EJKA1+7+Qc5/u82ZgO+OiXTecdUhj861d8u858KqOknRXpVu07U2FQ1zHcvJbrET
mxQ1deIOYTt9GXXSV6TV30+LF+NlwgnW1WGgk9/PZC6BgMSrbU92H6JZHSuB2dyl
TSkgFc8Dgj7LHk/2eIGctUZUFIQ2L0S3+lWjzuZ7cssuFs5dxXpaX8owR46cEZSp
P4ySVF+hVkcbSSeMNDXg
=7cpN
-----END PGP SIGNATURE-----

16
share/xml/notices.xml
View file

@ -7,6 +7,22 @@
<year>
<name>2015</name>
<month>
<name>5</name>
<day>
<name>25</name>
<notice>
<name>FreeBSD-EN-15:05.ufs</name>
</notice>
<notice>
<name>FreeBSD-EN-15:04.freebsd-update</name>
</notice>
</day>
</month>
<month>
<name>2</name>