From: Mark Johnston
Date: Tue, 9 Aug 2016 11:29:56 -0700
To: Oliver Pinter
Cc: "src-committers@freebsd.org", "svn-src-all@freebsd.org", "svn-src-head@freebsd.org", Bryan Drewery
Subject: Re: svn commit: r303855 - in head/sys: kern sys

On Tue, Aug 09, 2016 at 01:51:35AM +0200, Oliver Pinter wrote:
> (Added bdrewery to CC, since I'm talking with him on IRC.)
>
> On Tue, Aug 9, 2016 at 1:43 AM, Mark Johnston wrote:
> > On Tue, Aug 09, 2016 at 12:53:47AM +0200, Oliver Pinter wrote:
> >> Hi!
> >>
> >> Can you please MFC back this change to 10-STABLE together with the
> >> following: https://github.com/HardenedBSD/hardenedBSD/commit/576619e564618bca3675db57580d8e1f76bd2ac7
> >>
> >> This issue still exists on 10-STABLE, as you can test with the
> >> linked program from phabricator:
> >> https://people.freebsd.org/~mjg/reproducers/unp-gc-panic.c
> >
> > Hm, I don't think this could be MFCed directly. It changes the kernel
> > ABI by modifying the argument of dom_dispose(). This could be fixed in
> > stable/10 with a hack to call the unix domain socket code directly when
> > appropriate, which I think is preferable to the current state of things.
> > I'll look into it further.
>
> The question is how much external / out of tree components would use
> this ABI or how acceptable it is to break this ABI.
> I just grepped through the src tree for internal uses, and I found only these:

I don't think it's acceptable. This could be side-stepped with a hack:

	if (pr->pr_domain->dom_family == AF_LOCAL)
		unp_dispose_wrapper(so);
	else if (pr->pr_flags & PR_RIGHTS && pr->pr_domain->dom_dispose != NULL)
		(*pr->pr_domain->dom_dispose)(so->so_rcv.sb_mb);
	...

So I'm inclined to just do that and avoid the issue.
>
> op@opn hardenedBSD.git> git grep dom_dispose
> share/doc/smm/18.net/6.t: int (*dom_dispose)(); /* dispose of internalized rights */
> share/man/man9/domain.9: void (*dom_dispose) /* dispose of internalized rights */
> sys/kern/uipc_debug.c: db_printf("dom_dispose: %p\n", d->dom_dispose);
> sys/kern/uipc_socket.c: if (pr->pr_flags & PR_RIGHTS && pr->pr_domain->dom_dispose != NULL)
> sys/kern/uipc_socket.c: (*pr->pr_domain->dom_dispose)(so);
> sys/kern/uipc_socket.c: * dom_dispose() and sbrelease_internal() are an inlining of what was
> sys/kern/uipc_socket.c: * In order to avoid calling dom_dispose with the socket buffer mutex
> sys/kern/uipc_socket.c: if (pr->pr_flags & PR_RIGHTS && pr->pr_domain->dom_dispose != NULL)
> sys/kern/uipc_socket.c: (*pr->pr_domain->dom_dispose)(&aso);
> sys/kern/uipc_usrreq.c: .dom_dispose = unp_dispose_so,
> sys/sys/domain.h: void (*dom_dispose) /* dispose of internalized rights */
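The stable/10 workaround sketched in the reply above, as an added user-space model (not FreeBSD code and not part of the original message). It shows that a handler built against the old mbuf-based dom_dispose() signature still receives an mbuf chain while the AF_LOCAL path receives the socket. The struct definitions, the MODEL_* constants, legacy_dispose, dispose_rights and run_model are simplified stand-ins assumed for illustration; unp_dispose_wrapper is the name used in the reply.

```c
/* User-space model of the stable/10 dispatch; every type is a simplified
 * stand-in, not the FreeBSD kernel definition. */
#include <stddef.h>
enum { MODEL_AF_LOCAL = 1, MODEL_AF_OTHER = 2 };  /* stand-in family ids */
#define MODEL_PR_RIGHTS 0x10                       /* stand-in for PR_RIGHTS */

struct mbuf    { int unused; };
struct sockbuf { struct mbuf *sb_mb; };
struct domain {
	int   dom_family;
	void (*dom_dispose)(struct mbuf *);   /* old signature, ABI unchanged */
};
struct protosw { int pr_flags; struct domain *pr_domain; };
struct socket  { struct protosw *so_proto; struct sockbuf so_rcv; };

static struct socket *got_so;   /* argument seen by the AF_LOCAL path */
static struct mbuf   *got_mb;   /* argument seen by the old-ABI path */

/* Unix-domain path: gets the socket itself, not just its mbuf chain. */
static void unp_dispose_wrapper(struct socket *so) { got_so = so; }

/* Handler built against the old mbuf-based signature (out-of-tree style). */
static void legacy_dispose(struct mbuf *m) { got_mb = m; }

/* Dispatch from the reply: special-case AF_LOCAL, keep the old call. */
static void dispose_rights(struct socket *so)
{
	struct protosw *pr = so->so_proto;
	if (pr->pr_domain->dom_family == MODEL_AF_LOCAL)
		unp_dispose_wrapper(so);
	else if ((pr->pr_flags & MODEL_PR_RIGHTS) != 0 &&
	    pr->pr_domain->dom_dispose != NULL)
		(*pr->pr_domain->dom_dispose)(so->so_rcv.sb_mb);
}

/* Returns 1 when each constructed socket reached the expected handler. */
static int run_model(void)
{
	struct mbuf m1 = { 0 }, m2 = { 0 };
	struct domain local = { MODEL_AF_LOCAL, NULL }, other = { MODEL_AF_OTHER, legacy_dispose };
	struct protosw lp = { MODEL_PR_RIGHTS, &local }, op = { MODEL_PR_RIGHTS, &other };
	struct socket s1 = { &lp, { &m1 } }, s2 = { &op, { &m2 } };
	got_so = NULL; got_mb = NULL;
	dispose_rights(&s1);
	dispose_rights(&s2);
	return got_so == &s1 && got_mb == &m2;
}

int main(void) { return run_model() ? 0 : 1; }
```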