11.1/releng-p15.diff - freebsd-patches - Rivoreo Source Code Repositories

 Index: UPDATING
 ===================================================================
 --- UPDATING	(版本 338606)
 +++ UPDATING	(版本 338978)
 @@ -16,6 +16,19 @@
  the tip of head, and then rebuild without this option. The bootstrap process
  from older version of current across the gcc/clang cutover is a bit fragile.

 +20180927	p15	FreeBSD-EN-18:09.ip
 +			FreeBSD-EN-18:10.syscall
 +			FreeBSD-EN-18:11.listen
 +			FreeBSD-EN-18:12.mem
 +
 +	Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
 +
 +	Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]
 +
 +	Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]
 +
 +	Fix small kernel memory disclosures. [EN-18:12.mem]
 +
  20180912	p14	FreeBSD-SA-18:12.elf
  			FreeBSD-EN-18:08.lazyfpu

 Index: sys/conf/newvers.sh
 ===================================================================
 --- sys/conf/newvers.sh	(版本 338606)
 +++ sys/conf/newvers.sh	(版本 338978)
 @@ -44,7 +44,7 @@

  TYPE="FreeBSD"
  REVISION="11.1"
 -BRANCH="RELEASE-p14"
 +BRANCH="RELEASE-p15"
  if [ -n "${BRANCH_OVERRIDE}" ]; then
  	BRANCH=${BRANCH_OVERRIDE}
  fi
 Index: sys/netinet6/frag6.c
 ===================================================================
 --- sys/netinet6/frag6.c	(版本 338606)
 +++ sys/netinet6/frag6.c	(版本 338978)
 @@ -216,7 +216,9 @@
  	int offset = *offp, nxt, i, next;
  	int first_frag = 0;
  	int fragoff, frgpartlen;	/* must be larger than u_int16_t */
 -	uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
 +	uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
 +		    sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
 +	uint32_t hash, *hashkeyp;
  	struct ifnet *dstifp;
  	u_int8_t ecn, ecn0;
  #ifdef RSS
 Index: sys/amd64/amd64/fpu.c
 ===================================================================
 --- sys/amd64/amd64/fpu.c	(版本 338606)
 +++ sys/amd64/amd64/fpu.c	(版本 338978)
 @@ -743,6 +743,7 @@
  	int max_ext_n, i, owned;

  	pcb = td->td_pcb;
 +	critical_enter();
  	if ((pcb->pcb_flags & PCB_USERFPUINITDONE) == 0) {
  		bcopy(fpu_initialstate, get_pcb_user_save_pcb(pcb),
  		    cpu_max_ext_state_size);
 @@ -749,9 +750,9 @@
  		get_pcb_user_save_pcb(pcb)->sv_env.en_cw =
  		    pcb->pcb_initial_fpucw;
  		fpuuserinited(td);
 +		critical_exit();
  		return (_MC_FPOWNED_PCB);
  	}
 -	critical_enter();
  	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
  		fpusave(get_pcb_user_save_pcb(pcb));
  		owned = _MC_FPOWNED_FPU;
 @@ -758,7 +759,6 @@
  	} else {
  		owned = _MC_FPOWNED_PCB;
  	}
 -	critical_exit();
  	if (use_xsave) {
  		/*
  		 * Handle partially saved state.
 @@ -778,6 +778,7 @@
  			*xstate_bv |= bit;
  		}
  	}
 +	critical_exit();
  	return (owned);
  }

 @@ -786,6 +787,7 @@
  {
  	struct pcb *pcb;

 +	CRITICAL_ASSERT(td);
  	pcb = td->td_pcb;
  	if (PCB_USER_FPU(pcb))
  		set_pcb_flags(pcb,
 @@ -843,26 +845,25 @@
  	int error;

  	pcb = td->td_pcb;
 +	error = 0;
  	critical_enter();
  	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
  		error = fpusetxstate(td, xfpustate, xfpustate_size);
 -		if (error != 0) {
 -			critical_exit();
 -			return (error);
 +		if (error == 0) {
 +			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 +			fpurestore(get_pcb_user_save_td(td));
 +			set_pcb_flags(pcb, PCB_FPUINITDONE |
 +			    PCB_USERFPUINITDONE);
  		}
 -		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 -		fpurestore(get_pcb_user_save_td(td));
 -		critical_exit();
 -		set_pcb_flags(pcb, PCB_FPUINITDONE | PCB_USERFPUINITDONE);
  	} else {
 -		critical_exit();
  		error = fpusetxstate(td, xfpustate, xfpustate_size);
 -		if (error != 0)
 -			return (error);
 -		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 -		fpuuserinited(td);
 +		if (error == 0) {
 +			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 +			fpuuserinited(td);
 +		}
  	}
 -	return (0);
 +	critical_exit();
 +	return (error);
  }

  /*
 @@ -1035,6 +1036,7 @@
  		ctx->flags = FPU_KERN_CTX_DUMMY | FPU_KERN_CTX_INUSE;
  		return (0);
  	}
 +	critical_enter();
  	KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
  	    get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
  	ctx->flags = FPU_KERN_CTX_INUSE;
 @@ -1045,6 +1047,7 @@
  	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
  	set_pcb_flags(pcb, PCB_KERNFPU);
  	clear_pcb_flags(pcb, PCB_FPUINITDONE);
 +	critical_exit();
  	return (0);
  }

 @@ -1063,7 +1066,6 @@

  		clear_pcb_flags(pcb,  PCB_FPUNOSAVE | PCB_FPUINITDONE);
  		start_emulating();
 -		critical_exit();
  	} else {
  		KASSERT((ctx->flags & FPU_KERN_CTX_INUSE) != 0,
  		    ("leaving not inuse ctx"));
 @@ -1077,7 +1079,6 @@
  		critical_enter();
  		if (curthread == PCPU_GET(fpcurthread))
  			fpudrop();
 -		critical_exit();
  		pcb->pcb_save = ctx->prev;
  	}

 @@ -1094,6 +1095,7 @@
  			clear_pcb_flags(pcb, PCB_FPUINITDONE);
  		KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
  	}
 +	critical_exit();
  	return (0);
  }

 Index: sys/amd64/amd64/machdep.c
 ===================================================================
 --- sys/amd64/amd64/machdep.c	(版本 338606)
 +++ sys/amd64/amd64/machdep.c	(版本 338978)
 @@ -2148,8 +2148,10 @@
  set_fpregs(struct thread *td, struct fpreg *fpregs)
  {

 +	critical_enter();
  	set_fpregs_xmm(fpregs, get_pcb_user_save_td(td));
  	fpuuserinited(td);
 +	critical_exit();
  	return (0);
  }

 Index: sys/i386/i386/machdep.c
 ===================================================================
 --- sys/i386/i386/machdep.c	(版本 338606)
 +++ sys/i386/i386/machdep.c	(版本 338978)
 @@ -2998,6 +2998,7 @@
  set_fpregs(struct thread *td, struct fpreg *fpregs)
  {

 +	critical_enter();
  	if (cpu_fxsr)
  		npx_set_fpregs_xmm((struct save87 *)fpregs,
  		    &get_pcb_user_save_td(td)->sv_xmm);
 @@ -3005,6 +3006,7 @@
  		bcopy(fpregs, &get_pcb_user_save_td(td)->sv_87,
  		    sizeof(*fpregs));
  	npxuserinited(td);
 +	critical_exit();
  	return (0);
  }

 Index: sys/i386/isa/npx.c
 ===================================================================
 --- sys/i386/isa/npx.c	(版本 338606)
 +++ sys/i386/isa/npx.c	(版本 338978)
 @@ -974,14 +974,15 @@
  		return (_MC_FPOWNED_NONE);

  	pcb = td->td_pcb;
 +	critical_enter();
  	if ((pcb->pcb_flags & PCB_NPXINITDONE) == 0) {
  		bcopy(npx_initialstate, get_pcb_user_save_pcb(pcb),
  		    cpu_max_ext_state_size);
  		SET_FPU_CW(get_pcb_user_save_pcb(pcb), pcb->pcb_initial_npxcw);
  		npxuserinited(td);
 +		critical_exit();
  		return (_MC_FPOWNED_PCB);
  	}
 -	critical_enter();
  	if (td == PCPU_GET(fpcurthread)) {
  		fpusave(get_pcb_user_save_pcb(pcb));
  		if (!cpu_fxsr)
 @@ -995,7 +996,6 @@
  	} else {
  		owned = _MC_FPOWNED_PCB;
  	}
 -	critical_exit();
  	if (use_xsave) {
  		/*
  		 * Handle partially saved state.
 @@ -1018,6 +1018,7 @@
  			*xstate_bv |= bit;
  		}
  	}
 +	critical_exit();
  	return (owned);
  }

 @@ -1026,6 +1027,7 @@
  {
  	struct pcb *pcb;

 +	CRITICAL_ASSERT(td);
  	pcb = td->td_pcb;
  	if (PCB_USER_FPU(pcb))
  		pcb->pcb_flags |= PCB_NPXINITDONE;
 @@ -1081,28 +1083,26 @@
  		return (ENXIO);

  	pcb = td->td_pcb;
 +	error = 0;
  	critical_enter();
  	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
  		error = npxsetxstate(td, xfpustate, xfpustate_size);
 -		if (error != 0) {
 -			critical_exit();
 -			return (error);
 +		if (error == 0) {
 +			if (!cpu_fxsr)
 +				fnclex();	/* As in npxdrop(). */
 +			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 +			fpurstor(get_pcb_user_save_td(td));
 +			pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
  		}
 -		if (!cpu_fxsr)
 -			fnclex();	/* As in npxdrop(). */
 -		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 -		fpurstor(get_pcb_user_save_td(td));
 -		critical_exit();
 -		pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
  	} else {
 -		critical_exit();
  		error = npxsetxstate(td, xfpustate, xfpustate_size);
 -		if (error != 0)
 -			return (error);
 -		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 -		npxuserinited(td);
 +		if (error == 0) {
 +			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
 +			npxuserinited(td);
 +		}
  	}
 -	return (0);
 +	critical_exit();
 +	return (error);
  }

  static void
 @@ -1371,6 +1371,7 @@
  		return (0);
  	}
  	pcb = td->td_pcb;
 +	critical_enter();
  	KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
  	    get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
  	ctx->flags = FPU_KERN_CTX_INUSE;
 @@ -1381,6 +1382,7 @@
  	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
  	pcb->pcb_flags |= PCB_KERNNPX;
  	pcb->pcb_flags &= ~PCB_NPXINITDONE;
 +	critical_exit();
  	return (0);
  }

 @@ -1399,7 +1401,6 @@
  	critical_enter();
  	if (curthread == PCPU_GET(fpcurthread))
  		npxdrop();
 -	critical_exit();
  	pcb->pcb_save = ctx->prev;
  	if (pcb->pcb_save == get_pcb_user_save_pcb(pcb)) {
  		if ((pcb->pcb_flags & PCB_NPXUSERINITDONE) != 0)
 @@ -1414,6 +1415,7 @@
  			pcb->pcb_flags &= ~PCB_NPXINITDONE;
  		KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
  	}
 +	critical_exit();
  	return (0);
  }
	Index: UPDATING
	===================================================================
	--- UPDATING (版本 338606)
	+++ UPDATING (版本 338978)
	@@ -16,6 +16,19 @@
	the tip of head, and then rebuild without this option. The bootstrap process
	from older version of current across the gcc/clang cutover is a bit fragile.

	+20180927 p15 FreeBSD-EN-18:09.ip
	+ FreeBSD-EN-18:10.syscall
	+ FreeBSD-EN-18:11.listen
	+ FreeBSD-EN-18:12.mem
	+
	+ Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
	+
	+ Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]
	+
	+ Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]
	+
	+ Fix small kernel memory disclosures. [EN-18:12.mem]
	+
	20180912 p14 FreeBSD-SA-18:12.elf
	FreeBSD-EN-18:08.lazyfpu

	Index: sys/conf/newvers.sh
	===================================================================
	--- sys/conf/newvers.sh (版本 338606)
	+++ sys/conf/newvers.sh (版本 338978)
	@@ -44,7 +44,7 @@

	TYPE="FreeBSD"
	REVISION="11.1"
	-BRANCH="RELEASE-p14"
	+BRANCH="RELEASE-p15"
	if [ -n "${BRANCH_OVERRIDE}" ]; then
	BRANCH=${BRANCH_OVERRIDE}
	fi
	Index: sys/netinet6/frag6.c
	===================================================================
	--- sys/netinet6/frag6.c (版本 338606)
	+++ sys/netinet6/frag6.c (版本 338978)
	@@ -216,7 +216,9 @@
	int offset = *offp, nxt, i, next;
	int first_frag = 0;
	int fragoff, frgpartlen; /* must be larger than u_int16_t */
	- uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
	+ uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
	+ sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
	+ uint32_t hash, *hashkeyp;
	struct ifnet *dstifp;
	u_int8_t ecn, ecn0;
	#ifdef RSS
	Index: sys/amd64/amd64/fpu.c
	===================================================================
	--- sys/amd64/amd64/fpu.c (版本 338606)
	+++ sys/amd64/amd64/fpu.c (版本 338978)
	@@ -743,6 +743,7 @@
	int max_ext_n, i, owned;

	pcb = td->td_pcb;
	+ critical_enter();
	if ((pcb->pcb_flags & PCB_USERFPUINITDONE) == 0) {
	bcopy(fpu_initialstate, get_pcb_user_save_pcb(pcb),
	cpu_max_ext_state_size);
	@@ -749,9 +750,9 @@
	get_pcb_user_save_pcb(pcb)->sv_env.en_cw =
	pcb->pcb_initial_fpucw;
	fpuuserinited(td);
	+ critical_exit();
	return (_MC_FPOWNED_PCB);
	}
	- critical_enter();
	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
	fpusave(get_pcb_user_save_pcb(pcb));
	owned = _MC_FPOWNED_FPU;
	@@ -758,7 +759,6 @@
	} else {
	owned = _MC_FPOWNED_PCB;
	}
	- critical_exit();
	if (use_xsave) {
	/*
	* Handle partially saved state.
	@@ -778,6 +778,7 @@
	*xstate_bv \|= bit;
	}
	}
	+ critical_exit();
	return (owned);
	}

	@@ -786,6 +787,7 @@
	{
	struct pcb *pcb;

	+ CRITICAL_ASSERT(td);
	pcb = td->td_pcb;
	if (PCB_USER_FPU(pcb))
	set_pcb_flags(pcb,
	@@ -843,26 +845,25 @@
	int error;

	pcb = td->td_pcb;
	+ error = 0;
	critical_enter();
	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
	error = fpusetxstate(td, xfpustate, xfpustate_size);
	- if (error != 0) {
	- critical_exit();
	- return (error);
	+ if (error == 0) {
	+ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	+ fpurestore(get_pcb_user_save_td(td));
	+ set_pcb_flags(pcb, PCB_FPUINITDONE \|
	+ PCB_USERFPUINITDONE);
	}
	- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	- fpurestore(get_pcb_user_save_td(td));
	- critical_exit();
	- set_pcb_flags(pcb, PCB_FPUINITDONE \| PCB_USERFPUINITDONE);
	} else {
	- critical_exit();
	error = fpusetxstate(td, xfpustate, xfpustate_size);
	- if (error != 0)
	- return (error);
	- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	- fpuuserinited(td);
	+ if (error == 0) {
	+ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	+ fpuuserinited(td);
	+ }
	}
	- return (0);
	+ critical_exit();
	+ return (error);
	}

	/*
	@@ -1035,6 +1036,7 @@
	ctx->flags = FPU_KERN_CTX_DUMMY \| FPU_KERN_CTX_INUSE;
	return (0);
	}
	+ critical_enter();
	KASSERT(!PCB_USER_FPU(pcb) \|\| pcb->pcb_save ==
	get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
	ctx->flags = FPU_KERN_CTX_INUSE;
	@@ -1045,6 +1047,7 @@
	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
	set_pcb_flags(pcb, PCB_KERNFPU);
	clear_pcb_flags(pcb, PCB_FPUINITDONE);
	+ critical_exit();
	return (0);
	}

	@@ -1063,7 +1066,6 @@

	clear_pcb_flags(pcb, PCB_FPUNOSAVE \| PCB_FPUINITDONE);
	start_emulating();
	- critical_exit();
	} else {
	KASSERT((ctx->flags & FPU_KERN_CTX_INUSE) != 0,
	("leaving not inuse ctx"));
	@@ -1077,7 +1079,6 @@
	critical_enter();
	if (curthread == PCPU_GET(fpcurthread))
	fpudrop();
	- critical_exit();
	pcb->pcb_save = ctx->prev;
	}

	@@ -1094,6 +1095,7 @@
	clear_pcb_flags(pcb, PCB_FPUINITDONE);
	KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
	}
	+ critical_exit();
	return (0);
	}

	Index: sys/amd64/amd64/machdep.c
	===================================================================
	--- sys/amd64/amd64/machdep.c (版本 338606)
	+++ sys/amd64/amd64/machdep.c (版本 338978)
	@@ -2148,8 +2148,10 @@
	set_fpregs(struct thread td, struct fpreg fpregs)
	{

	+ critical_enter();
	set_fpregs_xmm(fpregs, get_pcb_user_save_td(td));
	fpuuserinited(td);
	+ critical_exit();
	return (0);
	}

	Index: sys/i386/i386/machdep.c
	===================================================================
	--- sys/i386/i386/machdep.c (版本 338606)
	+++ sys/i386/i386/machdep.c (版本 338978)
	@@ -2998,6 +2998,7 @@
	set_fpregs(struct thread td, struct fpreg fpregs)
	{

	+ critical_enter();
	if (cpu_fxsr)
	npx_set_fpregs_xmm((struct save87 *)fpregs,
	&get_pcb_user_save_td(td)->sv_xmm);
	@@ -3005,6 +3006,7 @@
	bcopy(fpregs, &get_pcb_user_save_td(td)->sv_87,
	sizeof(*fpregs));
	npxuserinited(td);
	+ critical_exit();
	return (0);
	}

	Index: sys/i386/isa/npx.c
	===================================================================
	--- sys/i386/isa/npx.c (版本 338606)
	+++ sys/i386/isa/npx.c (版本 338978)
	@@ -974,14 +974,15 @@
	return (_MC_FPOWNED_NONE);

	pcb = td->td_pcb;
	+ critical_enter();
	if ((pcb->pcb_flags & PCB_NPXINITDONE) == 0) {
	bcopy(npx_initialstate, get_pcb_user_save_pcb(pcb),
	cpu_max_ext_state_size);
	SET_FPU_CW(get_pcb_user_save_pcb(pcb), pcb->pcb_initial_npxcw);
	npxuserinited(td);
	+ critical_exit();
	return (_MC_FPOWNED_PCB);
	}
	- critical_enter();
	if (td == PCPU_GET(fpcurthread)) {
	fpusave(get_pcb_user_save_pcb(pcb));
	if (!cpu_fxsr)
	@@ -995,7 +996,6 @@
	} else {
	owned = _MC_FPOWNED_PCB;
	}
	- critical_exit();
	if (use_xsave) {
	/*
	* Handle partially saved state.
	@@ -1018,6 +1018,7 @@
	*xstate_bv \|= bit;
	}
	}
	+ critical_exit();
	return (owned);
	}

	@@ -1026,6 +1027,7 @@
	{
	struct pcb *pcb;

	+ CRITICAL_ASSERT(td);
	pcb = td->td_pcb;
	if (PCB_USER_FPU(pcb))
	pcb->pcb_flags \|= PCB_NPXINITDONE;
	@@ -1081,28 +1083,26 @@
	return (ENXIO);

	pcb = td->td_pcb;
	+ error = 0;
	critical_enter();
	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
	error = npxsetxstate(td, xfpustate, xfpustate_size);
	- if (error != 0) {
	- critical_exit();
	- return (error);
	+ if (error == 0) {
	+ if (!cpu_fxsr)
	+ fnclex(); /* As in npxdrop(). */
	+ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	+ fpurstor(get_pcb_user_save_td(td));
	+ pcb->pcb_flags \|= PCB_NPXUSERINITDONE \| PCB_NPXINITDONE;
	}
	- if (!cpu_fxsr)
	- fnclex(); /* As in npxdrop(). */
	- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	- fpurstor(get_pcb_user_save_td(td));
	- critical_exit();
	- pcb->pcb_flags \|= PCB_NPXUSERINITDONE \| PCB_NPXINITDONE;
	} else {
	- critical_exit();
	error = npxsetxstate(td, xfpustate, xfpustate_size);
	- if (error != 0)
	- return (error);
	- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	- npxuserinited(td);
	+ if (error == 0) {
	+ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
	+ npxuserinited(td);
	+ }
	}
	- return (0);
	+ critical_exit();
	+ return (error);
	}

	static void
	@@ -1371,6 +1371,7 @@
	return (0);
	}
	pcb = td->td_pcb;
	+ critical_enter();
	KASSERT(!PCB_USER_FPU(pcb) \|\| pcb->pcb_save ==
	get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
	ctx->flags = FPU_KERN_CTX_INUSE;
	@@ -1381,6 +1382,7 @@
	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
	pcb->pcb_flags \|= PCB_KERNNPX;
	pcb->pcb_flags &= ~PCB_NPXINITDONE;
	+ critical_exit();
	return (0);
	}

	@@ -1399,7 +1401,6 @@
	critical_enter();
	if (curthread == PCPU_GET(fpcurthread))
	npxdrop();
	- critical_exit();
	pcb->pcb_save = ctx->prev;
	if (pcb->pcb_save == get_pcb_user_save_pcb(pcb)) {
	if ((pcb->pcb_flags & PCB_NPXUSERINITDONE) != 0)
	@@ -1414,6 +1415,7 @@
	pcb->pcb_flags &= ~PCB_NPXINITDONE;
	KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
	}
	+ critical_exit();
	return (0);
	}