CVS commit: [netbsd-6] src/sys/arch/sparc64/conf
Module Name:src Committed By: martin Date: Thu Jun 7 18:01:51 UTC 2018 Modified Files: src/sys/arch/sparc64/conf [netbsd-6]: GENERIC32 NONPLUS Log Message: Fix fallout from ticket #1500: COMPAT_SVR4* has been disabled, do not disable it here again. To generate a diff of this commit: cvs rdiff -u -r1.140 -r1.140.102.1 src/sys/arch/sparc64/conf/GENERIC32 cvs rdiff -u -r1.58 -r1.58.102.1 src/sys/arch/sparc64/conf/NONPLUS Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/conf/GENERIC32 diff -u src/sys/arch/sparc64/conf/GENERIC32:1.140 src/sys/arch/sparc64/conf/GENERIC32:1.140.102.1 --- src/sys/arch/sparc64/conf/GENERIC32:1.140 Fri Jun 30 10:27:48 2006 +++ src/sys/arch/sparc64/conf/GENERIC32 Thu Jun 7 18:01:51 2018 @@ -1,13 +1,13 @@ -# $NetBSD: GENERIC32,v 1.140 2006/06/30 10:27:48 tsutsui Exp $ +# $NetBSD: GENERIC32,v 1.140.102.1 2018/06/07 18:01:51 martin Exp $ # # GENERIC machine description file for 32-bit kernel # include "arch/sparc64/conf/GENERIC" -#ident "GENERIC32-$Revision: 1.140 $" +#ident "GENERIC32-$Revision: 1.140.102.1 $" include "arch/sparc64/conf/std.sparc64-32" no options COMPAT_NETBSD32 -no options COMPAT_SVR4_32 +#no options COMPAT_SVR4_32 Index: src/sys/arch/sparc64/conf/NONPLUS diff -u src/sys/arch/sparc64/conf/NONPLUS:1.58 src/sys/arch/sparc64/conf/NONPLUS:1.58.102.1 --- src/sys/arch/sparc64/conf/NONPLUS:1.58 Fri Jun 30 10:27:48 2006 +++ src/sys/arch/sparc64/conf/NONPLUS Thu Jun 7 18:01:51 2018 
@@ -1,9 +1,9 @@ -# $NetBSD: NONPLUS,v 1.58 2006/06/30 10:27:48 tsutsui Exp $ +# $NetBSD: NONPLUS,v 1.58.102.1 2018/06/07 18:01:51 martin Exp $ include "arch/sparc64/conf/NONPLUS64" include "arch/sparc64/conf/std.sparc64-32" -#ident "NONPLUS-$Revision: 1.58 $" +#ident "NONPLUS-$Revision: 1.58.102.1 $" no options COMPAT_NETBSD32 # NetBSD/sparc binary compatibility -no options COMPAT_SVR4_32 # 32-bit SVR4 binaries +#no options COMPAT_SVR4_32 # 32-bit SVR4 binaries
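Review bot: the two `#no options COMPAT_SVR4_32` lines are left in GENERIC32 and NONPLUS as bare comments with nothing saying why; since the parent configs (GENERIC and NONPLUS64, ticket #1500) no longer enable COMPAT_SVR4_32, either delete the lines or add a one-line comment such as `# COMPAT_SVR4_32 is no longer enabled in GENERIC` so that nobody uncomments them and reintroduces the config(1) error this commit is working around.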
CVS commit: [netbsd-6] src/sys
Module Name: src
Committed By: martin
Date: Tue May 22 14:38:20 UTC 2018

Modified Files:
src/sys/arch/amiga/conf [netbsd-6]: DRACO GENERIC GENERIC.in
src/sys/arch/hp300/conf [netbsd-6]: GENERIC
src/sys/arch/i386/conf [netbsd-6]: GENERIC XEN3_DOM0 XEN3_DOMU
src/sys/arch/sparc/conf [netbsd-6]: BILL-THE-CAT GENERIC KRUPS MRCOFFEE TADPOLE3GX
src/sys/arch/sparc64/conf [netbsd-6]: GENERIC NONPLUS64
src/sys/kern [netbsd-6]: kern_exec.c

Log Message:
Apply patch requested by maxv in ticket #1500:
* disable compat_svr4 and compat_svr4_32 everywhere
* disable compat_ibcs2 everywhere but on Vax
* remove the svr4/svr4_32/ibcs2/freebsd entries from the autoload list

To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.154.2.1 src/sys/arch/amiga/conf/DRACO
cvs rdiff -u -r1.284 -r1.284.2.1 src/sys/arch/amiga/conf/GENERIC
cvs rdiff -u -r1.96 -r1.96.2.1 src/sys/arch/amiga/conf/GENERIC.in
cvs rdiff -u -r1.169.2.1 -r1.169.2.2 src/sys/arch/hp300/conf/GENERIC
cvs rdiff -u -r1.1066.2.8 -r1.1066.2.9 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r1.60.2.7 -r1.60.2.8 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.41.2.2 -r1.41.2.3 src/sys/arch/i386/conf/XEN3_DOMU
cvs rdiff -u -r1.51 -r1.51.4.1 src/sys/arch/sparc/conf/BILL-THE-CAT
cvs rdiff -u -r1.230 -r1.230.2.1 src/sys/arch/sparc/conf/GENERIC
cvs rdiff -u -r1.56.4.1 -r1.56.4.2 src/sys/arch/sparc/conf/KRUPS
cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc/conf/MRCOFFEE
cvs rdiff -u -r1.54.4.1 -r1.54.4.2 src/sys/arch/sparc/conf/TADPOLE3GX
cvs rdiff -u -r1.148.2.2 -r1.148.2.3 src/sys/arch/sparc64/conf/GENERIC
cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc64/conf/NONPLUS64
cvs rdiff -u -r1.339.2.10 -r1.339.2.11 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/arch/amiga/conf/DRACO diff -u src/sys/arch/amiga/conf/DRACO:1.154 src/sys/arch/amiga/conf/DRACO:1.154.2.1 --- src/sys/arch/amiga/conf/DRACO:1.154 Tue Jan 24 00:19:39 2012 +++ src/sys/arch/amiga/conf/DRACO Tue May 22 14:38:20 2018 @@ -1,4 +1,4 @@ -# $NetBSD: DRACO,v 1.154 2012/01/24 00:19:39 rkujawa Exp $ +# $NetBSD: DRACO,v 1.154.2.1 2018/05/22 14:38:20 martin Exp $ # # This file was automatically created. # Changes will be lost when make is run in this directory. @@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.154 $" +#ident "GENERIC-$Revision: 1.154.2.1 $" maxusers 8 @@ -143,7 +143,7 @@ options COMPAT_30 # NetBSD 3.0 compatib options COMPAT_40 # NetBSD 4.0 compatibility. options COMPAT_50 # NetBSD 5.0 compatibility. options COMPAT_SUNOS # Support to run Sun (m68k) executables -options COMPAT_SVR4 # Support to run SVR4 (m68k) executables +#options COMPAT_SVR4 # Support to run SVR4 (m68k) executables options COMPAT_NOMID # allow nonvalid machine id executables #options COMPAT_LINUX # Support to run Linux/m68k executables Index: src/sys/arch/amiga/conf/GENERIC diff -u src/sys/arch/amiga/conf/GENERIC:1.284 src/sys/arch/amiga/conf/GENERIC:1.284.2.1 --- src/sys/arch/amiga/conf/GENERIC:1.284 Tue Jan 24 00:19:39 2012 +++ src/sys/arch/amiga/conf/GENERIC Tue May 22 14:38:20 2018 @@ -1,4 +1,4 @@ -# $NetBSD: GENERIC,v 1.284 2012/01/24 00:19:39 rkujawa Exp $ +# $NetBSD: GENERIC,v 1.284.2.1 2018/05/22 14:38:20 martin Exp $ # # This file was automatically created. # Changes will be lost when make is run in this directory. @@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.284 $" +#ident "GENERIC-$Revision: 1.284.2.1 $" maxusers 8 
@@ -155,7 +155,7 @@ options COMPAT_30 # NetBSD 3.0 compatib options COMPAT_40 # NetBSD 4.0 compatibility. options COMPAT_50 # NetBSD 5.0 compatibility. options COMPAT_SUNOS # Support to run Sun (m68k) executables -options COMPAT_SVR4 # Support to run SVR4 (m68k) executables +#options COMPAT_SVR4 # Support to run SVR4 (m68k) executables options COMPAT_NOMID # allow nonvalid machine id executables #options COMPAT_LINUX # Support to run Linux/m68k executables Index: src/sys/arch/amiga/conf/GENERIC.in diff -u src/sys/arch/amiga/conf/GENERIC.in:1.96 src/sys/arch/amiga/conf/GENERIC.in:1.96.2.1 --- src/sys/arch/amiga/conf/GENERIC.in:1.96 Tue Jan 24 00:19:39 2012 +++ src/sys/arch/amiga/conf/GENERIC.in Tue May 22 14:38:20 2018 @@ -1,4 +1,4 @@ -# $NetBSD: GENERIC.in,v 1.96 2012/01/24 00:19:39 rkujawa Exp $ +# $NetBSD: GENERIC.in,v 1.96.2.1 2018/05/22 14:38:20 martin Exp $ # ## # GENERIC machine description file @@ -52,7 +52,7 @@ include "arch/amiga/conf/std.amiga" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.96 $" +#ident "GENERIC-$Revision: 1.96.2.1 $" m4_ifdef(`INSTALL_CONFIGURATION',
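Review bot: the DRACO and GENERIC hunks edit files whose own header reads "This file was automatically created. Changes will be lost when make is run in this directory", and the GENERIC.in hunk shown here stops at the `#ident` line before reaching any COMPAT_SVR4 entry; make sure the `options COMPAT_SVR4` line is commented out in GENERIC.in as well, otherwise regenerating the amiga configs from GENERIC.in silently re-enables COMPAT_SVR4 on this branch.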
CVS commit: [netbsd-6] src/sys/net/npf
Module Name: src
Committed By: martin
Date: Thu May 17 13:45:15 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free. The nbuf can be reallocated as a result of caching 'enpc', so it is necessary to recache 'npc', otherwise it contains pointers to the freed mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because 'enpc' can be clobbered as a result of caching 'npc' (in other words, only one of the two can be cached at the same time). Also, we recache 'npc' unconditionally, because there is no way to know whether the nbuf got clobbered relatively to it. We can't use the NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in the nbuf. In such a way that we don't need to ensure that later.

Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither the nbuf nor npc. Adapt their callers accordingly. In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave right away, without recaching npc (not needed since we didn't touch the nbuf).

This fixes the handling of Query Id packets (that I broke in my previous commit), and also fixes another possible use-after-free.

To generate a diff of this commit:
cvs rdiff -u -r1.8.4.7 -r1.8.4.8 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.10.4.10 -r1.10.4.11 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/npf/npf_alg_icmp.c diff -u src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 src/sys/net/npf/npf_alg_icmp.c:1.8.4.8 --- src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 Mon Feb 11 21:49:49 2013 +++ src/sys/net/npf/npf_alg_icmp.c Thu May 17 13:45:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $ */ +/* $NetBSD: npf_alg_icmp.c,v 1.8.4.8 2018/05/17 13:45:15 martin Exp $ */ /*- * Copyright (c) 2010 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.8 2018/05/17 13:45:15 martin Exp $"); #include #include @@ -162,12 +162,14 @@ npfa_icmp_match(npf_cache_t *npc, nbuf_t /* * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query * ID or TCP/UDP ports of the original packet, which is embedded. + * + * => Sets hasqid=true if the packet has a Query Id. In this case neither + *the nbuf nor npc is touched. */ static bool -npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf) +npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid) { - u_int offby; /* Per RFC 792. */ switch (type) { @@ -191,12 +193,8 @@ npfa_icmp4_inspect(const int type, npf_c case ICMP_TSTAMPREPLY: case ICMP_IREQ: case ICMP_IREQREPLY: - /* Should contain ICMP query ID - ensure. */ - offby = offsetof(struct icmp, icmp_id); - if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) { - return false; - } - npc->npc_info |= NPC_ICMP_ID; + /* Contains ICMP query ID. */ + *hasqid = true; return true; default: break; @@ -205,9 +203,8 @@ npfa_icmp4_inspect(const int type, npf_c } static bool -npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf) +npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid) { - u_int offby; /* Per RFC 4443. */ switch (type) { 
@@ -226,12 +223,8 @@ npfa_icmp6_inspect(const int type, npf_c case ICMP6_ECHO_REQUEST: case ICMP6_ECHO_REPLY: - /* Should contain ICMP query ID - ensure. */ - offby = offsetof(struct icmp6_hdr, icmp6_id); - if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) { - return false; - } - npc->npc_info |= NPC_ICMP_ID; + /* Contains ICMP query ID. */ + *hasqid = true; return true; default: break; @@ -242,12 +235,12 @@ npfa_icmp6_inspect(const int type, npf_c /* * npfa_icmp_session: ALG ICMP inspector. * - * => Returns true if "enpc" is filled. + * => Returns false if there is a problem with the format. */ static bool npfa_icmp_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_cache_t *enpc) { - bool ret; + bool ret, hasqid = false; KASSERT(npf_iscached(npc, NPC_IP46)); KASSERT(npf_iscached(npc, NPC_ICMP)); @@ -265,10 +258,10 @@ npfa_icmp_inspect(npf_cache_t *npc, nbuf */ if (npf_iscached(npc, NPC_IP4)) { const struct icmp *ic = npc->npc_l4.icmp; - ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf); + ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf, ); } else if (npf_iscached(npc, NPC_IP6)) { const
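Review bot: if, as the log message says, npfa_icmp4_inspect and npfa_icmp6_inspect no longer touch npc or nbuf, their `npf_cache_t *npc, nbuf_t *nbuf` parameters are now dead and should be dropped (or at least marked unused) so that a future change cannot quietly start advancing the nbuf again from inside them, which is exactly the use-after-free pattern this pull-up removes; the `*hasqid = true` assignments rely on the caller's `bool ret, hasqid = false;` initialisation, which the visible caller does provide. Separately, the call `ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf, );` is rendered here with an empty fourth argument; if that is not an extraction artifact the code does not compile, so confirm it passes the address of the local hasqid.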
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: martin Date: Mon May 14 16:07:06 UTC 2018 Modified Files: src/sys/dev/ic [netbsd-6]: hme.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1548): sys/dev/ic/hme.c: revision 1.97 Fix mis-placed right paren. kern/53271 To generate a diff of this commit: cvs rdiff -u -r1.87.2.1 -r1.87.2.2 src/sys/dev/ic/hme.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/hme.c diff -u src/sys/dev/ic/hme.c:1.87.2.1 src/sys/dev/ic/hme.c:1.87.2.2 --- src/sys/dev/ic/hme.c:1.87.2.1 Wed Jul 4 19:43:10 2012 +++ src/sys/dev/ic/hme.c Mon May 14 16:07:06 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: hme.c,v 1.87.2.1 2012/07/04 19:43:10 riz Exp $ */ +/* $NetBSD: hme.c,v 1.87.2.2 2018/05/14 16:07:06 martin Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hme.c,v 1.87.2.1 2012/07/04 19:43:10 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hme.c,v 1.87.2.2 2018/05/14 16:07:06 martin Exp $"); /* #define HMEDEBUG */ @@ -752,7 +752,7 @@ hme_get(struct hme_softc *sc, int ri, ui pktlen = m0->m_pkthdr.len - ETHER_HDR_LEN; } else if (ntohs(eh->ether_type) == ETHERTYPE_VLAN) { evh = (struct ether_vlan_header *)eh; - if (ntohs(evh->evl_proto != ETHERTYPE_IP)) + if (ntohs(evh->evl_proto) != ETHERTYPE_IP) goto swcsum; ip = (struct ip *)((char *)eh + ETHER_HDR_LEN + ETHER_VLAN_ENCAP_LEN);
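Review bot: the log message only cites kern/53271; it would help future readers to state the runtime effect of the misplaced parenthesis in the hme_get hunk: `ntohs(evh->evl_proto != ETHERTYPE_IP)` byte-swaps a 0/1 comparison result, so on a little-endian host the condition was always true and every VLAN-tagged IPv4 frame took the `swcsum` path (software checksum, no functional breakage), whereas on big-endian hosts the raw comparison happened to give the intended answer. The corrected `ntohs(evh->evl_proto) != ETHERTYPE_IP` matches the untagged case above it.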
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: martin Date: Thu May 3 15:00:38 UTC 2018 Modified Files: src/sys/kern [netbsd-6]: uipc_mbuf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1547): sys/kern/uipc_mbuf.c: revision 1.211 (via patch) Modify m_defrag, so that it never frees the first mbuf of the chain. While here use the given 'flags' argument, and not M_DONTWAIT. We have a problem with several drivers: they poll an mbuf chain from their queues and call m_defrag on them, but m_defrag could update the mbuf pointer, so the mbuf in the queue is no longer valid. It is not easy to fix each driver, because doing pop+push will reorder the queue, and we don't really want that to happen. This problem was independently spotted by me, Kengo, Masanobu, and other people too it seems (perhaps PR/53218). Now m_defrag leaves the first mbuf in place, and compresses the chain only starting from the second mbuf in the chain. It is important not to compress the first mbuf with hacks, because the storage of this first mbuf may be shared with other mbufs. To generate a diff of this commit: cvs rdiff -u -r1.145.2.1 -r1.145.2.2 src/sys/kern/uipc_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_mbuf.c diff -u src/sys/kern/uipc_mbuf.c:1.145.2.1 src/sys/kern/uipc_mbuf.c:1.145.2.2 --- src/sys/kern/uipc_mbuf.c:1.145.2.1 Fri Feb 8 19:18:12 2013 +++ src/sys/kern/uipc_mbuf.c Thu May 3 15:00:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $ */ +/* $NetBSD: uipc_mbuf.c,v 1.145.2.2 2018/05/03 15:00:37 martin Exp $ */ /*- * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc. @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.2 2018/05/03 15:00:37 martin Exp $"); #include "opt_mbuftrace.h" #include "opt_nmbclusters.h" 
@@ -1266,30 +1266,35 @@ m_makewritable(struct mbuf **mp, int off } /* - * Copy the mbuf chain to a new mbuf chain that is as short as possible. - * Return the new mbuf chain on success, NULL on failure. On success, - * free the old mbuf chain. + * Compress the mbuf chain. Return the new mbuf chain on success, NULL on + * failure. The first mbuf is preserved, and on success the pointer returned + * is the same as the one passed. */ struct mbuf * m_defrag(struct mbuf *mold, int flags) { struct mbuf *m0, *mn, *n; - size_t sz = mold->m_pkthdr.len; + int sz; #ifdef DIAGNOSTIC if ((mold->m_flags & M_PKTHDR) == 0) panic("m_defrag: not a mbuf chain header"); #endif - MGETHDR(m0, flags, MT_DATA); + if (mold->m_next == NULL) + return mold; + + m0 = m_get(flags, MT_DATA); if (m0 == NULL) return NULL; - M_COPY_PKTHDR(m0, mold); mn = m0; + sz = mold->m_pkthdr.len - mold->m_len; + KASSERT(sz >= 0); + do { - if (sz > MHLEN) { - MCLGET(mn, M_DONTWAIT); + if (sz > MLEN) { + MCLGET(mn, flags); if ((mn->m_flags & M_EXT) == 0) { m_freem(m0); return NULL; @@ -1305,7 +1310,7 @@ m_defrag(struct mbuf *mold, int flags) if (sz > 0) { /* need more mbufs */ - MGET(n, M_NOWAIT, MT_DATA); + n = m_get(flags, MT_DATA); if (n == NULL) { m_freem(m0); return NULL; @@ -1316,9 +1321,10 @@ m_defrag(struct mbuf *mold, int flags) } } while (sz > 0); - m_freem(mold); + m_freem(mold->m_next); + mold->m_next = m0; - return m0; + return mold; } int
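Review bot: the changed contract (the first mbuf is never freed and the returned pointer is always `mold`) needs to land in the mbuf(9) man page together with this hunk, since callers that poll a chain from a queue are the stated reason for the change and they must know they may now keep the queued pointer. Two smaller points on the visible lines: `sz = mold->m_pkthdr.len - mold->m_len` can be 0 when the chain has a zero-length tail, and the `do { ... } while (sz > 0)` body still runs once in that case, allocating an empty m0 and linking it in place of the old tail; a `while (sz > 0)` loop, or an early `if (sz == 0)` that just frees `mold->m_next`, would avoid the pointless allocation. Also, since `sz` is now an `int` guarded only by `KASSERT(sz >= 0)`, a chain whose `m_pkthdr.len` is inconsistent with its `m_len` values (see the M_PKTHDR-on-secondary-mbuf note in ticket #1545 on this branch) would go negative silently on a non-DIAGNOSTIC kernel and skip the loop; consider an explicit `if (sz < 0) return NULL;`.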
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu May 3 14:33:30 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec_output.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1546): sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch) Strengthen this check, to make sure there is room for an ip6_ext structure. Seems possible to crash m_copydata here (but I didn't test more than that). Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I already fixed half of the problem two months ago in rev1.67, back then I thought it was not triggerable because each packet we emit is guaranteed to have correctly formed IPv6 options; but it is actually triggerable via IPv6 forwarding, we emit a packet we just received, and we don't sanitize its options before invoking IPsec. Since it would be wrong to just stop the iteration and continue the IPsec processing, allow compute_ipsec_pos to fail, and when it does, drop the packet entirely. To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.38.2.1 src/sys/netipsec/ipsec_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.38 src/sys/netipsec/ipsec_output.c:1.38.2.1 --- src/sys/netipsec/ipsec_output.c:1.38 Tue Jan 10 20:01:57 2012 +++ src/sys/netipsec/ipsec_output.c Thu May 3 14:33:30 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.38.2.1 2018/05/03 14:33:30 martin Exp $ */ /*- * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38.2.1 2018/05/03 14:33:30 martin Exp $"); /* * IPsec output processing. 
@@ -632,7 +632,7 @@ bad: #endif #ifdef INET6 -static void +static int compute_ipsec_pos(struct mbuf *m, int *i, int *off) { int nxt; @@ -649,7 +649,11 @@ compute_ipsec_pos(struct mbuf *m, int *i * put AH/ESP/IPcomp header. * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload] */ - do { + while (1) { + if (*i + sizeof(ip6e) > m->m_pkthdr.len) { + return EINVAL; + } + switch (nxt) { case IPPROTO_AH: case IPPROTO_ESP: @@ -658,7 +662,7 @@ compute_ipsec_pos(struct mbuf *m, int *i * we should not skip security header added * beforehand. */ - return; + return 0; case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: @@ -668,7 +672,7 @@ compute_ipsec_pos(struct mbuf *m, int *i * we should stop there. */ if (nxt == IPPROTO_DSTOPTS && dstopt) -return; +return 0; if (nxt == IPPROTO_DSTOPTS) { /* @@ -688,16 +692,14 @@ compute_ipsec_pos(struct mbuf *m, int *i m_copydata(m, *i, sizeof(ip6e), ); nxt = ip6e.ip6e_nxt; *off = *i + offsetof(struct ip6_ext, ip6e_nxt); - /* - * we will never see nxt == IPPROTO_AH - * so it is safe to omit AH case. - */ *i += (ip6e.ip6e_len + 1) << 3; break; default: - return; + return 0; } - } while (*i < m->m_pkthdr.len); + } + + return 0; } static int @@ -799,7 +801,9 @@ ipsec6_process_packet( i = ip->ip_hl << 2; off = offsetof(struct ip, ip_p); } else { - compute_ipsec_pos(m, , ); + error = compute_ipsec_pos(m, , ); + if (error) + goto bad; } error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off); splx(s);
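Review bot: the new `goto bad` in ipsec6_process_packet sits inside the region where the IPL has already been raised (the `splx(s)` immediately after the `xf_output` call shows that `s = splsoftnet()` precedes the `if/else`), so confirm that the `bad:` label restores the IPL, otherwise this introduces exactly the spl leak fixed in cc.c and if_plip.c on this same branch; a local `splx(s); goto bad;` or a dedicated label would make this explicit. In compute_ipsec_pos the `*i + sizeof(ip6e) > m->m_pkthdr.len` check at the top of `while (1)` also validates the offset before the `default: return 0;` exit, because every iteration starts with it, which is good; the trailing `return 0;` after the infinite loop is unreachable and may draw a compiler warning. The `m_copydata(m, *i, sizeof(ip6e), );` line is rendered here with an empty destination argument, presumably an extraction artifact for the address of ip6e.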
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: msaitoh Date: Wed Apr 18 06:59:10 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec_mbuf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1545): sys/netipsec/ipsec_mbuf.c: revision 1.23 sys/netipsec/ipsec_mbuf.c: revision 1.24 Don't assume M_PKTHDR is set only on the first mbuf of the chain. It should, but it looks like there are several places that can put M_PKTHDR on secondary mbufs (PR/53189), so drop this assumption right now to prevent further bugs. The check is replaced by (m1 != m), which is equivalent to the previous code: we want to modify m->m_pkthdr.len only when 'm' was not passed in m_adj(). Fix a pretty bad mistake, that has always been there. m_adj(m1, -(m1->m_len - roff)); if (m1 != m) m->m_pkthdr.len -= (m1->m_len - roff); This is wrong: m_adj will modify m1->m_len, so we're using a wrong value when manually adjusting m->m_pkthdr.len. Because of that, it is possible to exploit the attack I described in uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100% reliably. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.12.10.1 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.12 src/sys/netipsec/ipsec_mbuf.c:1.12.10.1 --- src/sys/netipsec/ipsec_mbuf.c:1.12 Mon May 16 10:05:23 2011 +++ src/sys/netipsec/ipsec_mbuf.c Wed Apr 18 06:59:10 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.12.10.1 2018/04/18 06:59:10 msaitoh Exp $ */ /*- * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting * All rights reserved. 
@@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12.10.1 2018/04/18 06:59:10 msaitoh Exp $"); /* * IPsec-specific mbuf routines. @@ -407,10 +407,11 @@ m_striphdr(struct mbuf *m, int skip, int /* The header was at the beginning of the mbuf */ IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT); m_adj(m1, hlen); - if ((m1->m_flags & M_PKTHDR) == 0) + if (m1 != m) m->m_pkthdr.len -= hlen; } else if (roff + hlen >= m1->m_len) { struct mbuf *mo; + int adjlen; /* * Part or all of the header is at the end of this mbuf, @@ -419,11 +420,13 @@ m_striphdr(struct mbuf *m, int skip, int */ IPSEC_STATINC(IPSEC_STAT_INPUT_END); if (roff + hlen > m1->m_len) { + adjlen = roff + hlen - m1->m_len; + /* Adjust the next mbuf by the remainder */ - m_adj(m1->m_next, roff + hlen - m1->m_len); + m_adj(m1->m_next, adjlen); /* The second mbuf is guaranteed not to have a pkthdr... */ - m->m_pkthdr.len -= (roff + hlen - m1->m_len); + m->m_pkthdr.len -= adjlen; } /* Now, let's unlink the mbuf chain for a second...*/ @@ -431,9 +434,10 @@ m_striphdr(struct mbuf *m, int skip, int m1->m_next = NULL; /* ...and trim the end of the first part of the chain...sick */ - m_adj(m1, -(m1->m_len - roff)); - if ((m1->m_flags & M_PKTHDR) == 0) - m->m_pkthdr.len -= (m1->m_len - roff); + adjlen = m1->m_len - roff; + m_adj(m1, -adjlen); + if (m1 != m) + m->m_pkthdr.len -= adjlen; /* Finally, let's relink */ m1->m_next = mo;
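Review bot: the context line `/* The second mbuf is guaranteed not to have a pkthdr... */` in the middle hunk now contradicts the stated reason for the change (M_PKTHDR can appear on secondary mbufs, PR/53189) and should be rewritten or removed so the next reader does not rely on it; the `adjlen` hoisting in the last hunk is the real fix, since the old code read `m1->m_len` after `m_adj()` had already shortened it and so subtracted the wrong amount from `m->m_pkthdr.len`. Replacing `(m1->m_flags & M_PKTHDR) == 0` with `m1 != m` in both places is consistent: the pkthdr length must be fixed up by hand only when `m_adj()` was not handed the head of the chain.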
CVS commit: [netbsd-6] src/sys/arch/amiga/amiga
Module Name:src Committed By: martin Date: Tue Apr 10 11:27:55 UTC 2018 Modified Files: src/sys/arch/amiga/amiga [netbsd-6]: cc.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1544): sys/arch/amiga/amiga/cc.c: revision 1.27 (patch) spl leak, found by mootja To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.22.14.1 src/sys/arch/amiga/amiga/cc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/amiga/amiga/cc.c diff -u src/sys/arch/amiga/amiga/cc.c:1.22 src/sys/arch/amiga/amiga/cc.c:1.22.14.1 --- src/sys/arch/amiga/amiga/cc.c:1.22 Mon Dec 20 00:25:25 2010 +++ src/sys/arch/amiga/amiga/cc.c Tue Apr 10 11:27:55 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $ */ +/* $NetBSD: cc.c,v 1.22.14.1 2018/04/10 11:27:55 martin Exp $ */ /* * Copyright (c) 1994 Christian E. Hopps @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22.14.1 2018/04/10 11:27:55 martin Exp $"); #include #include @@ -504,9 +504,10 @@ alloc_chipmem(u_long size) while (size > mn->size && mn != (void *)_list) mn = mn->free_link.cqe_next; - if (mn == (void *)_list) + if (mn == (void *)_list) { + splx(s); return(NULL); - + } if ((mn->size - size) <= sizeof (*mn)) { /* * our allocation would not leave room
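Review bot: with the added `splx(s)` alloc_chipmem now has two exits that must each restore the IPL; a single `out:` label (or moving the `return(NULL)` after a shared `splx(s)`) would keep any further early return from repeating the leak, and the stray blank line removed from the `if` body is fine as a style cleanup.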
CVS commit: [netbsd-6] src/sys/net/npf
Module Name: src
Committed By: martin
Date: Thu Apr 5 11:34:17 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.13 --- src/sys/net/npf/npf.h:1.14.2.12 Mon Feb 11 21:49:49 2013 +++ src/sys/net/npf/npf.h Thu Apr 5 11:34:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $ */ +/* $NetBSD: npf.h,v 1.14.2.13 2018/04/05 11:34:17 martin Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -99,7 +99,7 @@ typedef struct { npf_addr_t * npc_dstip; /* Size (v4 or v6) of IP addresses. */ uint8_t npc_alen; - uint8_t npc_hlen; + uint32_t npc_hlen; uint16_t npc_proto; /* IPv4, IPv6. */ union {
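Review bot: widening `npc_hlen` to `uint32_t` removes the modulo-256 wrap, but the second problem the log message itself raises (npf_cache_ip advancing npc_hlen past the end of the mbuf) is not touched by this hunk and needs its own ticket so it is not forgotten behind "fixed in #1542"; also, the field now sits between `uint8_t npc_alen` and `uint16_t npc_proto`, which changes the size and field offsets of `npf_cache_t`, so confirm that this structure is kernel-private and not part of any npf.h layout shared with userland tools before pulling this up.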
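The offset arithmetic the log message describes, as an added example that is not NPF's code: a constructed two-header chain (a routing header with ip6r_len = 31 followed by a destination-options header with ip6e_len = 0, as in the message) is walked once with a uint8_t accumulator and once with the uint32_t accumulator plus the bound check the message says is still missing. The names ext_hdr, walk_narrow, walk_wide and the three wrapper functions are hypothetical; the only protocol fact assumed is the shared length rule of ip6r_len and ip6e_len (8 bytes times the field value plus one).

```c
/*
 * Added example, not NPF's code: why an 8-bit header-length accumulator
 * lets a filter inspect the wrong transport header, and what a wider
 * accumulator plus a bound check gives instead. All names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP6_HDRLEN  40   /* fixed IPv6 header */
#define UDP_HDRLEN   8   /* smallest transport header expected after the chain */

/* One extension header as carried on the wire: the length field counts
 * 8-byte units beyond the first 8 bytes (ip6r_len / ip6e_len semantics). */
struct ext_hdr {
    uint8_t len_field;
};

/* Accumulate the header length the way the pre-fix npf_cache_t did, in a
 * uint8_t. Each addition is reduced modulo 256, so a 256-byte routing header
 * contributes nothing. Returns the offset at which the filter would look
 * for the transport header. */
static unsigned walk_narrow(const struct ext_hdr *chain, size_t n)
{
    uint8_t hlen = IP6_HDRLEN;
    for (size_t k = 0; k < n; k++)
        hlen += (chain[k].len_field + 1) << 3;   /* silently wraps at 256 */
    return hlen;
}

/* Same walk with a uint32_t accumulator (the npf.h 1.55 fix) plus the bound
 * the commit message notes is still missing: every extension header, and
 * the transport header after them, must lie inside the packet.
 * Returns the transport-header offset, or -1 meaning "drop the packet". */
static long walk_wide(const struct ext_hdr *chain, size_t n, size_t pktlen)
{
    uint32_t hlen = IP6_HDRLEN;
    if (pktlen < hlen)
        return -1;                           /* truncated base header */
    for (size_t k = 0; k < n; k++) {
        uint32_t add = ((uint32_t)chain[k].len_field + 1) << 3;
        if (pktlen - hlen < add)             /* header claims more than the packet holds */
            return -1;
        hlen += add;
    }
    if (pktlen - hlen < UDP_HDRLEN)          /* no room left for the transport header */
        return -1;
    return (long)hlen;
}

/* Constructed chain from the commit message: routing header ip6r_len = 31
 * (256 bytes) then destination options ip6e_len = 0 (8 bytes); the real UDP
 * header therefore starts at 40 + 256 + 8 = 304 in a 312-byte packet. */
static const struct ext_hdr page_chain[] = { { 31 }, { 0 } };
#define PAGE_PKTLEN (IP6_HDRLEN + 256 + 8 + UDP_HDRLEN)   /* 312 */

unsigned narrow_offset(void) { return walk_narrow(page_chain, 2); }
long     wide_offset(void)   { return walk_wide(page_chain, 2, PAGE_PKTLEN); }

/* Constructed hostile chain: the second header claims 2048 bytes inside a
 * 312-byte packet, which the bound check turns into a drop. */
long oversized_ext_offset(void)
{
    static const struct ext_hdr bad[] = { { 31 }, { 255 } };
    return walk_wide(bad, 2, PAGE_PKTLEN);
}

int main(void)
{
    printf("uint8_t  accumulator: filter reads transport header at offset %u\n",
           narrow_offset());
    printf("uint32_t accumulator: transport header at offset %ld\n",
           wide_offset());
    printf("oversized extension header: %ld (packet dropped)\n",
           oversized_ext_offset());
    return 0;
}
```

With the narrow accumulator the 256-byte routing header vanishes from the sum, so the filter examines offset 48 (the crafted header in the message) while the IPv6 stack uses offset 304; widening the counter alone still lets the walk step beyond the packet, which is what the length check in walk_wide converts into a drop rather than an out-of-bounds read.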
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 1 09:22:37 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1541): sys/netinet6/raw_ip6.c: revision 1.161 Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so it is wrong to read ip6->ip6_nxt. To generate a diff of this commit: cvs rdiff -u -r1.109.2.1 -r1.109.2.2 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/raw_ip6.c diff -u src/sys/netinet6/raw_ip6.c:1.109.2.1 src/sys/netinet6/raw_ip6.c:1.109.2.2 --- src/sys/netinet6/raw_ip6.c:1.109.2.1 Tue Jan 30 18:44:22 2018 +++ src/sys/netinet6/raw_ip6.c Sun Apr 1 09:22:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $"); #include "opt_ipsec.h" @@ -502,6 +502,7 @@ rip6_output(struct mbuf *m, struct socke if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 || in6p->in6p_cksum != -1) { + const uint8_t nxt = ip6->ip6_nxt; int off; u_int16_t sum; @@ -523,7 +524,7 @@ rip6_output(struct mbuf *m, struct socke error = ENOBUFS; goto bad; } - sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen); + sum = in6_cksum(m, nxt, sizeof(*ip6), plen); m = m_copyback_cow(m, off, sizeof(sum), (void *), M_DONTWAIT); if (m == NULL) {
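Review bot: hoisting `nxt` before the first `m_copyback_cow()` fixes the one read the log message names, but the `ip6` pointer itself stays live in rip6_output after that call, so any later dereference of it in this function is the same use-after-free; either re-derive it from the new chain head after each `m_copyback_cow()` (for example `ip6 = mtod(m, struct ip6_hdr *);`) or set it to NULL there so a stale use fails loudly, and say in the commit message that only ip6_nxt was audited.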
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 1 09:18:54 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ip6_forward.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1540): sys/netinet6/ip6_forward.c: revision 1.91 (via patch) Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed, and a 'goto out' is missing after ipsec6_process_packet. To generate a diff of this commit: cvs rdiff -u -r1.69.2.1 -r1.69.2.2 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_forward.c diff -u src/sys/netinet6/ip6_forward.c:1.69.2.1 src/sys/netinet6/ip6_forward.c:1.69.2.2 --- src/sys/netinet6/ip6_forward.c:1.69.2.1 Tue Mar 13 16:43:06 2018 +++ src/sys/netinet6/ip6_forward.c Sun Apr 1 09:18:54 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $ */ +/* $NetBSD: ip6_forward.c,v 1.69.2.2 2018/04/01 09:18:54 martin Exp $ */ /* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.2 2018/04/01 09:18:54 martin Exp $"); #include "opt_gateway.h" #include "opt_ipsec.h" @@ -361,9 +361,10 @@ ip6_forward(struct mbuf *m, int srcrt) * because we asked key management for an SA and * it was delayed (e.g. kicked up to IKE). */ - if (error == -EINVAL) - error = 0; - goto freecopy; + if (error == -EINVAL) + error = 0; + m_freem(m); + goto freecopy; } #endif /* FAST_IPSEC */ @@ -467,8 +468,10 @@ ip6_forward(struct mbuf *m, int srcrt) s = splsoftnet(); error = ipsec6_process_packet(m,sp->req); splx(s); + /* m is freed */ if (mcopy) goto freecopy; + return; } #endif
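Review bot: in the second hunk the result of `ipsec6_process_packet(m, sp->req)` is stored in `error` and then never consulted before the new `return;`, so a failed IPsec transform on a forwarded packet is now dropped silently with no statistic; either count it (or log it under the existing forwarding debug path) or drop the assignment so it is clear the value is intentionally ignored. The first hunk's `m_freem(m)` before `goto freecopy` is the right fix for the leak, and the `/* m is freed */` comment plus the `return;` close the fall-through the log message describes; the re-indentation of the two unchanged `if (error == -EINVAL)` lines could have been left out to keep the hunk minimal.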
CVS commit: [netbsd-6] src/sys/dev/ppbus
Module Name:src Committed By: snj Date: Tue Mar 13 17:48:21 UTC 2018 Modified Files: src/sys/dev/ppbus [netbsd-6]: if_plip.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1537): sys/dev/ppbus/if_plip.c: 1.28 spl leak, found by Mootja To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.24.14.1 src/sys/dev/ppbus/if_plip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ppbus/if_plip.c diff -u src/sys/dev/ppbus/if_plip.c:1.24 src/sys/dev/ppbus/if_plip.c:1.24.14.1 --- src/sys/dev/ppbus/if_plip.c:1.24 Mon Apr 5 07:21:47 2010 +++ src/sys/dev/ppbus/if_plip.c Tue Mar 13 17:48:21 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_plip.c,v 1.24 2010/04/05 07:21:47 joerg Exp $ */ +/* $NetBSD: if_plip.c,v 1.24.14.1 2018/03/13 17:48:21 snj Exp $ */ /*- * Copyright (c) 1997 Poul-Henning Kamp @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.24 2010/04/05 07:21:47 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.24.14.1 2018/03/13 17:48:21 snj Exp $"); /* * Parallel port TCP/IP interfaces added. I looked at the driver from @@ -445,6 +445,7 @@ lpioctl(struct ifnet *ifp, u_long cmd, v case AF_INET: break; default: + splx(s); return EAFNOSUPPORT; } break;
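Review bot: only the `default:` case of the address-family switch in lpioctl is visible here; since the IPL was raised before the switch, check the rest of the ioctl for other early `return` statements between the `s = ...` and its matching `splx(s)`, because the same leak pattern tends to recur in neighbouring cases of the same switch.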
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: snj Date: Tue Mar 13 17:47:14 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1536): sys/netipsec/ipsec_input.c: 1.57-1.58 Extend these #ifdef notyet. The m_copydata's in these branches are wrong, we are not guaranteed to have enough room for another struct ip, and we may crash here. Triggerable remotely, but after authentication, by sending an AH packet that has a one-byte-sized IPIP payload. -- Argh, in my previous commit in this file I forgot to fix the IPv6 entry point; apply the same fix there. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.2.1 src/sys/netipsec/ipsec_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.29 src/sys/netipsec/ipsec_input.c:1.29.2.1 --- src/sys/netipsec/ipsec_input.c:1.29 Wed Jan 25 21:58:10 2012 +++ src/sys/netipsec/ipsec_input.c Tue Mar 13 17:47:14 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.29.2.1 2018/03/13 17:47:14 snj Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29.2.1 2018/03/13 17:47:14 snj Exp $"); /* * IPsec input processing. 
@@ -332,14 +332,15 @@ ipsec4_common_input_cb(struct mbuf *m, s ip->ip_len = htons(m->m_pkthdr.len); prot = ip->ip_p; +#ifdef notyet /* IP-in-IP encapsulation */ if (prot == IPPROTO_IPIP) { struct ip ipn; /* ipn will now contain the inner IPv4 header */ + /* XXX: check m_pkthdr.len */ m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), ); -#ifdef notyet /* XXX PROXY address isn't recorded in SAH */ /* * Check that the inner source address is the same as @@ -367,7 +368,6 @@ ipsec4_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } #if INET6 /* IPv6-in-IP encapsulation. */ @@ -375,9 +375,9 @@ ipsec4_common_input_cb(struct mbuf *m, s struct ip6_hdr ip6n; /* ip6n will now contain the inner IPv6 header. */ + /* XXX: check m_pkthdr.len */ m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), ); -#ifdef notyet /* * Check that the inner source address is the same as * the proxy address, if available. @@ -403,9 +403,9 @@ ipsec4_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } #endif /* INET6 */ +#endif /* notyet */ /* * Record what we've done to the packet (under what SA it was @@ -651,15 +651,16 @@ ipsec6_common_input_cb(struct mbuf *m, s /* Save protocol */ m_copydata(m, protoff, 1, ); +#ifdef notyet #ifdef INET /* IP-in-IP encapsulation */ if (prot == IPPROTO_IPIP) { struct ip ipn; /* ipn will now contain the inner IPv4 header */ + /* XXX: check m_pkthdr.len */ m_copydata(m, skip, sizeof(struct ip), ); -#ifdef notyet /* * Check that the inner source address is the same as * the proxy address, if available. 
@@ -683,18 +684,16 @@ ipsec6_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } #endif /* INET */ - /* IPv6-in-IP encapsulation */ if (prot == IPPROTO_IPV6) { struct ip6_hdr ip6n; /* ip6n will now contain the inner IPv6 header. */ + /* XXX: check m_pkthdr.len */ m_copydata(m, skip, sizeof(struct ip6_hdr), ); -#ifdef notyet /* * Check that the inner source address is the same as * the proxy address, if available. @@ -719,8 +718,8 @@ ipsec6_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } +#endif /* notyet */ /* * Record what we've done to the packet (under what SA it was
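Review bot: in the `@@ -332,14 +332,15 @@` hunk the `#ifdef notyet` is moved up so that it now encloses the `m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), ...)` as well as the proxy-address check that was already disabled. That matches the log message: the copy reads `sizeof(struct ip)` bytes at the inner-header offset without first confirming that `m->m_pkthdr.len` covers them, and the new `/* XXX: check m_pkthdr.len */` comments mark where the check belongs. Disabling the block is a safe stopgap, but the comment should say what the check is, e.g. `if (m->m_pkthdr.len < (ip->ip_hl << 2) + sizeof(struct ip)) goto bad;`, so whoever re-enables the code does not repeat the omission. (The `ipn` / `ip6n` destination arguments of `m_copydata()` appear as an empty argument in this listing; that is a rendering artifact, not part of the change.)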
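Review bot: the `@@ -651,15 +651,16 @@` and `@@ -683,18 +684,16 @@` hunks apply the same treatment to ipsec6_common_input_cb(), and the nesting deserves a look: the new `#ifdef notyet` is opened before `#ifdef INET` and its `#endif /* notyet */` comes after the IPv6-in-IP block, while the two inner `-#ifdef notyet` / `-#endif /*XXX*/` pairs are removed, so the conditionals remain balanced (`#endif /* INET */` still closes only the INET block). The deleted blank line before `/* IPv6-in-IP encapsulation */` is unrelated whitespace churn.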
CVS commit: [netbsd-6] src/sys
Module Name:src Committed By: snj Date: Tue Mar 13 17:42:41 UTC 2018 Modified Files: src/sys/net [netbsd-6]: if_mpls.c src/sys/netmpls [netbsd-6]: mpls_ttl.c Log Message: Pull up following revision(s) (requested by uwe in ticket #1534): sys/net/if_mpls.c: 1.31-1.33 via patch sys/netmpls/mpls_ttl.c: 1.9 via patch Style, and fix several bugs: - ip4_check(), mpls_unlabel_inet() and mpls_unlabel_inet6() perform pullups, so we need to pass the updated pointers back - in mpls_lse() the route is not always freed Looks a little better now. -- Kick MPLS packets earlier. -- Several changes: * In mpls_unlabel_inet, copy the label locally. It's not incorrect to keep a pointer on the mbuf, but it's bug-friendly. * In mpls_label_inetX, fix the length check. Meanwhile add an XXX: we just want to make sure that m_copydata won't fail, but if we were guaranteed that m has M_PKTHDR set, we could simply check the length against m->m_pkthdr.len. To generate a diff of this commit: cvs rdiff -u -r1.8.8.1 -r1.8.8.2 src/sys/net/if_mpls.c cvs rdiff -u -r1.3 -r1.3.18.1 src/sys/netmpls/mpls_ttl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if_mpls.c diff -u src/sys/net/if_mpls.c:1.8.8.1 src/sys/net/if_mpls.c:1.8.8.2 --- src/sys/net/if_mpls.c:1.8.8.1 Tue Jul 30 03:05:39 2013 +++ src/sys/net/if_mpls.c Tue Mar 13 17:42:41 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_mpls.c,v 1.8.8.1 2013/07/30 03:05:39 msaitoh Exp $ */ +/* $NetBSD: if_mpls.c,v 1.8.8.2 2018/03/13 17:42:41 snj Exp $ */ /* * Copyright (c) 2010 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.8.1 2013/07/30 03:05:39 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.8.2 2018/03/13 17:42:41 snj Exp $"); #include "opt_inet.h" #include "opt_mpls.h" 
@@ -83,12 +83,12 @@ static int mpls_send_frame(struct mbuf * static int mpls_lse(struct mbuf *); #ifdef INET -static int mpls_unlabel_inet(struct mbuf *); +static struct mbuf *mpls_unlabel_inet(struct mbuf *, int *error); static struct mbuf *mpls_label_inet(struct mbuf *, union mpls_shim *, uint); #endif #ifdef INET6 -static int mpls_unlabel_inet6(struct mbuf *); +static struct mbuf *mpls_unlabel_inet6(struct mbuf *, int *error); static struct mbuf *mpls_label_inet6(struct mbuf *, union mpls_shim *, uint); #endif @@ -308,6 +308,12 @@ mpls_lse(struct mbuf *m) int error = ENOBUFS; uint psize = sizeof(struct sockaddr_mpls); + /* If we're not accepting MPLS frames, leave now. */ + if (!mpls_accept) { + error = EINVAL; + goto done; + } + if (m->m_len < sizeof(union mpls_shim) && (m = m_pullup(m, sizeof(union mpls_shim))) == NULL) goto done; @@ -316,10 +322,7 @@ mpls_lse(struct mbuf *m) dst.smpls_family = AF_MPLS; dst.smpls_addr.s_addr = ntohl(mtod(m, union mpls_shim *)->s_addr); - /* Check if we're accepting MPLS Frames */ error = EINVAL; - if (!mpls_accept) - goto done; /* TTL decrement */ if ((m = mpls_ttl_dec(m)) == NULL) @@ -331,15 +334,17 @@ mpls_lse(struct mbuf *m) #ifdef INET case MPLS_LABEL_IPV4NULL: /* Pop shim and push mbuf to IP stack */ - if (dst.smpls_addr.shim.bos) -error = mpls_unlabel_inet(m); + if (dst.smpls_addr.shim.bos) { +m = mpls_unlabel_inet(m, ); + } break; #endif #ifdef INET6 case MPLS_LABEL_IPV6NULL: /* Pop shim and push mbuf to IPv6 stack */ - if (dst.smpls_addr.shim.bos) -error = mpls_unlabel_inet6(m); + if (dst.smpls_addr.shim.bos) { +m = mpls_unlabel_inet6(m, ); + } break; #endif case MPLS_LABEL_RTALERT: /* Yeah, I'm all alerted */ 
@@ -393,8 +398,10 @@ mpls_lse(struct mbuf *m) tshim.shim.bos = tshim.shim.exp = 0; tshim.shim.ttl = mpls_defttl; if (tshim.shim.label != MPLS_LABEL_IMPLNULL && - ((m = mpls_prepend_shim(m, )) == NULL)) - return ENOBUFS; + ((m = mpls_prepend_shim(m, )) == NULL)) { + error = ENOBUFS; + goto done; + } psize += sizeof(tshim); } @@ -439,11 +446,9 @@ mpls_send_frame(struct mbuf *m, struct i return 0; } - - #ifdef INET -static int -mpls_unlabel_inet(struct mbuf *m) +static struct mbuf * +mpls_unlabel_inet(struct mbuf *m, int *error) { int s, iphlen; struct ip *iph; @@ -451,7 +456,6 @@ mpls_unlabel_inet(struct mbuf *m) struct ifqueue *inq; if (mpls_mapttl_inet || mpls_mapprec_inet) { - /* get shim info */ ms = mtod(m, union mpls_shim *); ms->s_addr = ntohl(ms->s_addr); @@ -460,23 +464,29 @@ mpls_unlabel_inet(struct mbuf *m) m_adj(m, sizeof(union mpls_shim)); /* get ip header */ - if (m->m_len < sizeof (struct ip) && - (m = m_pullup(m, sizeof(struct ip))) == NULL) - return ENOBUFS; + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) { + *error = ENOBUFS; + return NULL; + } + iph = mtod(m, struct ip *); iphlen =
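Review bot: changing `mpls_unlabel_inet()` and `mpls_unlabel_inet6()` in the `@@ -83,12 +83,12 @@` hunk to return `struct mbuf *` and report status through an `int *error` out-parameter is the core of the fix: both functions call `m_pullup()`, which may replace the head of the chain and free the old one, so the `int`-returning versions left mpls_lse() holding a dangling `m`. In the `@@ -331,15 +334,17 @@` hunk the callers now do `m = mpls_unlabel_inet(m, ...)` (the second argument is rendered as empty in this listing; the `error` address-of was lost in extraction), and from this point the caller must treat `m == NULL` as "chain already freed".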
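Review bot: in the `@@ -393,8 +398,10 @@` hunk, replacing `return ENOBUFS;` with `error = ENOBUFS; goto done;` when `mpls_prepend_shim()` fails routes the failure through the common `done:` exit where the route reference is released; the direct return was the "route is not always freed" leak named in the log. In the `@@ -460,23 +464,29 @@` hunk the pull-up failure path now sets `*error = ENOBUFS` and returns NULL, which is consistent with `m_pullup()` having already freed the chain; a one-line comment saying so would help the next reader, since returning NULL without an explicit free otherwise looks like a leak. The remainder of that hunk is cut off in this listing.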
CVS commit: [netbsd-6] src/sys/dev/sbus
Module Name:src Committed By: snj Date: Tue Mar 13 17:20:25 UTC 2018 Modified Files: src/sys/dev/sbus [netbsd-6]: be.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1533): sys/dev/sbus/be.c: 1.86 spl leak, found by Mootja a long time ago To generate a diff of this commit: cvs rdiff -u -r1.78 -r1.78.2.1 src/sys/dev/sbus/be.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/sbus/be.c diff -u src/sys/dev/sbus/be.c:1.78 src/sys/dev/sbus/be.c:1.78.2.1 --- src/sys/dev/sbus/be.c:1.78 Thu Feb 2 19:43:06 2012 +++ src/sys/dev/sbus/be.c Tue Mar 13 17:20:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: be.c,v 1.78 2012/02/02 19:43:06 tls Exp $ */ +/* $NetBSD: be.c,v 1.78.2.1 2018/03/13 17:20:25 snj Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -57,7 +57,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: be.c,v 1.78 2012/02/02 19:43:06 tls Exp $"); +__KERNEL_RCSID(0, "$NetBSD: be.c,v 1.78.2.1 2018/03/13 17:20:25 snj Exp $"); #include "opt_ddb.h" #include "opt_inet.h" @@ -1126,6 +1126,7 @@ beinit(struct ifnet *ifp) callout_reset(>sc_tick_ch, hz, be_tick, sc); + splx(s); return 0; out: splx(s);
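Review bot: the `splx(s)` inserted before `return 0` in the `@@ -1126,6 +1126,7 @@` hunk fixes the success path of beinit(), which returned at the raised IPL while the `out:` error path already dropped it; an spl leak on the common path is worse than one on an error path, because every successful interface initialisation left the processor with interrupts blocked. Consider giving both paths one exit (`error = 0; goto out;`, or set the return value and fall through to `out:`), which makes this class of omission impossible to reintroduce.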
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: snj Date: Tue Mar 13 17:18:16 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c xform_esp.c xform_ipip.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1532): sys/netipsec/xform_ah.c: 1.77 via patch sys/netipsec/xform_esp.c: 1.73 via patch sys/netipsec/xform_ipip.c: 1.56-1.57 via patch Reinforce and clarify. -- Add missing NULL check. Normally that's not triggerable remotely, since we are guaranteed that 8 bytes are valid at mbuf+skip. -- Fix use-after-free. There is a path where the mbuf gets pulled up without a proper mtod afterwards: 218 ipo = mtod(m, struct ip *); 281 m = m_pullup(m, hlen); 232 ipo->ip_src.s_addr Found by Mootja. Meanwhile it seems to me that 'ipo' should be set to NULL if the inner packet is IPv6, but I'll revisit that later. -- As I said in my last commit in this file, ipo should be set to NULL; otherwise the 'local address spoofing' check below is always wrong on IPv6. To generate a diff of this commit: cvs rdiff -u -r1.37.2.3 -r1.37.2.4 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.40 -r1.40.2.1 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.28.8.1 -r1.28.8.2 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37.2.3 src/sys/netipsec/xform_ah.c:1.37.2.4 --- src/sys/netipsec/xform_ah.c:1.37.2.3 Thu Feb 15 16:49:04 2018 +++ src/sys/netipsec/xform_ah.c Tue Mar 13 17:18:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.4 2018/03/13 17:18:15 snj Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* 
@@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.4 2018/03/13 17:18:15 snj Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -498,54 +498,45 @@ ah_massage_headers(struct mbuf **m0, int nxt = ip6.ip6_nxt & 0xff; /* Next header type. */ - for (off = 0; off < skip - sizeof(struct ip6_hdr);) + for (off = 0; off < skip - sizeof(struct ip6_hdr);) { + int noff; + switch (nxt) { case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: -ip6e = (struct ip6_ext *) (ptr + off); +ip6e = (struct ip6_ext *)(ptr + off); +noff = off + ((ip6e->ip6e_len + 1) << 3); + +/* Sanity check. */ +if (noff > skip - sizeof(struct ip6_hdr)) { + goto error6; +} /* - * Process the mutable/immutable - * options -- borrows heavily from the - * KAME code. + * Zero out mutable options. */ for (count = off + sizeof(struct ip6_ext); - count < off + ((ip6e->ip6e_len + 1) << 3);) { + count < noff;) { if (ptr[count] == IP6OPT_PAD1) { count++; - continue; /* Skip padding. */ - } - - /* Sanity check. */ - if (count > off + - ((ip6e->ip6e_len + 1) << 3)) { - m_freem(m); - - /* Free, if we allocated. */ - if (alloc) - free(ptr, M_XDATA); - return EINVAL; + continue; } ad = ptr[count + 1] + 2; - /* If mutable option, zeroize. */ - if (ptr[count] & IP6OPT_MUTABLE) - memcpy(ptr + count, ipseczeroes, - ad); + if (count + ad > noff) { + goto error6; + } + + if (ptr[count] & IP6OPT_MUTABLE) { + memset(ptr + count, 0, ad); + } count += ad; +} - /* Sanity check. */ - if (count > - skip - sizeof(struct ip6_hdr)) { - m_freem(m); - - /* Free, if we allocated. */ - if (alloc) - free(ptr, M_XDATA); - return EINVAL; - } +if (count != noff) { + goto error6; } /* Advance. */ 
@@ -603,11 +594,13 @@ ah_massage_headers(struct mbuf **m0, int default: DPRINTF(("ah_massage_headers: unexpected " "IPv6 header type %d", off)); +error6: if (alloc) free(ptr, M_XDATA); m_freem(m); return EINVAL; } + } /* Copyback and free, if we allocated. */ if (alloc) { Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.40 src/sys/netipsec/xform_esp.c:1.40.2.1 --- src/sys/netipsec/xform_esp.c:1.40 Wed Jan 25 20:31:23 2012 +++ src/sys/netipsec/xform_esp.c Tue Mar 13 17:18:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $ */ +/* $NetBSD: xform_esp.c,v 1.40.2.1 2018/03/13 17:18:15 snj Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23
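Review bot: in the `@@ -498,54 +498,45 @@` hunk the bound `noff = off + ((ip6e->ip6e_len + 1) << 3)` is now checked against `skip - sizeof(struct ip6_hdr)` before the option loop starts, and `count + ad > noff` is checked before the `memset()`; in the old code both sanity checks ran after the copy, so a malformed Hop-by-Hop or Destination Options header could make the zeroing of a "mutable" option write past the extension header. One gap remains: `ad = ptr[count + 1] + 2` reads the option length byte before `count + ad > noff` is tested, so an option whose type byte sits at `noff - 1` reads one byte past the header; a `count + 1 >= noff` check before that read would close it. The trailing `if (count != noff) goto error6;` is a good addition, since it rejects headers whose option lengths do not tile the declared size exactly.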
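Review bot: the new `error6:` label in the `@@ -603,11 +594,13 @@` hunk collapses three copies of the `free(ptr, M_XDATA)` / `m_freem(m)` / `return EINVAL` sequence into one, which removes the risk of the cleanup paths drifting apart. The `DPRINTF` just above it prints `off` under the label "IPv6 header type %d", but `off` is the byte offset; the header type is `nxt`, so the message should use that. The xform_esp.c and xform_ipip.c parts of the diff (the NULL check and the `ipo` use-after-free described in the log) are cut off in this listing and cannot be reviewed here.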
CVS commit: [netbsd-6] src/sys/arch/macppc/dev
Module Name:src Committed By: snj Date: Tue Mar 13 17:09:15 UTC 2018 Modified Files: src/sys/arch/macppc/dev [netbsd-6]: snapper.c Log Message: Pull up following revision(s) (requested by sevan in ticket #1522): sys/arch/macppc/dev/snapper.c: 1.42 Fix issue with audio being downpitched, thanks to "it seems that snapper_init should be called before audio_attach_mi, as snapper init is setting the rate to 44100 after the hardware format has been configured by audio_attach_mi. audio_attach_mi should be the last thing called during an attach of an audio device so the audio device is ready to be configured when audio_attach_mi is called." Resolves PR port-macppc/52949 To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.38.4.1 src/sys/arch/macppc/dev/snapper.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/macppc/dev/snapper.c diff -u src/sys/arch/macppc/dev/snapper.c:1.38 src/sys/arch/macppc/dev/snapper.c:1.38.4.1 --- src/sys/arch/macppc/dev/snapper.c:1.38 Thu Nov 24 03:35:57 2011 +++ src/sys/arch/macppc/dev/snapper.c Tue Mar 13 17:09:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: snapper.c,v 1.38 2011/11/24 03:35:57 mrg Exp $ */ +/* $NetBSD: snapper.c,v 1.38.4.1 2018/03/13 17:09:15 snj Exp $ */ /* Id: snapper.c,v 1.11 2002/10/31 17:42:13 tsubai Exp */ /* Id: i2s.c,v 1.12 2005/01/15 14:32:35 tsubai Exp */ @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: snapper.c,v 1.38 2011/11/24 03:35:57 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: snapper.c,v 1.38.4.1 2018/03/13 17:09:15 snj Exp $"); #include #include @@ -839,10 +839,10 @@ snapper_defer(device_t dev) break; } - audio_attach_mi(_hw_if, sc, sc->sc_dev); - /* ki2c_setmode(sc->sc_i2c, I2C_STDSUBMODE); */ snapper_init(sc, sc->sc_node); + + audio_attach_mi(_hw_if, sc, sc->sc_dev); } static int
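Review bot: in the `@@ -839,10 +839,10 @@` hunk moving `audio_attach_mi()` after `snapper_init()` follows the rule quoted in the log: `audio_attach_mi()` must be the last call in attach so the hardware is configured before the upper layer reads its format, and `snapper_init()` setting 44100 afterwards is what re-pitched the stream. The dead `/* ki2c_setmode(sc->sc_i2c, I2C_STDSUBMODE); */` comment survives the reordering; if it is no longer relevant it would be cleaner to drop it in the same change.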
CVS commit: [netbsd-6] src/sys/arch/sparc/sparc
Module Name:src Committed By: snj Date: Tue Mar 13 16:48:05 UTC 2018 Modified Files: src/sys/arch/sparc/sparc [netbsd-6]: timer.c timer_sun4m.c timerreg.h Log Message: Pull up following revision(s) (requested by mrg in ticket #1519): sys/arch/sparc/sparc/timer_sun4m.c: 1.33 1.34 1.31 sys/arch/sparc/sparc/timer.c: 1.33 sys/arch/sparc/sparc/timer.c: 1.33 1.34 sys/arch/sparc/sparc/timerreg.h: 1.33 1.34 1.31 1.10 fix time goes backwards problems on sparc. there are a few things here: - there's a race between reading the limit register (which clears the interrupt and the limit bit) and increasing the latest offset. this can happen easily if an interrupt comes between the read and the call to tickle_tc() that increases the offset (i obverved this actually happening.) - in early boot, sometimes the counter can cycle twice before the tickle happens. to handle these issues, add two workarounds: - if the limit bit isn't set, but the counter value is less than the previous value, and the offset hasn't changed, use the same fixup as if the limit bit was set. this handles the first case above. - add a hard-workaround for never allowing returning a smaller value (except during 32 bit overflow): if the result is less than the last result, add fixups until it does (or until it would overflow.) the first workaround fixes general run-time issues, and the second fixes issues only seen during boot. also expand some comments in timer_sun4m.c and re-enable the sun4m sub-microsecond tmr_ustolim4m() support (but it's always called with at least 'tick' microseconds, so the end result is the same.) 
fix hang at 4B microseconds (1h12 or so), and simplify part of the previous To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.8.1 src/sys/arch/sparc/sparc/timer.c cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/arch/sparc/sparc/timer_sun4m.c cvs rdiff -u -r1.9 -r1.9.118.1 src/sys/arch/sparc/sparc/timerreg.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc/sparc/timer.c diff -u src/sys/arch/sparc/sparc/timer.c:1.29 src/sys/arch/sparc/sparc/timer.c:1.29.8.1 --- src/sys/arch/sparc/sparc/timer.c:1.29 Sun Jul 17 23:18:23 2011 +++ src/sys/arch/sparc/sparc/timer.c Tue Mar 13 16:48:05 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $ */ +/* $NetBSD: timer.c,v 1.29.8.1 2018/03/13 16:48:05 snj Exp $ */ /* * Copyright (c) 1992, 1993 @@ -60,7 +60,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29.8.1 2018/03/13 16:48:05 snj Exp $"); #include #include 
@@ -83,56 +83,93 @@ static u_int timer_get_timecount(struct * timecounter local state */ static struct counter { - volatile u_int *cntreg; /* counter register */ + __cpu_simple_lock_t lock; /* protects access to offset, reg, last* */ + volatile u_int *cntreg; /* counter register to read */ u_int limit; /* limit we count up to */ u_int offset; /* accumulated offet due to wraps */ u_int shift; /* scaling for valid bits */ u_int mask; /* valid bit mask */ -} cntr; + u_int lastcnt; /* the last* values are used to notice */ + u_int lastres; /* and fix up cases where it would appear */ + u_int lastoffset; /* time went backwards. */ +} cntr __aligned(CACHE_LINE_SIZE); /* * define timecounter */ static struct timecounter counter_timecounter = { - timer_get_timecount, /* get_timecount */ - 0, /* no poll_pps */ - ~0u, /* counter_mask */ - 0, /* frequency - set at initialisation */ - "timer-counter", /* name */ - 100, /* quality */ -/* private reference */ + .tc_get_timecount = timer_get_timecount, + .tc_poll_pps = NULL, + .tc_counter_mask = ~0u, + .tc_frequency = 0, + .tc_name = "timer-counter", + .tc_quality = 100, + .tc_priv = , }; /* * timer_get_timecount provide current counter value */ +__attribute__((__optimize__("Os"))) static u_int timer_get_timecount(struct timecounter *tc) { - struct counter *ctr = (struct counter *)tc->tc_priv; - - u_int c, res, r; + u_int cnt, res, fixup, offset; int s; - + /* + * We use splhigh/__cpu_simple_lock here as we don't want + * any mutex or lockdebug overhead. The lock protects a + * bunch of the members of cntr that are written here to + * deal with the various minor races to be observed and + * worked around. + */ s = splhigh(); - res = c = *ctr->cntreg; + __cpu_simple_lock(); + res = cnt = *cntr.cntreg; res &= ~TMR_LIMIT; + offset = cntr.offset; - if (c != res) { - r = ctr->limit; + /* + * There are 3 cases here: + * - limit reached, interrupt not yet processed. 
+ * - count reset but offset the same, race between handling + * the interrupt and tickle_tc() updating the offset. + * - normal case. + * + * For the first two cases, add the limit so
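Review bot: the `@@ -83,56 +83,93 @@` hunk adds a `__cpu_simple_lock_t lock` to `struct counter` and takes it under `splhigh()` in timer_get_timecount(); the comment justifies that choice over a mutex (no lockdebug overhead), but `__attribute__((__optimize__("Os")))` on the function has no comment at all. A per-function optimisation attribute is fragile (GCC-specific, and its effect can change between compiler versions), so it should say which miscompilation or ordering problem it works around. The `lastcnt` / `lastres` / `lastoffset` fields now carry the "time went backwards" state and `__aligned(CACHE_LINE_SIZE)` keeps the struct on one cache line; since the function now reads the global `cntr` directly instead of `tc->tc_priv`, the `.tc_priv` initialiser (rendered as `.tc_priv = ,` here, address-of lost) is informational only. The rest of the hunk is cut off in this listing.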
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Mar 13 16:43:06 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ip6_forward.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1518): sys/netinet6/ip6_forward.c: 1.89-1.90 via patch Fix use-after-free of mbuf by ip6flow_create This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd. -- Fix use-after-free of mbuf by ip6flow_create (one more) To generate a diff of this commit: cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_forward.c diff -u src/sys/netinet6/ip6_forward.c:1.69 src/sys/netinet6/ip6_forward.c:1.69.2.1 --- src/sys/netinet6/ip6_forward.c:1.69 Mon Dec 19 11:59:58 2011 +++ src/sys/netinet6/ip6_forward.c Tue Mar 13 16:43:06 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $ */ +/* $NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $ */ /* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $"); #include "opt_gateway.h" #include "opt_ipsec.h" @@ -645,8 +645,8 @@ ip6_forward(struct mbuf *m, int srcrt) IP6_STATINC(IP6_STAT_REDIRECTSENT); else { #ifdef GATEWAY - if (m->m_flags & M_CANFASTFWD) -ip6flow_create(_forward_rt, m); + if (mcopy->m_flags & M_CANFASTFWD) +ip6flow_create(_forward_rt, mcopy); #endif if (mcopy) goto freecopy;
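Review bot: in the `@@ -645,8 +645,8 @@` hunk passing `mcopy` instead of `m` to `ip6flow_create()` fixes the use-after-free (`m` has been handed to the output path by this point and may already be freed), but the new condition `mcopy->m_flags & M_CANFASTFWD` dereferences `mcopy` two lines before the existing `if (mcopy) goto freecopy;` checks it for NULL. Either `mcopy` cannot be NULL here, in which case the later test is dead, or it can, in which case this is a NULL dereference reachable from forwarded traffic; guard the new line as `if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))`.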
CVS commit: [netbsd-6] src/sys/dev
Module Name:src Committed By: snj Date: Tue Mar 13 16:38:28 UTC 2018 Modified Files: src/sys/dev [netbsd-6]: fss.c Log Message: Pull up following revision(s) (requested by hannken in ticket #1516): sys/dev/fss.c: 1.101-1.103 Bounds check against media size for non-persistent snapshots. -- Treat partial read from backing store as I/O error. -- Pass residual back to b_resid for persistent snapshots. To generate a diff of this commit: cvs rdiff -u -r1.81.4.4 -r1.81.4.5 src/sys/dev/fss.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/fss.c diff -u src/sys/dev/fss.c:1.81.4.4 src/sys/dev/fss.c:1.81.4.5 --- src/sys/dev/fss.c:1.81.4.4 Sat Aug 27 14:47:47 2016 +++ src/sys/dev/fss.c Tue Mar 13 16:38:28 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $ */ +/* $NetBSD: fss.c,v 1.81.4.5 2018/03/13 16:38:28 snj Exp $ */ /*- * Copyright (c) 2003 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.5 2018/03/13 16:38:28 snj Exp $"); #include #include @@ -90,7 +90,7 @@ static void fss_softc_free(struct fss_so static int fss_read_cluster(struct fss_softc *, u_int32_t); static void fss_bs_thread(void *); static int fss_bs_io(struct fss_softc *, fss_io_type, -u_int32_t, off_t, int, void *); +u_int32_t, off_t, int, void *, size_t *); static u_int32_t *fss_bs_indir(struct fss_softc *, u_int32_t); static kmutex_t fss_device_lock; /* Protect all units. */ 
@@ -266,20 +266,26 @@ fss_strategy(struct buf *bp) mutex_enter(>sc_slock); if (write || !FSS_ISVALID(sc)) { - - mutex_exit(>sc_slock); - bp->b_error = (write ? EROFS : ENXIO); - bp->b_resid = bp->b_bcount; - biodone(bp); - return; + goto done; } + /* Check bounds for non-persistent snapshots. */ + if ((sc->sc_flags & FSS_PERSISTENT) == 0 && + bounds_check_with_mediasize(bp, DEV_BSIZE, + btodb(FSS_CLTOB(sc, sc->sc_clcount - 1) + sc->sc_clresid)) <= 0) + goto done; bp->b_rawblkno = bp->b_blkno; bufq_put(sc->sc_bufq, bp); cv_signal(>sc_work_cv); mutex_exit(>sc_slock); + return; + +done: + mutex_exit(>sc_slock); + bp->b_resid = bp->b_bcount; + biodone(bp); } int @@ -993,6 +999,8 @@ restart: todo -= len; } error = biowait(mbp); + if (error == 0 && mbp->b_resid != 0) + error = EIO; putiobuf(mbp); mutex_enter(>sc_slock); @@ -1014,7 +1022,7 @@ restart: */ static int fss_bs_io(struct fss_softc *sc, fss_io_type rw, -u_int32_t cl, off_t off, int len, void *data) +u_int32_t cl, off_t off, int len, void *data, size_t *resid) { int error; @@ -1025,7 +1033,7 @@ fss_bs_io(struct fss_softc *sc, fss_io_t error = vn_rdwr((rw == FSS_READ ? UIO_READ : UIO_WRITE), sc->sc_bs_vp, data, len, off, UIO_SYSSPACE, IO_ADV_ENCODE(POSIX_FADV_NOREUSE) | IO_NODELOCKED, - sc->sc_bs_lwp->l_cred, NULL, NULL); + sc->sc_bs_lwp->l_cred, resid, NULL); if (error == 0) { mutex_enter(sc->sc_bs_vp->v_interlock); error = VOP_PUTPAGES(sc->sc_bs_vp, trunc_page(off), @@ -1054,7 +1062,7 @@ fss_bs_indir(struct fss_softc *sc, u_int if (sc->sc_indir_dirty) { if (fss_bs_io(sc, FSS_WRITE, sc->sc_indir_cur, 0, - FSS_CLSIZE(sc), (void *)sc->sc_indir_data) != 0) + FSS_CLSIZE(sc), (void *)sc->sc_indir_data, NULL) != 0) return NULL; setbit(sc->sc_indir_valid, sc->sc_indir_cur); } 
@@ -1064,7 +1072,7 @@ fss_bs_indir(struct fss_softc *sc, u_int if (isset(sc->sc_indir_valid, sc->sc_indir_cur)) { if (fss_bs_io(sc, FSS_READ, sc->sc_indir_cur, 0, - FSS_CLSIZE(sc), (void *)sc->sc_indir_data) != 0) + FSS_CLSIZE(sc), (void *)sc->sc_indir_data, NULL) != 0) return NULL; } else memset(sc->sc_indir_data, 0, FSS_CLSIZE(sc)); @@ -1085,6 +1093,7 @@ fss_bs_thread(void *arg) long off; char *addr; u_int32_t c, cl, ch, *indirp; + size_t resid; struct buf *bp, *nbp; struct fss_softc *sc; struct fss_cache *scp, *scl; @@ -1121,14 +1130,18 @@ fss_bs_thread(void *arg) disk_busy(sc->sc_dkdev); error = fss_bs_io(sc, FSS_READ, 0, dbtob(bp->b_blkno), bp->b_bcount, -bp->b_data); +bp->b_data, ); +if (error) + resid = bp->b_bcount; disk_unbusy(sc->sc_dkdev, (error ? 0 : bp->b_bcount), is_read); - } else + } else { error = ENXIO; +resid = bp->b_bcount; + } bp->b_error = error; - bp->b_resid = (error ? bp->b_bcount : 0); + bp->b_resid = resid; biodone(bp); mutex_enter(>sc_slock); @@ -1149,7 +1162,7 @@ fss_bs_thread(void *arg) indirp = fss_bs_indir(sc, scp->fc_cluster); if (indirp != NULL) { error = fss_bs_io(sc, FSS_WRITE, sc->sc_clnext, -0, FSS_CLSIZE(sc), scp->fc_data); +0, FSS_CLSIZE(sc), scp->fc_data, NULL); } else error = EIO; @@ -1217,6 +1230,8
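Review bot: in the `@@ -266,20 +266,26 @@` hunk the `done:` exit sets `bp->b_resid = bp->b_bcount` and calls `biodone()`, but the removed lines include `bp->b_error = (write ? EROFS : ENXIO);` and nothing visible re-adds it, so as listed a write to the device, or a read from an invalid snapshot, completes with `b_error` unset unless it is assigned elsewhere; keep that assignment before the `goto done` in the first `if`. The new `bounds_check_with_mediasize()` call for non-persistent snapshots is the important part: it rejects requests past `FSS_CLTOB(sc, sc->sc_clcount - 1) + sc->sc_clresid` before they are queued to the worker thread, where an out-of-range block number would otherwise be processed.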
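Review bot: the `@@ -993,6 +999,8 @@` hunk turns a short read from the backing store into `EIO` (`if (error == 0 && mbp->b_resid != 0) error = EIO;`); before it, a partial read passed as success and the unread tail of the cluster buffer was served as snapshot data. In fss_bs_thread() (`@@ -1121,14 +1130,18 @@`) the new `size_t *resid` argument of fss_bs_io() lets `b_resid` report the actual residual instead of the all-or-nothing `(error ? bp->b_bcount : 0)`; both error arms set `resid = bp->b_bcount`, so the variable is always assigned before `bp->b_resid = resid;`, and the remaining callers pass `NULL`, which vn_rdwr() accepts. The hunk at `@@ -1217,6 +1230,8` is cut off in this listing.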
CVS commit: [netbsd-6] src/sys/arch/sparc/sparc
Module Name:src Committed By: snj Date: Sat Mar 3 20:47:24 UTC 2018 Modified Files: src/sys/arch/sparc/sparc [netbsd-6]: locore.s Log Message: Pull up following revision(s) (requested by maya in ticket #1513): sys/arch/sparc/sparc/locore.s: 1.269 Avoid an instruction requiring a higher alignment than we are guaranteed Fixes PR port-sparc/52721: ddb errors on ps command Thanks to mlelstv. To generate a diff of this commit: cvs rdiff -u -r1.265 -r1.265.8.1 src/sys/arch/sparc/sparc/locore.s Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc/sparc/locore.s diff -u src/sys/arch/sparc/sparc/locore.s:1.265 src/sys/arch/sparc/sparc/locore.s:1.265.8.1 --- src/sys/arch/sparc/sparc/locore.s:1.265 Mon Aug 15 02:19:44 2011 +++ src/sys/arch/sparc/sparc/locore.s Sat Mar 3 20:47:24 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: locore.s,v 1.265 2011/08/15 02:19:44 mrg Exp $ */ +/* $NetBSD: locore.s,v 1.265.8.1 2018/03/03 20:47:24 snj Exp $ */ /* * Copyright (c) 1996 Paul Kranenburg @@ -6286,8 +6286,9 @@ ENTRY(longjmp) cmp %fp, %g7 ! compare against desired frame bl,a 1b ! if below, restore !pop frame and loop - be,a 2f ! if there, - ldd [%g1+0], %o2 !fetch return %sp and pc, and get out + ld [%g1+0], %o2 ! fetch return %sp + be,a 2f ! we're there, get out + ld [%g1+4], %o3 ! fetch return pc Llongjmpbotch: ! otherwise, went too far; bomb out
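Review bot: in the `@@ -6286,8 +6286,9 @@` hunk replacing `ldd [%g1+0], %o2` with two `ld` instructions removes the 8-byte alignment requirement of the doubleword load (`ld` needs only 4-byte alignment), which is the alignment trap behind PR port-sparc/52721. Note the side effect on control flow: the old `ldd` sat in the annulled delay slot of `be,a 2f` and executed only when the branch was taken, whereas the new `ld [%g1+0], %o2` runs unconditionally before the branch, including on the fall-through into `Llongjmpbotch`; that is only safe if `%o2` is not live on the botch path, which should be confirmed since that code is not in this hunk.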
CVS commit: [netbsd-6] src/sys
Module Name:src Committed By: snj Date: Sat Mar 3 20:44:39 UTC 2018 Modified Files: src/sys/dev [netbsd-6]: rndpseudo.c src/sys/kern [netbsd-6]: subr_cprng.c src/sys/sys [netbsd-6]: cprng.h Log Message: Apply patch (requested by riastradh in ticket #1512): Fix panic when waiting with kqueue/kevent for a read from /dev/random. To generate a diff of this commit: cvs rdiff -u -r1.6.2.3 -r1.6.2.4 src/sys/dev/rndpseudo.c cvs rdiff -u -r1.5.2.8 -r1.5.2.9 src/sys/kern/subr_cprng.c cvs rdiff -u -r1.4.2.1 -r1.4.2.2 src/sys/sys/cprng.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/rndpseudo.c diff -u src/sys/dev/rndpseudo.c:1.6.2.3 src/sys/dev/rndpseudo.c:1.6.2.4 --- src/sys/dev/rndpseudo.c:1.6.2.3 Mon May 21 16:49:54 2012 +++ src/sys/dev/rndpseudo.c Sat Mar 3 20:44:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $ */ +/* $NetBSD: rndpseudo.c,v 1.6.2.4 2018/03/03 20:44:38 snj Exp $ */ /*- * Copyright (c) 1997-2011 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.4 2018/03/03 20:44:38 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -673,13 +673,13 @@ rnd_poll(struct file *fp, int events) } } + mutex_enter(>cprng->mtx); if (cprng_strong_ready(ctx->cprng)) { revents |= events & (POLLIN | POLLRDNORM); } else { - mutex_enter(>cprng->mtx); selrecord(curlwp, >cprng->selq); - mutex_exit(>cprng->mtx); } + mutex_exit(>cprng->mtx); return (revents); } 
@@ -731,12 +731,24 @@ static int filt_rndread(struct knote *kn, long hint) { cprng_strong_t *c = kn->kn_hook; + int ret; + if (hint & NOTE_SUBMIT) + KASSERT(mutex_owned(>mtx)); + else + mutex_enter(>mtx); if (cprng_strong_ready(c)) { kn->kn_data = RND_TEMP_BUFFER_SIZE; - return 1; + ret = 1; + } else { + ret = 0; } - return 0; + if (hint & NOTE_SUBMIT) + KASSERT(mutex_owned(>mtx)); + else + mutex_exit(>mtx); + + return ret; } static const struct filterops rnd_seltrue_filtops = Index: src/sys/kern/subr_cprng.c diff -u src/sys/kern/subr_cprng.c:1.5.2.8 src/sys/kern/subr_cprng.c:1.5.2.9 --- src/sys/kern/subr_cprng.c:1.5.2.8 Fri Mar 29 00:44:28 2013 +++ src/sys/kern/subr_cprng.c Sat Mar 3 20:44:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $ */ +/* $NetBSD: subr_cprng.c,v 1.5.2.9 2018/03/03 20:44:38 snj Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. @@ -46,7 +46,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.9 2018/03/03 20:44:38 snj Exp $"); void cprng_init(void) @@ -95,7 +95,7 @@ cprng_strong_doreseed(cprng_strong_t *co if (c->flags & CPRNG_USE_CV) { cv_broadcast(>cv); } - selnotify(>selq, 0, 0); + selnotify(>selq, 0, NOTE_SUBMIT); } static void @@ -397,7 +397,7 @@ cprng_strong_setflags(cprng_strong_t *co if (c->flags & CPRNG_USE_CV) { cv_broadcast(>cv); } - selnotify(>selq, 0, 0); + selnotify(>selq, 0, NOTE_SUBMIT); } } c->flags = flags; Index: src/sys/sys/cprng.h diff -u src/sys/sys/cprng.h:1.4.2.1 src/sys/sys/cprng.h:1.4.2.2 --- src/sys/sys/cprng.h:1.4.2.1 Fri Apr 20 23:35:20 2012 +++ src/sys/sys/cprng.h Sat Mar 3 20:44:39 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: cprng.h,v 1.4.2.1 2012/04/20 23:35:20 riz Exp $ */ +/* $NetBSD: cprng.h,v 1.4.2.2 2018/03/03 20:44:39 snj Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. 
@@ -121,12 +121,11 @@ static inline int cprng_strong_ready(cprng_strong_t *c) { int ret = 0; - - mutex_enter(>mtx); + + KASSERT(mutex_owned(>mtx)); if (c->drbg.reseed_counter < NIST_CTR_DRBG_RESEED_INTERVAL) { ret = 1; } - mutex_exit(>mtx); return ret; }
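Review bot: the rnd_poll hunk moves the cprng_strong_ready() call under the cprng mutex, which the cprng.h hunk now requires because cprng_strong_ready() asserts mutex_owned() instead of taking the lock itself; as a side effect revents and selrecord() are now decided under one lock hold, so there is no longer a gap between the readiness test and registering the waiter in which a reseed could complete without a wakeup. The lock arguments appear on this page as `>cprng->mtx` and `>mtx` because the `&ctx-`/`&c-` prefixes were lost in extraction, not because the patch is malformed.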
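Review bot: the filt_rndread hunk makes the NOTE_SUBMIT hint the only signal that the caller already holds the mutex, so every selnotify() on this selq must pass NOTE_SUBMIT while holding the lock and every direct kqueue call must not; the two subr_cprng.c hunks update the callers shown, but any other selnotify() on the same selq in the tree needs the same audit, because a missed one would re-enter the mutex and bring back the panic this ticket fixes. Minor: the exit path repeats the entry-side `if (hint & NOTE_SUBMIT) KASSERT(mutex_owned(...))`; `if (!(hint & NOTE_SUBMIT)) mutex_exit(...)` says the same in one branch.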
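Review bot: both selnotify() hunks in subr_cprng.c now promise via NOTE_SUBMIT that c->mtx is held, but neither hunk shows the lock being taken; a KASSERT(mutex_owned(&c->mtx)) immediately before each selnotify() would check the producer side of the contract that filt_rndread() relies on and would catch a future caller of cprng_strong_doreseed() or cprng_strong_setflags() that drops the lock first.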
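Review bot: the cprng.h hunk changes the contract of the inline cprng_strong_ready(): it no longer locks and instead KASSERTs that the caller holds c->mtx, so every caller other than the two rndpseudo.c functions shown must be adjusted too, and the header should document the locking rule (a one-line comment above the function would do). Because the KASSERT compiles away in non-DIAGNOSTIC kernels, an unconverted caller would silently read drbg.reseed_counter without the lock rather than fail loudly.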
CVS commit: [netbsd-6] src/sys/arch
Module Name:src Committed By: snj Date: Mon Feb 19 20:54:38 UTC 2018 Modified Files: src/sys/arch/amd64/amd64 [netbsd-6]: machdep.c src/sys/arch/amd64/include [netbsd-6]: segments.h src/sys/arch/i386/i386 [netbsd-6]: machdep.c src/sys/arch/i386/include [netbsd-6]: segments.h src/sys/arch/x86/x86 [netbsd-6]: vm_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1517): sys/arch/amd64/amd64/machdep.c: 1.280 via patch sys/arch/amd64/include/segments.h: 1.34 via patch sys/arch/i386/i386/machdep.c: 1.800 sys/arch/i386/include/segments.h: 1.64 sys/arch/x86/x86/vm_machdep.c: 1.30 Fix a huge privilege separation vulnerability in Xen-amd64. On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL equals SEL_UPL. While Xen can make a distinction between usermode and kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes to read and write to the CPU ports. It is easy, then, to completely escalate privileges; by reprogramming the PIC, by reading the ATA disks, by intercepting the keyboard interrupts (keylogger), etc. Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use the ports but not userland. I didn't test this change on i386, but it seems fine enough. To generate a diff of this commit: cvs rdiff -u -r1.175.2.9 -r1.175.2.10 src/sys/arch/amd64/amd64/machdep.c cvs rdiff -u -r1.22 -r1.22.10.1 src/sys/arch/amd64/include/segments.h cvs rdiff -u -r1.717.2.8 -r1.717.2.9 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.54 -r1.54.10.1 src/sys/arch/i386/include/segments.h cvs rdiff -u -r1.14 -r1.14.2.1 src/sys/arch/x86/x86/vm_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/arch/amd64/amd64/machdep.c diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.9 src/sys/arch/amd64/amd64/machdep.c:1.175.2.10 --- src/sys/arch/amd64/amd64/machdep.c:1.175.2.9 Tue Aug 8 12:00:35 2017 +++ src/sys/arch/amd64/amd64/machdep.c Mon Feb 19 20:54:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $ */ +/* $NetBSD: machdep.c,v 1.175.2.10 2018/02/19 20:54:37 snj Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011 @@ -111,7 +111,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.10 2018/02/19 20:54:37 snj Exp $"); /* #define XENDEBUG_LOW */ @@ -477,7 +477,7 @@ x86_64_proc0_tss_ldt_init(void) pcb->pcb_fs = 0; pcb->pcb_gs = 0; pcb->pcb_rsp0 = (uvm_lwp_getuarea(l) + KSTACK_SIZE - 16) & ~0xf; - pcb->pcb_iopl = SEL_KPL; + pcb->pcb_iopl = IOPL_KPL; pmap_kernel()->pm_ldt_sel = GSYSSEL(GLDT_SEL, SEL_KPL); pcb->pcb_cr0 = rcr0() & ~CR0_TS; Index: src/sys/arch/amd64/include/segments.h diff -u src/sys/arch/amd64/include/segments.h:1.22 src/sys/arch/amd64/include/segments.h:1.22.10.1 --- src/sys/arch/amd64/include/segments.h:1.22 Mon Feb 7 03:54:45 2011 +++ src/sys/arch/amd64/include/segments.h Mon Feb 19 20:54:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: segments.h,v 1.22 2011/02/07 03:54:45 chs Exp $ */ +/* $NetBSD: segments.h,v 1.22.10.1 2018/02/19 20:54:37 snj Exp $ */ /*- * Copyright (c) 1990 The Regents of the University of California. 
@@ -107,6 +107,12 @@ #define ISLDT(s) ((s) & SEL_LDT) /* is it local or global */ #define SEL_LDT 4 /* local descriptor table */ +#ifdef XEN +#define IOPL_KPL 1 +#else +#define IOPL_KPL SEL_KPL +#endif + /* Dynamically allocated TSSs and LDTs start (byte offset) */ #define SYSSEL_START (NGDT_MEM << 3) #define DYNSEL_START (SYSSEL_START + (NGDT_SYS << 4)) Index: src/sys/arch/i386/i386/machdep.c diff -u src/sys/arch/i386/i386/machdep.c:1.717.2.8 src/sys/arch/i386/i386/machdep.c:1.717.2.9 --- src/sys/arch/i386/i386/machdep.c:1.717.2.8 Tue Aug 8 12:00:35 2017 +++ src/sys/arch/i386/i386/machdep.c Mon Feb 19 20:54:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.717.2.8 2017/08/08 12:00:35 martin Exp $ */ +/* $NetBSD: machdep.c,v 1.717.2.9 2018/02/19 20:54:38 snj Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009 @@ -67,7 +67,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.8 2017/08/08 12:00:35 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.9 2018/02/19 20:54:38 snj Exp $"); #include "opt_beep.h" #include "opt_compat_ibcs2.h" @@ -509,7 +509,7 @@ i386_proc0_tss_ldt_init(void) pmap_kernel()->pm_ldt_sel = GSEL(GLDT_SEL, SEL_KPL); pcb->pcb_cr0 = rcr0() & ~CR0_TS; pcb->pcb_esp0 = uvm_lwp_getuarea(l) + KSTACK_SIZE - 16; - pcb->pcb_iopl = SEL_KPL; + pcb->pcb_iopl = IOPL_KPL; l->l_md.md_regs = (struct trapframe *)pcb->pcb_esp0 - 1; memcpy(>pcb_fsd, [GUDATA_SEL], sizeof(pcb->pcb_fsd));
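Review bot: the amd64 segments.h hunk introduces IOPL_KPL as a bare `1` under XEN with no comment; the reasoning from the log message (under Xen the kernel runs in ring 3, so SEL_KPL equals SEL_UPL and the hypervisor cannot distinguish kernel from user iopl) belongs next to the define, because `1` reads as an arbitrary ring number to anyone opening the header later. A short comment stating that this value must be satisfiable by the kernel but not by userland would make the security intent reviewable in place.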
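Review bot: the i386 machdep.c hunk uses IOPL_KPL, but the i386 segments.h hunk that defines it (listed in the log as revision 1.64) and the vm_machdep.c hunk (1.30) are not in the diff shown here, so neither the i386 definition nor the pcb_iopl initialisation at LWP creation can be reviewed from this page; the two hunks that are visible only cover proc0's TSS/LDT setup, and every other place that writes pcb_iopl must use IOPL_KPL for the fix to be complete.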
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Fri Feb 16 18:10:09 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1531): sys/netipsec/ipsec.c: revision 1.130 Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte AH packet. Triggerable before authentication when IPsec and forwarding are both enabled. To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.8.1 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.55 src/sys/netipsec/ipsec.c:1.55.8.1 --- src/sys/netipsec/ipsec.c:1.55 Thu Jun 9 19:54:18 2011 +++ src/sys/netipsec/ipsec.c Fri Feb 16 18:10:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $ */ +/* $NetBSD: ipsec.c,v 1.55.8.1 2018/02/16 18:10:09 martin Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55.8.1 2018/02/16 18:10:09 martin Exp $"); /* * IPsec controller part. @@ -979,7 +979,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se spidx->dst.sin.sin_port = uh.uh_dport; return; case IPPROTO_AH: - if (m->m_pkthdr.len > off + sizeof(ip6e)) + if (off + sizeof(ip6e) > m->m_pkthdr.len) goto done; /* XXX sigh, this works but is totally bogus */ m_copydata(m, off, sizeof(ip6e), );
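Review bot: in the ipsec4_get_ulp hunk the original test `m->m_pkthdr.len > off + sizeof(ip6e)` jumped to done exactly when the packet was long enough and let the short packet fall through to m_copydata(), which is the crash in the log message; the rewritten `off + sizeof(ip6e) > m->m_pkthdr.len` is the correct guard. Note that sizeof() makes the comparison unsigned, so m_pkthdr.len (an int) is converted; that is safe as long as off cannot be negative, but an explicit cast would keep -Wsign-compare quiet and make the intent obvious in a function whose own comment calls the ip6e reuse bogus.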
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu Feb 15 16:49:05 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c Log Message: Fix previous (Ticket #1530) To generate a diff of this commit: cvs rdiff -u -r1.37.2.2 -r1.37.2.3 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37.2.2 src/sys/netipsec/xform_ah.c:1.37.2.3 --- src/sys/netipsec/xform_ah.c:1.37.2.2 Thu Feb 15 08:08:19 2018 +++ src/sys/netipsec/xform_ah.c Thu Feb 15 16:49:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -687,11 +687,10 @@ ah_input(struct mbuf *m, const struct se return EACCES; } if (skip + authsize + rplen > m->m_pkthdr.len) { - char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)" " for packet in SA %s/%08lx\n", __func__, m->m_pkthdr.len, (u_long)(skip + authsize + rplen), - ipsec_address(>sah->saidx.dst, buf, sizeof(buf)), + ipsec_address(>sah->saidx.dst), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_BADAUTHL); m_freem(m);
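Review bot: this hunk drops the `buf` argument because ipsec_address() on the netbsd-6 branch takes only the address; the three-argument form with a caller-supplied buffer is what HEAD revisions 1.80-1.81 use and what the previous pullup for ticket #1530 (shown below) copied verbatim. The fix is right, but the breakage shows the pullup was committed without a branch build; since the mismatch sits inside DPRINTF(), a build with the debug option enabled is needed to catch this class of error.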
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu Feb 15 14:49:00 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ipip.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1529): sys/netipsec/xform_ipip.c: revision 1.44 via patch PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right, don't forget to subtract the ipv6 header length. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.28 src/sys/netipsec/xform_ipip.c:1.28.8.1 --- src/sys/netipsec/xform_ipip.c:1.28 Sun Jul 17 20:54:54 2011 +++ src/sys/netipsec/xform_ipip.c Thu Feb 15 14:49:00 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.28.8.1 2018/02/15 14:49:00 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.8.1 2018/02/15 14:49:00 martin Exp $"); /* * IP-inside-IP processing @@ -566,7 +566,7 @@ ipip_output( ip6o->ip6_flow = 0; ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; ip6o->ip6_vfc |= IPV6_VERSION; - ip6o->ip6_plen = htons(m->m_pkthdr.len); + ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); ip6o->ip6_hlim = ip_defttl; ip6o->ip6_dst = saidx->dst.sin6.sin6_addr; ip6o->ip6_src = saidx->src.sin6.sin6_addr;
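Review bot: the ipip_output hunk makes ip6_plen exclude the outer header, which is correct only if m->m_pkthdr.len already counts the freshly prepended sizeof(*ip6o) bytes at this point; the context (ip6o fields being filled in) suggests it does, but a KASSERT(m->m_pkthdr.len >= sizeof(*ip6o)) would document the invariant, because `m->m_pkthdr.len - sizeof(*ip6o)` is evaluated as size_t and wraps to a huge value before htons() truncates it if the header were ever missing. The same expression is also silently truncated to 16 bits for payloads over 65535 bytes; if that can happen on a tunnel interface it should be rejected rather than miswritten.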
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu Feb 15 08:08:19 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1530): sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch Fix use-after-free, 'ah' may not be valid after m_makewritable and ah_massage_headers. Make sure the Authentication Header fits the mbuf chain, otherwise panic. To generate a diff of this commit: cvs rdiff -u -r1.37.2.1 -r1.37.2.2 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37.2.1 src/sys/netipsec/xform_ah.c:1.37.2.2 --- src/sys/netipsec/xform_ah.c:1.37.2.1 Mon Jan 29 19:25:51 2018 +++ src/sys/netipsec/xform_ah.c Thu Feb 15 08:08:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -636,6 +636,7 @@ ah_input(struct mbuf *m, const struct se struct m_tag *mtag; struct newah *ah; int hl, rplen, authsize, error; + uint8_t nxt; struct cryptodesc *crda; struct cryptop *crp; @@ -660,6 +661,8 @@ ah_input(struct mbuf *m, const struct se return ENOBUFS; } + nxt = ah->ah_nxt; + /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { AH_STATINC(AH_STAT_REPLAY); 
@@ -683,6 +686,18 @@ ah_input(struct mbuf *m, const struct se m_freem(m); return EACCES; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + char buf[IPSEC_ADDRSTRLEN]; + DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long)(skip + authsize + rplen), + ipsec_address(>sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AH_STATINC(AH_STAT_BADAUTHL); + m_freem(m); + return EACCES; + } + AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -780,7 +795,7 @@ ah_input(struct mbuf *m, const struct se tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = nxt; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_ptr = mtag; /* Save the mtag we've identified. */
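Review bot: the ah_input hunks save ah->ah_nxt into a local right after the ENOBUFS check and use that copy when filling tc->tc_nxt, which removes the use-after-free on `ah` across m_makewritable()/ah_massage_headers(); the save site is correct as long as nothing between the ENOBUFS check and the assignment can reallocate the chain, which the context (the replay check follows immediately) suggests. Any remaining `ah->` dereference after the massage call would be the same bug again, so the rest of ah_input() should be grepped for it.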
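Review bot: the new length check in ah_input is the right guard, but two details in the DPRINTF: m->m_pkthdr.len is an int printed with %u, and ipsec_address() is passed a buf/size pair that this branch's ipsec_address() does not take, so the hunk as written does not build on netbsd-6 (the 'Fix previous (Ticket #1530)' commit above removes buf again). Because DPRINTF is normally compiled out, the mismatch only appears with the debug option on, which is one more reason to build-test pullups with it enabled.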
CVS commit: [netbsd-6] src/sys/dist/pf/net
Module Name:src Committed By: snj Date: Sat Feb 10 04:25:38 UTC 2018 Modified Files: src/sys/dist/pf/net [netbsd-6]: pf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1527): sys/dist/pf/net/pf.c: revision 1.78 via patch Oh, what is this. Fix a remotely-triggerable integer overflow: the way we define TCPOLEN_SACK makes it unsigned, and the comparison in the while() is unsigned too. That's not the expected behavior, the original code wanted a signed comparison. It's pretty easy to make 'hlen' go negative and trigger a buffer overflow. This bug was reported 8 years ago by Lucio Albornoz in PR/44059. To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.68.2.1 src/sys/dist/pf/net/pf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dist/pf/net/pf.c diff -u src/sys/dist/pf/net/pf.c:1.68 src/sys/dist/pf/net/pf.c:1.68.2.1 --- src/sys/dist/pf/net/pf.c:1.68 Mon Dec 19 16:10:07 2011 +++ src/sys/dist/pf/net/pf.c Sat Feb 10 04:25:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $ */ +/* $NetBSD: pf.c,v 1.68.2.1 2018/02/10 04:25:37 snj Exp $ */ /* $OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */ /* @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68.2.1 2018/02/10 04:25:37 snj Exp $"); #include "pflog.h" @@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off struct sackblk sack; #ifdef __NetBSD__ -#define TCPOLEN_SACK (2 * sizeof(uint32_t)) +#define TCPOLEN_SACK 8 /* 2*sizeof(tcp_seq) */ #endif #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
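Review bot: the pf_modulate_sack hunk replaces `(2 * sizeof(uint32_t))` with a plain `8`, which is an int and therefore restores the signed comparison the loop over `hlen` was written for; it works, but the fix is implicit and easy to undo (anyone 'improving' the macro back to a sizeof() expression reintroduces the unsigned comparison and the remote overflow from the log). Making the loop condition explicitly signed, or at least adding a comment at the define saying why it must not use sizeof(), would let the intent survive the next edit; the derived TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) inherits the int type and needs no change.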
CVS commit: [netbsd-6] src/sys/netinet
Module Name:src Committed By: martin Date: Fri Feb 9 14:09:35 UTC 2018 Modified Files: src/sys/netinet [netbsd-6]: ip_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1526): sys/netinet/ip_input.c: revision 1.366 Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a completely dumb idea, because they have security implications. By sending an IPv4 packet containing an LSRR option, an attacker will cause the system to forward the packet to another IPv4 address - and this way he white-washes the source of the packet. It is also possible for an attacker to reach hidden networks: if a server has a public address, and a private one on an internal network (network which has several internal machines connected), the attacker can send a packet with: source = 0.0.0.0 destination = public address of the server LSRR first address = address of a machine on the internal network And the packet will be forwarded, by the server, to the internal machine, in some cases even with the internal IP address of the server as a source. To generate a diff of this commit: cvs rdiff -u -r1.298 -r1.298.2.1 src/sys/netinet/ip_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/ip_input.c diff -u src/sys/netinet/ip_input.c:1.298 src/sys/netinet/ip_input.c:1.298.2.1 --- src/sys/netinet/ip_input.c:1.298 Mon Jan 9 14:31:22 2012 +++ src/sys/netinet/ip_input.c Fri Feb 9 14:09:35 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $ */ +/* $NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -91,7 +91,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $"); #include "opt_inet.h" #include "opt_compat_netbsd.h" 
@@ -161,10 +161,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v #define IPSENDREDIRECTS 1 #endif #ifndef IPFORWSRCRT -#define IPFORWSRCRT 1 /* forward source-routed packets */ +#define IPFORWSRCRT 0 /* forward source-routed packets */ #endif #ifndef IPALLOWSRCRT -#define IPALLOWSRCRT 1 /* allow source-routed packets */ +#define IPALLOWSRCRT 0 /* allow source-routed packets */ #endif #ifndef IPMTUDISC #define IPMTUDISC 1
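Review bot: the ip_input.c hunk only flips the compile-time defaults IPFORWSRCRT and IPALLOWSRCRT from 1 to 0, i.e. the initial values of the ip_allowsrcrt/ip_forwsrcrt variables named in the log; a system that sets them at run time keeps its configured behaviour, and the trailing comments ('forward source-routed packets', 'allow source-routed packets') still describe what the knob does rather than that it is now off by default. The changed default should be reflected wherever these variables are documented and in the branch's release notes, since an administrator relying on LSRR forwarding will see it stop after the update.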
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 13:10:00 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1525): sys/netinet6/nd6_nbr.c: revision 1.145 (patch) Fix memory leak. Contrary to what the XXX indicates, this place is 100% reachable remotely. To generate a diff of this commit: cvs rdiff -u -r1.95 -r1.95.2.1 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_nbr.c diff -u src/sys/netinet6/nd6_nbr.c:1.95 src/sys/netinet6/nd6_nbr.c:1.95.2.1 --- src/sys/netinet6/nd6_nbr.c:1.95 Mon Dec 19 11:59:58 2011 +++ src/sys/netinet6/nd6_nbr.c Fri Feb 2 13:10:00 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $ */ +/* $NetBSD: nd6_nbr.c,v 1.95.2.1 2018/02/02 13:10:00 martin Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95.2.1 2018/02/02 13:10:00 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -589,7 +589,7 @@ nd6_na_input(struct mbuf *m, int off, in taddr6 = nd_na->nd_na_target; if (in6_setscope(, ifp, NULL)) - return; /* XXX: impossible */ + goto bad; if (IN6_IS_ADDR_MULTICAST()) { nd6log((LOG_ERR,
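Review bot: the nd6_na_input hunk replaces a bare `return` with `goto bad` so the mbuf is freed on the in6_setscope() failure path, and drops the stale 'XXX: impossible' comment; the `bad:` label is outside the hunk, so confirm that it does m_freem(m) and does not depend on state (a looked-up ifa or route, for example) that has not been set up yet at this early point in the function, since this goto reaches the label earlier than the existing ones.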
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 11:07:12 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ip6_mroute.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1524): sys/netinet6/ip6_mroute.c: revision 1.120 Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE, not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain on an mbuf that was already freed. To generate a diff of this commit: cvs rdiff -u -r1.103 -r1.103.2.1 src/sys/netinet6/ip6_mroute.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_mroute.c diff -u src/sys/netinet6/ip6_mroute.c:1.103 src/sys/netinet6/ip6_mroute.c:1.103.2.1 --- src/sys/netinet6/ip6_mroute.c:1.103 Sat Dec 31 20:41:59 2011 +++ src/sys/netinet6/ip6_mroute.c Fri Feb 2 11:07:12 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $ */ +/* $NetBSD: ip6_mroute.c,v 1.103.2.1 2018/02/02 11:07:12 martin Exp $ */ /* $KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $ */ /* @@ -117,7 +117,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103.2.1 2018/02/02 11:07:12 martin Exp $"); #include "opt_inet.h" #include "opt_mrouting.h" @@ -1864,7 +1864,7 @@ pim6_input(struct mbuf **mp, int *offp, (eip6->ip6_vfc & IPV6_VERSION)); #endif m_freem(m); - return (IPPROTO_NONE); + return (IPPROTO_DONE); } /* verify the inner packet is destined to a mcast group */
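Review bot: the pim6_input hunk returns IPPROTO_DONE instead of IPPROTO_NONE after m_freem(m), which is what stops ip6_input's header-chain loop from touching the freed mbuf; since the function takes `struct mbuf **mp`, also setting `*mp = NULL` before returning would turn a future caller mistake into a NULL dereference rather than a use of freed memory, and a grep for other `return (IPPROTO_NONE)` sites that follow an m_freem() in netinet6 would show whether the same typo exists elsewhere.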
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 22:10:20 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ah_input.c esp_input.c ipcomp_input.c Log Message: Ooops, remainder of Ticket #1523, accidentally not committed previously To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/netinet6/ah_input.c cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/netinet6/esp_input.c cvs rdiff -u -r1.38 -r1.38.8.1 src/sys/netinet6/ipcomp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ah_input.c diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.8.1 --- src/sys/netinet6/ah_input.c:1.59 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ah_input.c Tue Jan 30 22:10:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i * next header field of the previous header. * This is necessary because AH will be stripped off below. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; ip6 = mtod(m, struct ip6_hdr *); Index: src/sys/netinet6/esp_input.c diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.8.1 --- src/sys/netinet6/esp_input.c:1.50 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/esp_input.c Tue Jan 30 22:10:20 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -834,7 +834,8 @@ noreplaycheck: /* * Set the next header field of the previous header correctly. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; stripsiz = esplen + ivlen; Index: src/sys/netinet6/ipcomp_input.c diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.8.1 --- src/sys/netinet6/ipcomp_input.c:1.38 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ipcomp_input.c Tue Jan 30 22:10:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off m->m_flags |= M_DECRYPTED; /* update next header field */ - prvnxtp = ip6_get_prevhdr(m, off); + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; /*
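Review bot: all three hunks (ah6_input, esp6_input, ipcomp6_input) turn the new ip6_get_prevhdr() offset back into a pointer with `mtod(m, u_int8_t *) + prvnxt`, which is exactly the 'mtod(m, char *) + len' pattern the ticket #1523 log message identifies as the overflow when the previous header is not in the first mbuf; the frag6.c hunk for the same ticket uses IP6_EXTHDR_GET() with a NULL check instead. Unless these input paths have already made the chain contiguous up to `off` (nothing in the hunks shows that), they should use IP6_EXTHDR_GET() the same way, and the retained `/* XXX */` markers suggest the committer knows the spot is still fragile.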
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 18:44:22 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: frag6.c ip6_input.c ip6_var.h raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1523): sys/netinet6/frag6.c: revision 1.65 sys/netinet6/ip6_input.c: revision 1.187 sys/netinet6/ip6_var.h: revision 1.78 sys/netinet6/raw_ip6.c: revision 1.160 (patch) sys/netinet6/ah_input.c: adjust other callers (patch) sys/netinet6/esp_input.c: adjust other callers (patch) sys/netinet6/ipcomp_input.c: adjust other callers (patch) Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf. The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures. As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know. Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases. 
Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. To generate a diff of this commit: cvs rdiff -u -r1.52.2.2 -r1.52.2.3 src/sys/netinet6/frag6.c cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.109 -r1.109.2.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.3 --- src/sys/netinet6/frag6.c:1.52.2.2 Thu Oct 25 17:23:33 2012 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:44:22 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $ */ +/* $NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -461,6 +453,21 @@ insert: m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.136.2.1 src/sys/netinet6/ip6_input.c:1.136.2.2 --- src/sys/netinet6/ip6_input.c:1.136.2.1 Mon Jul 8 07:40:07 2013 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:44:22 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $ */ +/* $NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently processed. - * XXX: This function supposes that
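Review bot: in frag6.c the NXT-restore block is moved from before frag6_remque(q6) to after m->m_pkthdr.len is set, and it now takes `goto dropfrag` when IP6_EXTHDR_GET() fails; at that point q6 has already been removed and freed (kmem_intr_free in the context of the first hunk), so the dropfrag path must not touch q6, and since IP6_EXTHDR_GET() can free the chain on failure it must also tolerate m being gone. Neither the dropfrag body nor the macro is in the hunk, so both should be checked before relying on this exit; the relocation itself is sound, because the write now happens once the reassembled chain has its final length.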
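Review bot: the ip6_input.c hunk is cut off on this page right after the comment rewrite ('Get offset to the previous header' and the start of the old 'XXX: This function supposes that' caveat), so the new body of ip6_get_prevhdr() cannot be reviewed here, and the ip6_var.h and raw_ip6.c hunks listed in the log are not shown either. What is visible is consistent with the callers now treating the return value as an int offset; the prototype change in ip6_var.h is what lets the compiler flag any caller still expecting a u_int8_t *, which is why the three netinet6 callers in the 'remainder of Ticket #1523' commit above were needed for the branch to build.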
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Mon Jan 29 19:25:51 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1521): sys/netipsec/xform_ah.c: revision 1.76 Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely crash the kernel with a single packet. In this loop we need to increment 'ad' by two, because the length field of the option header does not count the size of the option header itself. If the length is zero, then 'count' is incremented by zero, and there's an infinite loop. Beyond that, this code was written with the assumption that since the IPv6 packet already went through the generic IPv6 option parser, several fields are guaranteed to be valid; but this assumption does not hold because of the missing '+2', and there's as a result a triggerable buffer overflow (write zeros after the end of the mbuf, potentially to the next mbuf in memory since it's a pool). Add the missing '+2', this place will be reinforced in separate commits. To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.37.2.1 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37 src/sys/netipsec/xform_ah.c:1.37.2.1 --- src/sys/netipsec/xform_ah.c:1.37 Thu Jan 26 21:10:24 2012 +++ src/sys/netipsec/xform_ah.c Mon Jan 29 19:25:51 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* 
@@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -527,12 +527,12 @@ ah_massage_headers(struct mbuf **m0, int return EINVAL; } - ad = ptr[count + 1]; + ad = ptr[count + 1] + 2; /* If mutable option, zeroize. */ if (ptr[count] & IP6OPT_MUTABLE) memcpy(ptr + count, ipseczeroes, - ptr[count + 1]); + ad); count += ad;
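Review bot: the ah_massage_headers hunk fixes the loop by adding the two option-header bytes to `ad`, but it also changes the memcpy() length from ptr[count + 1] to `ad`: the old code zeroed from ptr + count (the Type byte) for the data length, i.e. Type, Length and all but the last two data bytes, whereas the new code zeroes the whole option including Type and Length. That is a change in what the ICV covers for mutable options; it should be stated in the log message and checked against RFC 4302's rules for mutable IPv6 options and against other implementations, because a mismatch breaks interoperability silently rather than crashing. Separately, `ad` can now be up to 257, so ipseczeroes must be at least that large; memset(ptr + count, 0, ad) would remove that dependency.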
CVS commit: [netbsd-6] src/sys/fs/msdosfs
Module Name:src Committed By: martin Date: Tue Oct 17 15:43:09 UTC 2017 Modified Files: src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c Log Message: Apply patch from mlelstv to fix the build after pullup #1506 To generate a diff of this commit: cvs rdiff -u -r1.93.6.4 -r1.93.6.5 src/sys/fs/msdosfs/msdosfs_vfsops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/fs/msdosfs/msdosfs_vfsops.c diff -u src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4 src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.5 --- src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4 Fri Oct 13 08:05:30 2017 +++ src/sys/fs/msdosfs/msdosfs_vfsops.c Tue Oct 17 15:43:09 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $ */ +/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.5 2017/10/17 15:43:09 martin Exp $ */ /*- * Copyright (C) 1994, 1995, 1997 Wolfgang Solfrank. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.5 2017/10/17 15:43:09 martin Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -712,8 +712,8 @@ msdosfs_mountfs(struct vnode *devvp, str /* validate cluster count against FAT */ if ((pmp->pm_maxcluster & pmp->pm_fatmask) != pmp->pm_maxcluster) { - DPRINTF("maxcluster %lu outside of mask %#lx\n", - pmp->pm_maxcluster, pmp->pm_fatmask); + DPRINTF(("maxcluster %lu outside of mask %#lx\n", + pmp->pm_maxcluster, pmp->pm_fatmask)); error = EINVAL; goto error_exit; } @@ -723,8 +723,8 @@ msdosfs_mountfs(struct vnode *devvp, str fatblocksecs = howmany(fatbytes, pmp->pm_BytesPerSec); if (pmp->pm_FATsecs != fatblocksecs) { - DPRINTF("FATsecs %lu != real %lu\n", pmp->pm_FATsecs, - fatblocksecs); + DPRINTF(("FATsecs %lu != real %lu\n", pmp->pm_FATsecs, + fatblocksecs)); error = EINVAL; goto error_exit; }
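Review bot: the two hunks only add the second pair of parentheses that this branch's DPRINTF() macro needs (it takes one parenthesised printf-style argument list), so the ticket #1506 pullup did not compile on netbsd-6 as committed; a build of the branch before committing pullups that touch debug macros would have caught it, and since the checks themselves are unchanged there is nothing else to review here.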
CVS commit: [netbsd-6] src/sys/fs/msdosfs
Module Name:src Committed By: snj Date: Fri Oct 13 08:05:30 UTC 2017 Modified Files: src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1506): sys/fs/msdosfs/msdosfs_vfsops.c: revision 1.128 Add more sanity checks for BPB parameters. Handle FAT12 format for media with sectors >= 32kByte. Does fix PR 52485. To generate a diff of this commit: cvs rdiff -u -r1.93.6.3 -r1.93.6.4 src/sys/fs/msdosfs/msdosfs_vfsops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/fs/msdosfs/msdosfs_vfsops.c diff -u src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.3 src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4 --- src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.3 Sun Nov 9 06:37:00 2014 +++ src/sys/fs/msdosfs/msdosfs_vfsops.c Fri Oct 13 08:05:30 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.3 2014/11/09 06:37:00 msaitoh Exp $ */ +/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $ */ /*- * Copyright (C) 1994, 1995, 1997 Wolfgang Solfrank. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.3 2014/11/09 06:37:00 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -479,6 +479,7 @@ msdosfs_mountfs(struct vnode *devvp, str int ronly, error, BlkPerSec; uint64_t psize; unsigned secsize; + u_long fatbytes, fatblocksecs; /* Flush out any old buffers remaining from a previous use. */ if ((error = vinvalbuf(devvp, V_SAVE, l->l_cred, l, 0, 0)) != 0) 
@@ -708,12 +709,40 @@ msdosfs_mountfs(struct vnode *devvp, str pmp->pm_fatdiv = 1; } } - if (FAT12(pmp)) - pmp->pm_fatblocksize = 3 * pmp->pm_BytesPerSec; - else + + /* validate cluster count against FAT */ + if ((pmp->pm_maxcluster & pmp->pm_fatmask) != pmp->pm_maxcluster) { + DPRINTF("maxcluster %lu outside of mask %#lx\n", + pmp->pm_maxcluster, pmp->pm_fatmask); + error = EINVAL; + goto error_exit; + } + + /* validate FAT size */ + fatbytes = (pmp->pm_maxcluster+1) * pmp->pm_fatmult / pmp->pm_fatdiv; + fatblocksecs = howmany(fatbytes, pmp->pm_BytesPerSec); + + if (pmp->pm_FATsecs != fatblocksecs) { + DPRINTF("FATsecs %lu != real %lu\n", pmp->pm_FATsecs, + fatblocksecs); + error = EINVAL; + goto error_exit; + } + + if (FAT12(pmp)) { + /* + * limit block size to what is needed to read a FAT block + * to not exceed MAXBSIZE + */ + pmp->pm_fatblocksec = min(3, fatblocksecs); + pmp->pm_fatblocksize = pmp->pm_fatblocksec + * pmp->pm_BytesPerSec; + } else { pmp->pm_fatblocksize = MAXBSIZE; + pmp->pm_fatblocksec = pmp->pm_fatblocksize + / pmp->pm_BytesPerSec; + } - pmp->pm_fatblocksec = pmp->pm_fatblocksize / pmp->pm_BytesPerSec; pmp->pm_bnshift = ffs(pmp->pm_BytesPerSec) - 1; /*
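Review bot: the FAT-size test is an exact-match check, `pmp->pm_FATsecs != fatblocksecs`, but the only unsafe case is a FAT that is smaller than `pm_maxcluster + 1` entries require; a formatter that rounds the FAT up for alignment produces a perfectly usable image that this now refuses to mount. Unless the strictness is intentional, make the error condition `pmp->pm_FATsecs < fatblocksecs` and say why in the comment. In the FAT12 branch, `min(3, fatblocksecs)` keeps `pm_fatblocksize` under MAXBSIZE only because a FAT12 FAT (at most 4096 twelve-bit entries, 6144 bytes) fits in a single sector by the time sectors are large enough for three of them to exceed MAXBSIZE; the comment should state that rather than just "to not exceed MAXBSIZE". Also, the two `DPRINTF("...")` calls here use single parentheses; the follow-up commit above shows the macro needs double parentheses, so this hunk as pulled up does not build with debugging enabled.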
CVS commit: [netbsd-6] src/sys/arch/i386/i386
Module Name:src Committed By: snj Date: Fri Oct 13 08:03:04 UTC 2017 Modified Files: src/sys/arch/i386/i386 [netbsd-6]: vector.S Log Message: Pull up following revision(s) (requested by maxv in ticket #1505): sys/arch/i386/i386/i386_trap.S: revision 1.12 via patch Pfff, use %ss and not %ds. The latter is controlled by userland, the former contains the kernel value (flat); FreeBSD fixed this too a few weeks ago. As I said earlier, this dtrace code is complete bullshit. To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/arch/i386/i386/vector.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/i386/i386/vector.S diff -u src/sys/arch/i386/i386/vector.S:1.59 src/sys/arch/i386/i386/vector.S:1.59.8.1 --- src/sys/arch/i386/i386/vector.S:1.59 Sun Jun 12 03:35:42 2011 +++ src/sys/arch/i386/i386/vector.S Fri Oct 13 08:03:03 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $ */ +/* $NetBSD: vector.S,v 1.59.8.1 2017/10/13 08:03:03 snj Exp $ */ /* * Copyright 2002 (c) Wasabi Systems, Inc. @@ -65,7 +65,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59.8.1 2017/10/13 08:03:03 snj Exp $"); #include "opt_ddb.h" #include "opt_multiprocessor.h" @@ -773,7 +773,7 @@ IDTVEC(trap05) SUPERALIGN_TEXT IDTVEC(trap06) /* Check if there is no DTrace hook registered. */ - cmpl $0,dtrace_invop_jump_addr + cmpl $0,%ss:dtrace_invop_jump_addr je norm_ill /* Check if this is a user fault. */
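Review bot: the `%ss:` override fixes this one load, but it is the only memory reference visible in the hunk; anything else on the trap06 path that touches kernel memory before the kernel `%ds` is loaded (the later jump through `dtrace_invop_jump_addr` once the compare succeeds, for instance) has the same exposure to a user-supplied `%ds` and needs the same override, or the segment register should be loaded first. The log cites `i386_trap.S` revision 1.12 while the netbsd-6 file is `vector.S`; record that file mapping in the ticket so the pullup stays traceable.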
CVS commit: [netbsd-6] src/sys/compat/linux32/arch/amd64
Module Name:src Committed By: snj Date: Sat Sep 9 16:53:36 UTC 2017 Modified Files: src/sys/compat/linux32/arch/amd64 [netbsd-6]: linux32_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1502): sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39 Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.10.1 \ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29.10.1 --- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 Fri Mar 4 22:25:31 2011 +++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 9 16:53:36 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */ +/* $NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $ */ /*- * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved. @@ -31,7 +31,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $"); #include #include @@ -428,8 +428,9 @@ linux32_restore_sigcontext(struct lwp *l /* * Check for security violations. */ - if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 || - !USERMODE(scp->sc_cs, scp->sc_eflags)) + if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0) + return EINVAL; + if (!VALID_USER_CSEL32(scp->sc_cs)) return EINVAL; if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
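Review bot: validating `sc_cs` with `VALID_USER_CSEL32` instead of `USERMODE(cs, eflags)` is the right fix, but the hunk stops at the `sc_fs` line, and `sc_ss`, `sc_ds` and `sc_es` are not shown getting the same treatment; any selector taken from the user-supplied sigcontext and written back into the trapframe can name a kernel or foreign descriptor, so confirm the lines that follow validate them too (`VALID_USER_DSEL32` for the data selectors). Splitting the eflags test from the selector test also makes each failure easier to reason about; keep them as two statements rather than re-merging them later.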
CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64
Module Name:src Committed By: snj Date: Mon Sep 4 16:05:13 UTC 2017 Modified Files: src/sys/arch/sparc64/sparc64 [netbsd-6]: compat_13_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1501): sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24 Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get kernel privileges on the hardware. ok martin To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.23.18.1 \ src/sys/arch/sparc64/sparc64/compat_13_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/sparc64/compat_13_machdep.c diff -u src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23.18.1 --- src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 Sat Nov 21 04:16:52 2009 +++ src/sys/arch/sparc64/sparc64/compat_13_machdep.c Mon Sep 4 16:05:13 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $ */ +/* $NetBSD: compat_13_machdep.c,v 1.23.18.1 2017/09/04 16:05:13 snj Exp $ */ /*- * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23.18.1 2017/09/04 16:05:13 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_ddb.h" @@ -129,7 +129,7 @@ compat_13_sys_sigreturn(struct lwp *l, c return (EINVAL); /* take only psr ICC field */ #ifdef __arch64__ - tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | scp->sc_tstate; + tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | (scp->sc_tstate & TSTATE_CCR); #else tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | PSRCC_TO_TSTATE(scp->sc_psr); #endif
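Review bot: masking with `TSTATE_CCR` makes the `__arch64__` branch finally agree with the comment "take only psr ICC field"; before, the whole user-supplied `sc_tstate`, PSTATE bits included, was OR'd into `tf_tstate`. The 32-bit branch already goes through `PSRCC_TO_TSTATE`, so it was not affected. The same unmasked pattern is worth grepping for in the other sigreturn paths on sparc64 (the native one and any other compat_NN_machdep.c), since they restore the same field from the same kind of user-controlled structure.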
CVS commit: [netbsd-6] src/sys/arch
Module Name:src Committed By: martin Date: Thu Aug 31 15:18:12 UTC 2017 Modified Files: src/sys/arch/evbmips/conf [netbsd-6]: MALTA MALTA32 MALTA64 src/sys/arch/mips/mips [netbsd-6]: bds_emul.S Log Message: Pull up following revision(s) (requested by mrg in ticket #1499): sys/arch/evbmips/conf/MALTA64: revision 1.8 sys/arch/evbmips/conf/MALTA32: revision 1.4 sys/arch/mips/mips/bds_emul.S: revision 1.9 sys/arch/evbmips/conf/MALTA: revision 1.88 Re-enable the NOFPU and (renamed) FPEMUL options. None of the Malta CPU daughter cards currently supported by NetBSD have an FPU. Detected on real hardware. gxemul wrongly supports an FPU on the 4Kc and 5Kc CPUs. Remove the NOFPU option. The main MALTA config file has this now. mips_emul_daddi and mips_emul_daddiu don't exist, but there are bcemul_daddi and bcemul_daddiu here that should be used. However, bcemul_daddi needed to be changed to use dadd not daddui. Fixes FPEMUL and N64 kernels. ok simonb. To generate a diff of this commit: cvs rdiff -u -r1.65.2.1 -r1.65.2.2 src/sys/arch/evbmips/conf/MALTA cvs rdiff -u -r1.3 -r1.3.2.1 src/sys/arch/evbmips/conf/MALTA32 cvs rdiff -u -r1.5.2.1 -r1.5.2.2 src/sys/arch/evbmips/conf/MALTA64 cvs rdiff -u -r1.6 -r1.6.2.1 src/sys/arch/mips/mips/bds_emul.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/evbmips/conf/MALTA diff -u src/sys/arch/evbmips/conf/MALTA:1.65.2.1 src/sys/arch/evbmips/conf/MALTA:1.65.2.2 --- src/sys/arch/evbmips/conf/MALTA:1.65.2.1 Mon Sep 17 18:40:12 2012 +++ src/sys/arch/evbmips/conf/MALTA Thu Aug 31 15:18:12 2017
@@ -1,17 +1,18 @@ -# $NetBSD: MALTA,v 1.65.2.1 2012/09/17 18:40:12 riz Exp $ +# $NetBSD: MALTA,v 1.65.2.2 2017/08/31 15:18:12 martin Exp $ include "arch/evbmips/conf/std.malta" #options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "MALTA-$Revision: 1.65.2.1 $" +#ident "MALTA-$Revision: 1.65.2.2 $" maxusers 32 options MIPS32 options MIPS64 -#options NOFPU # No FPU -#options FPEMUL # emulate FPU insn + +options NOFPU # No FPU +options FPEMUL # emulate FPU insn # Options for necessary to use MD # options MEMORY_DISK_HOOKS Index: src/sys/arch/evbmips/conf/MALTA32 diff -u src/sys/arch/evbmips/conf/MALTA32:1.3 src/sys/arch/evbmips/conf/MALTA32:1.3.2.1 --- src/sys/arch/evbmips/conf/MALTA32:1.3 Thu Feb 9 18:58:44 2012 +++ src/sys/arch/evbmips/conf/MALTA32 Thu Aug 31 15:18:12 2017 @@ -1,11 +1,10 @@ -# $NetBSD: MALTA32,v 1.3 2012/02/09 18:58:44 matt Exp $ +# $NetBSD: MALTA32,v 1.3.2.1 2017/08/31 15:18:12 martin Exp $ # include "arch/evbmips/conf/MALTA" makeoptions LP64="no" no options MIPS32 -options NOFPU # No FPU #options EXEC_ELF64 no ath* Index: src/sys/arch/evbmips/conf/MALTA64 diff -u src/sys/arch/evbmips/conf/MALTA64:1.5.2.1 src/sys/arch/evbmips/conf/MALTA64:1.5.2.2 --- src/sys/arch/evbmips/conf/MALTA64:1.5.2.1 Sat Oct 13 06:15:23 2012 +++ src/sys/arch/evbmips/conf/MALTA64 Thu Aug 31 15:18:12 2017 @@ -1,11 +1,10 @@ -# $NetBSD: MALTA64,v 1.5.2.1 2012/10/13 06:15:23 riz Exp $ +# $NetBSD: MALTA64,v 1.5.2.2 2017/08/31 15:18:12 martin Exp $ # include "arch/evbmips/conf/MALTA" makeoptions LP64="yes" no options MIPS32 -options NOFPU # No FPU options EXEC_ELF64 options COMPAT_NETBSD32 no options SYMTAB_SPACE Index: src/sys/arch/mips/mips/bds_emul.S diff -u src/sys/arch/mips/mips/bds_emul.S:1.6 src/sys/arch/mips/mips/bds_emul.S:1.6.2.1 --- src/sys/arch/mips/mips/bds_emul.S:1.6 Sun Dec 25 11:51:15 2011 +++ src/sys/arch/mips/mips/bds_emul.S Thu Aug 31 15:18:12 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: bds_emul.S,v 1.6 2011/12/25 11:51:15 kiyohara Exp $ */ +/* $NetBSD: bds_emul.S,v 1.6.2.1 2017/08/31 15:18:12 martin Exp $ */ /* * Copyright (c) 1992, 1993 @@ -101,8 +101,8 @@ bcemul_optbl: PTR_WORD bcemul_sigill # 030 LDL (*) PTR_WORD bcemul_sigill # 031 LDR (*) #else - PTR_WORD _C_LABEL(mips_emul_daddi) # 030 DADDI (*) - PTR_WORD _C_LABEL(mips_emul_daddiu) # 031 DADDIU (*) + PTR_WORD bcemul_daddi # 030 DADDI (*) + PTR_WORD bcemul_daddiu # 031 DADDIU (*) PTR_WORD _C_LABEL(mips_emul_ldl) # 032 LDL (*) PTR_WORD _C_LABEL(mips_emul_ldr) # 033 LDR (*) #endif @@ -191,7 +191,7 @@ bcemul_uimmed_prologue: #ifndef __mips_o32 bcemul_daddi: bal bcemul_immed_prologue - daddiu t0, v0, v1 + dadd t0, v0, v1 b bcemul_check_add_overflow #endif
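Review bot: the `daddiu t0, v0, v1` line cannot assemble (`daddiu` takes an immediate, not a third register), which is the N64 build break; but the replacement `dadd` is the trapping add, so on signed 64-bit overflow the emulator takes an integer-overflow exception itself instead of reaching the `b bcemul_check_add_overflow` that follows, which looks intended to detect the overflow and deliver the emulated instruction's exception to the process. If that is the intent, `daddu` plus the existing check is the consistent choice; if the in-kernel trap is handled deliberately, a comment next to the instruction should say so.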
CVS commit: [netbsd-6] src/sys/arch/i386/conf
Module Name:src Committed By: snj Date: Sat Aug 26 16:26:46 UTC 2017 Modified Files: src/sys/arch/i386/conf [netbsd-6]: GENERIC Log Message: Apply patch (requested by maxv in ticket #1466): Disable vm86 by default. The use case is limited, and the potential for damage is too high. To generate a diff of this commit: cvs rdiff -u -r1.1066.2.7 -r1.1066.2.8 src/sys/arch/i386/conf/GENERIC Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/i386/conf/GENERIC diff -u src/sys/arch/i386/conf/GENERIC:1.1066.2.7 src/sys/arch/i386/conf/GENERIC:1.1066.2.8 --- src/sys/arch/i386/conf/GENERIC:1.1066.2.7 Wed Aug 15 15:33:00 2012 +++ src/sys/arch/i386/conf/GENERIC Sat Aug 26 16:26:46 2017 @@ -1,4 +1,4 @@ -# $NetBSD: GENERIC,v 1.1066.2.7 2012/08/15 15:33:00 sborrill Exp $ +# $NetBSD: GENERIC,v 1.1066.2.8 2017/08/26 16:26:46 snj Exp $ # # GENERIC machine description file # @@ -22,12 +22,12 @@ include "arch/i386/conf/std.i386" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.1066.2.7 $" +#ident "GENERIC-$Revision: 1.1066.2.8 $" maxusers 64 # estimated number of users # CPU-related options. -options VM86 # virtual 8086 emulation +#options VM86 # virtual 8086 emulation options USER_LDT # user-settable LDT; used by WINE #options PAE # PAE mode (36 bits physical addressing)
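Review bot: commenting out `options VM86` only changes kernels built from GENERIC; any other i386 kernel config in the tree that sets `options VM86` is untouched by this commit, so if the goal is "disabled by default" across the release, those configs should be checked as well, and the release notes should say that programs issuing the vm86 call will now fail on the stock kernel. Leaving the line as a comment rather than deleting it is the right call, since users who need it can re-enable it with a one-line change.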
CVS commit: [netbsd-6] src/sys/lib/libkern
Module Name:src Committed By: snj Date: Wed Aug 23 19:38:02 UTC 2017 Modified Files: src/sys/lib/libkern [netbsd-6]: Makefile.libkern Log Message: Pull up following revision(s) (requested by mrg in ticket #1481): sys/lib/libkern/Makefile.libkern: revision 1.19 Add strnlen.c to SRCS (which will automatically use the .S version if it exists). To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.17.2.1 src/sys/lib/libkern/Makefile.libkern Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/lib/libkern/Makefile.libkern diff -u src/sys/lib/libkern/Makefile.libkern:1.17 src/sys/lib/libkern/Makefile.libkern:1.17.2.1 --- src/sys/lib/libkern/Makefile.libkern:1.17 Sun Feb 5 14:19:03 2012 +++ src/sys/lib/libkern/Makefile.libkern Wed Aug 23 19:38:02 2017 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.libkern,v 1.17 2012/02/05 14:19:03 dholland Exp $ +# $NetBSD: Makefile.libkern,v 1.17.2.1 2017/08/23 19:38:02 snj Exp $ # # Variable definitions for libkern. @@ -84,7 +84,7 @@ SRCS+= random.c SRCS+= rngtest.c SRCS+= memchr.c -SRCS+= strcat.c strcmp.c strcpy.c strlen.c +SRCS+= strcat.c strcmp.c strcpy.c strlen.c strnlen.c SRCS+= strncmp.c strncpy.c SRCS+= strcasecmp.c strncasecmp.c
CVS commit: [netbsd-6] src/sys/altq
Module Name:src Committed By: snj Date: Sat Aug 19 05:37:06 UTC 2017 Modified Files: src/sys/altq [netbsd-6]: altq_cbq.c altq_hfsc.c altq_jobs.c altq_priq.c altq_wfq.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1488): sys/altq/altq_cbq.c: revision 1.31 sys/altq/altq_hfsc.c: revision 1.27 sys/altq/altq_jobs.c: revision 1.11 sys/altq/altq_priq.c: revision 1.24 sys/altq/altq_wfq.c: revision 1.22 Zero buffers copied to userland to avoid stack disclosure. From Ilja Van Sprundel. -- Reject negative indices. (Would be nice to change the types too, and it's *probably* safe to replace int by u_int, but I'm reluctant to touch the ioctl definitions without at least a modicum more thought. Also one of them is a u_long, because why not?) From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.26.18.1 src/sys/altq/altq_cbq.c cvs rdiff -u -r1.24 -r1.24.36.1 src/sys/altq/altq_hfsc.c cvs rdiff -u -r1.6.14.1 -r1.6.14.2 src/sys/altq/altq_jobs.c cvs rdiff -u -r1.21 -r1.21.18.1 src/sys/altq/altq_priq.c cvs rdiff -u -r1.19 -r1.19.34.1 src/sys/altq/altq_wfq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/altq/altq_cbq.c diff -u src/sys/altq/altq_cbq.c:1.26 src/sys/altq/altq_cbq.c:1.26.18.1 --- src/sys/altq/altq_cbq.c:1.26 Sun Nov 22 18:40:26 2009 +++ src/sys/altq/altq_cbq.c Sat Aug 19 05:37:06 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $ */ +/* $NetBSD: altq_cbq.c,v 1.26.18.1 2017/08/19 05:37:06 snj Exp $ */ /* $KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $ */ /* @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26.18.1 2017/08/19 05:37:06 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_altq.h"
@@ -472,6 +472,7 @@ cbq_getqstats(struct pf_altq *a, void *u if (*nbytes < sizeof(stats)) return (EINVAL); + memset(, 0, sizeof(stats)); get_class_stats(, cl); if ((error = copyout((void *), ubuf, sizeof(stats))) != 0) @@ -876,6 +877,7 @@ cbq_getstats(struct cbq_getstats *gsp) if (++i >= CBQ_MAX_CLASSES) goto out; + memset(, 0, sizeof(stats)); get_class_stats(, cl); stats.handle = cl->stats_.handle; Index: src/sys/altq/altq_hfsc.c diff -u src/sys/altq/altq_hfsc.c:1.24 src/sys/altq/altq_hfsc.c:1.24.36.1 --- src/sys/altq/altq_hfsc.c:1.24 Wed Jun 18 09:06:27 2008 +++ src/sys/altq/altq_hfsc.c Sat Aug 19 05:37:06 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $ */ +/* $NetBSD: altq_hfsc.c,v 1.24.36.1 2017/08/19 05:37:06 snj Exp $ */ /* $KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $ */ /* @@ -43,7 +43,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24.36.1 2017/08/19 05:37:06 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_altq.h" @@ -313,6 +313,7 @@ hfsc_getqstats(struct pf_altq *a, void * if (*nbytes < sizeof(stats)) return (EINVAL); + memset(, 0, sizeof(stats)); get_class_stats(, cl); if ((error = copyout((void *), ubuf, sizeof(stats))) != 0) Index: src/sys/altq/altq_jobs.c diff -u src/sys/altq/altq_jobs.c:1.6.14.1 src/sys/altq/altq_jobs.c:1.6.14.2 --- src/sys/altq/altq_jobs.c:1.6.14.1 Mon Nov 3 15:08:44 2014 +++ src/sys/altq/altq_jobs.c Sat Aug 19 05:37:06 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: altq_jobs.c,v 1.6.14.1 2014/11/03 15:08:44 msaitoh Exp $ */ +/* $NetBSD: altq_jobs.c,v 1.6.14.2 2017/08/19 05:37:06 snj Exp $ */ /* $KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $ */ /* * Copyright (c) 2001, the Rector and Board of Visitors of the 
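Review bot: `memset` is the right way to clear `stats` here; a `= { 0 }` initialiser would leave padding unspecified, and what reaches userland through `copyout` is whatever `get_class_stats` does not write, padding included. In `cbq_getstats` the memset sits after the `++i >= CBQ_MAX_CLASSES` bail-out, so the `goto out` path copies nothing and is fine. Note that the "reject negative indices" half of the log message is not in any hunk shown on this page (the altq_priq.c and altq_wfq.c diffs are cut off), so that part cannot be reviewed from here.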
@@ -59,7 +59,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.14.1 2014/11/03 15:08:44 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.14.2 2017/08/19 05:37:06 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_altq.h" @@ -2111,10 +2111,9 @@ jobscmd_class_stats(struct jobs_class_st usp = ap->stats; for (pri = 0; pri <= jif->jif_maxpri; pri++) { cl = jif->jif_classes[pri]; + (void)memset(, 0, sizeof(stats)); if (cl != NULL) get_class_stats(, cl); - else - (void)memset(, 0, sizeof(stats)); if ((error = copyout((void *), (void *)usp++, sizeof(stats))) != 0) return (error); Index: src/sys/altq/altq_priq.c diff -u src/sys/altq/altq_priq.c:1.21 src/sys/altq/altq_priq.c:1.21.18.1 --- src/sys/altq/altq_priq.c:1.21 Sat Mar 14 15:35:58 2009 +++ src/sys/altq/altq_priq.c Sat Aug 19 05:37:06 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: altq_priq.c,v 1.21 2009/03/14 15:35:58 dsl Exp $ */ +/* $NetBSD: altq_priq.c,v 1.21.18.1 2017/08/19 05:37:06 snj Exp $ */ /* $KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $ */ /* * Copyright (C) 2000-2003 @@
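Review bot: moving the `memset` ahead of the `if (cl != NULL)` so it runs for every class, not only the empty slots, is the actual fix in `jobscmd_class_stats`: previously a non-NULL class was copied out with whatever `get_class_stats` left untouched. The altq_priq.c diff is truncated at its first `@@`, so the priq change is not reviewable on this page.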
CVS commit: [netbsd-6] src/sys/compat/linux/common
Module Name:src Committed By: snj Date: Sat Aug 19 05:04:00 UTC 2017 Modified Files: src/sys/compat/linux/common [netbsd-6]: linux_time.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1489): sys/compat/linux/common/linux_time.c: 1.38-1.39 via patch Only let the superuser set the compat_linux timezone. Not really keen to invent a new kauth cookie for this useless purpose. From Ilja Van Sprundel. -- Put suser check in the right function: settimeofday, not gettimeofday. While here, remove wrong comment. Noted by kre@. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.6.1 src/sys/compat/linux/common/linux_time.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_time.c diff -u src/sys/compat/linux/common/linux_time.c:1.35 src/sys/compat/linux/common/linux_time.c:1.35.6.1 --- src/sys/compat/linux/common/linux_time.c:1.35 Fri Nov 18 04:07:44 2011 +++ src/sys/compat/linux/common/linux_time.c Sat Aug 19 05:03:59 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $ */ +/* $NetBSD: linux_time.c,v 1.35.6.1 2017/08/19 05:03:59 snj Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35.6.1 2017/08/19 05:03:59 snj Exp $"); #include #include @@ -109,11 +109,10 @@ linux_sys_settimeofday(struct lwp *l, co return (error); } - /* - * If user is not the superuser, we returned - * after the sys_settimeofday() call. - */ if (SCARG(uap, tzp)) { + if (kauth_authorize_generic(kauth_cred_get(), + KAUTH_GENERIC_ISSUSER, NULL) != 0) + return (EPERM); error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz)); if (error) return (error);
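Review bot: the superuser check belongs exactly where it now is, in `linux_sys_settimeofday` and only on the `tzp` branch, because `linux_sys_tz` is a single kernel-global that every compat_linux process reads back, so an unprivileged caller could previously change the timezone seen by all of them. One thing worth a comment in the code: when both `tvp` and `tzp` are supplied, the native settimeofday call above has already run (under its own privilege check) before this EPERM is returned, so a partial update is possible; harmless here, but a one-line note keeps someone from "fixing" the ordering later. Returning plain EPERM from a generic ISSUSER check rather than a dedicated kauth action is, per the log, deliberate.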
CVS commit: [netbsd-6] src/sys/netsmb
Module Name:src Committed By: snj Date: Sat Aug 19 04:44:56 UTC 2017 Modified Files: src/sys/netsmb [netbsd-6]: smb_dev.c smb_subr.c smb_subr.h smb_usr.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1487): sys/netsmb/smb_dev.c: 1.50 sys/netsmb/smb_subr.c: 1.38 sys/netsmb/smb_subr.h: 1.22 sys/netsmb/smb_usr.c: 1.17-1.19 Reject allocations for too-small buffers from userland. From Ilja Van Sprundel. -- Plug another overflow: refuse bogus sa_len from user. -- Reject negative ioc_setupcnt. -- Reject negative offset/count for smb read/write. Not clear that this is actually a problem for the kernel -- might overwrite user's buffers or return garbage to user, but that's their own damn fault. But it's hard to imagine that negative offset/count ever makes sense, and I haven't ruled out a problem for the kernel. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.14.1 src/sys/netsmb/smb_dev.c cvs rdiff -u -r1.36 -r1.36.8.1 src/sys/netsmb/smb_subr.c cvs rdiff -u -r1.20 -r1.20.14.1 src/sys/netsmb/smb_subr.h cvs rdiff -u -r1.16 -r1.16.18.1 src/sys/netsmb/smb_usr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netsmb/smb_dev.c diff -u src/sys/netsmb/smb_dev.c:1.39 src/sys/netsmb/smb_dev.c:1.39.14.1 --- src/sys/netsmb/smb_dev.c:1.39 Fri Dec 17 14:27:34 2010 +++ src/sys/netsmb/smb_dev.c Sat Aug 19 04:44:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $ */ +/* $NetBSD: smb_dev.c,v 1.39.14.1 2017/08/19 04:44:55 snj Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $"); +__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39.14.1 2017/08/19 04:44:55 snj Exp $"); #include #include
@@ -334,6 +334,8 @@ nsmb_dev_ioctl(dev_t dev, u_long cmd, vo struct uio auio; struct iovec iov; + if (rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0) + return EINVAL; if ((ssp = sdp->sd_share) == NULL) return ENOTCONN; iov.iov_base = rwrq->ioc_base; Index: src/sys/netsmb/smb_subr.c diff -u src/sys/netsmb/smb_subr.c:1.36 src/sys/netsmb/smb_subr.c:1.36.8.1 --- src/sys/netsmb/smb_subr.c:1.36 Sun Sep 25 13:42:30 2011 +++ src/sys/netsmb/smb_subr.c Sat Aug 19 04:44:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $ */ +/* $NetBSD: smb_subr.c,v 1.36.8.1 2017/08/19 04:44:55 snj Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $"); +__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36.8.1 2017/08/19 04:44:55 snj Exp $"); #include #include @@ -371,3 +371,32 @@ dup_sockaddr(struct sockaddr *sa, int ca memcpy(sa2, sa, sa->sa_len); return sa2; } + +int +dup_sockaddr_copyin(struct sockaddr **ksap, struct sockaddr *usa, +size_t usalen) +{ + struct sockaddr *ksa; + + /* Make sure user provided enough data for a generic sockaddr. */ + if (usalen < sizeof(*ksa)) + return EINVAL; + + /* Don't let the user overfeed us. */ + usalen = MIN(usalen, sizeof(struct sockaddr_storage)); + + /* Copy the buffer in from userland. */ + ksa = smb_memdupin(usa, usalen); + if (ksa == NULL) + return ENOMEM; + + /* Make sure the user's idea of sa_len is reasonable. */ + if (ksa->sa_len > usalen) { + smb_memfree(ksa); + return EINVAL; + } + + /* Success! */ + *ksap = ksa; + return 0; +} Index: src/sys/netsmb/smb_subr.h diff -u src/sys/netsmb/smb_subr.h:1.20 src/sys/netsmb/smb_subr.h:1.20.14.1 --- src/sys/netsmb/smb_subr.h:1.20 Fri Dec 17 13:05:29 2010 +++ src/sys/netsmb/smb_subr.h Sat Aug 19 04:44:55 2017 
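Review bot: rejecting `ioc_cnt < 0 || ioc_offset < 0` before the share lookup in `nsmb_dev_ioctl` is fine, but the hunk then builds an iovec from `rwrq->ioc_base`, so a large positive count is still a user-chosen size; if anything below allocates or loops on it, cap it at a sensible maximum as well rather than only excluding negatives.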
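Review bot: in `dup_sockaddr_copyin` the pair of checks is what matters: clamp `usalen` to `sizeof(struct sockaddr_storage)` before `smb_memdupin`, then reject `ksa->sa_len > usalen`, so any later consumer that trusts `sa_len` (including `dup_sockaddr` just above, which `memcpy`s `sa->sa_len` bytes) is bounded by what was actually copied in. Two nits: a NULL from `smb_memdupin` is reported as ENOMEM even if that function also returns NULL on a copyin fault, so a bad user pointer may be misreported; and a `sa_len` smaller than `sizeof(*ksa)` is still accepted, which is probably fine for the callers but should be stated in the comment rather than left implicit.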
@@ -1,4 +1,4 @@ -/* $NetBSD: smb_subr.h,v 1.20 2010/12/17 13:05:29 pooka Exp $ */ +/* $NetBSD: smb_subr.h,v 1.20.14.1 2017/08/19 04:44:55 snj Exp $ */ /* * Copyright (c) 2000-2001, Boris Popov @@ -127,5 +127,6 @@ int smb_put_asunistring(struct smb_rq * #endif struct sockaddr *dup_sockaddr(struct sockaddr *, int); +int dup_sockaddr_copyin(struct sockaddr **, struct sockaddr *, size_t); #endif /* !_NETSMB_SMB_SUBR_H_ */ Index: src/sys/netsmb/smb_usr.c diff -u src/sys/netsmb/smb_usr.c:1.16 src/sys/netsmb/smb_usr.c:1.16.18.1 --- src/sys/netsmb/smb_usr.c:1.16 Wed Mar 18 16:00:24 2009 +++ src/sys/netsmb/smb_usr.c Sat Aug 19 04:44:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $ */ +/* $NetBSD: smb_usr.c,v 1.16.18.1 2017/08/19 04:44:55 snj Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $"); +__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16.18.1 2017/08/19 04:44:55 snj Exp $"); #include #include @@ -65,6 +65,7 @@ static int smb_usr_vc2spec(struct smbioc_ossn *dp, struct smb_vcspec *spec) { int
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: snj Date: Sat Aug 19 04:29:14 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6]: ciss.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1486): sys/dev/ic/ciss.c: revision 1.37 Reject negative indices from userland. To generate a diff of this commit: cvs rdiff -u -r1.27.8.1 -r1.27.8.2 src/sys/dev/ic/ciss.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/ciss.c diff -u src/sys/dev/ic/ciss.c:1.27.8.1 src/sys/dev/ic/ciss.c:1.27.8.2 --- src/sys/dev/ic/ciss.c:1.27.8.1 Thu Nov 22 17:24:52 2012 +++ src/sys/dev/ic/ciss.c Sat Aug 19 04:29:14 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $ */ +/* $NetBSD: ciss.c,v 1.27.8.2 2017/08/19 04:29:14 snj Exp $ */ /* $OpenBSD: ciss.c,v 1.14 2006/03/13 16:02:23 mickey Exp $ */ /* @@ -19,7 +19,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.2 2017/08/19 04:29:14 snj Exp $"); #include "bio.h" @@ -1198,12 +1198,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi /* FALLTHROUGH */ case BIOCDISK: bd = (struct bioc_disk *)addr; - if (bd->bd_volid > sc->maxunits) { + if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) { error = EINVAL; break; } ldp = sc->sc_lds[0]; - if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) { + if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) { error = EINVAL; break; } @@ -1304,7 +1304,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st int error = 0; u_int blks; - if (bv->bv_volid > sc->maxunits) { + if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) { return EINVAL; } ldp = sc->sc_lds[bv->bv_volid];
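Review bot: the added `< 0` tests close the negative-index hole, but the upper bounds stay `> sc->maxunits` and `> ldp->ndrives` while the values are then used directly as array indices (`ldp = sc->sc_lds[bv->bv_volid]`). If `maxunits` and `ndrives` are counts rather than the highest valid index, an index equal to them reads one element past the end; confirm which they are and use `>=` if they are counts. More generally, `bd_volid`, `bd_diskid` and `bv_volid` being signed is the root of this bug class; if the ioctl ABI cannot change, a local `unsigned` copy compared once against the bound replaces both tests.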
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: snj Date: Sat Aug 19 04:27:39 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6]: isp_netbsd.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1485): sys/dev/ic/isp_netbsd.c: revision 1.89 Reject out-of-bounds channel index. From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.85.2.1 -r1.85.2.2 src/sys/dev/ic/isp_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/isp_netbsd.c diff -u src/sys/dev/ic/isp_netbsd.c:1.85.2.1 src/sys/dev/ic/isp_netbsd.c:1.85.2.2 --- src/sys/dev/ic/isp_netbsd.c:1.85.2.1 Mon Sep 3 18:38:34 2012 +++ src/sys/dev/ic/isp_netbsd.c Sat Aug 19 04:27:38 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $ */ +/* $NetBSD: isp_netbsd.c,v 1.85.2.2 2017/08/19 04:27:38 snj Exp $ */ /* * Platform (NetBSD) dependent common attachment code for Qlogic adapters. */ @@ -33,7 +33,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.2 2017/08/19 04:27:38 snj Exp $"); #include #include @@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_ } lim = local.count; channel = local.channel; + if (channel >= isp->isp_nchan) { + retval = EINVAL; + break; + } ua = *(isp_dlist_t **)addr; uptr = >wwns[0];
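Review bot: `channel >= isp->isp_nchan` rejects large values, but if `local.channel` (and hence `channel`) is a signed type a negative channel passes this test and indexes below the array; either confirm both operands are unsigned or add `channel < 0` to the condition, as the ciss fix in ticket #1486 on this page does. The check also comes after `lim = local.count` is taken from the same user-supplied structure; make sure `lim` is bounded somewhere too, since it appears to size the walk over `wwns` that follows.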
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:24:24 UTC 2017 Modified Files: src/sys/kern [netbsd-6]: kern_ktrace.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1484): sys/kern/kern_ktrace.c: revision 1.171 via patch Clamp the length we use, not the length we don't. Avoids uninitialized memory disclosure to userland. From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.160.2.1 -r1.160.2.2 src/sys/kern/kern_ktrace.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_ktrace.c diff -u src/sys/kern/kern_ktrace.c:1.160.2.1 src/sys/kern/kern_ktrace.c:1.160.2.2 --- src/sys/kern/kern_ktrace.c:1.160.2.1 Sun Dec 7 15:09:31 2014 +++ src/sys/kern/kern_ktrace.c Sat Aug 19 04:24:23 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_ktrace.c,v 1.160.2.1 2014/12/07 15:09:31 martin Exp $ */ +/* $NetBSD: kern_ktrace.c,v 1.160.2.2 2017/08/19 04:24:23 snj Exp $ */ /*- * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.2.1 2014/12/07 15:09:31 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.2.2 2017/08/19 04:24:23 snj Exp $"); #include #include @@ -952,7 +952,7 @@ ktruser(const char *id, void *addr, size user_dta = (void *)(ktp + 1); if ((error = copyin(addr, (void *)user_dta, len)) != 0) - len = 0; + kte->kte_kth.ktr_len = 0; ktraddentry(l, kte, KTA_WAITOK); return error;
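Review bot: assigning `kte->kte_kth.ktr_len = 0` on copyin failure, rather than the local `len` that nothing downstream read, is the whole fix: the record header no longer advertises `len` bytes of never-written buffer after `user_dta` to whoever reads the trace. The entry is still queued via `ktraddentry` as a zero-length record while `error` is returned, which matches the old intent; if a failed copyin should leave no record at all, free the entry here instead, but that is a behaviour change beyond the scope of this pullup.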
CVS commit: [netbsd-6] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 19 04:20:02 UTC 2017 Modified Files: src/sys/compat/common [netbsd-6]: vfs_syscalls_12.c vfs_syscalls_43.c src/sys/compat/ibcs2 [netbsd-6]: ibcs2_misc.c src/sys/compat/linux/common [netbsd-6]: linux_file64.c linux_misc.c src/sys/compat/linux32/common [netbsd-6]: linux32_dirent.c src/sys/compat/osf1 [netbsd-6]: osf1_file.c src/sys/compat/sunos [netbsd-6]: sunos_misc.c src/sys/compat/sunos32 [netbsd-6]: sunos32_misc.c src/sys/compat/svr4 [netbsd-6]: svr4_misc.c src/sys/compat/svr4_32 [netbsd-6]: svr4_32_misc.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1483): sys/compat/common/vfs_syscalls_12.c: revision 1.34 sys/compat/svr4_32/svr4_32_misc.c: revision 1.78 sys/compat/sunos32/sunos32_misc.c: revision 1.78 sys/compat/linux/common/linux_misc.c: revision 1.239 sys/compat/osf1/osf1_file.c: revision 1.44 sys/compat/common/vfs_syscalls_43.c: revision 1.60 sys/compat/svr4/svr4_misc.c: revision 1.158 sys/compat/ibcs2/ibcs2_misc.c: revision 1.114 sys/compat/linux/common/linux_file64.c: revision 1.59 sys/compat/linux32/common/linux32_dirent.c: revision 1.18 sys/compat/sunos/sunos_misc.c: revision 1.171 Fail, don't panic, on bad dirents from file system. Controllable via puffs from userland. >From Ilja Van Sprundel. 
To generate a diff of this commit: cvs rdiff -u -r1.29.12.1 -r1.29.12.2 src/sys/compat/common/vfs_syscalls_12.c cvs rdiff -u -r1.54.14.3 -r1.54.14.4 src/sys/compat/common/vfs_syscalls_43.c cvs rdiff -u -r1.111 -r1.111.14.1 src/sys/compat/ibcs2/ibcs2_misc.c cvs rdiff -u -r1.53 -r1.53.8.1 src/sys/compat/linux/common/linux_file64.c cvs rdiff -u -r1.219.8.1 -r1.219.8.2 src/sys/compat/linux/common/linux_misc.c cvs rdiff -u -r1.13 -r1.13.8.1 src/sys/compat/linux32/common/linux32_dirent.c cvs rdiff -u -r1.41.8.1 -r1.41.8.2 src/sys/compat/osf1/osf1_file.c cvs rdiff -u -r1.168 -r1.168.14.1 src/sys/compat/sunos/sunos_misc.c cvs rdiff -u -r1.74 -r1.74.2.1 src/sys/compat/sunos32/sunos32_misc.c cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/compat/svr4/svr4_misc.c cvs rdiff -u -r1.74 -r1.74.8.1 src/sys/compat/svr4_32/svr4_32_misc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/vfs_syscalls_12.c diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29.12.1 src/sys/compat/common/vfs_syscalls_12.c:1.29.12.2 --- src/sys/compat/common/vfs_syscalls_12.c:1.29.12.1 Sat Aug 12 16:23:28 2017 +++ src/sys/compat/common/vfs_syscalls_12.c Sat Aug 19 04:20:01 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $ */ +/* $NetBSD: vfs_syscalls_12.c,v 1.29.12.2 2017/08/19 04:20:01 snj Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.12.2 2017/08/19 04:20:01 snj Exp $"); #include #include 
@@ -171,8 +171,10 @@ again: for (cookie = cookiebuf; len > 0; len -= reclen) { bdp = (struct dirent *)inp; reclen = bdp->d_reclen; - if (reclen & 3) - panic(__func__); + if (reclen & 3) { + error = EIO; + goto out; + } if (bdp->d_fileno == 0) { inp += reclen; /* it is a hole; squish it out */ if (cookie) Index: src/sys/compat/common/vfs_syscalls_43.c diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.14.3 src/sys/compat/common/vfs_syscalls_43.c:1.54.14.4 --- src/sys/compat/common/vfs_syscalls_43.c:1.54.14.3 Sat Aug 12 16:23:28 2017 +++ src/sys/compat/common/vfs_syscalls_43.c Sat Aug 19 04:20:01 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_43.c,v 1.54.14.3 2017/08/12 16:23:28 snj Exp $ */ +/* $NetBSD: vfs_syscalls_43.c,v 1.54.14.4 2017/08/19 04:20:01 snj Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.3 2017/08/12 16:23:28 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.4 2017/08/19 04:20:01 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -450,8 +450,10 @@ again: for (cookie = cookiebuf; len > 0; len -= reclen) { bdp = (struct dirent *)inp; reclen = bdp->d_reclen; - if (reclen & 3) - panic(__func__); + if (reclen & 3) { + error = EIO; + goto out; + } if (bdp->d_fileno == 0) { inp += reclen; /* it is a hole; squish it out */ if (cookie) Index: src/sys/compat/ibcs2/ibcs2_misc.c diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.111 src/sys/compat/ibcs2/ibcs2_misc.c:1.111.14.1 --- src/sys/compat/ibcs2/ibcs2_misc.c:1.111 Thu Jun 24 13:03:06 2010 +++ src/sys/compat/ibcs2/ibcs2_misc.c Sat Aug 19 04:20:01 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_misc.c,v 1.111 2010/06/24 13:03:06 hannken Exp $ */ +/*
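Review bot: in both the `vfs_syscalls_12.c` and `vfs_syscalls_43.c` hunks, `if (reclen & 3)` catches misalignment only: a `d_reclen` of 0 passes and leaves `len -= reclen` making no progress in `for (cookie = cookiebuf; len > 0; len -= reclen)`, and a `reclen > len` passes and walks past the buffer. Suggest `if (reclen == 0 || (reclen & 3) || reclen > len) { error = EIO; goto out; }`; the same pattern should go into the other compat copies named in this pullup (ibcs2, linux, linux32, osf1, sunos, sunos32, svr4, svr4_32), whose hunks are cut off here after the `ibcs2_misc.c` header.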
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: snj Date: Sat Aug 19 04:17:11 UTC 2017 Modified Files: src/sys/kern [netbsd-6]: vfs_getcwd.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1482): sys/kern/vfs_getcwd.c: revision 1.52 Don't walk off the end of the dirent buffer. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.14.1 src/sys/kern/vfs_getcwd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/vfs_getcwd.c diff -u src/sys/kern/vfs_getcwd.c:1.47 src/sys/kern/vfs_getcwd.c:1.47.14.1 --- src/sys/kern/vfs_getcwd.c:1.47 Tue Nov 30 10:30:02 2010 +++ src/sys/kern/vfs_getcwd.c Sat Aug 19 04:17:11 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $ */ +/* $NetBSD: vfs_getcwd.c,v 1.47.14.1 2017/08/19 04:17:11 snj Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47.14.1 2017/08/19 04:17:11 snj Exp $"); #include #include @@ -207,7 +207,8 @@ unionread: reclen = dp->d_reclen; /* check for malformed directory.. */ -if (reclen < _DIRENT_MINSIZE(dp)) { +if (reclen < _DIRENT_MINSIZE(dp) || +reclen > len) { error = EINVAL; goto out; }
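Review bot: the added `reclen > len` test is the right fix for running past the dirent buffer, but `reclen = dp->d_reclen;` is read before the check runs; if the loop can reach a point where fewer bytes than the fixed dirent header remain, that read is itself an overread of the buffer. Consider checking `len` against the fixed header size before dereferencing `dp`, i.e. before `reclen = dp->d_reclen;`, so the `if (reclen < _DIRENT_MINSIZE(dp) || reclen > len)` test only ever sees a complete header.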
CVS commit: [netbsd-6] src/sys/compat/ibcs2
Module Name:src Committed By: snj Date: Sat Aug 19 04:13:52 UTC 2017 Modified Files: src/sys/compat/ibcs2 [netbsd-6]: ibcs2_exec_coff.c ibcs2_ioctl.c ibcs2_stat.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1481): sys/compat/ibcs2/ibcs2_exec_coff.c: 1.27-1.29 sys/compat/ibcs2/ibcs2_ioctl.c: 1.46 sys/compat/ibcs2/ibcs2_stat.c: 1.49-1.50 Check for NUL termination within the buffer we have. >From Ilja Van Sprundel. -- Make sure we have enough space in the buffer before reading it. >From Ilja Van Sprundel. -- Make sure we move forward over the buffer. >From Ilja Van Sprundel. -- Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland. >From Ilja Van Sprundel. -- Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs. Nothing else guarantees the mount will stick around. >From Ilja Van Sprundel. -- Little happy on the commit trigger. Actually use the out label. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.25.14.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c cvs rdiff -u -r1.45 -r1.45.36.1 src/sys/compat/ibcs2/ibcs2_ioctl.c cvs rdiff -u -r1.47 -r1.47.18.1 src/sys/compat/ibcs2/ibcs2_stat.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25.14.1 --- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 Thu Jul 22 03:19:02 2010 +++ src/sys/compat/ibcs2/ibcs2_exec_coff.c Sat Aug 19 04:13:51 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $ */ +/* $NetBSD: ibcs2_exec_coff.c,v 1.25.14.1 2017/08/19 04:13:51 snj Exp $ */ /* * Copyright (c) 1994, 1995, 1998 Scott Bartram 
@@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25.14.1 2017/08/19 04:13:51 snj Exp $"); #include #include @@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp * } bufp = tbuf; while (len) { + if (len < sizeof(struct coff_slhdr)) { +free(tbuf, M_TEMP); +return ENOEXEC; + } slhdr = (struct coff_slhdr *)bufp; if (slhdr->path_index > LONG_MAX / sizeof(long) || @@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp * path_index = slhdr->path_index * sizeof(long); entry_len = slhdr->entry_len * sizeof(long); - if (entry_len > len) { + if (entry_len < sizeof(struct coff_slhdr) || + entry_len > len || + strnlen(slhdr->sl_name, entry_len) == entry_len) { free(tbuf, M_TEMP); return ENOEXEC; } Index: src/sys/compat/ibcs2/ibcs2_ioctl.c diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.36.1 --- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 Tue Jun 24 10:03:17 2008 +++ src/sys/compat/ibcs2/ibcs2_ioctl.c Sat Aug 19 04:13:51 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $ */ +/* $NetBSD: ibcs2_ioctl.c,v 1.45.36.1 2017/08/19 04:13:51 snj Exp $ */ /* * Copyright (c) 1994, 1995 Scott Bartram @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.36.1 2017/08/19 04:13:51 snj Exp $"); #include #include @@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str if ((error = (*ctl)(fp, TIOCGETA, )) != 0) goto out; + memset(, 0, sizeof(sts)); btios2stios(, ); if (SCARG(uap, cmd) == IBCS2_TCGETA) { + memset(, 0, sizeof(st)); stios2stio(, ); error = copyout(, SCARG(uap, data), sizeof(st)); if (error) 
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru fd_putfile(SCARG(uap, fd)); + memset(, 0, sizeof(itb)); itb.sg_ispeed = tb.sg_ispeed; itb.sg_ospeed = tb.sg_ospeed; itb.sg_erase = tb.sg_erase; Index: src/sys/compat/ibcs2/ibcs2_stat.c diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.18.1 --- src/sys/compat/ibcs2/ibcs2_stat.c:1.47 Mon Jun 29 05:08:16 2009 +++ src/sys/compat/ibcs2/ibcs2_stat.c Sat Aug 19 04:13:51 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $ */ +/* $NetBSD: ibcs2_stat.c,v 1.47.18.1 2017/08/19 04:13:51 snj Exp $ */ /* * Copyright (c) 1995, 1998 Scott Bartram * All rights reserved. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.18.1 2017/08/19 04:13:51 snj Exp $"); #include #include @@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st return (error); mp = vp->v_mount; sp = >mnt_stat; - vrele(vp); if ((error = VFS_STATVFS(mp, sp)) != 0) - return (error); + goto out; sp->f_flag =
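Review bot: in the second `ibcs2_exec_coff.c` hunk, `strnlen(slhdr->sl_name, entry_len)` scans `entry_len` bytes starting at `sl_name`, but `sl_name` sits `offsetof(struct coff_slhdr, sl_name)` bytes into the entry, so the scan can run that many bytes past the entry and, for the last entry, past the `len` bytes that `entry_len > len` was meant to bound. Use `entry_len - offsetof(struct coff_slhdr, sl_name)` as the limit and compare the result against that same value; the new `entry_len < sizeof(struct coff_slhdr)` test guarantees the subtraction cannot underflow.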
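Review bot: the `memset(, 0, sizeof(sts))` and `memset(, 0, sizeof(st))` lines in `ibcs2_sys_ioctl`, and the `memset(, 0, sizeof(itb))` in `ibcs2_sys_gtty`, deserve a one-line comment saying they exist to zero padding and the fields that `btios2stios` / `stios2stio` and the `itb.sg_*` assignments leave untouched before the structures are copied out; without it the zeroing reads as redundant next to code that assigns every named field and is likely to be removed by a later cleanup.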
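Review bot: the `ibcs2_sys_statfs` hunk drops the early `vrele(vp);` and turns `return (error);` into `goto out;`, but the diff is cut before the `out:` label. The follow-up message in this pullup ("Actually use the out label") says the first revision did not wire it up, so confirm that `out:` is reached on the success path as well as the error path and performs the `vrele(vp)` exactly once, and that the statvfs counterpart the log message mentions gets the identical treatment.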
CVS commit: [netbsd-6] src/sys/compat/svr4_32
Module Name:src Committed By: snj Date: Sat Aug 19 04:02:49 UTC 2017 Modified Files: src/sys/compat/svr4_32 [netbsd-6]: svr4_32_signal.c Log Message: Pull up following revision(s) (requested by martin in ticket #1481): sys/compat/svr4_32/svr4_32_signal.c: 1.30 make it compile again. To generate a diff of this commit: cvs rdiff -u -r1.26.40.1 -r1.26.40.2 src/sys/compat/svr4_32/svr4_32_signal.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/svr4_32/svr4_32_signal.c diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.40.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.40.2 --- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.40.1 Sat Aug 19 03:40:50 2017 +++ src/sys/compat/svr4_32/svr4_32_signal.c Sat Aug 19 04:02:49 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_32_signal.c,v 1.26.40.1 2017/08/19 03:40:50 snj Exp $ */ +/* $NetBSD: svr4_32_signal.c,v 1.26.40.2 2017/08/19 04:02:49 snj Exp $ */ /*- * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.40.1 2017/08/19 03:40:50 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.40.2 2017/08/19 04:02:49 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_svr4.h" @@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = (sig_t)SCARG(uap, handler); sigemptyset(_mask); nbsa.sa_flags = 0; - error = sigaction1(l, signum, , , NULL, 0); + error = sigaction1(l, native_signo, , , NULL, 0); if (error) - return (error); + return error; *retval = (u_int)(u_long)obsa.sa_handler; - return (0); + return 0; case SVR4_SIGHOLD_MASK: sighold: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_BLOCK, , 0); mutex_exit(p->p_lock); 
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const case SVR4_SIGRELSE_MASK: sigemptyset(); - sigaddset(, signum); + sigaddset(, native_signo); mutex_enter(p->p_lock); error = sigprocmask1(l, SIG_UNBLOCK, , 0); mutex_exit(p->p_lock); @@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const nbsa.sa_handler = SIG_IGN; sigemptyset(_mask); nbsa.sa_flags = 0; - return (sigaction1(l, signum, , 0, NULL, 0)); + return sigaction1(l, native_signo, , 0, NULL, 0); case SVR4_SIGPAUSE_MASK: mutex_enter(p->p_lock); ss = l->l_sigmask; mutex_exit(p->p_lock); - sigdelset(, signum); - return (sigsuspend1(l, )); + sigdelset(, native_signo); + return sigsuspend1(l, ); default: - return (ENOSYS); + return ENOSYS; } }
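Review bot: every replacement of `signum` with `native_signo` in `svr4_32_sys_signal` relies on `native_signo` being declared and decoded before the `switch`, which lies outside both hunks; make sure the `sighold:` label, reached by a `goto` from earlier in the switch, is only reachable after that decode has succeeded, since `sigaddset(, native_signo)` otherwise runs on an unset value. The `return (error)` to `return error` and `return (0)` to `return 0` edits are unrelated style changes; in a pullup whose log is "make it compile again" they make the functional part of the diff harder to audit.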
CVS commit: [netbsd-6] src/sys/dev
Module Name:src Committed By: snj Date: Sat Aug 19 03:50:01 UTC 2017 Modified Files: src/sys/dev [netbsd-6]: vnd.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1480): sys/dev/vnd.c: 1.260, 1.262 via patch Put in a litany of judicious bounds checks around vnd headers. Thought I was done with this crap after I rewrote vndcompress(1)! >From Ilja Van Sprundel. -- Appease toxic bullshit warning from gcc. If you have a better way to write a useful bounds check that happens to always pass on LP64 but doesn't always on LP32, without making it fail to compile on LP64 or making it an #ifdef conditional on LP32, please put it in here instead. To generate a diff of this commit: cvs rdiff -u -r1.219.8.3 -r1.219.8.4 src/sys/dev/vnd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/vnd.c diff -u src/sys/dev/vnd.c:1.219.8.3 src/sys/dev/vnd.c:1.219.8.4 --- src/sys/dev/vnd.c:1.219.8.3 Wed Feb 4 04:18:23 2015 +++ src/sys/dev/vnd.c Sat Aug 19 03:50:00 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vnd.c,v 1.219.8.3 2015/02/04 04:18:23 snj Exp $ */ +/* $NetBSD: vnd.c,v 1.219.8.4 2017/08/19 03:50:00 snj Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc. @@ -91,7 +91,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.219.8.3 2015/02/04 04:18:23 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.219.8.4 2017/08/19 03:50:00 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_vnd.h" @@ -1167,6 +1167,13 @@ vndioctl(dev_t dev, u_long cmd, void *da VOP_UNLOCK(nd.ni_vp); goto close_and_exit; } + + if (ntohl(ch->block_size) == 0 || + ntohl(ch->num_blocks) > UINT32_MAX - 1) { +free(ch, M_TEMP); +VOP_UNLOCK(nd.ni_vp); +goto close_and_exit; + } /* save some header info */ vnd->sc_comp_blksz = ntohl(ch->block_size); 
@@ -1179,20 +1186,40 @@ vndioctl(dev_t dev, u_long cmd, void *da error = EINVAL; goto close_and_exit; } - if (sizeof(struct vnd_comp_header) + - sizeof(u_int64_t) * vnd->sc_comp_numoffs > - vattr.va_size) { + KASSERT(0 < vnd->sc_comp_blksz); + KASSERT(0 < vnd->sc_comp_numoffs); + /* + * @#^@!$& gcc -Wtype-limits refuses to let me + * write SIZE_MAX/sizeof(uint64_t) < numoffs, + * because the range of the type on amd64 makes + * the comparisons always false. + */ +#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT) + if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) { +VOP_UNLOCK(nd.ni_vp); +error = EINVAL; +goto close_and_exit; + } +#endif + if ((vattr.va_size < sizeof(struct vnd_comp_header)) || + (vattr.va_size - sizeof(struct vnd_comp_header) < +sizeof(uint64_t)*vnd->sc_comp_numoffs) || + (UQUAD_MAX/vnd->sc_comp_blksz < +vnd->sc_comp_numoffs - 1)) { VOP_UNLOCK(nd.ni_vp); error = EINVAL; goto close_and_exit; } /* set decompressed file size */ + KASSERT(vnd->sc_comp_numoffs - 1 <= + UQUAD_MAX/vnd->sc_comp_blksz); vattr.va_size = ((u_quad_t)vnd->sc_comp_numoffs - 1) * (u_quad_t)vnd->sc_comp_blksz; /* allocate space for all the compressed offsets */ + __CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t)); vnd->sc_comp_offsets = malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs, M_DEVBUF, M_WAITOK);
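Review bot: the new `ntohl(ch->block_size) == 0 || ntohl(ch->num_blocks) > UINT32_MAX - 1` rejection in `vndioctl` frees `ch`, unlocks and jumps to `close_and_exit` without assigning `error`, unlike the following check which does `error = EINVAL; goto close_and_exit;`. If `error` is still 0 from the preceding successful header read, the ioctl reports success on a header it just rejected; set `error = EINVAL` before the `goto`.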
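Review bot: the `#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)` guard needs a comment saying that `64/CHAR_BIT` stands in for `sizeof(uint64_t)`, which cannot appear in a preprocessor expression, and that the enclosed `SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs` test is what keeps the later `sizeof(uint64_t)*vnd->sc_comp_numoffs` from wrapping on LP32; the existing comment explains only the -Wtype-limits workaround. Likewise `KASSERT(0 < vnd->sc_comp_blksz);` holds only because the earlier hunk rejects `block_size == 0`, and `UQUAD_MAX/vnd->sc_comp_blksz` divides by it; a cross-reference in the comment keeps the two checks from being changed independently.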
CVS commit: [netbsd-6] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 19 03:40:50 UTC 2017 Modified Files: src/sys/compat/svr4 [netbsd-6]: svr4_lwp.c svr4_signal.c svr4_stream.c src/sys/compat/svr4_32 [netbsd-6]: svr4_32_signal.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1479): sys/compat/svr4/svr4_lwp.c: 1.20 sys/compat/svr4/svr4_signal.c: 1.67 sys/compat/svr4/svr4_stream.c: 1.89-1.91 via patch sys/compat/svr4_32/svr4_32_signal.c: 1.29 Fix some of the multitudinous holes in svr4 streams. We should never have enabled this by default; it is a minefield. >From Ilja Van Sprundel. -- Zero stack data before copyout. >From Ilja Van Sprundel. -- Fix indexing of svr4 signals. >From Ilja Van Sprundel. -- Feebly attempt to get this reference counting less bad. This svr4 streams code is bad and it should feel bad. >From Ilja Van Sprundel. -- Check bounds in svr4_sys_putmsg. Check more svr4_strmcmd bounds. svr4 streams code is still a disaster. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.19.18.1 src/sys/compat/svr4/svr4_lwp.c cvs rdiff -u -r1.65 -r1.65.10.1 src/sys/compat/svr4/svr4_signal.c cvs rdiff -u -r1.79 -r1.79.8.1 src/sys/compat/svr4/svr4_stream.c cvs rdiff -u -r1.26 -r1.26.40.1 src/sys/compat/svr4_32/svr4_32_signal.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/svr4/svr4_lwp.c diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.18.1 --- src/sys/compat/svr4/svr4_lwp.c:1.19 Mon Nov 23 00:46:07 2009 +++ src/sys/compat/svr4/svr4_lwp.c Sat Aug 19 03:40:49 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $ */ +/* $NetBSD: svr4_lwp.c,v 1.19.18.1 2017/08/19 03:40:49 snj Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. 
@@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.18.1 2017/08/19 03:40:49 snj Exp $"); #include #include @@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const struct svr4_lwpinfo lwpinfo; int error; + memset(, 0, sizeof(lwpinfo)); + /* XXX NJWLWP */ TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime); TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime); Index: src/sys/compat/svr4/svr4_signal.c diff -u src/sys/compat/svr4/svr4_signal.c:1.65 src/sys/compat/svr4/svr4_signal.c:1.65.10.1 --- src/sys/compat/svr4/svr4_signal.c:1.65 Thu Feb 3 21:45:31 2011 +++ src/sys/compat/svr4/svr4_signal.c Sat Aug 19 03:40:49 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $ */ +/* $NetBSD: svr4_signal.c,v 1.65.10.1 2017/08/19 03:40:49 snj Exp $ */ /*- * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.10.1 2017/08/19 03:40:49 snj Exp $"); #include #include @@ -73,6 +73,21 @@ void native_to_svr4_sigaction(const stru extern const int native_to_svr4_signo[]; extern const int svr4_to_native_signo[]; +static int +svr4_decode_signum(int signum, int *native_signo, int *sigcall) +{ + + if (SVR4_SIGNO(signum) >= SVR4_NSIG) + return EINVAL; + + if (native_signo) + *native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)]; + if (sigcall) + *sigcall = SVR4_SIGCALL(signum); + + return 0; +} + static inline void svr4_sigfillset(svr4_sigset_t *s) { @@ -174,6 +189,7 @@ svr4_sys_sigaction(struct lwp *l, const } */ struct svr4_sigaction nssa, ossa; struct sigaction nbsa, obsa; + int native_signo; int error; if (SCARG(uap, nsa)) { 
@@ -182,7 +198,12 @@ svr4_sys_sigaction(struct lwp *l, const return (error); svr4_to_native_sigaction(, ); } - error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))], + + error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL); + if (error) + return error; + + error = sigaction1(l, native_signo, SCARG(uap, nsa) ? : 0, SCARG(uap, osa) ? : 0, NULL, 0); if (error) @@ -217,16 +238,18 @@ svr4_sys_signal(struct lwp *l, const str syscallarg(int) signum; syscallarg(svr4_sig_t) handler; } */ - int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))]; + int native_signo, sigcall; struct proc *p = l->l_proc; struct sigaction nbsa, obsa; sigset_t ss; int error; - if (signum <= 0 || signum >= SVR4_NSIG) - return (EINVAL); + error = svr4_decode_signum(SCARG(uap, signum), _signo, + ); + if (error) + return error; - switch (SVR4_SIGCALL(SCARG(uap, signum))) { + switch (sigcall) { case SVR4_SIGDEFER_MASK: if (SCARG(uap, handler) == SVR4_SIG_HOLD) goto sighold; @@ -236,7 +259,7 @@ svr4_sys_signal(struct lwp *l, const str nbsa.sa_handler =
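Review bot: `svr4_decode_signum` validates the table index (`if (SVR4_SIGNO(signum) >= SVR4_NSIG) return EINVAL;`) but not the translated value, whereas the check it replaces in `svr4_sys_signal`, `if (signum <= 0 || signum >= SVR4_NSIG)`, also rejected a native signal number of zero or below. If `svr4_to_native_signo[]` has entries (index 0, or SVR4 signals with no NetBSD counterpart) that map to 0, `sigaction1`, `sigaddset` and `sigdelset` are now called with signal 0; add `if (*native_signo <= 0) return EINVAL;` after the lookup so the helper carries the whole of the old guarantee.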
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: snj Date: Sat Aug 19 03:15:57 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6]: bwi.c Log Message: `cat ~/releng/r-commit` To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.18.8.1 src/sys/dev/ic/bwi.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/bwi.c diff -u src/sys/dev/ic/bwi.c:1.18 src/sys/dev/ic/bwi.c:1.18.8.1 --- src/sys/dev/ic/bwi.c:1.18 Mon Oct 10 11:15:24 2011 +++ src/sys/dev/ic/bwi.c Sat Aug 19 03:15:56 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $ */ +/* $NetBSD: bwi.c,v 1.18.8.1 2017/08/19 03:15:56 snj Exp $ */ /* $OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $ */ /* @@ -48,7 +48,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18.8.1 2017/08/19 03:15:56 snj Exp $"); #include #include @@ -8315,7 +8315,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf if (m == NULL) return (ENOBUFS); MCLGET(m, init ? M_WAITOK : M_DONTWAIT); - if (m == NULL) { + if ((m->m_flags & M_EXT) == 0) { error = ENOBUFS; /*
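Review bot: the log message is the literal `cat ~/releng/r-commit` and says nothing about the change; it should record that the test after `MCLGET(m, init ? M_WAITOK : M_DONTWAIT);` was `if (m == NULL)`, which cannot be true there because `m` was tested two lines earlier, and that it now tests `M_EXT`, the only way MCLGET reports failure, together with the pulled-up revision and ticket like the neighbouring commits. The error path after `error = ENOBUFS;` is cut off here; it must free `m`, since on this path the mbuf was allocated but no cluster was attached.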
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: snj Date: Fri Aug 18 15:08:21 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6]: dm9000.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1477): sys/dev/ic/dm9000.c: revision 1.12 Check for MCLGET failure in dme_alloc_receive_buffer. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.4.2.1 src/sys/dev/ic/dm9000.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/dm9000.c diff -u src/sys/dev/ic/dm9000.c:1.4 src/sys/dev/ic/dm9000.c:1.4.2.1 --- src/sys/dev/ic/dm9000.c:1.4 Sat Jan 28 08:29:55 2012 +++ src/sys/dev/ic/dm9000.c Fri Aug 18 15:08:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: dm9000.c,v 1.4 2012/01/28 08:29:55 nisimura Exp $ */ +/* $NetBSD: dm9000.c,v 1.4.2.1 2017/08/18 15:08:21 snj Exp $ */ /* * Copyright (c) 2009 Paul Fleischer @@ -1123,8 +1123,13 @@ dme_alloc_receive_buffer(struct ifnet *i sizeof(struct ether_header); /* All our frames have the CRC attached */ m->m_flags |= M_HASFCS; - if (m->m_pkthdr.len + pad > MHLEN ) + if (m->m_pkthdr.len + pad > MHLEN) { MCLGET(m, M_DONTWAIT); + if ((m->m_flags & M_EXT) == 0) { + m_freem(m); + return NULL; + } + } m->m_data += pad; m->m_len = frame_length + (frame_length % sc->sc_data_width);
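Review bot: the new `m_freem(m); return NULL;` on MCLGET failure in `dme_alloc_receive_buffer` introduces a NULL return that did not exist before, so every caller must now test the result before touching it, and no caller is in this hunk. The change is worth a comment: the old `if (m->m_pkthdr.len + pad > MHLEN )` fell through with a plain mbuf when the cluster allocation failed, after which `m->m_data += pad;` and `m->m_len = frame_length + ...` described a frame larger than `MHLEN` inside a buffer that could not hold it.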
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: snj Date: Fri Aug 18 15:04:58 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6]: dp83932.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1476): sys/dev/ic/dp83932.c: revision 1.41 Plug mbuf leak on MCLGET failure in sonic_rxintr. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.14.1 src/sys/dev/ic/dp83932.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/dp83932.c diff -u src/sys/dev/ic/dp83932.c:1.35 src/sys/dev/ic/dp83932.c:1.35.14.1 --- src/sys/dev/ic/dp83932.c:1.35 Sat Nov 13 13:52:00 2010 +++ src/sys/dev/ic/dp83932.c Fri Aug 18 15:04:58 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $ */ +/* $NetBSD: dp83932.c,v 1.35.14.1 2017/08/18 15:04:58 snj Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35.14.1 2017/08/18 15:04:58 snj Exp $"); #include @@ -785,8 +785,10 @@ sonic_rxintr(struct sonic_softc *sc) goto dropit; if (len > (MHLEN - 2)) { MCLGET(m, M_DONTWAIT); -if ((m->m_flags & M_EXT) == 0) +if ((m->m_flags & M_EXT) == 0) { + m_freem(m); goto dropit; +} } m->m_data += 2; /*
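Review bot: `m_freem(m);` now runs before `goto dropit;` on the MCLGET failure path but not on the `goto dropit;` just above it, so the `dropit` label (outside the hunk) must not free or otherwise use `m`; if it does, set `m = NULL` before the jump. A short comment on the `m_freem(m);` line noting that `dropit` does not own `m` would keep a later cleanup from reintroducing the leak or turning it into a double free.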
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: snj Date: Fri Aug 18 15:03:22 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6]: i82596.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1475): sys/dev/ic/i82596.c: revision 1.37 Null out sc_rx_mbuf[i] after m_freem to avoid double-free later. >From Ilja Van Sprundel. Also null out sc_tx_mbuf[i] after m_freem, out of paranoia. XXX Not entirely clear to how tx mbufs are freed, but no way to test this since it's ews4800mips- and hp700-only, so not keen to make any more elaborate changes... To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.14.1 src/sys/dev/ic/i82596.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/i82596.c diff -u src/sys/dev/ic/i82596.c:1.29 src/sys/dev/ic/i82596.c:1.29.14.1 --- src/sys/dev/ic/i82596.c:1.29 Mon Apr 5 07:19:35 2010 +++ src/sys/dev/ic/i82596.c Fri Aug 18 15:03:22 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $ */ +/* $NetBSD: i82596.c,v 1.29.14.1 2017/08/18 15:03:22 snj Exp $ */ /* * Copyright (c) 2003 Jochen Kunz. @@ -43,7 +43,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29.14.1 2017/08/18 15:03:22 snj Exp $"); /* autoconfig and device stuff */ #include @@ -754,6 +754,7 @@ iee_start(struct ifnet *ifp) printf("%s: iee_start: can't allocate mbuf\n", device_xname(sc->sc_dev)); m_freem(sc->sc_tx_mbuf[t]); +sc->sc_tx_mbuf[t] = NULL; t--; continue; } @@ -763,6 +764,7 @@ iee_start(struct ifnet *ifp) printf("%s: iee_start: can't allocate mbuf " "cluster\n", device_xname(sc->sc_dev)); m_freem(sc->sc_tx_mbuf[t]); +sc->sc_tx_mbuf[t] = NULL; m_freem(m); t--; continue; 
@@ -778,6 +780,7 @@ iee_start(struct ifnet *ifp) printf("%s: iee_start: can't load TX DMA map\n", device_xname(sc->sc_dev)); m_freem(sc->sc_tx_mbuf[t]); +sc->sc_tx_mbuf[t] = NULL; t--; continue; } @@ -927,6 +930,7 @@ iee_init(struct ifnet *ifp) printf("%s: iee_init: can't allocate mbuf" " cluster\n", device_xname(sc->sc_dev)); m_freem(sc->sc_rx_mbuf[r]); +sc->sc_rx_mbuf[r] = NULL; err = 1; break; } @@ -940,6 +944,7 @@ iee_init(struct ifnet *ifp) printf("%s: iee_init: can't create RX " "DMA map\n", device_xname(sc->sc_dev)); m_freem(sc->sc_rx_mbuf[r]); +sc->sc_rx_mbuf[r] = NULL; err = 1; break; } @@ -949,6 +954,7 @@ iee_init(struct ifnet *ifp) device_xname(sc->sc_dev)); bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]); m_freem(sc->sc_rx_mbuf[r]); + sc->sc_rx_mbuf[r] = NULL; err = 1; break; }
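Review bot: the `sc->sc_tx_mbuf[t] = NULL;` and `sc->sc_rx_mbuf[r] = NULL;` lines after each `m_freem` are the right idiom, but the log message's own uncertainty about how tx mbufs are freed ("XXX Not entirely clear to how tx mbufs are freed") belongs in a comment in `iee_start`, next to the first `m_freem(sc->sc_tx_mbuf[t]);`, where the next person touching the code will see it. In the `iee_init` hunks each `err = 1; break;` path leaves entries `sc->sc_rx_mbuf[0..r-1]` allocated; confirm that whatever runs after the loop on `err` still frees those, since that code is not in the diff.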
CVS commit: [netbsd-6] src/sys/dev/pci
Module Name:src Committed By: snj Date: Fri Aug 18 15:00:53 UTC 2017 Modified Files: src/sys/dev/pci [netbsd-6]: if_et.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1474): sys/dev/pci/if_et.c: revision 1.15 Check for MCLGET failure in et_newbuf. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.3.2.1 -r1.3.2.2 src/sys/dev/pci/if_et.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/if_et.c diff -u src/sys/dev/pci/if_et.c:1.3.2.1 src/sys/dev/pci/if_et.c:1.3.2.2 --- src/sys/dev/pci/if_et.c:1.3.2.1 Mon Nov 19 18:41:59 2012 +++ src/sys/dev/pci/if_et.c Fri Aug 18 15:00:53 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_et.c,v 1.3.2.1 2012/11/19 18:41:59 riz Exp $ */ +/* $NetBSD: if_et.c,v 1.3.2.2 2017/08/18 15:00:53 snj Exp $ */ /* $OpenBSD: if_et.c,v 1.11 2008/06/08 06:18:07 jsg Exp $ */ /* * Copyright (c) 2007 The DragonFly Project. All rights reserved. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.3.2.1 2012/11/19 18:41:59 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.3.2.2 2017/08/18 15:00:53 snj Exp $"); #include "opt_inet.h" #include "vlan.h" @@ -2048,6 +2048,10 @@ et_newbuf(struct et_rxbuf_data *rbd, int if (m == NULL) return (ENOBUFS); MCLGET(m, init ? M_WAITOK : M_DONTWAIT); + if ((m->m_flags & M_EXT) == 0) { + m_freem(m); + return (ENOBUFS); + } len = MCLBYTES; } else { MGETHDR(m, init ? M_WAITOK : M_DONTWAIT, MT_DATA);
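Review bot: the `(m->m_flags & M_EXT) == 0` test after `MCLGET(m, init ? M_WAITOK : M_DONTWAIT);` is needed in both modes, since MCLGET has no return value and signals failure only by leaving `M_EXT` clear; the `m_freem(m);` before `return (ENOBUFS);` is required because `m` came from the `MGETHDR` just above and is still owned by this function. The `else` branch's `MGETHDR(m, init ? M_WAITOK : M_DONTWAIT, MT_DATA);` is shown but its NULL check is not; make sure it mirrors the `if (m == NULL) return (ENOBUFS);` of the cluster branch.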
CVS commit: [netbsd-6] src/sys/dev/pci
Module Name:src Committed By: snj Date: Fri Aug 18 14:58:15 UTC 2017 Modified Files: src/sys/dev/pci [netbsd-6]: if_ipw.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1473): sys/dev/pci/if_ipw.c: revision 1.65 via patch Null out sbuf->m on failure to avoid double-free later. >From Ilja Van Sprundel. Also null out sbuf->map out of paranoia. To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.53.2.1 src/sys/dev/pci/if_ipw.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/if_ipw.c diff -u src/sys/dev/pci/if_ipw.c:1.53 src/sys/dev/pci/if_ipw.c:1.53.2.1 --- src/sys/dev/pci/if_ipw.c:1.53 Mon Jan 30 19:41:20 2012 +++ src/sys/dev/pci/if_ipw.c Fri Aug 18 14:58:15 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $ */ +/* $NetBSD: if_ipw.c,v 1.53.2.1 2017/08/18 14:58:15 snj Exp $ */ /* FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp */ /*- @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53.2.1 2017/08/18 14:58:15 snj Exp $"); /*- * Intel(R) PRO/Wireless 2100 MiniPCI driver @@ -590,6 +590,7 @@ ipw_dma_alloc(struct ipw_softc *sc) MCLGET(sbuf->m, M_DONTWAIT); if (!(sbuf->m->m_flags & M_EXT)) { m_freem(sbuf->m); + sbuf->m = NULL; aprint_error_dev(>sc_dev, "could not allocate rx mbuf cluster\n"); error = ENOMEM; goto fail; @@ -602,6 +603,7 @@ ipw_dma_alloc(struct ipw_softc *sc) if (error != 0) { aprint_error_dev(>sc_dev, "could not create rxbuf dma map\n"); m_freem(sbuf->m); + sbuf->m = NULL; goto fail; } 
@@ -609,7 +611,9 @@ ipw_dma_alloc(struct ipw_softc *sc) sbuf->m, BUS_DMA_READ | BUS_DMA_NOWAIT); if (error != 0) { bus_dmamap_destroy(sc->sc_dmat, sbuf->map); + sbuf->map = NULL; m_freem(sbuf->m); + sbuf->m = NULL; aprint_error_dev(>sc_dev, "could not map rxbuf dma memory\n"); goto fail; }
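Review bot: nulling `sbuf->m` and `sbuf->map` after freeing them only helps if the `fail:` cleanup in `ipw_dma_alloc` checks for NULL before destroying: `m_freem(NULL)` is a no-op, but `bus_dmamap_destroy` is not specified to accept NULL, so the cleanup loop must test `sbuf->map != NULL` before calling it. In the second hunk, when `bus_dmamap_create` fails, `sbuf->map` is left with whatever the failed call wrote; null it there too, for the same reason the third hunk adds `sbuf->map = NULL;` after `bus_dmamap_destroy`.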
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: snj Date: Fri Aug 18 14:53:10 UTC 2017 Modified Files: src/sys/kern [netbsd-6]: kern_malloc.c Log Message: Pull up following revision(s) (requested by martin in ticket #1465): sys/kern/kern_malloc.c: revision 1.146 Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.138 -r1.138.2.1 src/sys/kern/kern_malloc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_malloc.c diff -u src/sys/kern/kern_malloc.c:1.138 src/sys/kern/kern_malloc.c:1.138.2.1 --- src/sys/kern/kern_malloc.c:1.138 Mon Feb 6 12:13:44 2012 +++ src/sys/kern/kern_malloc.c Fri Aug 18 14:53:10 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $ */ +/* $NetBSD: kern_malloc.c,v 1.138.2.1 2017/08/18 14:53:10 snj Exp $ */ /* * Copyright (c) 1987, 1991, 1993 @@ -66,7 +66,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138.2.1 2017/08/18 14:53:10 snj Exp $"); #include #include @@ -113,7 +113,10 @@ kern_malloc(unsigned long size, struct m void *p; if (size >= PAGE_SIZE) { - allocsize = PAGE_SIZE + size; /* for page alignment */ + if (size > (ULONG_MAX-PAGE_SIZE)) + allocsize = ULONG_MAX; /* this will fail later */ + else + allocsize = PAGE_SIZE + size; /* for page alignment */ hdroffset = PAGE_SIZE - sizeof(struct malloc_header); } else { allocsize = sizeof(struct malloc_header) + size;
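Review bot: `allocsize = ULONG_MAX; /* this will fail later */` defers the failure to the underlying allocator rather than rejecting the request in `kern_malloc`, and the comment does not say what is expected to fail or what an M_WAITOK caller gets when handed an allocation that cannot succeed. Returning NULL explicitly for M_NOWAIT callers, and deciding deliberately what M_WAITOK callers get, is easier to reason about than passing `ULONG_MAX` down; at minimum the comment should name the downstream check relied upon. The condition itself is right: `size > (ULONG_MAX-PAGE_SIZE)` is exactly when `PAGE_SIZE + size` wraps.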
CVS commit: [netbsd-6] src/sys/arch/mac68k/nubus
Module Name:src Committed By: snj Date: Sat Aug 12 16:35:11 UTC 2017 Modified Files: src/sys/arch/mac68k/nubus [netbsd-6]: if_netdock_nubus.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1472): sys/arch/mac68k/nubus/if_netdock_nubus.c: revision 1.26 Avoid memory leak in netdock_get. If top is null, this is the first time through and nothing else will free m. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.21.14.1 src/sys/arch/mac68k/nubus/if_netdock_nubus.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/mac68k/nubus/if_netdock_nubus.c diff -u src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21 src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21.14.1 --- src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21 Mon Apr 5 07:19:30 2010 +++ src/sys/arch/mac68k/nubus/if_netdock_nubus.c Sat Aug 12 16:35:11 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_netdock_nubus.c,v 1.21 2010/04/05 07:19:30 joerg Exp $ */ +/* $NetBSD: if_netdock_nubus.c,v 1.21.14.1 2017/08/12 16:35:11 snj Exp $ */ /* * Copyright (C) 2000,2002 Daishi Kato@@ -43,7 +43,7 @@ /***/ #include -__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.21 2010/04/05 07:19:30 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.21.14.1 2017/08/12 16:35:11 snj Exp $"); #include #include @@ -803,6 +803,8 @@ netdock_get(struct netdock_softc *sc, in if ((m->m_flags & M_EXT) == 0) { if (top) m_freem(top); +else + m_freem(m); return (NULL); } len = MCLBYTES;
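Review bot: the new `else m_freem(m);` branch only covers the leak when top is NULL; for later iterations it assumes m has already been linked into the top chain before MCLGET() is attempted, so that m_freem(top) reclaims it too. That linking is outside the hunk, so please confirm m is chained into top before this point (and not only after the cluster is attached), otherwise m still leaks on every iteration but the first.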
CVS commit: [netbsd-6] src/sys/arch/newsmips/apbus
Module Name:src Committed By: snj Date: Sat Aug 12 16:30:05 UTC 2017 Modified Files: src/sys/arch/newsmips/apbus [netbsd-6]: if_sn.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1471): sys/arch/newsmips/apbus/if_sn.c: revision 1.39 Avoid memory leak in sonic_get. If this is the first time around, top is null and nothing else will free m. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.33 -r1.33.14.1 src/sys/arch/newsmips/apbus/if_sn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/newsmips/apbus/if_sn.c diff -u src/sys/arch/newsmips/apbus/if_sn.c:1.33 src/sys/arch/newsmips/apbus/if_sn.c:1.33.14.1 --- src/sys/arch/newsmips/apbus/if_sn.c:1.33 Mon Apr 5 07:19:31 2010 +++ src/sys/arch/newsmips/apbus/if_sn.c Sat Aug 12 16:30:05 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_sn.c,v 1.33 2010/04/05 07:19:31 joerg Exp $ */ +/* $NetBSD: if_sn.c,v 1.33.14.1 2017/08/12 16:30:05 snj Exp $ */ /* * National Semiconductor DP8393X SONIC Driver @@ -16,7 +16,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.33 2010/04/05 07:19:31 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.33.14.1 2017/08/12 16:30:05 snj Exp $"); #include "opt_inet.h" @@ -1093,7 +1093,10 @@ sonic_get(struct sn_softc *sc, void *pkt if (datalen >= MINCLSIZE) { MCLGET(m, M_DONTWAIT); if ((m->m_flags & M_EXT) == 0) { -if (top) m_freem(top); +if (top) + m_freem(top); +else + m_freem(m); return 0; } len = MCLBYTES;
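Review bot: same question as for netdock_get: m_freem(top) only reclaims m on later iterations if m is already attached to the chain when MCLGET() fails, and the attach site is not in this hunk. Splitting the one-line `if (top) m_freem(top);` into the two-line form is fine, but a short comment on the else branch (first mbuf not yet chained, so free it here) would spare the next reader the same check.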
CVS commit: [netbsd-6] src/sys/dev/usb
Module Name:src Committed By: snj Date: Sat Aug 12 16:26:31 UTC 2017 Modified Files: src/sys/dev/usb [netbsd-6]: if_ural.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1470): sys/dev/usb/if_ural.c: revision 1.52 Free the RX list if ural_alloc_rx_list fails part way through. Reported by Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.2.1 src/sys/dev/usb/if_ural.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/usb/if_ural.c diff -u src/sys/dev/usb/if_ural.c:1.39 src/sys/dev/usb/if_ural.c:1.39.2.1 --- src/sys/dev/usb/if_ural.c:1.39 Fri Dec 23 00:51:44 2011 +++ src/sys/dev/usb/if_ural.c Sat Aug 12 16:26:31 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_ural.c,v 1.39 2011/12/23 00:51:44 jakllsch Exp $ */ +/* $NetBSD: if_ural.c,v 1.39.2.1 2017/08/12 16:26:31 snj Exp $ */ /* $FreeBSD: /repoman/r/ncvs/src/sys/dev/usb/if_ural.c,v 1.40 2006/06/02 23:14:40 sam Exp $ */ /*- @@ -24,7 +24,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.39 2011/12/23 00:51:44 jakllsch Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.39.2.1 2017/08/12 16:26:31 snj Exp $"); #include @@ -678,7 +678,7 @@ ural_alloc_rx_list(struct ural_softc *sc return 0; -fail: ural_free_tx_list(sc); +fail: ural_free_rx_list(sc); return error; }
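Review bot: switching the fail: label from ural_free_tx_list() to ural_free_rx_list() is clearly the intended fix, but because fail: is reached part way through the allocation loop, ural_free_rx_list() must tolerate entries whose xfer or mbuf were never allocated, or the cleanup itself will free garbage. The function is not shown in this diff; please verify it tests each pointer for NULL before freeing, or that the rx list is zeroed before the loop starts.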
CVS commit: [netbsd-6] src/sys/compat
Module Name:src Committed By: snj Date: Sat Aug 12 16:23:29 UTC 2017 Modified Files: src/sys/compat/common [netbsd-6]: vfs_syscalls_12.c vfs_syscalls_43.c src/sys/compat/sys [netbsd-6]: dirent.h Log Message: Pull up following revision(s) (requested by mrg in ticket #1469): sys/compat/common/vfs_syscalls_12.c: revision 1.30 sys/compat/common/vfs_syscalls_43.c: revision 1.56 sys/compat/sys/dirent.h: revision 1.3 It is wishful thinking that vn_readdir will return dirent12 structures. -- Fix the compat-4.3 getdirentries call (pre d_type). This is used in NetBSD-0.9. -- add a struct for the 4.3BSD struct direct To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.12.1 src/sys/compat/common/vfs_syscalls_12.c cvs rdiff -u -r1.54.14.2 -r1.54.14.3 src/sys/compat/common/vfs_syscalls_43.c cvs rdiff -u -r1.2 -r1.2.118.1 src/sys/compat/sys/dirent.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/vfs_syscalls_12.c diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29 src/sys/compat/common/vfs_syscalls_12.c:1.29.12.1 --- src/sys/compat/common/vfs_syscalls_12.c:1.29 Wed Jan 19 10:21:16 2011 +++ src/sys/compat/common/vfs_syscalls_12.c Sat Aug 12 16:23:28 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $ */ +/* $NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $"); #include #include @@ -56,6 +56,7 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls #include #include +#include /* * Convert from a new to an old stat structure. 
@@ -96,28 +97,140 @@ compat_12_sys_getdirentries(struct lwp * syscallarg(u_int) count; syscallarg(long *) basep; } */ + struct dirent *bdp; + struct vnode *vp; + char *inp, *tbuf; /* Current-format */ + int len, reclen; /* Current-format */ + char *outp; /* Dirent12-format */ + int resid, old_reclen = 0; /* Dirent12-format */ struct file *fp; - int error, done; + struct uio auio; + struct iovec aiov; + struct dirent12 idb; + off_t off; /* true file offset */ + int buflen, error, eofflag, nbytes; + struct vattr va; + off_t *cookiebuf = NULL, *cookie; + int ncookies; long loff; - + /* fd_getvnode() will use the descriptor for us */ if ((error = fd_getvnode(SCARG(uap, fd), )) != 0) - return error; + return (error); + if ((fp->f_flag & FREAD) == 0) { error = EBADF; - goto out; + goto out1; + } + + vp = (struct vnode *)fp->f_data; + if (vp->v_type != VDIR) { + error = ENOTDIR; + goto out1; } + vn_lock(vp, LK_SHARED | LK_RETRY); + error = VOP_GETATTR(vp, , l->l_cred); + VOP_UNLOCK(vp); + if (error) + goto out1; + loff = fp->f_offset; + nbytes = SCARG(uap, count); + buflen = min(MAXBSIZE, nbytes); + if (buflen < va.va_blocksize) + buflen = va.va_blocksize; + tbuf = malloc(buflen, M_TEMP, M_WAITOK); + + vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); + off = fp->f_offset; +again: + aiov.iov_base = tbuf; + aiov.iov_len = buflen; + auio.uio_iov = + auio.uio_iovcnt = 1; + auio.uio_rw = UIO_READ; + auio.uio_resid = buflen; + auio.uio_offset = off; + UIO_SETUP_SYSSPACE(); + /* + * First we read into the malloc'ed buffer, then + * we massage it into user space, one record at a time. 
+ */ + error = VOP_READDIR(vp, , fp->f_cred, , , + ); + if (error) + goto out; + + inp = tbuf; + outp = SCARG(uap, buf); + resid = nbytes; + if ((len = buflen - auio.uio_resid) == 0) + goto eof; + + for (cookie = cookiebuf; len > 0; len -= reclen) { + bdp = (struct dirent *)inp; + reclen = bdp->d_reclen; + if (reclen & 3) + panic(__func__); + if (bdp->d_fileno == 0) { + inp += reclen; /* it is a hole; squish it out */ + if (cookie) +off = *cookie++; + else +off += reclen; + continue; + } + old_reclen = _DIRENT_RECLEN(, bdp->d_namlen); + if (reclen > len || resid < old_reclen) { + /* entry too big for buffer, so just stop */ + outp++; + break; + } + /* + * Massage in place to make a Dirent12-shaped dirent (otherwise + * we have to worry about touching user memory outside of + * the copyout() call). + */ + idb.d_fileno = (uint32_t)bdp->d_fileno; + idb.d_reclen = (uint16_t)old_reclen; + idb.d_type = (uint8_t)bdp->d_type; + idb.d_namlen = (uint8_t)bdp->d_namlen; + strcpy(idb.d_name, bdp->d_name); + if ((error = copyout(, outp, old_reclen))) + goto out; + /* advance past this real entry */ + inp += reclen; + if (cookie) + off = *cookie++; /* each entry points to itself */ + else + off += reclen; + /* advance output past Dirent12-shaped entry */ + outp += old_reclen; + resid -= old_reclen; + } - error = vn_readdir(fp,
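Review bot: in the conversion loop, `idb.d_namlen = (uint8_t)bdp->d_namlen;` narrows the current-format name length and `strcpy(idb.d_name, bdp->d_name);` then copies the whole name without regard to the size of the dirent12 name field; a directory entry whose name exceeds the old-format maximum would both overflow idb.d_name and yield a d_namlen that does not match the bytes copied. Bound it before the copy (for example `if (bdp->d_namlen >= sizeof(idb.d_name)) { error = EINVAL; goto out; }`, or skip the entry) rather than trusting the cast. Separately, `if (reclen & 3) panic(__func__);` turns a malformed record handed back by VOP_READDIR into a kernel panic; returning EIO from the compat path is the safer reaction to bad filesystem data.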
CVS commit: [netbsd-6] src/sys/arch
Module Name:src Committed By: martin Date: Tue Aug 8 12:00:35 UTC 2017 Modified Files: src/sys/arch/amd64/amd64 [netbsd-6]: locore.S machdep.c trap.c src/sys/arch/i386/i386 [netbsd-6]: locore.S machdep.c trap.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1464): sys/arch/i386/i386/trap.c: revision 1.288 (patch) sys/arch/i386/i386/machdep.c: revision 1.783 (patch) sys/arch/i386/i386/locore.S: revision 1.146 (patch) sys/arch/amd64/amd64/locore.S: revision 1.122,1.124 (patch) sys/arch/amd64/amd64/machdep.c revision 1.254 (patch) sys/arch/amd64/amd64/trap.c: revision 1.95-1.96 (patch) Remove the osyscall call gate and emulate it. There is a one-instruction race in it that could panic the kernel. Restore the ability to run netbsd 1.0 32-bit executables by checking for the relevant lcall instruction in the trap handler and treating it as a syscall. To generate a diff of this commit: cvs rdiff -u -r1.66.2.1 -r1.66.2.2 src/sys/arch/amd64/amd64/locore.S cvs rdiff -u -r1.175.2.8 -r1.175.2.9 src/sys/arch/amd64/amd64/machdep.c cvs rdiff -u -r1.69.2.2 -r1.69.2.3 src/sys/arch/amd64/amd64/trap.c cvs rdiff -u -r1.95.10.3 -r1.95.10.4 src/sys/arch/i386/i386/locore.S cvs rdiff -u -r1.717.2.7 -r1.717.2.8 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.262.8.1 -r1.262.8.2 src/sys/arch/i386/i386/trap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/amd64/amd64/locore.S diff -u src/sys/arch/amd64/amd64/locore.S:1.66.2.1 src/sys/arch/amd64/amd64/locore.S:1.66.2.2 --- src/sys/arch/amd64/amd64/locore.S:1.66.2.1 Fri Apr 20 23:32:14 2012 +++ src/sys/arch/amd64/amd64/locore.S Tue Aug 8 12:00:35 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: locore.S,v 1.66.2.1 2012/04/20 23:32:14 riz Exp $ */ +/* $NetBSD: locore.S,v 1.66.2.2 2017/08/08 12:00:35 martin Exp $ */ /* * Copyright-o-rama! 
@@ -1209,26 +1209,6 @@ NENTRY(child_trampoline) .globl _C_LABEL(osyscall_return) /* - * oosyscall() - * - * Old call gate entry for syscall. only needed if we're - * going to support running old i386 NetBSD 1.0 or ibcs2 binaries, etc, - * on NetBSD/amd64. - * The 64bit call gate can't request that arguments be copied from the - * user stack (which the i386 code uses to get a gap for the flags). - * push/pop are :: cycles. - */ -IDTVEC(oosyscall) - /* Set rflags in trap frame. */ - pushq (%rsp) # move user's %eip - pushq 16(%rsp) # and %cs - popq 8(%rsp) - pushfq - popq 16(%rsp) - pushq $7 # size of instruction for restart - jmp osyscall1 - -/* * osyscall() * * Trap gate entry for int $80 syscall, also used by sigreturn. @@ -1240,7 +1220,6 @@ IDTVEC(osyscall) addq $0x10,%rsp #endif pushq $2 # size of instruction for restart -osyscall1: pushq $T_ASTFLT # trap # for doing ASTs INTRENTRY STI(si) Index: src/sys/arch/amd64/amd64/machdep.c diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.8 src/sys/arch/amd64/amd64/machdep.c:1.175.2.9 --- src/sys/arch/amd64/amd64/machdep.c:1.175.2.8 Sat Apr 20 09:59:39 2013 +++ src/sys/arch/amd64/amd64/machdep.c Tue Aug 8 12:00:35 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.175.2.8 2013/04/20 09:59:39 bouyer Exp $ */ +/* $NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011 @@ -111,7 +111,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8 2013/04/20 09:59:39 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $"); /* #define XENDEBUG_LOW */ @@ -1575,7 +1575,6 @@ typedef void (vector)(void); extern vector IDTVEC(syscall); extern vector IDTVEC(syscall32); extern vector IDTVEC(osyscall); -extern vector IDTVEC(oosyscall); extern vector *IDTVEC(exceptions)[]; static void 
@@ -1838,10 +1837,7 @@ init_x86_64(paddr_t first_avail) set_mem_segment(GDT_ADDR_MEM(gdtstore, GUDATA_SEL), 0, x86_btop(VM_MAXUSER_ADDRESS) - 1, SDT_MEMRWA, SEL_UPL, 1, 0, 1); - /* make ldt gates and memory segments */ - setgate((struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL), - (oosyscall), 0, SDT_SYS386CGT, SEL_UPL, - GSEL(GCODE_SEL, SEL_KPL)); + /* make ldt memory segments */ *(struct mem_segment_descriptor *)(ldtstore + LUCODE_SEL) = *GDT_ADDR_MEM(gdtstore, GUCODE_SEL); *(struct mem_segment_descriptor *)(ldtstore + LUDATA_SEL) = @@ -1873,16 +1869,6 @@ init_x86_64(paddr_t first_avail) set_mem_segment(ldt_segp, 0, x86_btop(VM_MAXUSER_ADDRESS32) - 1, SDT_MEMRWA, SEL_UPL, 1, 1, 0); - /* - * Other entries. - */ - memcpy((struct gate_descriptor *)(ldtstore + LSOL26CALLS_SEL), - (struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL), - sizeof (struct gate_descriptor)); - memcpy((struct gate_descriptor *)(ldtstore + LBSDICALLS_SEL), - (struct
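Review bot: removing the setgate() for LSYS5CALLS_SEL and the memcpy()s that duplicated that gate into LSOL26CALLS_SEL and LBSDICALLS_SEL leaves those LDT slots with whatever ldtstore held before; for the lcall emulation described in the log message to work, a user-mode lcall through those selectors must raise a fault that reaches trap.c rather than land on stale descriptor contents. Please confirm ldtstore is zero-filled so those selectors fault as null descriptors, and say so in the `make ldt memory segments` comment. The trap.c side that recognizes the lcall instruction is named in the log message but is not part of the diff shown here.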
CVS commit: [netbsd-6] src/sys/dev/pci
Module Name:src Committed By: snj Date: Sun Jul 23 14:27:24 UTC 2017 Modified Files: src/sys/dev/pci [netbsd-6]: aceride.c pciide_acer_reg.h Log Message: Pull up following revision(s) (requested by nakayama in ticket #1463): sys/dev/pci/aceride.c: revision 1.37 sys/dev/pci/pciide_acer_reg.h: revision 1.13 Apply workaround from FreeBSD to fix read data corruption observed on Fire V100 and mSATA-SSD with mSATA to IDE adapter. The patch is from port-sparc64@. To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/dev/pci/aceride.c cvs rdiff -u -r1.12 -r1.12.18.1 src/sys/dev/pci/pciide_acer_reg.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/aceride.c diff -u src/sys/dev/pci/aceride.c:1.30 src/sys/dev/pci/aceride.c:1.30.10.1 --- src/sys/dev/pci/aceride.c:1.30 Mon Apr 4 20:37:56 2011 +++ src/sys/dev/pci/aceride.c Sun Jul 23 14:27:24 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: aceride.c,v 1.30 2011/04/04 20:37:56 dyoung Exp $ */ +/* $NetBSD: aceride.c,v 1.30.10.1 2017/07/23 14:27:24 snj Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Manuel Bouyer. @@ -25,7 +25,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: aceride.c,v 1.30 2011/04/04 20:37:56 dyoung Exp $"); +__KERNEL_RCSID(0, "$NetBSD: aceride.c,v 1.30.10.1 2017/07/23 14:27:24 snj Exp $"); #include #include 
@@ -193,8 +193,13 @@ acer_chip_map(struct pciide_softc *sc, c interface = PCI_INTERFACE(pci_conf_read(sc->sc_pc, sc->sc_tag, PCI_CLASS_REG)); - /* From linux: enable "Cable Detection" */ if (rev >= 0xC2) { + /* From FreeBSD: use device interrupt as byte count end */ + pciide_pci_write(sc->sc_pc, sc->sc_tag, ACER_0x4A, + pciide_pci_read(sc->sc_pc, sc->sc_tag, ACER_0x4A) + | ACER_0x4A_BCEINT); + + /* From linux: enable "Cable Detection" */ pciide_pci_write(sc->sc_pc, sc->sc_tag, ACER_0x4B, pciide_pci_read(sc->sc_pc, sc->sc_tag, ACER_0x4B) | ACER_0x4B_CDETECT); Index: src/sys/dev/pci/pciide_acer_reg.h diff -u src/sys/dev/pci/pciide_acer_reg.h:1.12 src/sys/dev/pci/pciide_acer_reg.h:1.12.18.1 --- src/sys/dev/pci/pciide_acer_reg.h:1.12 Mon Oct 19 18:41:15 2009 +++ src/sys/dev/pci/pciide_acer_reg.h Sun Jul 23 14:27:24 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: pciide_acer_reg.h,v 1.12 2009/10/19 18:41:15 bouyer Exp $ */ +/* $NetBSD: pciide_acer_reg.h,v 1.12.18.1 2017/07/23 14:27:24 snj Exp $ */ /* * Copyright (c) 1999 Manuel Bouyer. @@ -37,6 +37,8 @@ * bit 1 is 0 -> secondary has 80 pin cable */ #define ACER_0x4A_80PIN(chan) (0x1 << (chan)) +/* From FreeBSD, use device interrupt as byte count end */ +#define ACER_0x4A_BCEINT 0x20 /* From FreeBSD, for UDMA mode > 2 */ #define ACER_0x4B 0x4b
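Review bot: the new ACER_0x4A_BCEINT write sits under the existing `rev >= 0xC2` test, so the byte-count-end workaround is applied to exactly the revisions that also get cable detection; the log message says the fix comes from FreeBSD and was observed on a Fire V100 but does not say which chip revisions FreeBSD applies the bit to. Please confirm the gating matches, or state the revision range in the `From FreeBSD` comment, since a read-corruption workaround applied to the wrong revision is hard to diagnose later. Moving the `From linux` comment down to sit above the cable-detection write is correct.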
CVS commit: [netbsd-6] src/sys/dev
Module Name:src Committed By: snj Date: Fri Jul 21 04:06:50 UTC 2017 Modified Files: src/sys/dev [netbsd-6]: audio.c Log Message: Apply patch (requested by nat in ticket #1457): Fix occasional stuttering that can be caused by ringbuffer overflow. To generate a diff of this commit: cvs rdiff -u -r1.257.2.4 -r1.257.2.5 src/sys/dev/audio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/audio.c diff -u src/sys/dev/audio.c:1.257.2.4 src/sys/dev/audio.c:1.257.2.5 --- src/sys/dev/audio.c:1.257.2.4 Wed Jun 13 19:14:17 2012 +++ src/sys/dev/audio.c Fri Jul 21 04:06:50 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: audio.c,v 1.257.2.4 2012/06/13 19:14:17 riz Exp $ */ +/* $NetBSD: audio.c,v 1.257.2.5 2017/07/21 04:06:50 snj Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -155,7 +155,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.257.2.4 2012/06/13 19:14:17 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.257.2.5 2017/07/21 04:06:50 snj Exp $"); #include "audio.h" #if NAUDIO > 0 @@ -2950,6 +2950,9 @@ audio_pint(void *v) return; } + if (audio_stream_get_used(>s) > (cb->usedhigh - cb->blksize)) + goto done; + #ifdef AUDIO_INTR_TIME { struct timeval tv; @@ -3028,6 +3031,7 @@ audio_pint(void *v) } DPRINTFN(5, ("audio_pint: outp=%p cc=%d\n", cb->s.outp, blksize)); +done: if (hw->trigger_output == NULL) { error = hw->start_output(sc->hw_hdl, __UNCONST(cb->s.outp), blksize, audio_pint, (void *)sc);
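Review bot: the early `goto done` skips the body of audio_pint() between the new check and the `done:` label, yet `done:` calls hw->start_output() with `cb->s.outp` and `blksize`; make sure `blksize` is assigned before the new check (its assignment is not visible in this hunk), otherwise the restarted transfer uses an uninitialized length. A comment on the condition would also help: `audio_stream_get_used(&cb->s) > cb->usedhigh - cb->blksize` compares the filled amount against the high watermark minus one block, and the reader has to work out for themselves what state that represents and why re-arming output without advancing outp is the right reaction.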
CVS commit: [netbsd-6] src/sys/dev
Module Name:src Committed By: snj Date: Fri Jul 21 04:02:12 UTC 2017 Modified Files: src/sys/dev [netbsd-6]: cgd.c Log Message: Apply patch (requested by chs in ticket #1455): Avoid crashes by checking if a cgd device has been configured before processing most ioctls, and failing with ENXIO if the device is not configured. To generate a diff of this commit: cvs rdiff -u -r1.76.6.1 -r1.76.6.2 src/sys/dev/cgd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/cgd.c diff -u src/sys/dev/cgd.c:1.76.6.1 src/sys/dev/cgd.c:1.76.6.2 --- src/sys/dev/cgd.c:1.76.6.1 Tue Jun 3 09:17:52 2014 +++ src/sys/dev/cgd.c Fri Jul 21 04:02:12 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: cgd.c,v 1.76.6.1 2014/06/03 09:17:52 sborrill Exp $ */ +/* $NetBSD: cgd.c,v 1.76.6.2 2017/07/21 04:02:12 snj Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.76.6.1 2014/06/03 09:17:52 sborrill Exp $"); +__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.76.6.2 2017/07/21 04:02:12 snj Exp $"); #include #include @@ -558,12 +558,16 @@ cgdioctl(dev_t dev, u_long cmd, void *da */ if ((flag & FWRITE) == 0) return (EBADF); + if ((dksc->sc_flags & DKF_INITED) == 0) + return ENXIO; /* * We pass this call down to the underlying disk. */ return VOP_IOCTL(cs->sc_tvn, cmd, data, flag, l->l_cred); default: + if ((dksc->sc_flags & DKF_INITED) == 0) + return ENXIO; return dk_ioctl(di, dksc, dev, cmd, data, flag, l); } }
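Review bot: the DKF_INITED test in both branches reads the flag without a lock, and the first branch then dereferences cs->sc_tvn; a CGDIOCCLR racing with this ioctl can still clear the device between the test and VOP_IOCTL(), so the change narrows the crash window rather than closing it. If dksc has a lock that the clear path takes, hold it across the check and the call; if not, say so in a comment so the residual race is documented. Minor: the new `return ENXIO;` sits next to `return (EBADF);`, so pick one parenthesization style within the function.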
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: snj Date: Fri Jul 14 06:18:25 UTC 2017 Modified Files: src/sys/kern [netbsd-6]: exec_elf.c Log Message: Pull up following revision(s) (requested by uwe in ticket #1438): sys/kern/exec_elf.c: revision 1.88 via patch netbsd_elf_signature - look at note segments (phdrs) not note sections. They point to the same data in the file, but sections are for linkers and are not necessarily present in an executable. The original switch from phdrs to shdrs seems to be just a cop-out to avoid parsing multiple notes per segment, which doesn't really avoid the problem b/c sections also can contain multiple notes. To generate a diff of this commit: cvs rdiff -u -r1.37.2.2 -r1.37.2.3 src/sys/kern/exec_elf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/exec_elf.c diff -u src/sys/kern/exec_elf.c:1.37.2.2 src/sys/kern/exec_elf.c:1.37.2.3 --- src/sys/kern/exec_elf.c:1.37.2.2 Fri Feb 14 23:21:20 2014 +++ src/sys/kern/exec_elf.c Fri Jul 14 06:18:25 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: exec_elf.c,v 1.37.2.2 2014/02/14 23:21:20 bouyer Exp $ */ +/* $NetBSD: exec_elf.c,v 1.37.2.3 2017/07/14 06:18:25 snj Exp $ */ /*- * Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc. @@ -57,7 +57,7 @@ */ #include -__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.37.2.2 2014/02/14 23:21:20 bouyer Exp $"); +__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.37.2.3 2017/07/14 06:18:25 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_pax.h" @@ -94,6 +94,7 @@ extern struct emul emul_netbsd; #define elf_load_psection ELFNAME(load_psection) #define exec_elf_makecmds ELFNAME2(exec,makecmds) #define netbsd_elf_signature ELFNAME2(netbsd,signature) +#define netbsd_elf_note ELFNAME2(netbsd,note) #define netbsd_elf_probe ELFNAME2(netbsd,probe) #define coredump ELFNAMEEND(coredump) #define elf_free_emul_arg ELFNAME(free_emul_arg) 
@@ -104,6 +105,8 @@ void elf_load_psection(struct exec_vmcmd const Elf_Phdr *, Elf_Addr *, u_long *, int *, int); int netbsd_elf_signature(struct lwp *, struct exec_package *, Elf_Ehdr *); +int netbsd_elf_note(struct exec_package *, const Elf_Nhdr *, const char *, + const char *); int netbsd_elf_probe(struct lwp *, struct exec_package *, void *, char *, vaddr_t *); 
@@ -860,99 +863,140 @@ netbsd_elf_signature(struct lwp *l, stru Elf_Ehdr *eh) { size_t i; - Elf_Shdr *sh; - Elf_Nhdr *np; - size_t shsize; + Elf_Phdr *ph; + size_t phsize; + char *nbuf; int error; int isnetbsd = 0; - char *ndata; epp->ep_pax_flags = 0; - if (eh->e_shnum > MAXSHNUM || eh->e_shnum == 0) + + if (eh->e_phnum > MAXPHNUM || eh->e_phnum == 0) return ENOEXEC; - shsize = eh->e_shnum * sizeof(Elf_Shdr); - sh = kmem_alloc(shsize, KM_SLEEP); - error = exec_read_from(l, epp->ep_vp, eh->e_shoff, sh, shsize); + phsize = eh->e_phnum * sizeof(Elf_Phdr); + ph = kmem_alloc(phsize, KM_SLEEP); + error = exec_read_from(l, epp->ep_vp, eh->e_phoff, ph, phsize); if (error) goto out; - np = kmem_alloc(MAXNOTESIZE, KM_SLEEP); - for (i = 0; i < eh->e_shnum; i++) { - Elf_Shdr *shp = [i]; - - if (shp->sh_type != SHT_NOTE || - shp->sh_size > MAXNOTESIZE || - shp->sh_size < sizeof(Elf_Nhdr) + ELF_NOTE_NETBSD_NAMESZ) + nbuf = kmem_alloc(MAXNOTESIZE, KM_SLEEP); + for (i = 0; i < eh->e_phnum; i++) { + const char *nptr; + size_t nlen; + + if (ph[i].p_type != PT_NOTE || + ph[i].p_filesz > MAXNOTESIZE) continue; - error = exec_read_from(l, epp->ep_vp, shp->sh_offset, np, - shp->sh_size); + nlen = ph[i].p_filesz; + error = exec_read_from(l, epp->ep_vp, ph[i].p_offset, + nbuf, nlen); if (error) continue; - ndata = (char *)(np + 1); - switch (np->n_type) { - case ELF_NOTE_TYPE_NETBSD_TAG: - if (np->n_namesz != ELF_NOTE_NETBSD_NAMESZ || - np->n_descsz != ELF_NOTE_NETBSD_DESCSZ || - memcmp(ndata, ELF_NOTE_NETBSD_NAME, - ELF_NOTE_NETBSD_NAMESZ)) -goto bad; - isnetbsd = 1; - break; + nptr = nbuf; + while (nlen > 0) { + const Elf_Nhdr *np; + const char *ndata, *ndesc; + + /* note header */ + np = (const Elf_Nhdr *)nptr; + if (nlen < sizeof(*np)) { +break; + } + nptr += sizeof(*np); + nlen -= sizeof(*np); + + /* note name */ + ndata = nptr; + if (nlen < roundup(np->n_namesz, 4)) { +break; + } + nptr += roundup(np->n_namesz, 4); + nlen -= roundup(np->n_namesz, 4); + + /* note description */ + 
ndesc = nptr; + if (nlen < roundup(np->n_descsz, 4)) { +break; + } + nptr += roundup(np->n_descsz, 4); + nlen -= roundup(np->n_descsz, 4); + + isnetbsd |= netbsd_elf_note(epp, np, ndata, ndesc); + } + } + kmem_free(nbuf, MAXNOTESIZE); + + error = isnetbsd ? 0 : ENOEXEC; +out: + kmem_free(ph, phsize); + return error; +} + +int +netbsd_elf_note(struct exec_package *epp, + const Elf_Nhdr *np, const char *ndata, const char *ndesc) +{ + int isnetbsd
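Review bot: in the per-note walk, `roundup(np->n_namesz, 4)` and `roundup(np->n_descsz, 4)` are computed on attacker-controlled 32-bit fields; for a value near UINT32_MAX the addition inside roundup wraps and the result is 0, so `nlen < roundup(...)` passes with nptr left in place even though n_namesz itself is huge. That is harmless in this loop only because nothing here reads n_namesz bytes, which means netbsd_elf_note() must compare n_namesz and n_descsz against the expected constants (as the removed `np->n_namesz != ELF_NOTE_NETBSD_NAMESZ` check did) and never use them as a memcmp length; its body is cut off in this diff, so please confirm. Also, `isnetbsd |= netbsd_elf_note(...)` drops the old `goto bad` behaviour where a malformed NetBSD tag note rejected the whole binary with ENOEXEC; if that relaxation is intentional, it deserves a sentence in the log message.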
CVS commit: [netbsd-6] src/sys/miscfs/procfs
Module Name:src Committed By: snj Date: Thu Jul 6 15:28:21 UTC 2017 Modified Files: src/sys/miscfs/procfs [netbsd-6]: procfs_map.c Log Message: Pull up following revision(s) (requested by tsutsui in ticket #1434): sys/miscfs/procfs/procfs_map.c: revision 1.45 Maps don't change that frequently between reads, so don't give up and do what linux does (support reading from an offset). To generate a diff of this commit: cvs rdiff -u -r1.41.8.1 -r1.41.8.2 src/sys/miscfs/procfs/procfs_map.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/miscfs/procfs/procfs_map.c diff -u src/sys/miscfs/procfs/procfs_map.c:1.41.8.1 src/sys/miscfs/procfs/procfs_map.c:1.41.8.2 --- src/sys/miscfs/procfs/procfs_map.c:1.41.8.1 Mon Jul 29 08:17:55 2013 +++ src/sys/miscfs/procfs/procfs_map.c Thu Jul 6 15:28:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: procfs_map.c,v 1.41.8.1 2013/07/29 08:17:55 msaitoh Exp $ */ +/* $NetBSD: procfs_map.c,v 1.41.8.2 2017/07/06 15:28:21 snj Exp $ */ /* * Copyright (c) 1993 @@ -76,7 +76,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: procfs_map.c,v 1.41.8.1 2013/07/29 08:17:55 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: procfs_map.c,v 1.41.8.2 2017/07/06 15:28:21 snj Exp $"); #include #include @@ -124,15 +124,6 @@ procfs_domap(struct lwp *curl, struct pr if (uio->uio_rw != UIO_READ) return EOPNOTSUPP; - if (uio->uio_offset != 0) { - /* - * we return 0 here, so that the second read returns EOF - * we don't support reading from an offset because the - * map could have changed between the two reads. - */ - return 0; - } - error = 0; if (linuxmode != 0) 
@@ -219,7 +210,16 @@ again: vm_map_unlock_read(map); uvmspace_free(vm); - error = uiomove(buffer, pos, uio); + /* + * We support reading from an offset, because linux does. + * The map could have changed between the two reads, and + * that could result in junk, but typically it does not. + */ + if (uio->uio_offset < pos) + error = uiomove(buffer + uio->uio_offset, + pos - uio->uio_offset, uio); + else + error = 0; out: if (path != NULL) free(path, M_TEMP);
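Review bot: `uio->uio_offset` is a signed off_t and the new test is only `uio->uio_offset < pos`, so a negative offset passes the check and `buffer + uio->uio_offset` points before the allocated buffer while `pos - uio->uio_offset` exceeds what was generated. Unless the caller guarantees a non-negative offset, reject it before the uiomove(), e.g. `if (uio->uio_offset < 0) { error = EINVAL; goto out; }`.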
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: snj Date: Thu Jul 6 15:20:00 UTC 2017 Modified Files: src/sys/kern [netbsd-6]: subr_xcall.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1419): sys/kern/subr_xcall.c: revision 1.19

Fix a race condition of low priority xcall

xc_lowpri and xc_thread are racy and xc_wait may return during/before executing all xcall callbacks, resulting in a kernel panic at worst.

xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall callbacks are done, xc_wait returns and also xc_lowpri accepts a next job. The problem is that a counter that counts the number of finished xcall callbacks is incremented *before* actually executing an xcall callback (see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before all xcall callbacks complete and a next job begins to run its xcall callbacks. Even worse, the counter is global and shared between jobs, so if an xcall callback of the next job completes, the shared counter is incremented, which confuses xc_wait of the previous job as all xcall callbacks of the previous job are done and xc_wait of the previous job returns during/before executing its xcall callbacks.

How to fix: there are actually two counters that count the number of finished xcall callbacks for low priority xcall for historical reasons (I guess): xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly while xc_tailp is incremented wrongly, i.e., before executing an xcall callback. We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep.

PR kern/51632

To generate a diff of this commit: cvs rdiff -u -r1.13.10.1 -r1.13.10.2 src/sys/kern/subr_xcall.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/subr_xcall.c diff -u src/sys/kern/subr_xcall.c:1.13.10.1 src/sys/kern/subr_xcall.c:1.13.10.2 --- src/sys/kern/subr_xcall.c:1.13.10.1 Sat Apr 20 10:05:22 2013 +++ src/sys/kern/subr_xcall.c Thu Jul 6 15:20:00 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $ */ +/* $NetBSD: subr_xcall.c,v 1.13.10.2 2017/07/06 15:20:00 snj Exp $ */ /*- * Copyright (c) 2007-2010 The NetBSD Foundation, Inc. @@ -74,7 +74,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.2 2017/07/06 15:20:00 snj Exp $"); #include #include @@ -101,7 +101,6 @@ typedef struct { /* Low priority xcall structures. */ static xc_state_t xc_low_pri __cacheline_aligned; -static uint64_t xc_tailp __cacheline_aligned; /* High priority xcall structures. */ static xc_state_t xc_high_pri __cacheline_aligned; @@ -131,7 +130,6 @@ xc_init(void) memset(xclo, 0, sizeof(xc_state_t)); mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_NONE); cv_init(>xc_busy, "xclocv"); - xc_tailp = 0; memset(xchi, 0, sizeof(xc_state_t)); mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_SOFTCLOCK); @@ -253,7 +251,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi uint64_t where; mutex_enter(>xc_lock); - while (xc->xc_headp != xc_tailp) { + while (xc->xc_headp != xc->xc_donep) { cv_wait(>xc_busy, >xc_lock); } xc->xc_arg1 = arg1; @@ -274,7 +272,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi ci->ci_data.cpu_xcall_pending = true; cv_signal(>ci_data.cpu_xcall); } - KASSERT(xc_tailp < xc->xc_headp); + KASSERT(xc->xc_donep < xc->xc_headp); where = xc->xc_headp; mutex_exit(>xc_lock); @@ -299,7 +297,7 @@ xc_thread(void *cookie) mutex_enter(>xc_lock); for (;;) { while (!ci->ci_data.cpu_xcall_pending) { - if (xc->xc_headp == xc_tailp) { + if (xc->xc_headp == xc->xc_donep) { cv_broadcast(>xc_busy); } cv_wait(>ci_data.cpu_xcall, >xc_lock); 
@@ -309,7 +307,6 @@ xc_thread(void *cookie) func = xc->xc_func; arg1 = xc->xc_arg1; arg2 = xc->xc_arg2; - xc_tailp++; mutex_exit(>xc_lock); KASSERT(func != NULL);
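Review bot: with xc_tailp gone, xc_lowpri() waits on `xc->xc_headp != xc->xc_donep`, and the only cv_broadcast(&xc->xc_busy) visible in the diff is in xc_thread()'s idle loop, taken when it finds the two counters equal; the place where xc_donep is incremented after func() returns is not in these hunks. Please confirm that increment happens under xc_lock and that the thread always comes back through the idle loop (and hence the broadcast) after each callback, otherwise a waiter in xc_lowpri() can miss the transition to headp == donep. A comment on xc_donep stating that it is now the sole completion counter for the low-priority path would record the invariant the log message explains.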
CVS commit: [netbsd-6] src/sys
Module Name:src Committed By: snj Date: Thu Jun 15 06:04:01 UTC 2017 Modified Files: src/sys/arch/ews4800mips/sbd [netbsd-6]: fb_sbdio.c src/sys/arch/pmax/ibus [netbsd-6]: pm.c src/sys/dev/hpc [netbsd-6]: bivideo.c src/sys/dev/ic [netbsd-6]: sti.c Log Message: Pull up following revision(s) (requested by spz in ticket #1456): sys/arch/ews4800mips/sbd/fb_sbdio.c: revision 1.16 sys/arch/pmax/ibus/pm.c: revision 1.13 sys/dev/hpc/bivideo.c: revision 1.34 sys/dev/ic/sti.c: revision 1.19 correct size checks so they cannot be circumvented by integer overflows reported by CTurt, thanks for the notification To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.12.2.1 src/sys/arch/ews4800mips/sbd/fb_sbdio.c cvs rdiff -u -r1.11 -r1.11.2.1 src/sys/arch/pmax/ibus/pm.c cvs rdiff -u -r1.32 -r1.32.14.1 src/sys/dev/hpc/bivideo.c cvs rdiff -u -r1.16.8.1 -r1.16.8.2 src/sys/dev/ic/sti.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/ews4800mips/sbd/fb_sbdio.c diff -u src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12 src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12.2.1 --- src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12 Wed Jan 11 21:17:33 2012 +++ src/sys/arch/ews4800mips/sbd/fb_sbdio.c Thu Jun 15 06:04:01 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $ */ +/* $NetBSD: fb_sbdio.c,v 1.12.2.1 2017/06/15 06:04:01 snj Exp $ */ /*- * Copyright (c) 2004, 2005 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #define WIRED_FB_TLB #include -__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $"); +__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12.2.1 2017/06/15 06:04:01 snj Exp $"); #include #include 
@@ -304,6 +304,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd, if (ri->ri_flg == RI_FORCEMONO) break; ga_clut_get(ga); + if (cmap->index >= 256 || cmap->count > 256 - cmap->index) + return (EINVAL); for (i = 0; i < cmap->count; i++) { cmap->red[i] = ga->clut[cmap->index + i][0]; cmap->green[i] = ga->clut[cmap->index + i][1]; @@ -314,6 +316,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd, case WSDISPLAYIO_PUTCMAP: if (ri->ri_flg == RI_FORCEMONO) break; + if (cmap->index >= 256 || cmap->count > 256 - cmap->index) + return (EINVAL); for (i = 0; i < cmap->count; i++) { ga->clut[cmap->index + i][0] = cmap->red[i]; ga->clut[cmap->index + i][1] = cmap->green[i]; Index: src/sys/arch/pmax/ibus/pm.c diff -u src/sys/arch/pmax/ibus/pm.c:1.11 src/sys/arch/pmax/ibus/pm.c:1.11.2.1 --- src/sys/arch/pmax/ibus/pm.c:1.11 Wed Jan 11 21:17:33 2012 +++ src/sys/arch/pmax/ibus/pm.c Thu Jun 15 06:04:01 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $ */ +/* $NetBSD: pm.c,v 1.11.2.1 2017/06/15 06:04:01 snj Exp $ */ /*- * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11.2.1 2017/06/15 06:04:01 snj Exp $"); #include #include @@ -668,7 +668,7 @@ pm_get_cmap(struct pm_softc *sc, struct index = p->index; count = p->count; - if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size) + if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index) return (EINVAL); if ((rv = copyout(>sc_cmap.r[index], p->red, count)) != 0) 
@@ -687,7 +687,7 @@ pm_set_cmap(struct pm_softc *sc, struct index = p->index; count = p->count; - if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size) + if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index) return (EINVAL); if ((rv = copyin(p->red, >sc_cmap.r[index], count)) != 0) Index: src/sys/dev/hpc/bivideo.c diff -u src/sys/dev/hpc/bivideo.c:1.32 src/sys/dev/hpc/bivideo.c:1.32.14.1 --- src/sys/dev/hpc/bivideo.c:1.32 Sat Nov 13 13:51:58 2010 +++ src/sys/dev/hpc/bivideo.c Thu Jun 15 06:04:01 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $ */ +/* $NetBSD: bivideo.c,v 1.32.14.1 2017/06/15 06:04:01 snj Exp $ */ /*- * Copyright (c) 1999-2001 @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32.14.1 2017/06/15 06:04:01 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_hpcfb.h" @@ -403,8 +403,8 @@ bivideo_ioctl(void *v, u_long cmd, void if (sc->sc_fbconf.hf_class != HPCFB_CLASS_INDEXCOLOR || sc->sc_fbconf.hf_pack_width != 8 || - 256 <= cmap->index || - 256 < (cmap->index + cmap->count)) + cmap->index >= 256 || + cmap->count > 256 - cmap->index) return (EINVAL); error = copyout(_cmap_r[cmap->index], cmap->red, Index: src/sys/dev/ic/sti.c diff -u src/sys/dev/ic/sti.c:1.16.8.1
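Review bot: in the fb_sbdio.c WSDISPLAYIO_GETCMAP hunk the new bounds check is placed after `ga_clut_get(ga)`, so a malformed request still triggers a hardware CLUT read before it is rejected. Moving the `if (cmap->index >= 256 || cmap->count > 256 - cmap->index)` test above `ga_clut_get(ga)` would mirror the placement used in the PUTCMAP hunk and reject bad input before touching the device.

Review bot: in the pm.c pm_get_cmap/pm_set_cmap hunks (and the equivalent bivideo.c hunk), the rewritten `count > sc->sc_cmap_size - index` is only overflow-safe because `index >= sc->sc_cmap_size` is evaluated first and short-circuits; if the two operands were ever reordered, `sc_cmap_size - index` could wrap for an out-of-range index and the original overflow would return. A short comment pinning that evaluation order ("index checked first, so the subtraction cannot wrap") would protect the fix against a future cleanup.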
CVS commit: [netbsd-6] src/sys/arch/i386/stand/misc
Module Name:src Committed By: snj Date: Sat Jun 3 16:49:29 UTC 2017 Modified Files: src/sys/arch/i386/stand/misc [netbsd-6]: rawr32.exe.uue Log Message: Pull up following revision(s) (requested by martin in ticket #1454): sys/arch/i386/stand/misc/rawr32.exe.uue: revision 1.7 Update to rawrite32 1.0.5 (new signatures to avoid scary windows warnings) To generate a diff of this commit: cvs rdiff -u -r1.4.4.1 -r1.4.4.2 src/sys/arch/i386/stand/misc/rawr32.exe.uue Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. diffs are larger than 1MB and have been omitted
CVS commit: [netbsd-6] src/sys/dev/pci/ixgbe
Module Name:src Committed By: snj Date: Sat Mar 25 17:35:56 UTC 2017 Modified Files: src/sys/dev/pci/ixgbe [netbsd-6]: ixgbe.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1439): sys/dev/pci/ixgbe/ixgbe.c: revision 1.60 via patch Use 64bit DMA tag. If not, a lot of bounce buffer is allocated. Fixes PR#49968 reported by Hauke. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.2.4.1 src/sys/dev/pci/ixgbe/ixgbe.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/ixgbe/ixgbe.c diff -u src/sys/dev/pci/ixgbe/ixgbe.c:1.2 src/sys/dev/pci/ixgbe/ixgbe.c:1.2.4.1 --- src/sys/dev/pci/ixgbe/ixgbe.c:1.2 Sat Nov 19 22:51:24 2011 +++ src/sys/dev/pci/ixgbe/ixgbe.c Sat Mar 25 17:35:56 2017 @@ -59,7 +59,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ /*$FreeBSD: src/sys/dev/ixgbe/ixgbe.c,v 1.51 2011/04/25 23:34:21 jfv Exp $*/ -/*$NetBSD: ixgbe.c,v 1.2 2011/11/19 22:51:24 tls Exp $*/ +/*$NetBSD: ixgbe.c,v 1.2.4.1 2017/03/25 17:35:56 snj Exp $*/ #include "opt_inet.h" @@ -475,6 +475,10 @@ ixgbe_attach(device_t parent, device_t d adapter->osdep.pc = pa->pa_pc; adapter->osdep.tag = pa->pa_tag; adapter->osdep.dmat = pa->pa_dmat; + if (pci_dma64_available(pa)) + adapter->osdep.dmat = pa->pa_dmat64; + else + adapter->osdep.dmat = pa->pa_dmat; ent = ixgbe_lookup(pa);
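Review bot: the ixgbe_attach hunk leaves the unconditional `adapter->osdep.dmat = pa->pa_dmat;` in place directly above the new `if (pci_dma64_available(pa)) ... else adapter->osdep.dmat = pa->pa_dmat;`, so the else branch re-assigns the same value and the first assignment is now dead. Dropping the unconditional line (or dropping the else branch) makes it obvious that the tag is chosen exactly once.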
CVS commit: [netbsd-6] src/sys/dev/usb
Module Name:src Committed By: snj Date: Sat Mar 25 17:30:18 UTC 2017 Modified Files: src/sys/dev/usb [netbsd-6]: uplcom.c Log Message: Pull up following revision(s) (requested by bad in ticket #1445): sys/dev/usb/uplcom.c: revision 1.75 Null suspend/resume handler for uplcom(4). To generate a diff of this commit: cvs rdiff -u -r1.73.2.1 -r1.73.2.2 src/sys/dev/usb/uplcom.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/usb/uplcom.c diff -u src/sys/dev/usb/uplcom.c:1.73.2.1 src/sys/dev/usb/uplcom.c:1.73.2.2 --- src/sys/dev/usb/uplcom.c:1.73.2.1 Sat Mar 25 17:26:53 2017 +++ src/sys/dev/usb/uplcom.c Sat Mar 25 17:30:18 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $ */ +/* $NetBSD: uplcom.c,v 1.73.2.2 2017/03/25 17:30:18 snj Exp $ */ /* * Copyright (c) 2001 The NetBSD Foundation, Inc. * All rights reserved. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73.2.2 2017/03/25 17:30:18 snj Exp $"); #include #include @@ -416,6 +416,9 @@ uplcom_attach(device_t parent, device_t sc->sc_subdev = config_found_sm_loc(self, "ucombus", NULL, , ucomprint, ucomsubmatch); + if (!pmf_device_register(self, NULL, NULL)) + aprint_error_dev(self, "couldn't establish power handler\n"); + return; } @@ -450,6 +453,9 @@ uplcom_detach(device_t self, int flags) usbd_add_drv_event(USB_EVENT_DRIVER_DETACH, sc->sc_udev, sc->sc_dev); + if (rv == 0) + pmf_device_deregister(self); + return (rv); }
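Review bot: in the uplcom_detach hunk, `pmf_device_deregister(self)` runs only when `rv == 0` and after `usbd_add_drv_event(...)`, i.e. after the child ucom has already been detached; the usual pattern is to deregister with pmf at the top of the detach routine before tearing anything down, so no power-management callback can be delivered to a half-detached device. With NULL suspend/resume handlers (attach hunk) there is no callback to race with today, but placing the deregister first would keep this driver consistent with the rest of dev/usb if real handlers are added later.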
CVS commit: [netbsd-6] src/sys/dev/usb
Module Name:src Committed By: snj Date: Sat Mar 25 17:26:53 UTC 2017 Modified Files: src/sys/dev/usb [netbsd-6]: uplcom.c Log Message: Pull up following revision(s) (requested by bad in ticket #1444): sys/dev/usb/uplcom.c: revision 1.76 Don't pretend to do zero length IN control transfers as dwctwo(4) (correctly according to usb 2.0 specification 8.5.3) uses IN status stage when no (zero length) data stage. Instead read into a 1 byte array. My uplcom(4) now works on RPI. To generate a diff of this commit: cvs rdiff -u -r1.73 -r1.73.2.1 src/sys/dev/usb/uplcom.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/usb/uplcom.c diff -u src/sys/dev/usb/uplcom.c:1.73 src/sys/dev/usb/uplcom.c:1.73.2.1 --- src/sys/dev/usb/uplcom.c:1.73 Fri Dec 23 00:51:48 2011 +++ src/sys/dev/usb/uplcom.c Sat Mar 25 17:26:53 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: uplcom.c,v 1.73 2011/12/23 00:51:48 jakllsch Exp $ */ +/* $NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $ */ /* * Copyright (c) 2001 The NetBSD Foundation, Inc. * All rights reserved. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73 2011/12/23 00:51:48 jakllsch Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $"); #include #include 
@@ -491,21 +491,20 @@ struct pl2303x_init { uint8_t request; uint16_t value; uint16_t index; - uint16_t length; }; static const struct pl2303x_init pl2303x[] = { - { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0, 0 }, - { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,0, 0 }, - { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0, 0 }, - { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8383,0, 0 }, - { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0, 0 }, - { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,1, 0 }, - { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0, 0 }, - { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8383,0, 0 }, - { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0,1, 0 }, - { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 1,0, 0 }, - { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 2, 0x44, 0 } + { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0 }, + { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,0 }, + { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0 }, + { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8383,0 }, + { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0 }, + { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,1 }, + { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8484,0 }, + { UT_READ_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x8383,0 }, + { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0,1 }, + { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 1,0 }, + { UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 2, 0x44 } }; #define N_PL2302X_INIT (sizeof(pl2303x)/sizeof(pl2303x[0])) 
@@ -517,13 +516,22 @@ uplcom_pl2303x_init(struct uplcom_softc int i; for (i = 0; i < N_PL2302X_INIT; i++) { + char buf[1]; + void *b; + req.bmRequestType = pl2303x[i].req_type; req.bRequest = pl2303x[i].request; USETW(req.wValue, pl2303x[i].value); USETW(req.wIndex, pl2303x[i].index); - USETW(req.wLength, pl2303x[i].length); + if (UT_GET_DIR(req.bmRequestType) == UT_READ) { + b = buf; + USETW(req.wLength, sizeof(buf)); + } else { + b = NULL; + USETW(req.wLength, 0); + } - err = usbd_do_request(sc->sc_udev, , 0); + err = usbd_do_request(sc->sc_udev, , b); if (err) { aprint_error_dev(sc->sc_dev, "uplcom_pl2303x_init failed: %s\n",
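Review bot: the uplcom_pl2303x_init hunk encodes the reason for the 1-byte read (`b = buf; USETW(req.wLength, sizeof(buf));` on `UT_READ` requests) only in the commit message; a comment next to the `if (UT_GET_DIR(req.bmRequestType) == UT_READ)` branch stating that zero-length IN control transfers are deliberately avoided because the host controller uses an IN status stage when there is no data stage (USB 2.0 8.5.3) would keep future readers from "simplifying" this back to a zero-length request. The read value in `buf` is intentionally discarded, which is also worth saying in the comment.

Review bot: the pl2303x table hunk removes the `length` column, which is the right cleanup since every entry carried 0 and the length is now derived from the direction bit in the loop; while touching the table, the pre-existing `N_PL2302X_INIT` macro name (2302 versus the `pl2303x` array it sizes) could be renamed to `N_PL2303X_INIT` to match.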
CVS commit: [netbsd-6] src/sys/arch
Module Name:src Committed By: snj Date: Sat Mar 25 17:18:25 UTC 2017 Modified Files: src/sys/arch/amd64/amd64 [netbsd-6]: trap.c src/sys/arch/i386/i386 [netbsd-6]: trap.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1446): sys/arch/amd64/amd64/trap.c: revision 1.94 sys/arch/i386/i386/trap.c: revision 1.287 Mmh, allow iret to be handled when an #SS fault (T_STKFLT) happens. Even if the sdm is far from being clear, it appears that iret can trigger an #SS fault if %ss points to a writable but non-present segment; in which case the kernel would panic, thinking the fault was internal to it. In particular, userland can create a broken segment in the ldt with USER_LDT, update its %ss with setcontext and trigger the panic. I don't think amd64 is affected since USER_LDT does not exist there, and the changes on tf_ss seem correct - but I'm still adding T_STKFLT for safety. To generate a diff of this commit: cvs rdiff -u -r1.69.2.1 -r1.69.2.2 src/sys/arch/amd64/amd64/trap.c cvs rdiff -u -r1.262 -r1.262.8.1 src/sys/arch/i386/i386/trap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/amd64/amd64/trap.c diff -u src/sys/arch/amd64/amd64/trap.c:1.69.2.1 src/sys/arch/amd64/amd64/trap.c:1.69.2.2 --- src/sys/arch/amd64/amd64/trap.c:1.69.2.1 Sun Jun 3 21:45:10 2012 +++ src/sys/arch/amd64/amd64/trap.c Sat Mar 25 17:18:25 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: trap.c,v 1.69.2.1 2012/06/03 21:45:10 jdc Exp $ */ +/* $NetBSD: trap.c,v 1.69.2.2 2017/03/25 17:18:25 snj Exp $ */ /*- * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc. @@ -68,7 +68,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.69.2.1 2012/06/03 21:45:10 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.69.2.2 2017/03/25 17:18:25 snj Exp $"); #include "opt_ddb.h" #include "opt_kgdb.h" 
@@ -294,6 +294,7 @@ trap(struct trapframe *frame) case T_PROTFLT: case T_SEGNPFLT: case T_ALIGNFLT: + case T_STKFLT: case T_TSSFLT: if (p == NULL) goto we_re_toast; Index: src/sys/arch/i386/i386/trap.c diff -u src/sys/arch/i386/i386/trap.c:1.262 src/sys/arch/i386/i386/trap.c:1.262.8.1 --- src/sys/arch/i386/i386/trap.c:1.262 Wed Sep 7 09:24:55 2011 +++ src/sys/arch/i386/i386/trap.c Sat Mar 25 17:18:25 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: trap.c,v 1.262 2011/09/07 09:24:55 reinoud Exp $ */ +/* $NetBSD: trap.c,v 1.262.8.1 2017/03/25 17:18:25 snj Exp $ */ /*- * Copyright (c) 1998, 2000, 2005, 2006, 2007, 2008 The NetBSD Foundation, Inc. @@ -68,7 +68,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.262 2011/09/07 09:24:55 reinoud Exp $"); +__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.262.8.1 2017/03/25 17:18:25 snj Exp $"); #include "opt_ddb.h" #include "opt_kgdb.h" @@ -405,6 +405,7 @@ trap(struct trapframe *frame) #endif case T_SEGNPFLT: case T_ALIGNFLT: + case T_STKFLT: case T_TSSFLT: if (p == NULL) goto we_re_toast;
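Review bot: both trap.c hunks add only the `case T_STKFLT:` label, routing #SS through the same recovery path as T_PROTFLT/T_SEGNPFLT/T_TSSFLT; the code after `if (p == NULL) goto we_re_toast;` that detects a fault on the kernel's `iret` and reflects it to userland is not in the hunk, so please confirm it does not contain checks specific to the previously listed trap types (for example a fault-address or error-code test that #SS does not satisfy), otherwise the new label would still end in a panic for the `%ss` case the commit message describes. A comment on the new label referencing the non-present-but-writable `%ss` segment scenario would also document why #SS belongs in this list.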
CVS commit: [netbsd-6] src/sys/arch/x86
Module Name:src Committed By: snj Date: Mon Mar 6 08:18:44 UTC 2017 Modified Files: src/sys/arch/x86/include [netbsd-6]: pmap.h src/sys/arch/x86/x86 [netbsd-6]: pmap.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #1441): sys/arch/x86/x86/pmap.c: revision 1.241 via patch sys/arch/x86/include/pmap.h: revision 1.63 via patch Should be PG_k, doesn't change anything. -- Remove PG_u from the kernel pages on Xen. Otherwise there is no privilege separation between the kernel and userland. On Xen-amd64, the kernel runs in ring3 just like userland, and the separation is guaranteed by the hypervisor - each syscall/trap is intercepted by Xen and sent manually to the kernel. Before that, the hypervisor modifies the page tables so that the kernel becomes accessible. Later, when returning to userland, the hypervisor removes the kernel pages and flushes the TLB. However, TLB flushes are costly, and in order to reduce the number of pages flushed Xen marks the userland pages as global, while keeping the kernel ones as local. This way, when returning to userland, only the kernel pages get flushed - which makes sense since they are the only ones that got removed from the mapping. Xen differentiates the userland pages by looking at their PG_u bit in the PTE; if a page has this bit then Xen tags it as global, otherwise Xen manually adds the bit but keeps the page as local. The thing is, since we set PG_u in the kernel pages, Xen believes our kernel pages are in fact userland pages, so it marks them as global. Therefore, when returning to userland, the kernel pages indeed get removed from the page tree, but are not flushed from the TLB. Which means that they are still accessible. 
With this - and depending on the DTLB size - userland has a small window where it can read/write to the last kernel pages accessed, which is enough to completely escalate privileges: the sysent structure systematically gets read when performing a syscall, and chances are that it will still be cached in the TLB. Userland can then use this to patch a chosen syscall, make it point to a userland function, retrieve %gs and compute the address of its credentials, and finally grant itself root privileges. To generate a diff of this commit: cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/x86/include/pmap.h cvs rdiff -u -r1.164.2.5 -r1.164.2.6 src/sys/arch/x86/x86/pmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/x86/include/pmap.h diff -u src/sys/arch/x86/include/pmap.h:1.49.2.2 src/sys/arch/x86/include/pmap.h:1.49.2.3 --- src/sys/arch/x86/include/pmap.h:1.49.2.2 Wed May 9 03:22:52 2012 +++ src/sys/arch/x86/include/pmap.h Mon Mar 6 08:18:44 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: pmap.h,v 1.49.2.2 2012/05/09 03:22:52 riz Exp $ */ +/* $NetBSD: pmap.h,v 1.49.2.3 2017/03/06 08:18:44 snj Exp $ */ /* * Copyright (c) 1997 Charles D. Cranor and Washington University. @@ -182,15 +182,7 @@ struct pmap { ((pmap)->pm_pdirpa[0] + (index) * sizeof(pd_entry_t)) #endif -/* - * flag to be used for kernel mappings: PG_u on Xen/amd64, - * 0 otherwise. - */ -#if defined(XEN) && defined(__x86_64__) -#define PG_k PG_u -#else #define PG_k 0 -#endif /* * MD flags that we use for pmap_enter and pmap_kenter_pa: Index: src/sys/arch/x86/x86/pmap.c diff -u src/sys/arch/x86/x86/pmap.c:1.164.2.5 src/sys/arch/x86/x86/pmap.c:1.164.2.6 --- src/sys/arch/x86/x86/pmap.c:1.164.2.5 Thu Jul 14 07:05:34 2016 +++ src/sys/arch/x86/x86/pmap.c Mon Mar 6 08:18:44 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: pmap.c,v 1.164.2.5 2016/07/14 07:05:34 snj Exp $ */ +/* $NetBSD: pmap.c,v 1.164.2.6 2017/03/06 08:18:44 snj Exp $ */ /*- * Copyright (c) 2008, 2010 The NetBSD Foundation, Inc. @@ -171,7 +171,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.5 2016/07/14 07:05:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.6 2017/03/06 08:18:44 snj Exp $"); #include "opt_user_ldt.h" #include "opt_lockdebug.h" @@ -1467,7 +1467,7 @@ pmap_bootstrap(vaddr_t kva_start) memset((void *) (xen_dummy_user_pgd + KERNBASE), 0, PAGE_SIZE); /* Mark read-only */ HYPERVISOR_update_va_mapping(xen_dummy_user_pgd + KERNBASE, - pmap_pa2pte(xen_dummy_user_pgd) | PG_u | PG_V, UVMF_INVLPG); + pmap_pa2pte(xen_dummy_user_pgd) | PG_k | PG_V, UVMF_INVLPG); /* Pin as L4 */ xpq_queue_pin_l4_table(xpmap_ptom_masked(xen_dummy_user_pgd)); #endif /* __x86_64__ */ @@ -2064,7 +2064,7 @@ pmap_pdp_ctor(void *arg, void *v, int fl * this pdir will NEVER be active in kernel mode * so mark recursive entry invalid */ - pdir[PDIR_SLOT_PTE] = pmap_pa2pte(pdirpa) | PG_u; + pdir[PDIR_SLOT_PTE] = pmap_pa2pte(pdirpa) | PG_k; /* * PDP constructed this way won't be for kernel, * hence we don't put kernel mappings on Xen.
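Review bot: the pmap.h hunk removes the only comment describing `PG_k` together with the `#if defined(XEN) && defined(__x86_64__)` block, leaving a bare `#define PG_k 0`. Keeping a short comment ("flag used for kernel mappings; must not be PG_u on Xen, since the hypervisor treats PG_u PTEs as global and leaves them in the TLB after the return to userland") would record why the define exists at all and would stop someone from reintroducing `PG_u` there.

Review bot: the two pmap.c hunks (`xen_dummy_user_pgd` mapping and `pdir[PDIR_SLOT_PTE]`) replace `PG_u` with `PG_k`; the commit message's "doesn't change anything" applies to those hunks only in isolation, since the pmap.h hunk in the same pullup makes `PG_k` evaluate to 0 and therefore does drop PG_u from these PTEs. That combined effect is the actual fix and is worth stating in the pullup message or a comment so the two revisions are not backed out independently.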
CVS commit: [netbsd-6] src/sys/compat/linux/arch/amd64
Module Name:src Committed By: snj Date: Tue Feb 14 16:59:31 UTC 2017 Modified Files: src/sys/compat/linux/arch/amd64 [netbsd-6]: linux_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1433): sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51 Don't let userland choose %rip. This is the Intel Sysret vulnerability again. -- Make sure %rip is in userland. This is harmless, since the return to userland is made with iret instead of sysret in this path. While here, use size_t. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.6.1 \ src/sys/compat/linux/arch/amd64/linux_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/arch/amd64/linux_machdep.c diff -u src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39.6.1 --- src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 Fri Nov 18 04:07:43 2011 +++ src/sys/compat/linux/arch/amd64/linux_machdep.c Tue Feb 14 16:59:31 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $ */ +/* $NetBSD: linux_machdep.c,v 1.39.6.1 2017/02/14 16:59:31 snj Exp $ */ /*- * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved. @@ -33,7 +33,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39.6.1 2017/02/14 16:59:31 snj Exp $"); #include #include @@ -254,7 +254,12 @@ linux_sendsig(const ksiginfo_t *ksi, con if (error != 0) { sigexit(l, SIGILL); return; - } + } + + if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) { + sigexit(l, SIGILL); + return; + } linux_buildcontext(l, catcher, sp); tf->tf_rdi = sigframe.info.lsi_signo; 
@@ -485,7 +490,7 @@ linux_usertrap(struct lwp *l, vaddr_t tr { struct trapframe *tf = arg; uint64_t retaddr; - int vsyscallnr; + size_t vsyscallnr; /* * Check for a vsyscall. %rip must be the fault address, @@ -515,6 +520,8 @@ linux_usertrap(struct lwp *l, vaddr_t tr */ if (copyin((void *)tf->tf_rsp, , sizeof retaddr) != 0) return 0; + if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS) + return 0; tf->tf_rip = retaddr; tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr]; tf->tf_rsp += 8; /* "pop" the return address */
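Review bot: in the linux_sendsig hunk the new `if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS)` test runs after the signal frame has already been copied out (the preceding `if (error != 0) { sigexit(l, SIGILL); return; }`); validating `catcher` before building and copying the frame would avoid the wasted copyout and keep the two SIGILL exits adjacent. Also, the `}` line in the hunk appears as a `-`/`+` pair with no visible difference, which suggests a whitespace-only change; harmless, but it pads the diff.

Review bot: in the linux_usertrap hunk, `if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS) return 0;` uses the same return value as the `copyin(...) != 0` failure just above it, so a forged vsyscall return address is now treated like an unreadable stack rather than being written into `tf->tf_rip`; that is the right outcome, but a comment tying it to the sysret issue named in the commit message would help. The `int` to `size_t` change for `vsyscallnr` only rules out negative indexes into `linux_vsyscall_to_syscall[]`; the upper-bound check on it is outside this hunk and should be confirmed to exist.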
CVS commit: [netbsd-6] src/sys/netinet
Module Name:src Committed By: snj Date: Sun Feb 5 06:07:36 UTC 2017 Modified Files: src/sys/netinet [netbsd-6]: if_arp.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1432): sys/netinet/if_arp.c: 1.238, 1.239 via patch Make sure the protocol address length equals that of IPv4. Also, make sure the hardware address length equals that of the interface we received the packet on. Otherwise a packet could easily set them both to zero and make the kernel read beyond the allocated mbuf, which is terrible. Note: for the latter we drop the packet instead of replying, since it is malformed. Note: I also added an ugly hack in CARP, since it apparently expects at least six bytes. -- Add some checks, mostly same as in_arpinput. To generate a diff of this commit: cvs rdiff -u -r1.154.2.2 -r1.154.2.3 src/sys/netinet/if_arp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/if_arp.c diff -u src/sys/netinet/if_arp.c:1.154.2.2 src/sys/netinet/if_arp.c:1.154.2.3 --- src/sys/netinet/if_arp.c:1.154.2.2 Sun Nov 15 17:51:52 2015 +++ src/sys/netinet/if_arp.c Sun Feb 5 06:07:36 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_arp.c,v 1.154.2.2 2015/11/15 17:51:52 bouyer Exp $ */ +/* $NetBSD: if_arp.c,v 1.154.2.3 2017/02/05 06:07:36 snj Exp $ */ /*- * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc. @@ -68,7 +68,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.2.2 2015/11/15 17:51:52 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.2.3 2017/02/05 06:07:36 snj Exp $"); #include "opt_ddb.h" #include "opt_inet.h" @@ -975,6 +975,9 @@ in_arpinput(struct mbuf *m) break; } + if (ah->ar_pln != sizeof(struct in_addr)) + goto out; + memcpy(, ar_spa(ah), sizeof (isaddr)); memcpy(, ar_tpa(ah), sizeof (itaddr)); 
@@ -1005,7 +1008,10 @@ in_arpinput(struct mbuf *m) ((ia->ia_ifp->if_flags & (IFF_UP|IFF_RUNNING)) == (IFF_UP|IFF_RUNNING))) { index++; + + /* XXX: ar_hln? */ if (ia->ia_ifp == m->m_pkthdr.rcvif && + (ah->ar_hln >= 6) && carp_iamatch(ia, ar_sha(ah), , index)) { break; @@ -1037,6 +1043,14 @@ in_arpinput(struct mbuf *m) } #endif + if (ah->ar_hln != ifp->if_addrlen) { + ARP_STATINC(ARP_STAT_RCVBADLEN); + log(LOG_WARNING, + "arp from %s: addr len: new %d, i/f %d (ignored)\n", + in_fmtaddr(isaddr), ah->ar_hln, ifp->if_addrlen); + goto out; + } + if (ia == NULL) { INADDR_TO_IA(isaddr, ia); while ((ia != NULL) && ia->ia_ifp != m->m_pkthdr.rcvif) @@ -1131,14 +1145,7 @@ in_arpinput(struct mbuf *m) "arp from %s: new addr len %d, was %d\n", in_fmtaddr(isaddr), ah->ar_hln, sdl->sdl_alen); } - if (ifp->if_addrlen != ah->ar_hln) { - ARP_STATINC(ARP_STAT_RCVBADLEN); - log(LOG_WARNING, - "arp from %s: addr len: new %d, i/f %d (ignored)\n", - in_fmtaddr(isaddr), ah->ar_hln, - ifp->if_addrlen); - goto reply; - } + #if NTOKEN > 0 /* * XXX uses m_data and assumes the complete answer including @@ -1437,6 +1444,10 @@ in_revarpinput(struct mbuf *m) tha = ar_tha(ah); if (tha == NULL) goto out; + if (ah->ar_pln != sizeof(struct in_addr)) + goto out; + if (ah->ar_hln != ifp->if_sadl->sdl_alen) + goto out; if (memcmp(tha, CLLADDR(ifp->if_sadl), ifp->if_sadl->sdl_alen)) goto out; memcpy(_ip, ar_spa(ah), sizeof(srv_ip));
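Review bot: in the CARP hunk of in_arpinput, `(ah->ar_hln >= 6)` is a magic number with only an `/* XXX: ar_hln? */` marker; the intent is evidently that carp_iamatch() reads six bytes of `ar_sha(ah)`, so spelling it `ETHER_ADDR_LEN` with a one-line comment would make the requirement explicit and easier to remove once CARP validates the length itself.

Review bot: the hunk that relocates the `ah->ar_hln != ifp->if_addrlen` check also changes its action from `goto reply` to `goto out`, so a length-mismatched request is now dropped rather than answered; that matches the commit message, but it is a behaviour change worth a comment at the new site, and it assumes `ifp` is already valid at that earlier point in the function (it is not set within the visible lines). Separately, in_arpinput compares against `ifp->if_addrlen` while the in_revarpinput hunk compares against `ifp->if_sadl->sdl_alen`; using the same field in both would avoid a subtle divergence if they ever differ.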
CVS commit: [netbsd-6] src/sys/arch/amd64/amd64
Module Name:src Committed By: snj Date: Sun Feb 5 06:01:05 UTC 2017 Modified Files: src/sys/arch/amd64/amd64 [netbsd-6]: copy.S Log Message: Apply patch (requested by maxv in ticket #1431): suword: Don't allow 4 bytes to overflow beyond the userland space. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.18.14.1 src/sys/arch/amd64/amd64/copy.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/amd64/amd64/copy.S diff -u src/sys/arch/amd64/amd64/copy.S:1.18 src/sys/arch/amd64/amd64/copy.S:1.18.14.1 --- src/sys/arch/amd64/amd64/copy.S:1.18 Wed Jul 7 01:13:29 2010 +++ src/sys/arch/amd64/amd64/copy.S Sun Feb 5 06:01:05 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: copy.S,v 1.18 2010/07/07 01:13:29 chs Exp $ */ +/* $NetBSD: copy.S,v 1.18.14.1 2017/02/05 06:01:05 snj Exp $ */ /* * Copyright (c) 2001 Wasabi Systems, Inc. @@ -413,7 +413,7 @@ ENTRY(fubyte) ENTRY(suword) DEFERRED_SWITCH_CHECK - movq $VM_MAXUSER_ADDRESS-4,%r11 + movq $VM_MAXUSER_ADDRESS-8,%r11 cmpq %r11,%rdi ja _C_LABEL(fusuaddrfault)
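Review bot: the suword hunk is correct: on amd64 suword stores an 8-byte word, and with `cmpq %r11,%rdi; ja fusuaddrfault` the highest accepted address is `VM_MAXUSER_ADDRESS-8`, so the store covers exactly the last eight bytes below the limit. The commit message's "4 bytes" refers to the old, too-small margin; a comment above the `movq` stating the access width would prevent the same off-by-width mistake from recurring. It would also be worth checking that the neighbouring fusu entries (the hunk's context shows `ENTRY(fubyte)` just above) each use a limit matching their own access width.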
CVS commit: [netbsd-6] src/sys/net
Module Name:src Committed By: snj Date: Sun Feb 5 05:48:00 UTC 2017 Modified Files: src/sys/net [netbsd-6]: if_arcsubr.c if_ecosubr.c if_ethersubr.c if_fddisubr.c if_tokensubr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1429): sys/net/if_arcsubr.c: revision 1.76 via patch sys/net/if_ecosubr.c: revision 1.50 via patch sys/net/if_ethersubr.c: revision 1.236 via patch sys/net/if_fddisubr.c: revision 1.104 via patch sys/net/if_tokensubr.c: revision 1.80 via patch Don't forget to free the mbuf when we decide not to reply to an ARP request. This obviously is a terrible bug, since it allows a remote sender to DoS the system with specially-crafted requests sent in a loop. To generate a diff of this commit: cvs rdiff -u -r1.63.14.1 -r1.63.14.2 src/sys/net/if_arcsubr.c cvs rdiff -u -r1.36.4.1 -r1.36.4.2 src/sys/net/if_ecosubr.c cvs rdiff -u -r1.188.8.4 -r1.188.8.5 src/sys/net/if_ethersubr.c cvs rdiff -u -r1.81.14.1 -r1.81.14.2 src/sys/net/if_fddisubr.c cvs rdiff -u -r1.61 -r1.61.8.1 src/sys/net/if_tokensubr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if_arcsubr.c diff -u src/sys/net/if_arcsubr.c:1.63.14.1 src/sys/net/if_arcsubr.c:1.63.14.2 --- src/sys/net/if_arcsubr.c:1.63.14.1 Tue Oct 23 16:19:47 2012 +++ src/sys/net/if_arcsubr.c Sun Feb 5 05:48:00 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_arcsubr.c,v 1.63.14.1 2012/10/23 16:19:47 riz Exp $ */ +/* $NetBSD: if_arcsubr.c,v 1.63.14.2 2017/02/05 05:48:00 snj Exp $ */ /* * Copyright (c) 1994, 1995 Ignatios Souvatzis @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.63.14.1 2012/10/23 16:19:47 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.63.14.2 2017/02/05 05:48:00 snj Exp $"); #include "opt_inet.h" 
@@ -196,8 +196,10 @@ arc_output(struct ifnet *ifp, struct mbu adst = arcbroadcastaddr; else { uint8_t *tha = ar_tha(arph); - if (tha == NULL) + if (tha == NULL) { +m_freem(m); return 0; + } adst = *tha; } Index: src/sys/net/if_ecosubr.c diff -u src/sys/net/if_ecosubr.c:1.36.4.1 src/sys/net/if_ecosubr.c:1.36.4.2 --- src/sys/net/if_ecosubr.c:1.36.4.1 Sun Dec 7 15:09:32 2014 +++ src/sys/net/if_ecosubr.c Sun Feb 5 05:48:00 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_ecosubr.c,v 1.36.4.1 2014/12/07 15:09:32 martin Exp $ */ +/* $NetBSD: if_ecosubr.c,v 1.36.4.2 2017/02/05 05:48:00 snj Exp $ */ /*- * Copyright (c) 2001 Ben Harris @@ -58,7 +58,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.36.4.1 2014/12/07 15:09:32 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.36.4.2 2017/02/05 05:48:00 snj Exp $"); #include "opt_inet.h" #include "opt_pfil_hooks.h" @@ -242,8 +242,10 @@ eco_output(struct ifnet *ifp, struct mbu case AF_ARP: ah = mtod(m, struct arphdr *); - if (ntohs(ah->ar_pro) != ETHERTYPE_IP) - return EAFNOSUPPORT; + if (ntohs(ah->ar_pro) != ETHERTYPE_IP) { + error = EAFNOSUPPORT; + goto bad; + } ehdr.eco_port = ECO_PORT_IP; switch (ntohs(ah->ar_op)) { case ARPOP_REQUEST: @@ -253,7 +255,8 @@ eco_output(struct ifnet *ifp, struct mbu ehdr.eco_control = ECO_CTL_ARP_REPLY; break; default: - return EOPNOTSUPP; + error = EOPNOTSUPP; + goto bad; } if (m->m_flags & M_BCAST) @@ -261,8 +264,10 @@ eco_output(struct ifnet *ifp, struct mbu ECO_ADDR_LEN); else { tha = ar_tha(ah); - if (tha == NULL) + if (tha == NULL) { +m_freem(m); return 0; + } memcpy(ehdr.eco_dhost, tha, ECO_ADDR_LEN); } Index: src/sys/net/if_ethersubr.c diff -u src/sys/net/if_ethersubr.c:1.188.8.4 src/sys/net/if_ethersubr.c:1.188.8.5 --- src/sys/net/if_ethersubr.c:1.188.8.4 Tue Jun 3 15:34:00 2014 +++ src/sys/net/if_ethersubr.c Sun Feb 5 05:48:00 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: if_ethersubr.c,v 1.188.8.4 2014/06/03 15:34:00 msaitoh Exp $ */ +/* $NetBSD: if_ethersubr.c,v 1.188.8.5 2017/02/05 05:48:00 snj Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -61,7 +61,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.188.8.4 2014/06/03 15:34:00 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.188.8.5 2017/02/05 05:48:00 snj Exp $"); #include "opt_inet.h" #include "opt_atalk.h" @@ -307,6 +307,7 @@ ether_output(struct ifnet * const ifp0, if (tha == NULL) { /* fake with ARPHDR_IEEE1394 */ +m_freem(m); return 0; } memcpy(edst, tha, sizeof(edst)); Index: src/sys/net/if_fddisubr.c diff -u src/sys/net/if_fddisubr.c:1.81.14.1 src/sys/net/if_fddisubr.c:1.81.14.2 --- src/sys/net/if_fddisubr.c:1.81.14.1 Wed Oct 31 16:07:46 2012 +++ src/sys/net/if_fddisubr.c Sun Feb 5 05:48:00 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: if_fddisubr.c,v 1.81.14.1 2012/10/31 16:07:46 riz Exp $ */ +/* $NetBSD: if_fddisubr.c,v 1.81.14.2
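Review bot: in the eco_output hunks, the `EAFNOSUPPORT` and `EOPNOTSUPP` returns are converted to `error = ...; goto bad;`, which only fixes the leak if the `bad:` label (outside the hunk) frees `m`; please confirm that label calls m_freem() before returning `error`, otherwise these two paths still leak while now looking as if they are handled.

Review bot: in the arc_output and ether_output hunks, `m_freem(m); return 0;` frees the mbuf but still reports success for a packet that was never sent; this is consistent with the pre-existing `return 0`, but bumping `ifp->if_oerrors` (or returning an error as eco_output now does) would make the drop visible in interface statistics. The new `+m_freem(m);` lines also appear without the surrounding indentation in this diff and should be indented to match the block before commit.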
CVS commit: [netbsd-6] src/sys/arch/alpha
Module Name:src Committed By: snj Date: Wed Nov 16 18:04:39 UTC 2016 Modified Files: src/sys/arch/alpha/alpha [netbsd-6]: machdep.c prom.c src/sys/arch/alpha/stand/common [netbsd-6]: booted_dev.c prom.c Log Message: Pull up following revision(s) (requested by flxd in ticket #1416): sys/arch/alpha/alpha/machdep.c: revision 1.347 sys/arch/alpha/alpha/prom.c: revision 1.49 sys/arch/alpha/stand/common/booted_dev.c: revision 1.4 sys/arch/alpha/stand/common/prom.c: revision 1.15 Match the two prom_getenv() and fix buffer overflow causing wrong host controller SCSI ID for DEC 3000. OK skrll@ To generate a diff of this commit: cvs rdiff -u -r1.337.2.1 -r1.337.2.2 src/sys/arch/alpha/alpha/machdep.c cvs rdiff -u -r1.48 -r1.48.2.1 src/sys/arch/alpha/alpha/prom.c cvs rdiff -u -r1.3 -r1.3.174.1 src/sys/arch/alpha/stand/common/booted_dev.c cvs rdiff -u -r1.14 -r1.14.18.1 src/sys/arch/alpha/stand/common/prom.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/alpha/alpha/machdep.c diff -u src/sys/arch/alpha/alpha/machdep.c:1.337.2.1 src/sys/arch/alpha/alpha/machdep.c:1.337.2.2 --- src/sys/arch/alpha/alpha/machdep.c:1.337.2.1 Mon May 21 15:25:57 2012 +++ src/sys/arch/alpha/alpha/machdep.c Wed Nov 16 18:04:39 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.337.2.1 2012/05/21 15:25:57 riz Exp $ */ +/* $NetBSD: machdep.c,v 1.337.2.2 2016/11/16 18:04:39 snj Exp $ */ /*- * Copyright (c) 1998, 1999, 2000 The NetBSD Foundation, Inc. @@ -68,7 +68,7 @@ #include /* RCS ID & Copyright macro defns */ -__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.337.2.1 2012/05/21 15:25:57 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.337.2.2 2016/11/16 18:04:39 snj Exp $"); #include #include 
@@ -175,7 +175,7 @@ struct bootinfo_kernel bootinfo; /* For built-in TCDS */ #if defined(DEC_3000_300) || defined(DEC_3000_500) -uint8_t dec_3000_scsiid[2], dec_3000_scsifast[2]; +uint8_t dec_3000_scsiid[3], dec_3000_scsifast[3]; #endif struct platform platform; Index: src/sys/arch/alpha/alpha/prom.c diff -u src/sys/arch/alpha/alpha/prom.c:1.48 src/sys/arch/alpha/alpha/prom.c:1.48.2.1 --- src/sys/arch/alpha/alpha/prom.c:1.48 Mon Feb 6 02:14:12 2012 +++ src/sys/arch/alpha/alpha/prom.c Wed Nov 16 18:04:39 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: prom.c,v 1.48 2012/02/06 02:14:12 matt Exp $ */ +/* $NetBSD: prom.c,v 1.48.2.1 2016/11/16 18:04:39 snj Exp $ */ /* * Copyright (c) 1992, 1994, 1995, 1996 Carnegie Mellon University @@ -27,7 +27,7 @@ #include /* RCS ID & Copyright macro defns */ -__KERNEL_RCSID(0, "$NetBSD: prom.c,v 1.48 2012/02/06 02:14:12 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: prom.c,v 1.48.2.1 2016/11/16 18:04:39 snj Exp $"); #include "opt_multiprocessor.h" @@ -95,7 +95,7 @@ init_bootstrap_console(void) init_prom_interface(hwrpb); - prom_getenv(PROM_E_TTY_DEV, buf, 4); + prom_getenv(PROM_E_TTY_DEV, buf, sizeof(buf)); alpha_console = buf[0] - '0'; /* XXX fake out the console routines, for now */ @@ -238,14 +238,14 @@ prom_getenv(int id, char *buf, int len) prom_enter(); ret.bits = prom_getenv_disp(id, to, len); - memcpy(buf, to, len); - prom_leave(); - if (ret.u.status & 0x4) ret.u.retval = 0; - buf[ret.u.retval] = '\0'; + len = min(len - 1, ret.u.retval); + memcpy(buf, to, len); + buf[len] = '\0'; + prom_leave(); - return (ret.bits); + return len; } void Index: src/sys/arch/alpha/stand/common/booted_dev.c diff -u src/sys/arch/alpha/stand/common/booted_dev.c:1.3 src/sys/arch/alpha/stand/common/booted_dev.c:1.3.174.1 --- src/sys/arch/alpha/stand/common/booted_dev.c:1.3 Sat Nov 13 21:38:20 1999 +++ src/sys/arch/alpha/stand/common/booted_dev.c Wed Nov 16 18:04:39 2016 
@@ -1,4 +1,4 @@ -/* $NetBSD: booted_dev.c,v 1.3 1999/11/13 21:38:20 thorpej Exp $ */ +/* $NetBSD: booted_dev.c,v 1.3.174.1 2016/11/16 18:04:39 snj Exp $ */ /* * Copyright (c) 1999 Christopher G. Demetriou. All rights reserved. @@ -53,9 +53,8 @@ booted_dev_open(void) * We don't know what device names look like yet, * so we can't change them. */ - ret.bits = prom_getenv(PROM_E_BOOTED_DEV, booted_dev_name, + devlen = prom_getenv(PROM_E_BOOTED_DEV, booted_dev_name, sizeof(booted_dev_name)); - devlen = ret.u.retval; ret.bits = prom_open(booted_dev_name, devlen); Index: src/sys/arch/alpha/stand/common/prom.c diff -u src/sys/arch/alpha/stand/common/prom.c:1.14 src/sys/arch/alpha/stand/common/prom.c:1.14.18.1 --- src/sys/arch/alpha/stand/common/prom.c:1.14 Wed Mar 18 10:22:22 2009 +++ src/sys/arch/alpha/stand/common/prom.c Wed Nov 16 18:04:39 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: prom.c,v 1.14 2009/03/18 10:22:22 cegger Exp $ */ +/* $NetBSD: prom.c,v 1.14.18.1 2016/11/16 18:04:39 snj Exp $ */ /* * Mach Operating System @@ -57,7 +57,7 @@ init_prom_calls(void) prom_dispatch_v.routine = c->crb_v_dispatch->entry_va; /* Look
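Review bot: the prom_getenv hunk in sys/arch/alpha/alpha/prom.c drops the `if (ret.u.status & 0x4) ret.u.retval = 0;` test, so a failed dispatch call no longer yields an empty string: `len = min(len - 1, ret.u.retval)` now bounds the copy to the caller's buffer (which is the overflow fix), but on error the caller gets up to len-1 bytes of whatever `to` held and cannot tell. Suggest keeping the status check ahead of the min(), or returning a distinguishable value. Two follow-ups: the return type changes from ret.bits to a byte count, so every caller still treating the result as a prom_return_t needs the booted_dev.c treatment, and the header declaring prom_getenv is not in this diff, so confirm its prototype was updated; and `len - 1` underflows when len == 0, after which min() no longer bounds the copy. Callers in this diff pass sizeof(buf), but an early `if (len <= 0) return 0;` is cheap insurance.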
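Review bot: the change to `dec_3000_scsiid[3], dec_3000_scsifast[3]` in machdep.c needs a comment explaining the 3: the arrays hold a short PROM string plus the terminating NUL that prom_getenv writes at buf[len], and with two-byte arrays that NUL landed in the neighbouring array, which is the wrong-SCSI-ID symptom in the log. Without the comment the next reader may well tidy the size back to 2.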
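Review bot: `prom_getenv(PROM_E_TTY_DEV, buf, sizeof(buf))` in init_bootstrap_console is right only if `buf` is an array local to that function; its declaration is outside the hunk, so confirm it is not a pointer, in which case sizeof would be the pointer width rather than the buffer length.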
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: snj Date: Fri Nov 11 07:08:05 UTC 2016 Modified Files: src/sys/kern [netbsd-6]: uipc_usrreq.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1415): sys/kern/uipc_usrreq.c: revision 1.181 Memory leak, found by Mootja. It is easily triggerable from userland. To generate a diff of this commit: cvs rdiff -u -r1.136.8.3 -r1.136.8.4 src/sys/kern/uipc_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_usrreq.c diff -u src/sys/kern/uipc_usrreq.c:1.136.8.3 src/sys/kern/uipc_usrreq.c:1.136.8.4 --- src/sys/kern/uipc_usrreq.c:1.136.8.3 Mon Feb 18 22:00:49 2013 +++ src/sys/kern/uipc_usrreq.c Fri Nov 11 07:08:05 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $ */ +/* $NetBSD: uipc_usrreq.c,v 1.136.8.4 2016/11/11 07:08:05 snj Exp $ */ /*- * Copyright (c) 1998, 2000, 2004, 2008, 2009 The NetBSD Foundation, Inc. @@ -96,7 +96,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.4 2016/11/11 07:08:05 snj Exp $"); #include #include @@ -1014,11 +1014,11 @@ unp_connect(struct socket *so, struct mb goto bad2; } vp = nd.ni_vp; + pathbuf_destroy(pb); if (vp->v_type != VSOCK) { error = ENOTSOCK; goto bad; } - pathbuf_destroy(pb); if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0) goto bad; /* Acquire v_interlock to protect against unp_detach(). */
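Review bot: moving `pathbuf_destroy(pb)` ahead of the `vp->v_type != VSOCK` test closes the leak on the ENOTSOCK path, and directly after `vp = nd.ni_vp` is the right place since nothing later uses the lookup state. Confirm that neither the `bad:` nor the `bad2:` label (outside the hunk) also destroys pb, or the error path would now free it twice. Since the log says the leak is triggerable from userland, it would help people assessing the branch to state which syscall reaches unp_connect and that no privilege is needed, so the exposure (kernel memory exhaustion by an unprivileged local user) can be judged.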
CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64
Module Name:src Committed By: bouyer Date: Sat Sep 24 13:18:43 UTC 2016 Modified Files: src/sys/arch/sparc64/sparc64 [netbsd-6]: locore.s Log Message: Pull up following revision(s) (requested by nakayama in ticket #1408): sys/arch/sparc64/sparc64/locore.s: revision 1.401 Fix RAS for 32-bit kernels. trapframe is always 64-bit. To generate a diff of this commit: cvs rdiff -u -r1.338.8.7 -r1.338.8.8 src/sys/arch/sparc64/sparc64/locore.s Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/sparc64/locore.s diff -u src/sys/arch/sparc64/sparc64/locore.s:1.338.8.7 src/sys/arch/sparc64/sparc64/locore.s:1.338.8.8 --- src/sys/arch/sparc64/sparc64/locore.s:1.338.8.7 Sun Nov 15 21:02:13 2015 +++ src/sys/arch/sparc64/sparc64/locore.s Sat Sep 24 13:18:43 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: locore.s,v 1.338.8.7 2015/11/15 21:02:13 bouyer Exp $ */ +/* $NetBSD: locore.s,v 1.338.8.8 2016/09/24 13:18:43 bouyer Exp $ */ /* * Copyright (c) 2006-2010 Matthew R. Green @@ -5202,12 +5202,12 @@ ENTRY(cpu_switchto) brz,pt %o1, Lsw_noras ! no, skip RAS check LDPTR [%i1 + L_TF], %l3 ! pointer to trap frame call _C_LABEL(ras_lookup) - LDPTR [%l3 + TF_PC], %o1 + ldx [%l3 + TF_PC], %o1 cmp %o0, -1 - be,pt %xcc, Lsw_noras + be,pt CCCR, Lsw_noras add %o0, 4, %o1 - STPTR %o0, [%l3 + TF_PC] ! store rewound %pc - STPTR %o1, [%l3 + TF_NPC] ! and %npc + stx %o0, [%l3 + TF_PC] ! store rewound %pc + stx %o1, [%l3 + TF_NPC] ! and %npc Lsw_noras:
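Review bot: the `%xcc` → CCCR change in the cpu_switchto RAS hunk fixes a second problem, separate from the trapframe width, and should be called out in the log: `cmp %o0, -1` on a 32-bit kernel has to be evaluated with the 32-bit condition codes, and CCCR presumably selects the right register for the kernel's pointer size (its definition is not in this diff). A related question: on the 32-bit kernel ras_lookup returns a 32-bit pointer in %o0, and unless the upper half of %o0 and %o1 is guaranteed clean by the calling convention in use, `stx %o0, [%l3 + TF_PC]` and `stx %o1, [%l3 + TF_NPC]` store whatever is there into the upper half of the 64-bit tf_pc/tf_npc. If that is not guaranteed, clear the registers (e.g. `srl %o0, 0, %o0`) before the stores.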
CVS commit: [netbsd-6] src/sys/dev/pci
Module Name:src Committed By: bouyer Date: Sat Sep 24 13:14:57 UTC 2016 Modified Files: src/sys/dev/pci [netbsd-6]: if_wm.c Log Message: Apply patch, requested by martin in ticket #1407: sys/dev/pci/if_wm.c patch fix evbppc build, where the older gcc wrongly warns about uninitialized variable. To generate a diff of this commit: cvs rdiff -u -r1.227.2.19 -r1.227.2.20 src/sys/dev/pci/if_wm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/if_wm.c diff -u src/sys/dev/pci/if_wm.c:1.227.2.19 src/sys/dev/pci/if_wm.c:1.227.2.20 --- src/sys/dev/pci/if_wm.c:1.227.2.19 Fri May 6 18:43:34 2016 +++ src/sys/dev/pci/if_wm.c Sat Sep 24 13:14:57 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: if_wm.c,v 1.227.2.19 2016/05/06 18:43:34 snj Exp $ */ +/* $NetBSD: if_wm.c,v 1.227.2.20 2016/09/24 13:14:57 bouyer Exp $ */ /* * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc. @@ -84,7 +84,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.227.2.19 2016/05/06 18:43:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.227.2.20 2016/09/24 13:14:57 bouyer Exp $"); #include #include @@ -6003,7 +6003,7 @@ wm_nvm_version_invm(struct wm_softc *sc) static void wm_nvm_version(struct wm_softc *sc) { - uint16_t major, minor, build, patch; + uint16_t major, minor, patch, build = 0; /* XXX old gcc */ uint16_t uid0, uid1; uint16_t nvm_data; uint16_t off;
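Review bot: `build = 0; /* XXX old gcc */` quiets the warning, but the comment should state that no path in wm_nvm_version actually leaves build unset (the log says the warning is wrong). If some NVM layout does skip assigning it, the initializer turns an uninitialized read into a silently wrong version string, which is worse than a warning. Reordering the declaration to put build last is harmless but unnecessary for a pull-up; keeping `major, minor, build, patch` in the original order keeps the diff minimal.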
CVS commit: [netbsd-6] src/sys/lib/libsa
Module Name:src Committed By: bouyer Date: Sat Sep 24 13:10:52 UTC 2016 Modified Files: src/sys/lib/libsa [netbsd-6]: checkpasswd.c Log Message: Pull up following revision(s) (requested by dholland in ticket #1406): sys/lib/libsa/checkpasswd.c: revision 1.10 Check bounds on input. From Michael Plass. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.9.14.1 src/sys/lib/libsa/checkpasswd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/lib/libsa/checkpasswd.c diff -u src/sys/lib/libsa/checkpasswd.c:1.9 src/sys/lib/libsa/checkpasswd.c:1.9.14.1 --- src/sys/lib/libsa/checkpasswd.c:1.9 Thu Jan 6 02:45:13 2011 +++ src/sys/lib/libsa/checkpasswd.c Sat Sep 24 13:10:52 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: checkpasswd.c,v 1.9 2011/01/06 02:45:13 jakllsch Exp $ */ +/* $NetBSD: checkpasswd.c,v 1.9.14.1 2016/09/24 13:10:52 bouyer Exp $ */ /*- * Copyright (c) 1993 @@ -84,8 +84,10 @@ getpass(const char *prompt) putchar('\n'); break; default: - *lp++ = c; - putchar('*'); + if ((size_t)(lp - buf) < sizeof(buf) - 1) { +*lp++ = c; +putchar('*'); + } break; } }
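Review bot: the bound `(size_t)(lp - buf) < sizeof(buf) - 1` in getpass is correct only if `buf` is an array local to the function; its declaration is not in the hunk, so confirm it is not a pointer (sizeof would then be 4 or 8). The `- 1` correctly reserves room for the terminator written after the loop. Once the buffer is full, further keystrokes are dropped and no '*' is echoed, which is a reasonable cue for the user but deserves a one-line comment. Also, the added lines `*lp++ = c;` and `putchar('*');` appear unindented in the diff as posted; if that is not a mail artifact, indent them to match the enclosing block.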
CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64
Module Name:src Committed By: bouyer Date: Sat Sep 24 13:06:41 UTC 2016 Modified Files: src/sys/arch/sparc64/sparc64 [netbsd-6]: kobj_machdep.c Log Message: Pull up following revision(s) (requested by martin in ticket #1405): sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.5 sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.6 Follow rev. 1.54, 1.55 of libexec/ld.elf_so/arch/sparc64/mdreloc.c. The target of the OLO10 relocation is the simd13 field of the instruction, so use a 13 bit target mask. Fixes PR kern/51436 (I broke this myself in rev 1.4) To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.4.14.1 src/sys/arch/sparc64/sparc64/kobj_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/sparc64/kobj_machdep.c diff -u src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4 src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4.14.1 --- src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4 Sun May 2 11:43:30 2010 +++ src/sys/arch/sparc64/sparc64/kobj_machdep.c Sat Sep 24 13:06:41 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: kobj_machdep.c,v 1.4 2010/05/02 11:43:30 martin Exp $ */ +/* $NetBSD: kobj_machdep.c,v 1.4.14.1 2016/09/24 13:06:41 bouyer Exp $ */ /*- * Copyright (c) 2001 Jake Burkholder. @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kobj_machdep.c,v 1.4 2010/05/02 11:43:30 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kobj_machdep.c,v 1.4.14.1 2016/09/24 13:06:41 bouyer Exp $"); #define ELFSIZE ARCH_ELFSIZE 
@@ -164,15 +164,15 @@ static const long reloc_target_bitmask[] _BM(22), _BM(10), /* _HIPLT22, LOPLT10 */ _BM(32), _BM(22), _BM(10), /* _PCPLT32, _PCPLT22, _PCPLT10 */ _BM(10), _BM(11), -1, /* _10, _11, _64 */ - _BM(10), _BM(22), /* _OLO10, _HH22 */ + _BM(13), _BM(22), /* _OLO10, _HH22 */ _BM(10), _BM(22), /* _HM10, _LM22 */ _BM(22), _BM(10), _BM(22), /* _PC_HH22, _PC_HM10, _PC_LM22 */ _BM(16), _BM(19), /* _WDISP16, _WDISP19 */ -1,/* GLOB_JMP */ - _BM(7), _BM(5), _BM(6) /* _7, _5, _6 */ + _BM(7), _BM(5), _BM(6), /* _7, _5, _6 */ -1, -1,/* DISP64, PLT64 */ _BM(22), _BM(13), /* HIX22, LOX10 */ - _BM(22), _BM(10), _BM(13), /* H44, M44, L44 */ + _BM(22), _BM(10), _BM(12), /* H44, M44, L44 */ -1, -1, _BM(16), /* REGISTER, UA64, UA16 */ #undef _BM };
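Review bot: the added comma after `_BM(7), _BM(5), _BM(6)` is the more serious of the fixes in this hunk and deserves its own sentence in the log: with the comment stripped by the preprocessor, `_BM(6) -1` parses as the arithmetic expression `_BM(6) - 1`, collapsing two initializers into one, so the _6 mask was wrong and every entry after it sat one slot early, giving PLT64, HIX22, LOX10, H44, M44 and L44 the wrong widths. The `_BM(13)` for OLO10 (simm13 target) and `_BM(12)` for L44 (low 12 bits) match the ld.elf_so table the log cites. Because this array is indexed by relocation type, a compile-time check such as `CTASSERT(__arraycount(reloc_target_bitmask) == <highest R_SPARC_ type> + 1)` would have caught the shifted table; suggest adding one.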
CVS commit: [netbsd-6] src/sys/dev/pci
Module Name:src Committed By: bouyer Date: Sat Sep 24 12:56:16 UTC 2016 Modified Files: src/sys/dev/pci [netbsd-6]: if_vioif.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1401): sys/dev/pci/if_vioif.c: revision 1.25 Fix initializing wrong queues Pointed out by Mike Larkin. PR kern/51448 To generate a diff of this commit: cvs rdiff -u -r1.2.8.2 -r1.2.8.3 src/sys/dev/pci/if_vioif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/if_vioif.c diff -u src/sys/dev/pci/if_vioif.c:1.2.8.2 src/sys/dev/pci/if_vioif.c:1.2.8.3 --- src/sys/dev/pci/if_vioif.c:1.2.8.2 Thu Aug 7 09:31:09 2014 +++ src/sys/dev/pci/if_vioif.c Sat Sep 24 12:56:16 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: if_vioif.c,v 1.2.8.2 2014/08/07 09:31:09 msaitoh Exp $ */ +/* $NetBSD: if_vioif.c,v 1.2.8.3 2016/09/24 12:56:16 bouyer Exp $ */ /* * Copyright (c) 2010 Minoura Makoto. @@ -26,7 +26,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_vioif.c,v 1.2.8.2 2014/08/07 09:31:09 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_vioif.c,v 1.2.8.3 2016/09/24 12:56:16 bouyer Exp $"); #include #include @@ -378,7 +378,7 @@ vioif_alloc_mems(struct vioif_softc *sc) } for (i = 0; i < txqsize; i++) { - C_L1(txhdr_dmamaps[i], rx_hdrs[i], + C_L1(txhdr_dmamaps[i], tx_hdrs[i], sizeof(struct virtio_net_hdr), 1, WRITE, "tx header"); C(tx_dmamaps[i], NULL, ETHER_MAX_LEN, 256 /* XXX */, 0,
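Review bot: `C_L1(txhdr_dmamaps[i], tx_hdrs[i], ...)` is the right fix: loading the TX header DMA maps against rx_hdrs meant transmit-side virtio_net_hdr writes landed in the receive header area, so RX and TX headers could overwrite each other whenever both rings were active. The matching RX loop above this hunk is not shown; confirm it loads rxhdr_dmamaps from rx_hdrs, since the copy-paste origin of this typo makes the mirror-image mistake plausible.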
CVS commit: [netbsd-6] src/sys/miscfs/kernfs
Module Name:src Committed By: bouyer Date: Sat Sep 3 11:36:03 UTC 2016 Modified Files: src/sys/miscfs/kernfs [netbsd-6]: kernfs_vnops.c Log Message: Revert ticket 1367, it causes a kernel panic in test lib/libc/gen/t_getcwd as seen in e.g. http://www-soc.lip6.fr/~bouyer/NetBSD-tests/xen/netbsd-6/i386/201608291710Z_anita.txt lib/libc/gen/t_getcwd (206/500): 2 test cases getcwd_err: [0.006614s] Passed. getcwd_fts: uvm_fault(0xc0e221b0, 0, 1) -> 0xe fatal page fault in supervisor mode trap type 6 code 0 eip c023ba9f cs 9 eflags 10246 cr2 1c ilevel 0 panic: trap cpu1: Begin traceback... panic(c04616d0,cdcfb938,cdcfb938,c023ba9f,9,10246,1c,0,1c,0) at netbsd:panic+0x18 trap() at netbsd:trap+0xb51 --- trap (number 6) --- kernfs_readdir(cdcfbc0c,1,c11ce0b4,c0439f60,c11ce0b4,cdcfbc58,c0cc0cc0,cdcfbc7c,0,0) at netbsd:kernfs_readdir+0x98f VOP_READDIR(c11ce0b4,cdcfbc58,c0cc0cc0,cdcfbc7c,0,0,c19287e0,1,cdcfbc58,cdcfbc74) at netbsd:VOP_READDIR+0x68 vn_readdir(c14c3000,bb512000,0,1000,cdcfbcbc,c19287e0,0,0,c14c3000,0) at netbsd:vn_readdir+0xbd sys___getdents30(c19287e0,cdcfbd00,cdcfbd28,186,bb516000,0,cdcfbd00,c1199bf4,2,bb7a4fe7) at netbsd:sys___getdents30+0x8c syscall(cdcfbd48,bb6b00b3,ab,bf7f001f,bb6b001f,0,bb5010d0,bf7fe764,bb7c4be0,0) at netbsd:syscall+0xaa cpu1: End traceback... To generate a diff of this commit: cvs rdiff -u -r1.144.2.1 -r1.144.2.2 src/sys/miscfs/kernfs/kernfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/miscfs/kernfs/kernfs_vnops.c diff -u src/sys/miscfs/kernfs/kernfs_vnops.c:1.144.2.1 src/sys/miscfs/kernfs/kernfs_vnops.c:1.144.2.2 --- src/sys/miscfs/kernfs/kernfs_vnops.c:1.144.2.1 Sat Aug 27 13:13:31 2016 +++ src/sys/miscfs/kernfs/kernfs_vnops.c Sat Sep 3 11:36:03 2016 
@@ -1,4 +1,4 @@ -/* $NetBSD: kernfs_vnops.c,v 1.144.2.1 2016/08/27 13:13:31 bouyer Exp $ */ +/* $NetBSD: kernfs_vnops.c,v 1.144.2.2 2016/09/03 11:36:03 bouyer Exp $ */ /* * Copyright (c) 1992, 1993 @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kernfs_vnops.c,v 1.144.2.1 2016/08/27 13:13:31 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kernfs_vnops.c,v 1.144.2.2 2016/09/03 11:36:03 bouyer Exp $"); #ifdef _KERNEL_OPT #include "opt_ipsec.h" @@ -63,7 +63,6 @@ __KERNEL_RCSID(0, "$NetBSD: kernfs_vnops #include #include -#include #ifdef IPSEC #include @@ -860,11 +859,6 @@ kernfs_getattr(void *v) vap->va_bytes = vap->va_size = DEV_BSIZE; break; - case KFSdevice: - vap->va_nlink = 1; - vap->va_rdev = ap->a_vp->v_rdev; - break; - case KFSroot: vap->va_nlink = 1; vap->va_bytes = vap->va_size = DEV_BSIZE; @@ -882,6 +876,7 @@ kernfs_getattr(void *v) case KFSstring: case KFShostname: case KFSavenrun: + case KFSdevice: case KFSmsgbuf: #ifdef IPSEC case KFSipsecsa: @@ -1055,8 +1050,18 @@ kernfs_setdirentfileno_kt(struct dirent if ((error = kernfs_allocvp(ap->a_vp->v_mount, , kt->kt_tag, kt, value)) != 0) return error; - kfs = VTOKERN(vp); - d->d_fileno = kfs->kfs_fileno; + if (kt->kt_tag == KFSdevice) { + struct vattr va; + + error = VOP_GETATTR(vp, , ap->a_cred); + if (error != 0) { + return error; + } + d->d_fileno = va.va_fileid; + } else { + kfs = VTOKERN(vp); + d->d_fileno = kfs->kfs_fileno; + } vput(vp); return 0; }
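Review bot: the restored error path in kernfs_setdirentfileno_kt (`if (error != 0) { return error; }` after VOP_GETATTR) returns without the `vput(vp)` that the success path performs, so a getattr failure leaks the reference and lock obtained from kernfs_allocvp. That is pre-existing behaviour of the code being brought back rather than something this revert introduces, so it can be fixed separately, but it should be noted. The log says why ticket 1367 is reverted but not what it was fixing; a pointer to the original PR would save the next person from re-introducing the same crash, and the traceback's `cr2 1c` (a dereference through a near-NULL pointer in kernfs_readdir) is a useful hint for the real fix.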
CVS commit: [netbsd-6] src/sys/net80211
Module Name:src Committed By: bouyer Date: Wed Aug 31 15:15:57 UTC 2016 Modified Files: src/sys/net80211 [netbsd-6]: ieee80211_input.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1382): sys/net80211/ieee80211_input.c: revision 1.83 sys/net80211/ieee80211_input.c: revision 1.84 Don't check sequence number on multicast packets in station mode. Handle overflow of 12bit sequence number. In station mode filter packets that or not for us in case the interface is in promiscous mode or doesn't filter packets itself. To generate a diff of this commit: cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/net80211/ieee80211_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net80211/ieee80211_input.c diff -u src/sys/net80211/ieee80211_input.c:1.72 src/sys/net80211/ieee80211_input.c:1.72.2.1 --- src/sys/net80211/ieee80211_input.c:1.72 Sat Dec 31 20:41:58 2011 +++ src/sys/net80211/ieee80211_input.c Wed Aug 31 15:15:57 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: ieee80211_input.c,v 1.72 2011/12/31 20:41:58 christos Exp $ */ +/* $NetBSD: ieee80211_input.c,v 1.72.2.1 2016/08/31 15:15:57 bouyer Exp $ */ /*- * Copyright (c) 2001 Atsushi Onoe * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting @@ -36,7 +36,7 @@ __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); #endif #ifdef __NetBSD__ -__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.72 2011/12/31 20:41:58 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.72.2.1 2016/08/31 15:15:57 bouyer Exp $"); #endif #include "opt_inet.h" 
@@ -224,6 +224,18 @@ ieee80211_input(struct ieee80211com *ic, ic->ic_stats.is_rx_wrongbss++; goto out; } + + /* Filter out packets not directed to us in case the + * device is in promiscous mode + */ + if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) + && (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) { +IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, +bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", +ic->ic_myaddr, ":", wh->i_addr1, ":"); +ic->ic_stats.is_rx_wrongbss++; +goto out; + } break; case IEEE80211_M_IBSS: case IEEE80211_M_AHDEMO: @@ -280,8 +292,11 @@ ieee80211_input(struct ieee80211com *ic, } ni->ni_rssi = rssi; ni->ni_rstamp = rstamp; - if (HAS_SEQ(type)) { - u_int8_t tid; + if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA || + !IEEE80211_IS_MULTICAST(wh->i_addr1))) { + u_int8_t tid, retry; + u_int16_t rxno, orxno; + if (IEEE80211_QOS_HAS_SEQ(wh)) { tid = ((struct ieee80211_qosframe *)wh)-> i_qos[0] & IEEE80211_QOS_TID; @@ -291,15 +306,20 @@ ieee80211_input(struct ieee80211com *ic, } else tid = 0; rxseq = le16toh(*(u_int16_t *)wh->i_seq); - if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && - SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { + retry = wh->i_fc[1] & IEEE80211_FC1_RETRY; + rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; + orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT; + if (retry && ( + (orxno == 4095 && rxno == orxno) || + (orxno != 4095 && + SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) + )) { /* duplicate, discard */ IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, bssid, "duplicate", "seqno <%u,%u> fragno <%u,%u> tid %u", -rxseq >> IEEE80211_SEQ_SEQ_SHIFT, -ni->ni_rxseqs[tid] >> - IEEE80211_SEQ_SEQ_SHIFT, +rxno, +orxno, rxseq & IEEE80211_SEQ_FRAG_MASK, ni->ni_rxseqs[tid] & IEEE80211_SEQ_FRAG_MASK,
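Review bot: the new STA-mode filter in ieee80211_input bumps `is_rx_wrongbss` for frames whose addr1 is neither multicast nor ic_myaddr, but that is a wrong-destination condition, not a wrong BSS; a dedicated statistic would keep `is_rx_wrongbss` meaningful for anyone using the counter to spot a rogue or misconfigured AP. Typo in the added comment: 'promiscous' should be 'promiscuous'.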
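Review bot: in the duplicate-detection hunk the wrap-around handling compares against the literal 4095; expressing it through the macros already used there (e.g. `IEEE80211_SEQ_SEQ_MASK >> IEEE80211_SEQ_SEQ_SHIFT`) makes the 12-bit intent explicit. The behavioural change also deserves a code comment: when the last seen seqno for the tid is 4095, only a retry with exactly that seqno is treated as a duplicate, so a retried frame with a lower number is accepted at the wrap, which is deliberate (the old SEQ_LEQ test dropped every frame until the counter caught up) but not obvious from the condition. The log gives no rationale for exempting multicast frames in station mode from the check; a one-line comment at the `HAS_SEQ(type) && (...)` test saying why would help.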
CVS commit: [netbsd-6] src/sys/netinet
Module Name:src Committed By: bouyer Date: Sun Aug 28 10:49:45 UTC 2016 Modified Files: src/sys/netinet [netbsd-6]: ip_carp.c Log Message: Pull up following revision(s) (requested by is in ticket #1393): sys/netinet/ip_carp.c: revision 1.75 Workaround for PR 47013 by bouyer@. Only works for mixed IPv4/IPv6 environemnts, not for pure-IPv6 yet. A real fix is still needed. To generate a diff of this commit: cvs rdiff -u -r1.47.4.4 -r1.47.4.5 src/sys/netinet/ip_carp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/ip_carp.c diff -u src/sys/netinet/ip_carp.c:1.47.4.4 src/sys/netinet/ip_carp.c:1.47.4.5 --- src/sys/netinet/ip_carp.c:1.47.4.4 Sat Aug 27 14:39:10 2016 +++ src/sys/netinet/ip_carp.c Sun Aug 28 10:49:45 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $ */ +/* $NetBSD: ip_carp.c,v 1.47.4.5 2016/08/28 10:49:45 bouyer Exp $ */ /* $OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $ */ /* @@ -31,7 +31,7 @@ #include "opt_mbuftrace.h" #include -__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.5 2016/08/28 10:49:45 bouyer Exp $"); /* * TODO: @@ -1086,7 +1086,7 @@ carp_send_ad(void *v) } } #endif /* INET */ -#ifdef INET6 +#ifdef INET6_notyet if (sc->sc_naddrs6) { struct ip6_hdr *ip6; @@ -1494,7 +1494,7 @@ carp_setrun(struct carp_softc *sc, sa_fa callout_schedule(>sc_md_tmo, tvtohz()); break; #endif /* INET */ -#ifdef INET6 +#ifdef INET6_notyet case AF_INET6: callout_schedule(>sc_md6_tmo, tvtohz()); break; @@ -1502,8 +1502,10 @@ carp_setrun(struct carp_softc *sc, sa_fa default: if (sc->sc_naddrs) callout_schedule(>sc_md_tmo, tvtohz()); +#ifdef INET6_notyet if (sc->sc_naddrs6) callout_schedule(>sc_md6_tmo, tvtohz()); +#endif /* INET6 */ break; } break;
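Review bot: with `#ifdef INET6_notyet` the AF_INET6 case in carp_setrun disappears, so a CARP interface configured with only IPv6 addresses falls into `default:` and, because sc_naddrs is 0 and the sc_naddrs6 branch is now compiled out, never schedules an advertisement timer: it silently never takes or hands over master. The log already says pure-IPv6 is not handled; make that visible to operators (a printf when an IPv6 address is configured on the interface, or rejecting the configuration), otherwise failover breaks with no diagnostic. Also the closing comment `#endif /* INET6 */` should read `INET6_notyet` to match its #ifdef.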
CVS commit: [netbsd-6] src/sys/arch/i386/stand/misc
Module Name:src Committed By: bouyer Date: Sun Aug 28 10:38:29 UTC 2016 Modified Files: src/sys/arch/i386/stand/misc [netbsd-6]: rawr32.exe.uue Log Message: Pull up following revision(s) (requested by martin in ticket #1385): sys/arch/i386/stand/misc/rawr32.exe.uue: sync to revision 1.6 New Rawrite32 release To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.4.4.1 src/sys/arch/i386/stand/misc/rawr32.exe.uue Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. diffs are larger than 1MB and have been omitted
CVS commit: [netbsd-6] src/sys/compat/common
Module Name:src Committed By: bouyer Date: Sat Aug 27 14:51:29 UTC 2016 Modified Files: src/sys/compat/common [netbsd-6]: vfs_syscalls_43.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1400): sys/compat/common/vfs_syscalls_43.c: revision 1.58 fill in the tv_nsec parts of the converted timespec in cvtstat(). To generate a diff of this commit: cvs rdiff -u -r1.54.14.1 -r1.54.14.2 src/sys/compat/common/vfs_syscalls_43.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/common/vfs_syscalls_43.c diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1 src/sys/compat/common/vfs_syscalls_43.c:1.54.14.2 --- src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1 Thu Mar 14 16:33:09 2013 +++ src/sys/compat/common/vfs_syscalls_43.c Sat Aug 27 14:51:29 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls_43.c,v 1.54.14.1 2013/03/14 16:33:09 riz Exp $ */ +/* $NetBSD: vfs_syscalls_43.c,v 1.54.14.2 2016/08/27 14:51:29 bouyer Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1 2013/03/14 16:33:09 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.2 2016/08/27 14:51:29 bouyer Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" 
@@ -74,15 +74,42 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls #include #include +static void cvttimespec(struct timespec *, struct timespec50 *); static void cvtstat(struct stat *, struct stat43 *); /* + * Convert from an old to a new timespec structure. + */ +static void +cvttimespec(struct timespec *ts, struct timespec50 *ots) +{ + + if (ts->tv_sec > INT_MAX) { +#if defined(DEBUG) || 1 + static bool first = true; + + if (first) { + first = false; + printf("%s[%s:%d]: time_t does not fit\n", + __func__, curlwp->l_proc->p_comm, + curlwp->l_lid); + } +#endif + ots->tv_sec = INT_MAX; + } else + ots->tv_sec = ts->tv_sec; + ots->tv_nsec = ts->tv_nsec; +} + +/* * Convert from an old to a new stat structure. */ static void cvtstat(struct stat *st, struct stat43 *ost) { + /* Handle any padding. */ + memset(ost, 0, sizeof *ost); ost->st_dev = st->st_dev; ost->st_ino = st->st_ino; ost->st_mode = st->st_mode & 0x; @@ -94,9 +121,9 @@ cvtstat(struct stat *st, struct stat43 * ost->st_size = st->st_size; else ost->st_size = -2; - ost->st_atime = st->st_atime; - ost->st_mtime = st->st_mtime; - ost->st_ctime = st->st_ctime; + cvttimespec(>st_atimespec, >st_atimespec); + cvttimespec(>st_mtimespec, >st_mtimespec); + cvttimespec(>st_ctimespec, >st_ctimespec); ost->st_blksize = st->st_blksize; ost->st_blocks = st->st_blocks; ost->st_flags = st->st_flags;
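Review bot: `#if defined(DEBUG) || 1` in the new cvttimespec is always true, so the 'time_t does not fit' diagnostic is compiled in unconditionally; either drop the `|| 1` before pulling this up or remove the #if entirely, because as written the condition only misleads. The `memset(ost, 0, sizeof *ost)` added to cvtstat is the security-relevant part of this change and deserves a line in the log: struct stat43 is copied out to userland, so any padding left uninitialised is a kernel memory disclosure. Two smaller points: the new comment says 'Convert from an old to a new timespec structure' but the function goes the other way (timespec to timespec50), and the clamp leaves negative tv_sec untouched, which is fine but worth stating next to the INT_MAX case.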
CVS commit: [netbsd-6] src/sys/dev
Module Name:src Committed By: bouyer Date: Sat Aug 27 14:47:48 UTC 2016 Modified Files: src/sys/dev [netbsd-6]: fss.c Log Message: Pull up following revision(s) (requested by hannken in ticket #1399): sys/dev/fss.c: revision 1.95 Disestablish COW handler on error. No need to do further copies after the snapshot device failed. Should fix PR kern/51377: fss(4) panic if snapshot mounted read/write To generate a diff of this commit: cvs rdiff -u -r1.81.4.3 -r1.81.4.4 src/sys/dev/fss.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/fss.c diff -u src/sys/dev/fss.c:1.81.4.3 src/sys/dev/fss.c:1.81.4.4 --- src/sys/dev/fss.c:1.81.4.3 Mon Feb 11 20:39:28 2013 +++ src/sys/dev/fss.c Sat Aug 27 14:47:47 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: fss.c,v 1.81.4.3 2013/02/11 20:39:28 riz Exp $ */ +/* $NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $ */ /*- * Copyright (c) 2003 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.3 2013/02/11 20:39:28 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $"); #include #include 
@@ -430,17 +430,20 @@ fss_dump(dev_t dev, daddr_t blkno, void /* * An error occurred reading or writing the snapshot or backing store. - * If it is the first error log to console. + * If it is the first error log to console and disestablish cow handler. * The caller holds the mutex. */ static inline void fss_error(struct fss_softc *sc, const char *msg) { - if ((sc->sc_flags & (FSS_ACTIVE|FSS_ERROR)) == FSS_ACTIVE) - aprint_error_dev(sc->sc_dev, "snapshot invalid: %s\n", msg); - if ((sc->sc_flags & FSS_ACTIVE) == FSS_ACTIVE) - sc->sc_flags |= FSS_ERROR; + if ((sc->sc_flags & (FSS_ACTIVE | FSS_ERROR)) != FSS_ACTIVE) + return; + + aprint_error_dev(sc->sc_dev, "snapshot invalid: %s\n", msg); + if ((sc->sc_flags & FSS_PERSISTENT) == 0) + fscow_disestablish(sc->sc_mount, fss_copy_on_write, sc); + sc->sc_flags |= FSS_ERROR; } /* @@ -560,9 +563,8 @@ fss_unmount_hook(struct mount *mp) if ((sc = device_lookup_private(_cd, i)) == NULL) continue; mutex_enter(>sc_slock); - if ((sc->sc_flags & FSS_ACTIVE) != 0 && - sc->sc_mount == mp) - fss_error(sc, "forced unmount"); + if ((sc->sc_flags & FSS_ACTIVE) != 0 && sc->sc_mount == mp) + fss_error(sc, "forced by unmount"); mutex_exit(>sc_slock); } mutex_exit(_device_lock); @@ -888,7 +890,7 @@ static int fss_delete_snapshot(struct fss_softc *sc, struct lwp *l) { - if ((sc->sc_flags & FSS_PERSISTENT) == 0) + if ((sc->sc_flags & (FSS_PERSISTENT | FSS_ERROR)) == 0) fscow_disestablish(sc->sc_mount, fss_copy_on_write, sc); mutex_enter(>sc_slock);
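Review bot: fss_error is documented as running with the mutex held ('The caller holds the mutex', and fss_unmount_hook calls it between mutex_enter and mutex_exit on sc_slock), and this hunk now calls `fscow_disestablish(sc->sc_mount, fss_copy_on_write, sc)` from inside it. If fscow_disestablish waits for in-flight copy-on-write callbacks to drain and fss_copy_on_write itself takes sc_slock, that is a deadlock; fss_delete_snapshot avoids the question by disestablishing before mutex_enter, so either document why it is safe here or have the callers disestablish after mutex_exit. The companion change in fss_delete_snapshot (skip disestablish when FSS_ERROR is set) is what prevents a double disestablish and should be mentioned in the log. The 'forced unmount' to 'forced by unmount' string change is cosmetic and could be left out of a pull-up.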
CVS commit: [netbsd-6] src/sys/arch/evbppc/conf
Module Name:src Committed By: bouyer Date: Sat Aug 27 14:44:11 UTC 2016 Modified Files: src/sys/arch/evbppc/conf [netbsd-6]: Makefile.ev64260.inc Makefile.obs405.inc Makefile.walnut.inc Log Message: Pull up following revision(s) (requested by maya in ticket #1396): sys/arch/evbppc/conf/Makefile.walnut.inc: revision 1.9 sys/arch/evbppc/conf/Makefile.obs405.inc: revision 1.13 sys/arch/evbppc/conf/Makefile.ev64260.inc: revision 1.8 Fix typo in Makefile which resulted in kernel image not being generated >From Rin Okuyama in PR/51369 To generate a diff of this commit: cvs rdiff -u -r1.5.14.1 -r1.5.14.2 \ src/sys/arch/evbppc/conf/Makefile.ev64260.inc cvs rdiff -u -r1.6.14.1 -r1.6.14.2 \ src/sys/arch/evbppc/conf/Makefile.obs405.inc cvs rdiff -u -r1.6.2.1 -r1.6.2.2 src/sys/arch/evbppc/conf/Makefile.walnut.inc Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/evbppc/conf/Makefile.ev64260.inc diff -u src/sys/arch/evbppc/conf/Makefile.ev64260.inc:1.5.14.1 src/sys/arch/evbppc/conf/Makefile.ev64260.inc:1.5.14.2 --- src/sys/arch/evbppc/conf/Makefile.ev64260.inc:1.5.14.1 Fri Apr 11 08:31:56 2014 +++ src/sys/arch/evbppc/conf/Makefile.ev64260.inc Sat Aug 27 14:44:10 2016 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.ev64260.inc,v 1.5.14.1 2014/04/11 08:31:56 msaitoh Exp $ +# $NetBSD: Makefile.ev64260.inc,v 1.5.14.2 2016/08/27 14:44:10 bouyer Exp $ MKIMG?= ${HOST_SH} ${THISPPC}/compile/walnut-mkimg.sh 
@@ -9,5 +9,5 @@ SYSTEM_FIRST_SFILE= ${THISPPC}/${BOARDTY SYSTEM_LD_TAIL_EXTRA+=; \ echo ${MKIMG} $@ $@.img ; \ - OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \ + OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \ export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img Index: src/sys/arch/evbppc/conf/Makefile.obs405.inc diff -u src/sys/arch/evbppc/conf/Makefile.obs405.inc:1.6.14.1 src/sys/arch/evbppc/conf/Makefile.obs405.inc:1.6.14.2 --- src/sys/arch/evbppc/conf/Makefile.obs405.inc:1.6.14.1 Fri Apr 11 08:31:56 2014 +++ src/sys/arch/evbppc/conf/Makefile.obs405.inc Sat Aug 27 14:44:10 2016 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.obs405.inc,v 1.6.14.1 2014/04/11 08:31:56 msaitoh Exp $ +# $NetBSD: Makefile.obs405.inc,v 1.6.14.2 2016/08/27 14:44:10 bouyer Exp $ CFLAGS+=-mcpu=405 AFLAGS+=-mcpu=405 @@ -15,7 +15,7 @@ SYSTEM_FIRST_SFILE= ${THISPPC}/obs405/ob SYSTEM_LD_TAIL_EXTRA+=; \ echo ${MKIMG} $@ $@.img ; \ - OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \ + OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \ export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img @@ -30,7 +30,7 @@ SYSTEM_FIRST_SFILE= ${POWERPC}/${PPCDIR} SYSTEM_LD_TAIL_EXTRA+=; \ echo ${MKIMG} $@ $@.img ; \ - OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \ + OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \ export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img Index: src/sys/arch/evbppc/conf/Makefile.walnut.inc diff -u src/sys/arch/evbppc/conf/Makefile.walnut.inc:1.6.2.1 src/sys/arch/evbppc/conf/Makefile.walnut.inc:1.6.2.2 --- src/sys/arch/evbppc/conf/Makefile.walnut.inc:1.6.2.1 Fri Apr 11 08:31:56 2014 +++ src/sys/arch/evbppc/conf/Makefile.walnut.inc Sat Aug 27 14:44:10 2016 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.walnut.inc,v 1.6.2.1 2014/04/11 08:31:56 msaitoh Exp $ +# $NetBSD: Makefile.walnut.inc,v 1.6.2.2 2016/08/27 14:44:10 bouyer Exp $ MKIMG?= ${HOST_SH} ${THISPPC}/compile/walnut-mkimg.sh CFLAGS+=-mcpu=403 
@@ -10,5 +10,5 @@ SYSTEM_FIRST_SFILE= ${THISPPC}/walnut/wa SYSTEM_LD_TAIL_EXTRA_EXTRA+=; \ echo ${MKIMG} $@ $@.img ; \ - OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \ + OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \ export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img
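Review bot: `STAT=${TOOL_STAT}` is the right fix; the unclosed `${TOOL_STAT]` reference was never expanded, so walnut-mkimg.sh ran without a usable STAT and no image was produced. In Makefile.walnut.inc the context line appends to `SYSTEM_LD_TAIL_EXTRA_EXTRA+=` whereas the other two files append to `SYSTEM_LD_TAIL_EXTRA+=`; if that variable is not one Makefile.kern.inc actually consumes, the walnut image rule stays dead even after this fix, so it is worth checking while here. Having the mkimg script fail loudly when OBJDUMP, OBJCOPY or STAT is empty would have made this typo visible immediately.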
CVS commit: [netbsd-6] src/sys/netinet
Module Name:src Committed By: bouyer Date: Sat Aug 27 14:39:10 UTC 2016 Modified Files: src/sys/netinet [netbsd-6]: ip_carp.c Log Message: Pull up following revision(s) (requested by is in ticket #1394): sys/netinet/ip_carp.c: revision 1.76 Print the IPv6 or IPv4 source addresses of packets with wrong hash, to help debugging. To generate a diff of this commit: cvs rdiff -u -r1.47.4.3 -r1.47.4.4 src/sys/netinet/ip_carp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/ip_carp.c diff -u src/sys/netinet/ip_carp.c:1.47.4.3 src/sys/netinet/ip_carp.c:1.47.4.4 --- src/sys/netinet/ip_carp.c:1.47.4.3 Tue Jun 3 15:34:00 2014 +++ src/sys/netinet/ip_carp.c Sat Aug 27 14:39:10 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_carp.c,v 1.47.4.3 2014/06/03 15:34:00 msaitoh Exp $ */ +/* $NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $ */ /* $OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $ */ /* @@ -31,7 +31,7 @@ #include "opt_mbuftrace.h" #include -__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.3 2014/06/03 15:34:00 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $"); /* * TODO: @@ -92,6 +92,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v #include #include #include +#include #endif #include @@ -673,9 +674,29 @@ carp_proto_input_c(struct mbuf *m, struc /* verify the hash */ if (carp_hmac_verify(sc, ch->carp_counter, ch->carp_md)) { + struct ip *ip; + struct ip6_hdr *ip6; + CARP_STATINC(CARP_STAT_BADAUTH); sc->sc_if.if_ierrors++; - CARP_LOG(sc, ("incorrect hash")); + + switch(af) { + + case AF_INET: + ip = mtod(m, struct ip *); + CARP_LOG(sc, ("incorrect hash from %s", + in_fmtaddr(ip->ip_src))); + break; + + case AF_INET6: + ip6 = mtod(m, struct ip6_hdr *); + CARP_LOG(sc, ("incorrect hash from %s", +ip6_sprintf(>ip6_src))); + break; + + default: CARP_LOG(sc, ("incorrect hash")); + break; + } m_freem(m); return; }
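Review bot: logging the source address of frames that fail carp_hmac_verify is useful for spotting a misconfigured peer or a spoofing host, but CARP_LOG is now invoked from the input path for every bad-hash packet with no rate limit, so a remote sender can fill the console and logs at line rate; wrap the message in a ppsratecheck() as other netinet input paths do, or log only the first occurrence per source. Style nits in the same hunk: `switch(af)` should be `switch (af)` per KNF, the blank line after the switch brace is unusual, and the `default:` label has its CARP_LOG on the same line. The added `#include` line shows no header name in this rendering, so reviewers cannot see what was pulled in; presumably the header that provides ip6_sprintf().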
CVS commit: [netbsd-6] src/sys/arch/mips/mips
Module Name:src Committed By: bouyer Date: Sat Aug 27 14:34:55 UTC 2016 Modified Files: src/sys/arch/mips/mips [netbsd-6]: pmap.c Log Message: Pull up following revision(s) (requested by skrll in ticket #1390): sys/arch/mips/mips/pmap.c: revision 1.221 sys/arch/mips/mips/pmap.c: revision 1.222 sys/arch/mips/mips/pmap.c: revision 1.223 Fix a bug introduced by me in 1.214 where unmanaged mappings would be affected by calls to pmap_page_protect which is wrong. Now PV_KENTER mappings are left intact. Thanks to chuq for spotting my mistake and reviewing this diff. Thanks to everyone who tested it as well. Fix PR/51288 reproducable panic on evbmips64-eb (erlite) pmap_page_remove from the previous change neglected to terminate the pv list correctly when it started with an initial unmanaged mapping and subsequent managed mappings. Fix this. Fix MIPS3_NO_PV_UNCACHED alias handling by looping through the pv_list looking for bad aliases and removing the bad entries. That is, revert to the code before the matt-mips64 merge. Additionally, fix the pmap_update call to not use the (recently removed/freed) pv for the pmap_t. Fixes the following two PRs PR/49903: Panic during installation on WorkPad Z50 (hpcmips) whilst uncompressing base.tgz PR/51226: Install bug for hpcmips NetBSD V7 using FTP Full installation To generate a diff of this commit: cvs rdiff -u -r1.207.2.3 -r1.207.2.4 src/sys/arch/mips/mips/pmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/mips/mips/pmap.c diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.3 src/sys/arch/mips/mips/pmap.c:1.207.2.4 --- src/sys/arch/mips/mips/pmap.c:1.207.2.3 Wed Jun 11 15:38:05 2014 +++ src/sys/arch/mips/mips/pmap.c Sat Aug 27 14:34:55 2016 
@@ -1,4 +1,4 @@ -/* $NetBSD: pmap.c,v 1.207.2.3 2014/06/11 15:38:05 msaitoh Exp $ */ +/* $NetBSD: pmap.c,v 1.207.2.4 2016/08/27 14:34:55 bouyer Exp $ */ /*- * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc. @@ -67,7 +67,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.3 2014/06/11 15:38:05 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.4 2016/08/27 14:34:55 bouyer Exp $"); /* * Manages physical address maps. @@ -316,6 +316,7 @@ u_int pmap_page_colormask; (pm) == curlwp->l_proc->p_vmspace->vm_map.pmap) /* Forward function declarations */ +void pmap_page_remove(struct vm_page *); void pmap_remove_pv(pmap_t, vaddr_t, struct vm_page *, bool); void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *, int); pt_entry_t *pmap_pte(pmap_t, vaddr_t); @@ -1063,6 +1064,10 @@ pmap_page_protect(struct vm_page *pg, vm while (pv != NULL) { const pmap_t pmap = pv->pv_pmap; const uint16_t gen = PG_MD_PVLIST_GEN(md); +if (pv->pv_va & PV_KENTER) { + pv = pv->pv_next; + continue; +} va = trunc_page(pv->pv_va); PG_MD_PVLIST_UNLOCK(md); pmap_protect(pmap, va, va + PAGE_SIZE, prot); @@ -1087,17 +1092,7 @@ pmap_page_protect(struct vm_page *pg, vm if (pmap_clear_mdpage_attributes(md, PG_MD_EXECPAGE)) { PMAP_COUNT(exec_uncached_page_protect); } - (void)PG_MD_PVLIST_LOCK(md, false); - pv = >pvh_first; - while (pv->pv_pmap != NULL) { - const pmap_t pmap = pv->pv_pmap; - va = trunc_page(pv->pv_va); - PG_MD_PVLIST_UNLOCK(md); - pmap_remove(pmap, va, va + PAGE_SIZE); - pmap_update(pmap); - (void)PG_MD_PVLIST_LOCK(md, false); - } - PG_MD_PVLIST_UNLOCK(md); + pmap_page_remove(pg); } } 
@@ -2069,6 +2064,32 @@ pmap_set_modified(paddr_t pa) / pv_entry management / static void +pmap_check_alias(struct vm_page *pg) +{ +#ifdef MIPS3_PLUS /* XXX mmu XXX */ +#ifndef MIPS3_NO_PV_UNCACHED + struct vm_page_md * const md = VM_PAGE_TO_MD(pg); + + if (MIPS_HAS_R4K_MMU && PG_MD_UNCACHED_P(md)) { + /* + * Page is currently uncached, check if alias mapping has been + * removed. If it was, then reenable caching. + */ + pv_entry_t pv = >pvh_first; + pv_entry_t pv0 = pv->pv_next; + + for (; pv0; pv0 = pv0->pv_next) { + if (mips_cache_badalias(pv->pv_va, pv0->pv_va)) +break; + } + if (pv0 == NULL) + pmap_page_cache(pg, true); + } +#endif +#endif /* MIPS3_PLUS */ +} + +static void pmap_check_pvlist(struct vm_page_md *md) { #ifdef PARANOIADIAG @@ -2155,12 +2176,12 @@ again: * be mapped with one index at any given time. */ - if (mips_cache_badalias(pv->pv_va, va)) { -for (npv = pv; npv; npv = npv->pv_next) { - vaddr_t nva = trunc_page(npv->pv_va); - pmap_remove(npv->pv_pmap, nva, - nva + PAGE_SIZE); - pmap_update(npv->pv_pmap); + for (npv = pv; npv; npv = npv->pv_next) { +vaddr_t nva = trunc_page(npv->pv_va); +pmap_t npm = npv->pv_pmap; +if (mips_cache_badalias(nva, va)) { + pmap_remove(npm, nva, nva + PAGE_SIZE); + pmap_update(npm); goto again; } } @@ -2283,6
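Review bot: in the pmap_page_protect() hunk the PV_KENTER skip is placed before PG_MD_PVLIST_UNLOCK(md), so the skip itself never races the generation check, but the second half of the same function is now a bare `pmap_page_remove(pg)` whose body is not in the portion of this diff shown here; only its forward declaration appears. Since the commit message relies on pmap_page_remove() leaving PV_KENTER mappings intact and terminating the pv list correctly when the first entry is unmanaged, the pullup should include that function's hunk (or cite the exact HEAD revision it comes from) so a reviewer can check that it honours PV_KENTER the same way as the loop above it and re-checks PG_MD_PVLIST_GEN(md) after dropping the list lock, as the loop it replaces did.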
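Review bot: pmap_check_alias() only compares the head entry (`pv->pv_va`, the pvh_first entry) against each later entry `pv0->pv_va`; two non-head entries are never compared with each other. With three or more mappings, where the alias that made the page uncached is between two later entries, removing some unrelated mapping runs this check, finds no alias involving the head, and calls pmap_page_cache(pg, true) while an aliasing pair is still mapped. If that state cannot arise (for instance because pmap_enter_pv() resolves aliases against the whole list before the page can reach this point), a comment saying so belongs on the `if (pv0 == NULL)` line; otherwise the check needs to be pairwise, an outer loop over pv and an inner loop over pv->pv_next, before caching is re-enabled. Note also that pv_va carries flag bits such as PV_KENTER in its low bits (the pmap_page_protect() hunk tests `pv->pv_va & PV_KENTER` and the enter loop uses trunc_page()), so this comparison depends on mips_cache_badalias() masking to the alias bits only.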
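Review bot: the rewritten alias loop in pmap_enter_pv() reads `npm = npv->pv_pmap` before pmap_remove() and passes `npm` to pmap_update(), which removes the use of `npv` after its entry has been freed, but it removes whatever mapping aliases `va` including PV_KENTER mappings that this same patch now teaches pmap_page_protect() to leave alone. Either `npv->pv_va & PV_KENTER` should be skipped (or routed through the kenter removal path) here as well, or a comment should state why an unmanaged mapping that aliases a new managed one cannot occur. Minor: the `goto again` restarts the walk from the head after every removal, so the cost grows quadratically with the number of aliasing entries; that is acceptable for the short lists involved but deserves a one-line comment.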
CVS commit: [netbsd-6] src/sys/ufs/lfs
Module Name:src Committed By: bouyer Date: Sat Aug 27 14:13:18 UTC 2016 Modified Files: src/sys/ufs/lfs [netbsd-6]: lfs_vnops.c Log Message: Pull up following revision(s) (requested by dholland in ticket #1389): sys/ufs/lfs/lfs_vnops.c: revision 1.304 Fix a deadlock ok dholland@ To generate a diff of this commit: cvs rdiff -u -r1.239.2.1 -r1.239.2.2 src/sys/ufs/lfs/lfs_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/ufs/lfs/lfs_vnops.c diff -u src/sys/ufs/lfs/lfs_vnops.c:1.239.2.1 src/sys/ufs/lfs/lfs_vnops.c:1.239.2.2 --- src/sys/ufs/lfs/lfs_vnops.c:1.239.2.1 Sat Mar 17 17:40:06 2012 +++ src/sys/ufs/lfs/lfs_vnops.c Sat Aug 27 14:13:18 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: lfs_vnops.c,v 1.239.2.1 2012/03/17 17:40:06 bouyer Exp $ */ +/* $NetBSD: lfs_vnops.c,v 1.239.2.2 2016/08/27 14:13:18 bouyer Exp $ */ /*- * Copyright (c) 1999, 2000, 2001, 2002, 2003 The NetBSD Foundation, Inc. @@ -60,7 +60,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: lfs_vnops.c,v 1.239.2.1 2012/03/17 17:40:06 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: lfs_vnops.c,v 1.239.2.2 2016/08/27 14:13:18 bouyer Exp $"); #ifdef _KERNEL_OPT #include "opt_compat_netbsd.h" @@ -443,8 +443,10 @@ lfs_set_dirop(struct vnode *dvp, struct if ((error = mtsleep(_dirvcount, PCATCH | PUSER | PNORELOCK, "lfs_maxdirop", 0, _lock)) != 0) { + mutex_exit(_lock); goto unreserve; } + mutex_exit(_lock); goto restart; }
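Review bot: both added `mutex_exit(&lfs_lock)` calls follow an mtsleep() whose flags, unchanged in this hunk, include PNORELOCK, and PNORELOCK means mtsleep() returns without re-acquiring the mutex; as shown, the error path (`goto unreserve`) and the restart path would release a lock this thread no longer holds, which a LOCKDEBUG kernel reports and a non-debug kernel can turn into a clobbered owner field. If the deadlock being fixed is that lfs_lock stayed held across `goto restart`/`goto unreserve`, the consistent change is to drop PNORELOCK from the flags in the same hunk so that the lock is held on return and the two new exits are correct; if PNORELOCK is intended, the added exits should go. The one-line "Fix a deadlock" message should also name the lock and the path that deadlocked so the pullup can be checked against it.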