CVS commit: [netbsd-6] src/sys/arch/sparc64/conf

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu Jun  7 18:01:51 UTC 2018

Modified Files:
src/sys/arch/sparc64/conf [netbsd-6]: GENERIC32 NONPLUS

Log Message:
Fix fallout from ticket #1500: COMPAT_SVR4* has been disabled, do not
disable it here again.


To generate a diff of this commit:
cvs rdiff -u -r1.140 -r1.140.102.1 src/sys/arch/sparc64/conf/GENERIC32
cvs rdiff -u -r1.58 -r1.58.102.1 src/sys/arch/sparc64/conf/NONPLUS

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/conf/GENERIC32
diff -u src/sys/arch/sparc64/conf/GENERIC32:1.140 src/sys/arch/sparc64/conf/GENERIC32:1.140.102.1
--- src/sys/arch/sparc64/conf/GENERIC32:1.140	Fri Jun 30 10:27:48 2006
+++ src/sys/arch/sparc64/conf/GENERIC32	Thu Jun  7 18:01:51 2018
@@ -1,13 +1,13 @@
-# $NetBSD: GENERIC32,v 1.140 2006/06/30 10:27:48 tsutsui Exp $
+# $NetBSD: GENERIC32,v 1.140.102.1 2018/06/07 18:01:51 martin Exp $
 #
 # GENERIC machine description file for 32-bit kernel
 #
 
 include 	"arch/sparc64/conf/GENERIC"
 
-#ident		"GENERIC32-$Revision: 1.140 $"
+#ident		"GENERIC32-$Revision: 1.140.102.1 $"
 
 include 	"arch/sparc64/conf/std.sparc64-32"
 
 no options 	COMPAT_NETBSD32
-no options 	COMPAT_SVR4_32
+#no options 	COMPAT_SVR4_32

Index: src/sys/arch/sparc64/conf/NONPLUS
diff -u src/sys/arch/sparc64/conf/NONPLUS:1.58 src/sys/arch/sparc64/conf/NONPLUS:1.58.102.1
--- src/sys/arch/sparc64/conf/NONPLUS:1.58	Fri Jun 30 10:27:48 2006
+++ src/sys/arch/sparc64/conf/NONPLUS	Thu Jun  7 18:01:51 2018
@@ -1,9 +1,9 @@
-# 	$NetBSD: NONPLUS,v 1.58 2006/06/30 10:27:48 tsutsui Exp $
+# 	$NetBSD: NONPLUS,v 1.58.102.1 2018/06/07 18:01:51 martin Exp $
 
 include "arch/sparc64/conf/NONPLUS64"
 include "arch/sparc64/conf/std.sparc64-32"
 
-#ident 		"NONPLUS-$Revision: 1.58 $"
+#ident 		"NONPLUS-$Revision: 1.58.102.1 $"
 
 no options 	COMPAT_NETBSD32	# NetBSD/sparc binary compatibility
-no options 	COMPAT_SVR4_32	# 32-bit SVR4 binaries
+#no options 	COMPAT_SVR4_32	# 32-bit SVR4 binaries

CVS commit: [netbsd-6] src/sys

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Tue May 22 14:38:20 UTC 2018

Modified Files:
src/sys/arch/amiga/conf [netbsd-6]: DRACO GENERIC GENERIC.in
src/sys/arch/hp300/conf [netbsd-6]: GENERIC
src/sys/arch/i386/conf [netbsd-6]: GENERIC XEN3_DOM0 XEN3_DOMU
src/sys/arch/sparc/conf [netbsd-6]: BILL-THE-CAT GENERIC KRUPS MRCOFFEE
TADPOLE3GX
src/sys/arch/sparc64/conf [netbsd-6]: GENERIC NONPLUS64
src/sys/kern [netbsd-6]: kern_exec.c

Log Message:
Apply patch requested by maxv in ticket #1500:

 * disable compat_svr4 and compat_svr4_32 everywhere
 * disable compat_ibcs2 everywhere but on Vax
 * remove the svr4/svr4_32/ibcs2/freebsd entries from the autoload list


To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.154.2.1 src/sys/arch/amiga/conf/DRACO
cvs rdiff -u -r1.284 -r1.284.2.1 src/sys/arch/amiga/conf/GENERIC
cvs rdiff -u -r1.96 -r1.96.2.1 src/sys/arch/amiga/conf/GENERIC.in
cvs rdiff -u -r1.169.2.1 -r1.169.2.2 src/sys/arch/hp300/conf/GENERIC
cvs rdiff -u -r1.1066.2.8 -r1.1066.2.9 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r1.60.2.7 -r1.60.2.8 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.41.2.2 -r1.41.2.3 src/sys/arch/i386/conf/XEN3_DOMU
cvs rdiff -u -r1.51 -r1.51.4.1 src/sys/arch/sparc/conf/BILL-THE-CAT
cvs rdiff -u -r1.230 -r1.230.2.1 src/sys/arch/sparc/conf/GENERIC
cvs rdiff -u -r1.56.4.1 -r1.56.4.2 src/sys/arch/sparc/conf/KRUPS
cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc/conf/MRCOFFEE
cvs rdiff -u -r1.54.4.1 -r1.54.4.2 src/sys/arch/sparc/conf/TADPOLE3GX
cvs rdiff -u -r1.148.2.2 -r1.148.2.3 src/sys/arch/sparc64/conf/GENERIC
cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc64/conf/NONPLUS64
cvs rdiff -u -r1.339.2.10 -r1.339.2.11 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/conf/DRACO
diff -u src/sys/arch/amiga/conf/DRACO:1.154 src/sys/arch/amiga/conf/DRACO:1.154.2.1
--- src/sys/arch/amiga/conf/DRACO:1.154	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/DRACO	Tue May 22 14:38:20 2018
@@ -1,4 +1,4 @@
-# $NetBSD: DRACO,v 1.154 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: DRACO,v 1.154.2.1 2018/05/22 14:38:20 martin Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.154 $"
+#ident 		"GENERIC-$Revision: 1.154.2.1 $"
 
 
 maxusers	8
@@ -143,7 +143,7 @@ options 	COMPAT_30	# NetBSD 3.0 compatib
 options 	COMPAT_40	# NetBSD 4.0 compatibility.
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 

Index: src/sys/arch/amiga/conf/GENERIC
diff -u src/sys/arch/amiga/conf/GENERIC:1.284 src/sys/arch/amiga/conf/GENERIC:1.284.2.1
--- src/sys/arch/amiga/conf/GENERIC:1.284	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/GENERIC	Tue May 22 14:38:20 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.284 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: GENERIC,v 1.284.2.1 2018/05/22 14:38:20 martin Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.284 $"
+#ident 		"GENERIC-$Revision: 1.284.2.1 $"
 
 
 maxusers	8
@@ -155,7 +155,7 @@ options 	COMPAT_30	# NetBSD 3.0 compatib
 options 	COMPAT_40	# NetBSD 4.0 compatibility.
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 

Index: src/sys/arch/amiga/conf/GENERIC.in
diff -u src/sys/arch/amiga/conf/GENERIC.in:1.96 src/sys/arch/amiga/conf/GENERIC.in:1.96.2.1
--- src/sys/arch/amiga/conf/GENERIC.in:1.96	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/GENERIC.in	Tue May 22 14:38:20 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC.in,v 1.96 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: GENERIC.in,v 1.96.2.1 2018/05/22 14:38:20 martin Exp $
 #
 ##
 # GENERIC machine description file
@@ -52,7 +52,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.96 $"
+#ident 		"GENERIC-$Revision: 1.96.2.1 $"
 
 m4_ifdef(`INSTALL_CONFIGURATION', 

CVS commit: [netbsd-6] src/sys/net/npf

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu May 17 13:45:15 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.


To generate a diff of this commit:
cvs rdiff -u -r1.8.4.7 -r1.8.4.8 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.10.4.10 -r1.10.4.11 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_alg_icmp.c
diff -u src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 src/sys/net/npf/npf_alg_icmp.c:1.8.4.8
--- src/sys/net/npf/npf_alg_icmp.c:1.8.4.7	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_alg_icmp.c	Thu May 17 13:45:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.8 2018/05/17 13:45:15 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.8 2018/05/17 13:45:15 martin Exp $");
 
 #include 
 #include 
@@ -162,12 +162,14 @@ npfa_icmp_match(npf_cache_t *npc, nbuf_t
 /*
  * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query
  * ID or TCP/UDP ports of the original packet, which is embedded.
+ *
+ * => Sets hasqid=true if the packet has a Query Id. In this case neither
+ *the nbuf nor npc is touched.
  */
 
 static bool
-npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 792. */
 	switch (type) {
@@ -191,12 +193,8 @@ npfa_icmp4_inspect(const int type, npf_c
 	case ICMP_TSTAMPREPLY:
 	case ICMP_IREQ:
 	case ICMP_IREQREPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp, icmp_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -205,9 +203,8 @@ npfa_icmp4_inspect(const int type, npf_c
 }
 
 static bool
-npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 4443. */
 	switch (type) {
@@ -226,12 +223,8 @@ npfa_icmp6_inspect(const int type, npf_c
 
 	case ICMP6_ECHO_REQUEST:
 	case ICMP6_ECHO_REPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp6_hdr, icmp6_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -242,12 +235,12 @@ npfa_icmp6_inspect(const int type, npf_c
 /*
  * npfa_icmp_session: ALG ICMP inspector.
  *
- * => Returns true if "enpc" is filled.
+ * => Returns false if there is a problem with the format.
  */
 static bool
 npfa_icmp_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_cache_t *enpc)
 {
-	bool ret;
+	bool ret, hasqid = false;
 
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_ICMP));
@@ -265,10 +258,10 @@ npfa_icmp_inspect(npf_cache_t *npc, nbuf
 	 */
 	if (npf_iscached(npc, NPC_IP4)) {
 		const struct icmp *ic = npc->npc_l4.icmp;
-		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf);
+		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf, );
 	} else if (npf_iscached(npc, NPC_IP6)) {
 		const 

CVS commit: [netbsd-6] src/sys/dev/ic

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Mon May 14 16:07:06 UTC 2018

Modified Files:
src/sys/dev/ic [netbsd-6]: hme.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1548):

sys/dev/ic/hme.c: revision 1.97

Fix mis-placed right paren.  kern/53271


To generate a diff of this commit:
cvs rdiff -u -r1.87.2.1 -r1.87.2.2 src/sys/dev/ic/hme.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/hme.c
diff -u src/sys/dev/ic/hme.c:1.87.2.1 src/sys/dev/ic/hme.c:1.87.2.2
--- src/sys/dev/ic/hme.c:1.87.2.1	Wed Jul  4 19:43:10 2012
+++ src/sys/dev/ic/hme.c	Mon May 14 16:07:06 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: hme.c,v 1.87.2.1 2012/07/04 19:43:10 riz Exp $	*/
+/*	$NetBSD: hme.c,v 1.87.2.2 2018/05/14 16:07:06 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: hme.c,v 1.87.2.1 2012/07/04 19:43:10 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hme.c,v 1.87.2.2 2018/05/14 16:07:06 martin Exp $");
 
 /* #define HMEDEBUG */
 
@@ -752,7 +752,7 @@ hme_get(struct hme_softc *sc, int ri, ui
 			pktlen = m0->m_pkthdr.len - ETHER_HDR_LEN;
 		} else if (ntohs(eh->ether_type) == ETHERTYPE_VLAN) {
 			evh = (struct ether_vlan_header *)eh;
-			if (ntohs(evh->evl_proto != ETHERTYPE_IP))
+			if (ntohs(evh->evl_proto) != ETHERTYPE_IP)
 goto swcsum;
 			ip = (struct ip *)((char *)eh + ETHER_HDR_LEN +
 			ETHER_VLAN_ENCAP_LEN);

CVS commit: [netbsd-6] src/sys/kern

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu May  3 15:00:38 UTC 2018

Modified Files:
src/sys/kern [netbsd-6]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1547):

sys/kern/uipc_mbuf.c: revision 1.211 (via patch)

Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.

We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.

This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).

Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.

It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.


To generate a diff of this commit:
cvs rdiff -u -r1.145.2.1 -r1.145.2.2 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.145.2.1 src/sys/kern/uipc_mbuf.c:1.145.2.2
--- src/sys/kern/uipc_mbuf.c:1.145.2.1	Fri Feb  8 19:18:12 2013
+++ src/sys/kern/uipc_mbuf.c	Thu May  3 15:00:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.145.2.2 2018/05/03 15:00:37 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.2 2018/05/03 15:00:37 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -1266,30 +1266,35 @@ m_makewritable(struct mbuf **mp, int off
 }
 
 /*
- * Copy the mbuf chain to a new mbuf chain that is as short as possible.
- * Return the new mbuf chain on success, NULL on failure.  On success,
- * free the old mbuf chain.
+ * Compress the mbuf chain. Return the new mbuf chain on success, NULL on
+ * failure. The first mbuf is preserved, and on success the pointer returned
+ * is the same as the one passed.
  */
 struct mbuf *
 m_defrag(struct mbuf *mold, int flags)
 {
 	struct mbuf *m0, *mn, *n;
-	size_t sz = mold->m_pkthdr.len;
+	int sz;
 
 #ifdef DIAGNOSTIC
 	if ((mold->m_flags & M_PKTHDR) == 0)
 		panic("m_defrag: not a mbuf chain header");
 #endif
 
-	MGETHDR(m0, flags, MT_DATA);
+	if (mold->m_next == NULL)
+		return mold;
+
+	m0 = m_get(flags, MT_DATA);
 	if (m0 == NULL)
 		return NULL;
-	M_COPY_PKTHDR(m0, mold);
 	mn = m0;
 
+	sz = mold->m_pkthdr.len - mold->m_len;
+	KASSERT(sz >= 0);
+
 	do {
-		if (sz > MHLEN) {
-			MCLGET(mn, M_DONTWAIT);
+		if (sz > MLEN) {
+			MCLGET(mn, flags);
 			if ((mn->m_flags & M_EXT) == 0) {
 m_freem(m0);
 return NULL;
@@ -1305,7 +1310,7 @@ m_defrag(struct mbuf *mold, int flags)
 
 		if (sz > 0) {
 			/* need more mbufs */
-			MGET(n, M_NOWAIT, MT_DATA);
+			n = m_get(flags, MT_DATA);
 			if (n == NULL) {
 m_freem(m0);
 return NULL;
@@ -1316,9 +1321,10 @@ m_defrag(struct mbuf *mold, int flags)
 		}
 	} while (sz > 0);
 
-	m_freem(mold);
+	m_freem(mold->m_next);
+	mold->m_next = m0;
 
-	return m0;
+	return mold;
 }
 
 int

CVS commit: [netbsd-6] src/sys/netipsec

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu May  3 14:33:30 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1546):

sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.2.1 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.38 src/sys/netipsec/ipsec_output.c:1.38.2.1
--- src/sys/netipsec/ipsec_output.c:1.38	Tue Jan 10 20:01:57 2012
+++ src/sys/netipsec/ipsec_output.c	Thu May  3 14:33:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.38.2.1 2018/05/03 14:33:30 martin Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38.2.1 2018/05/03 14:33:30 martin Exp $");
 
 /*
  * IPsec output processing.
@@ -632,7 +632,7 @@ bad:
 #endif
 
 #ifdef INET6
-static void
+static int
 compute_ipsec_pos(struct mbuf *m, int *i, int *off)
 {
 	int nxt;
@@ -649,7 +649,11 @@ compute_ipsec_pos(struct mbuf *m, int *i
 	 * put AH/ESP/IPcomp header.
 	 *  IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
 	 */
-	do {
+	while (1) {
+		if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+			return EINVAL;
+		}
+
 		switch (nxt) {
 		case IPPROTO_AH:
 		case IPPROTO_ESP:
@@ -658,7 +662,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should not skip security header added
 		 * beforehand.
 		 */
-			return;
+			return 0;
 
 		case IPPROTO_HOPOPTS:
 		case IPPROTO_DSTOPTS:
@@ -668,7 +672,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should stop there.
 		 */
 			if (nxt == IPPROTO_DSTOPTS && dstopt)
-return;
+return 0;
 
 			if (nxt == IPPROTO_DSTOPTS) {
 /*
@@ -688,16 +692,14 @@ compute_ipsec_pos(struct mbuf *m, int *i
 			m_copydata(m, *i, sizeof(ip6e), );
 			nxt = ip6e.ip6e_nxt;
 			*off = *i + offsetof(struct ip6_ext, ip6e_nxt);
-			/*
-			 * we will never see nxt == IPPROTO_AH
-			 * so it is safe to omit AH case.
-			 */
 			*i += (ip6e.ip6e_len + 1) << 3;
 			break;
 		default:
-			return;
+			return 0;
 		}
-	} while (*i < m->m_pkthdr.len);
+	}
+
+	return 0;
 }
 
 static int
@@ -799,7 +801,9 @@ ipsec6_process_packet(
 		i = ip->ip_hl << 2;
 		off = offsetof(struct ip, ip_p);
 	} else {	
-		compute_ipsec_pos(m, , );
+		error = compute_ipsec_pos(m, , );
+		if (error)
+			goto bad;
 	}
 	error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
 	splx(s);

CVS commit: [netbsd-6] src/sys/netipsec

[SAITOH Masanobu]

Module Name:src
Committed By:   msaitoh
Date:   Wed Apr 18 06:59:10 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1545):
sys/netipsec/ipsec_mbuf.c: revision 1.23
sys/netipsec/ipsec_mbuf.c: revision 1.24
Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.
The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().
Fix a pretty bad mistake, that has always been there.
 m_adj(m1, -(m1->m_len - roff));
 if (m1 != m)
 m->m_pkthdr.len -= (m1->m_len - roff);
This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.
Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.10.1 src/sys/netipsec/ipsec_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_mbuf.c
diff -u src/sys/netipsec/ipsec_mbuf.c:1.12 src/sys/netipsec/ipsec_mbuf.c:1.12.10.1
--- src/sys/netipsec/ipsec_mbuf.c:1.12	Mon May 16 10:05:23 2011
+++ src/sys/netipsec/ipsec_mbuf.c	Wed Apr 18 06:59:10 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $	*/
+/*	$NetBSD: ipsec_mbuf.c,v 1.12.10.1 2018/04/18 06:59:10 msaitoh Exp $	*/
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
  * All rights reserved.
@@ -28,7 +28,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12.10.1 2018/04/18 06:59:10 msaitoh Exp $");
 
 /*
  * IPsec-specific mbuf routines.
@@ -407,10 +407,11 @@ m_striphdr(struct mbuf *m, int skip, int
 		/* The header was at the beginning of the mbuf */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT);
 		m_adj(m1, hlen);
-		if ((m1->m_flags & M_PKTHDR) == 0)
+		if (m1 != m)
 			m->m_pkthdr.len -= hlen;
 	} else if (roff + hlen >= m1->m_len) {
 		struct mbuf *mo;
+		int adjlen;
 
 		/*
 		 * Part or all of the header is at the end of this mbuf,
@@ -419,11 +420,13 @@ m_striphdr(struct mbuf *m, int skip, int
 		 */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_END);
 		if (roff + hlen > m1->m_len) {
+			adjlen = roff + hlen - m1->m_len;
+
 			/* Adjust the next mbuf by the remainder */
-			m_adj(m1->m_next, roff + hlen - m1->m_len);
+			m_adj(m1->m_next, adjlen);
 
 			/* The second mbuf is guaranteed not to have a pkthdr... */
-			m->m_pkthdr.len -= (roff + hlen - m1->m_len);
+			m->m_pkthdr.len -= adjlen;
 		}
 
 		/* Now, let's unlink the mbuf chain for a second...*/
@@ -431,9 +434,10 @@ m_striphdr(struct mbuf *m, int skip, int
 		m1->m_next = NULL;
 
 		/* ...and trim the end of the first part of the chain...sick */
-		m_adj(m1, -(m1->m_len - roff));
-		if ((m1->m_flags & M_PKTHDR) == 0)
-			m->m_pkthdr.len -= (m1->m_len - roff);
+		adjlen = m1->m_len - roff;
+		m_adj(m1, -adjlen);
+		if (m1 != m)
+			m->m_pkthdr.len -= adjlen;
 
 		/* Finally, let's relink */
 		m1->m_next = mo;

CVS commit: [netbsd-6] src/sys/arch/amiga/amiga

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Tue Apr 10 11:27:55 UTC 2018

Modified Files:
src/sys/arch/amiga/amiga [netbsd-6]: cc.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1544):

sys/arch/amiga/amiga/cc.c: revision 1.27 (patch)

spl leak, found by mootja


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.14.1 src/sys/arch/amiga/amiga/cc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/amiga/cc.c
diff -u src/sys/arch/amiga/amiga/cc.c:1.22 src/sys/arch/amiga/amiga/cc.c:1.22.14.1
--- src/sys/arch/amiga/amiga/cc.c:1.22	Mon Dec 20 00:25:25 2010
+++ src/sys/arch/amiga/amiga/cc.c	Tue Apr 10 11:27:55 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $	*/
+/*	$NetBSD: cc.c,v 1.22.14.1 2018/04/10 11:27:55 martin Exp $	*/
 
 /*
  * Copyright (c) 1994 Christian E. Hopps
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22.14.1 2018/04/10 11:27:55 martin Exp $");
 
 #include 
 #include 
@@ -504,9 +504,10 @@ alloc_chipmem(u_long size)
 	while (size > mn->size && mn != (void *)_list)
 		mn = mn->free_link.cqe_next;
 
-	if (mn == (void *)_list)
+	if (mn == (void *)_list) {
+		splx(s);
 		return(NULL);
-
+	}
 	if ((mn->size - size) <= sizeof (*mn)) {
 		/*
 		 * our allocation would not leave room

CVS commit: [netbsd-6] src/sys/net/npf

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:34:17 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.13
--- src/sys/net/npf/npf.h:1.14.2.12	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:34:17 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.13 2018/04/05 11:34:17 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 	npf_addr_t *		npc_dstip;
 	/* Size (v4 or v6) of IP addresses. */
 	uint8_t			npc_alen;
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 	/* IPv4, IPv6. */
 	union {

CVS commit: [netbsd-6] src/sys/netinet6

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:22:37 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1541):

sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.


To generate a diff of this commit:
cvs rdiff -u -r1.109.2.1 -r1.109.2.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.109.2.1 src/sys/netinet6/raw_ip6.c:1.109.2.2
--- src/sys/netinet6/raw_ip6.c:1.109.2.1	Tue Jan 30 18:44:22 2018
+++ src/sys/netinet6/raw_ip6.c	Sun Apr  1 09:22:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $");
 
 #include "opt_ipsec.h"
 
@@ -502,6 +502,7 @@ rip6_output(struct mbuf *m, struct socke
 
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
 	in6p->in6p_cksum != -1) {
+		const uint8_t nxt = ip6->ip6_nxt;
 		int off;
 		u_int16_t sum;
 
@@ -523,7 +524,7 @@ rip6_output(struct mbuf *m, struct socke
 			error = ENOBUFS;
 			goto bad;
 		}
-		sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+		sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
 		m = m_copyback_cow(m, off, sizeof(sum), (void *),
 		M_DONTWAIT);
 		if (m == NULL) {

CVS commit: [netbsd-6] src/sys/netinet6

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:18:54 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1540):

sys/netinet6/ip6_forward.c: revision 1.91 (via patch)

Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed,
and a 'goto out' is missing after ipsec6_process_packet.


To generate a diff of this commit:
cvs rdiff -u -r1.69.2.1 -r1.69.2.2 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69.2.1 src/sys/netinet6/ip6_forward.c:1.69.2.2
--- src/sys/netinet6/ip6_forward.c:1.69.2.1	Tue Mar 13 16:43:06 2018
+++ src/sys/netinet6/ip6_forward.c	Sun Apr  1 09:18:54 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.2.2 2018/04/01 09:18:54 martin Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.2 2018/04/01 09:18:54 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -361,9 +361,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		 * because we asked key management for an SA and
 		 * it was delayed (e.g. kicked up to IKE).
 		 */
-	if (error == -EINVAL)
-		error = 0;
-	goto freecopy;
+		if (error == -EINVAL)
+			error = 0;
+		m_freem(m);
+		goto freecopy;
 	}
 #endif /* FAST_IPSEC */
 
@@ -467,8 +468,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		s = splsoftnet();
 		error = ipsec6_process_packet(m,sp->req);
 		splx(s);
+		/* m is freed */
 		if (mcopy)
 			goto freecopy;
+		return;
 }
 #endif   
 

CVS commit: [netbsd-6] src/sys/dev/ppbus

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:48:21 UTC 2018

Modified Files:
src/sys/dev/ppbus [netbsd-6]: if_plip.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1537):
sys/dev/ppbus/if_plip.c: 1.28
spl leak, found by Mootja


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.24.14.1 src/sys/dev/ppbus/if_plip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ppbus/if_plip.c
diff -u src/sys/dev/ppbus/if_plip.c:1.24 src/sys/dev/ppbus/if_plip.c:1.24.14.1
--- src/sys/dev/ppbus/if_plip.c:1.24	Mon Apr  5 07:21:47 2010
+++ src/sys/dev/ppbus/if_plip.c	Tue Mar 13 17:48:21 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_plip.c,v 1.24 2010/04/05 07:21:47 joerg Exp $ */
+/* $NetBSD: if_plip.c,v 1.24.14.1 2018/03/13 17:48:21 snj Exp $ */
 
 /*-
  * Copyright (c) 1997 Poul-Henning Kamp
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.24 2010/04/05 07:21:47 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.24.14.1 2018/03/13 17:48:21 snj Exp $");
 
 /*
  * Parallel port TCP/IP interfaces added.  I looked at the driver from
@@ -445,6 +445,7 @@ lpioctl(struct ifnet *ifp, u_long cmd, v
 		case AF_INET:
 			break;
 		default:
+			splx(s);
 			return EAFNOSUPPORT;
 		}
 		break;

CVS commit: [netbsd-6] src/sys/netipsec

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:47:14 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1536):
sys/netipsec/ipsec_input.c: 1.57-1.58
Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.
--
Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.2.1 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.29 src/sys/netipsec/ipsec_input.c:1.29.2.1
--- src/sys/netipsec/ipsec_input.c:1.29	Wed Jan 25 21:58:10 2012
+++ src/sys/netipsec/ipsec_input.c	Tue Mar 13 17:47:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.29.2.1 2018/03/13 17:47:14 snj Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29.2.1 2018/03/13 17:47:14 snj Exp $");
 
 /*
  * IPsec input processing.
@@ -332,14 +332,15 @@ ipsec4_common_input_cb(struct mbuf *m, s
 	ip->ip_len = htons(m->m_pkthdr.len);
 	prot = ip->ip_p;
 
+#ifdef notyet
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), );
 
-#ifdef notyet
 		/* XXX PROXY address isn't recorded in SAH */
 		/*
 		 * Check that the inner source address is the same as
@@ -367,7 +368,6 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #if INET6
 	/* IPv6-in-IP encapsulation. */
@@ -375,9 +375,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -403,9 +403,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET6 */
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was
@@ -651,15 +651,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	/* Save protocol */
 	m_copydata(m, protoff, 1, );
 
+#ifdef notyet
 #ifdef INET
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -683,18 +684,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET */
-
 	/* IPv6-in-IP encapsulation */
 	if (prot == IPPROTO_IPV6) {
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -719,8 +718,8 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was

CVS commit: [netbsd-6] src/sys

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:42:41 UTC 2018

Modified Files:
src/sys/net [netbsd-6]: if_mpls.c
src/sys/netmpls [netbsd-6]: mpls_ttl.c

Log Message:
Pull up following revision(s) (requested by uwe in ticket #1534):
sys/net/if_mpls.c: 1.31-1.33 via patch
sys/netmpls/mpls_ttl.c: 1.9 via patch
Style, and fix several bugs:
 - ip4_check(), mpls_unlabel_inet() and mpls_unlabel_inet6() perform
   pullups, so we need to pass the updated pointers back
 - in mpls_lse() the route is not always freed
Looks a little better now.
--
Kick MPLS packets earlier.
--
Several changes:
 * In mpls_unlabel_inet, copy the label locally. It's not incorrect to
   keep a pointer on the mbuf, but it's bug-friendly.
 * In mpls_label_inetX, fix the length check. Meanwhile add an XXX: we
   just want to make sure that m_copydata won't fail, but if we were
   guaranteed that m has M_PKTHDR set, we could simply check the length
   against m->m_pkthdr.len.


To generate a diff of this commit:
cvs rdiff -u -r1.8.8.1 -r1.8.8.2 src/sys/net/if_mpls.c
cvs rdiff -u -r1.3 -r1.3.18.1 src/sys/netmpls/mpls_ttl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_mpls.c
diff -u src/sys/net/if_mpls.c:1.8.8.1 src/sys/net/if_mpls.c:1.8.8.2
--- src/sys/net/if_mpls.c:1.8.8.1	Tue Jul 30 03:05:39 2013
+++ src/sys/net/if_mpls.c	Tue Mar 13 17:42:41 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_mpls.c,v 1.8.8.1 2013/07/30 03:05:39 msaitoh Exp $ */
+/*	$NetBSD: if_mpls.c,v 1.8.8.2 2018/03/13 17:42:41 snj Exp $ */
 
 /*
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.8.1 2013/07/30 03:05:39 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.8.2 2018/03/13 17:42:41 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_mpls.h"
@@ -83,12 +83,12 @@ static int mpls_send_frame(struct mbuf *
 static int mpls_lse(struct mbuf *);
 
 #ifdef INET
-static int mpls_unlabel_inet(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet(struct mbuf *, union mpls_shim *, uint);
 #endif
 
 #ifdef INET6
-static int mpls_unlabel_inet6(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet6(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet6(struct mbuf *, union mpls_shim *, uint);
 #endif
 
@@ -308,6 +308,12 @@ mpls_lse(struct mbuf *m)
 	int error = ENOBUFS;
 	uint psize = sizeof(struct sockaddr_mpls);
 
+	/* If we're not accepting MPLS frames, leave now. */
+	if (!mpls_accept) {
+		error = EINVAL;
+		goto done;
+	}
+
 	if (m->m_len < sizeof(union mpls_shim) &&
 	(m = m_pullup(m, sizeof(union mpls_shim))) == NULL)
 		goto done;
@@ -316,10 +322,7 @@ mpls_lse(struct mbuf *m)
 	dst.smpls_family = AF_MPLS;
 	dst.smpls_addr.s_addr = ntohl(mtod(m, union mpls_shim *)->s_addr);
 
-	/* Check if we're accepting MPLS Frames */
 	error = EINVAL;
-	if (!mpls_accept)
-		goto done;
 
 	/* TTL decrement */
 	if ((m = mpls_ttl_dec(m)) == NULL)
@@ -331,15 +334,17 @@ mpls_lse(struct mbuf *m)
 #ifdef INET
 		case MPLS_LABEL_IPV4NULL:
 			/* Pop shim and push mbuf to IP stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet(m, );
+			}
 			break;
 #endif
 #ifdef INET6
 		case MPLS_LABEL_IPV6NULL:
 			/* Pop shim and push mbuf to IPv6 stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet6(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet6(m, );
+			}
 			break;
 #endif
 		case MPLS_LABEL_RTALERT:	/* Yeah, I'm all alerted */
@@ -393,8 +398,10 @@ mpls_lse(struct mbuf *m)
 		tshim.shim.bos = tshim.shim.exp = 0;
 		tshim.shim.ttl = mpls_defttl;
 		if (tshim.shim.label != MPLS_LABEL_IMPLNULL &&
-		((m = mpls_prepend_shim(m, )) == NULL))
-			return ENOBUFS;
+		((m = mpls_prepend_shim(m, )) == NULL)) {
+			error = ENOBUFS;
+			goto done;
+		}
 		psize += sizeof(tshim);
 	}
 
@@ -439,11 +446,9 @@ mpls_send_frame(struct mbuf *m, struct i
 	return 0;
 }
 
-
-
 #ifdef INET
-static int
-mpls_unlabel_inet(struct mbuf *m)
+static struct mbuf *
+mpls_unlabel_inet(struct mbuf *m, int *error)
 {
 	int s, iphlen;
 	struct ip *iph;
@@ -451,7 +456,6 @@ mpls_unlabel_inet(struct mbuf *m)
 	struct ifqueue *inq;
 
 	if (mpls_mapttl_inet || mpls_mapprec_inet) {
-
 		/* get shim info */
 		ms = mtod(m, union mpls_shim *);
 		ms->s_addr = ntohl(ms->s_addr);
@@ -460,23 +464,29 @@ mpls_unlabel_inet(struct mbuf *m)
 		m_adj(m, sizeof(union mpls_shim));
 
 		/* get ip header */
-		if (m->m_len < sizeof (struct ip) &&
-		(m = m_pullup(m, sizeof(struct ip))) == NULL)
-			return ENOBUFS;
+		if (m->m_len < sizeof(struct ip) &&
+		(m = m_pullup(m, sizeof(struct ip))) == NULL) {
+			*error = ENOBUFS;
+			return NULL;
+		}
+
 		iph = mtod(m, struct ip *);
 		iphlen = 

CVS commit: [netbsd-6] src/sys/dev/sbus

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:20:25 UTC 2018

Modified Files:
src/sys/dev/sbus [netbsd-6]: be.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1533):
sys/dev/sbus/be.c: 1.86
spl leak, found by Mootja a long time ago


To generate a diff of this commit:
cvs rdiff -u -r1.78 -r1.78.2.1 src/sys/dev/sbus/be.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/sbus/be.c
diff -u src/sys/dev/sbus/be.c:1.78 src/sys/dev/sbus/be.c:1.78.2.1
--- src/sys/dev/sbus/be.c:1.78	Thu Feb  2 19:43:06 2012
+++ src/sys/dev/sbus/be.c	Tue Mar 13 17:20:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: be.c,v 1.78 2012/02/02 19:43:06 tls Exp $	*/
+/*	$NetBSD: be.c,v 1.78.2.1 2018/03/13 17:20:25 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: be.c,v 1.78 2012/02/02 19:43:06 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: be.c,v 1.78.2.1 2018/03/13 17:20:25 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_inet.h"
@@ -1126,6 +1126,7 @@ beinit(struct ifnet *ifp)
 
 	callout_reset(>sc_tick_ch, hz, be_tick, sc);
 
+	splx(s);
 	return 0;
 out:
 	splx(s);

CVS commit: [netbsd-6] src/sys/netipsec

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:18:16 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c xform_esp.c xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1532):
sys/netipsec/xform_ah.c: 1.77 via patch
sys/netipsec/xform_esp.c: 1.73 via patch
sys/netipsec/xform_ipip.c: 1.56-1.57 via patch
Reinforce and clarify.
--
Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.
--
Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:
218 ipo = mtod(m, struct ip *);
281 m = m_pullup(m, hlen);
232 ipo->ip_src.s_addr
Found by Mootja.
Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.
--
As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.3 -r1.37.2.4 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.40 -r1.40.2.1 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.28.8.1 -r1.28.8.2 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.2.3 src/sys/netipsec/xform_ah.c:1.37.2.4
--- src/sys/netipsec/xform_ah.c:1.37.2.3	Thu Feb 15 16:49:04 2018
+++ src/sys/netipsec/xform_ah.c	Tue Mar 13 17:18:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.2.4 2018/03/13 17:18:15 snj Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.4 2018/03/13 17:18:15 snj Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -498,54 +498,45 @@ ah_massage_headers(struct mbuf **m0, int
 
 		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
 
-		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
+		for (off = 0; off < skip - sizeof(struct ip6_hdr);) {
+			int noff;
+
 			switch (nxt) {
 			case IPPROTO_HOPOPTS:
 			case IPPROTO_DSTOPTS:
-ip6e = (struct ip6_ext *) (ptr + off);
+ip6e = (struct ip6_ext *)(ptr + off);
+noff = off + ((ip6e->ip6e_len + 1) << 3);
+
+/* Sanity check. */
+if (noff > skip - sizeof(struct ip6_hdr)) {
+	goto error6;
+}
 
 /*
- * Process the mutable/immutable
- * options -- borrows heavily from the
- * KAME code.
+ * Zero out mutable options.
  */
 for (count = off + sizeof(struct ip6_ext);
- count < off + ((ip6e->ip6e_len + 1) << 3);) {
+ count < noff;) {
 	if (ptr[count] == IP6OPT_PAD1) {
 		count++;
-		continue; /* Skip padding. */
-	}
-
-	/* Sanity check. */
-	if (count > off +
-	((ip6e->ip6e_len + 1) << 3)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
+		continue;
 	}
 
 	ad = ptr[count + 1] + 2;
 
-	/* If mutable option, zeroize. */
-	if (ptr[count] & IP6OPT_MUTABLE)
-		memcpy(ptr + count, ipseczeroes,
-		ad);
+	if (count + ad > noff) {
+		goto error6;
+	}
+
+	if (ptr[count] & IP6OPT_MUTABLE) {
+		memset(ptr + count, 0, ad);
+	}
 
 	count += ad;
+}
 
-	/* Sanity check. */
-	if (count >
-	skip - sizeof(struct ip6_hdr)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
-	}
+if (count != noff) {
+	goto error6;
 }
 
 /* Advance. */
@@ -603,11 +594,13 @@ ah_massage_headers(struct mbuf **m0, int
 			default:
 DPRINTF(("ah_massage_headers: unexpected "
 "IPv6 header type %d", off));
+error6:
 if (alloc)
 	free(ptr, M_XDATA);
 m_freem(m);
 return EINVAL;
 			}
+		}
 
 		/* Copyback and free, if we allocated. */
 		if (alloc) {

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.40 src/sys/netipsec/xform_esp.c:1.40.2.1
--- src/sys/netipsec/xform_esp.c:1.40	Wed Jan 25 20:31:23 2012
+++ src/sys/netipsec/xform_esp.c	Tue Mar 13 17:18:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.40.2.1 2018/03/13 17:18:15 snj Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 

CVS commit: [netbsd-6] src/sys/arch/macppc/dev

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:09:15 UTC 2018

Modified Files:
src/sys/arch/macppc/dev [netbsd-6]: snapper.c

Log Message:
Pull up following revision(s) (requested by sevan in ticket #1522):
sys/arch/macppc/dev/snapper.c: 1.42
Fix issue with audio being downpitched, thanks to 
"it seems that snapper_init should be called before audio_attach_mi, as
snapper
init is setting the rate to 44100 after the hardware format has been
configured
by audio_attach_mi.
audio_attach_mi should be the last thing called during an attach of an audio
device so the audio device is ready to be configured when audio_attach_mi is
called."
Resolves PR port-macppc/52949


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.4.1 src/sys/arch/macppc/dev/snapper.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/macppc/dev/snapper.c
diff -u src/sys/arch/macppc/dev/snapper.c:1.38 src/sys/arch/macppc/dev/snapper.c:1.38.4.1
--- src/sys/arch/macppc/dev/snapper.c:1.38	Thu Nov 24 03:35:57 2011
+++ src/sys/arch/macppc/dev/snapper.c	Tue Mar 13 17:09:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: snapper.c,v 1.38 2011/11/24 03:35:57 mrg Exp $	*/
+/*	$NetBSD: snapper.c,v 1.38.4.1 2018/03/13 17:09:15 snj Exp $	*/
 /*	Id: snapper.c,v 1.11 2002/10/31 17:42:13 tsubai Exp	*/
 /*	Id: i2s.c,v 1.12 2005/01/15 14:32:35 tsubai Exp		*/
 
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: snapper.c,v 1.38 2011/11/24 03:35:57 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: snapper.c,v 1.38.4.1 2018/03/13 17:09:15 snj Exp $");
 
 #include 
 #include 
@@ -839,10 +839,10 @@ snapper_defer(device_t dev)
 		break;
 	}
 
-	audio_attach_mi(_hw_if, sc, sc->sc_dev);
-
 	/* ki2c_setmode(sc->sc_i2c, I2C_STDSUBMODE); */
 	snapper_init(sc, sc->sc_node);
+
+	audio_attach_mi(_hw_if, sc, sc->sc_dev);
 }
 
 static int

CVS commit: [netbsd-6] src/sys/arch/sparc/sparc

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:48:05 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-6]: timer.c timer_sun4m.c timerreg.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1519):
sys/arch/sparc/sparc/timer_sun4m.c: 1.33 1.34 1.31
sys/arch/sparc/sparc/timer.c: 1.33
sys/arch/sparc/sparc/timer.c: 1.33 1.34
sys/arch/sparc/sparc/timerreg.h: 1.33 1.34 1.31 1.10
fix time goes backwards problems on sparc.
there are a few things here:
- there's a race between reading the limit register (which clears
  the interrupt and the limit bit) and increasing the latest offset.
  this can happen easily if an interrupt comes between the read and
  the call to tickle_tc() that increases the offset (i obverved this
  actually happening.)
- in early boot, sometimes the counter can cycle twice before the
  tickle happens.
to handle these issues, add two workarounds:
- if the limit bit isn't set, but the counter value is less than
  the previous value, and the offset hasn't changed, use the same
  fixup as if the limit bit was set.  this handles the first case
  above.
- add a hard-workaround for never allowing returning a smaller
  value (except during 32 bit overflow): if the result is less than
  the last result, add fixups until it does (or until it would
  overflow.)
the first workaround fixes general run-time issues, and the second
fixes issues only seen during boot.
also expand some comments in timer_sun4m.c and re-enable the sun4m
sub-microsecond tmr_ustolim4m() support (but it's always called with
at least 'tick' microseconds, so the end result is the same.)
fix hang at 4B microseconds (1h12 or so), and simplify part of the previous


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.8.1 src/sys/arch/sparc/sparc/timer.c
cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/arch/sparc/sparc/timer_sun4m.c
cvs rdiff -u -r1.9 -r1.9.118.1 src/sys/arch/sparc/sparc/timerreg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/sparc/timer.c
diff -u src/sys/arch/sparc/sparc/timer.c:1.29 src/sys/arch/sparc/sparc/timer.c:1.29.8.1
--- src/sys/arch/sparc/sparc/timer.c:1.29	Sun Jul 17 23:18:23 2011
+++ src/sys/arch/sparc/sparc/timer.c	Tue Mar 13 16:48:05 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $ */
+/*	$NetBSD: timer.c,v 1.29.8.1 2018/03/13 16:48:05 snj Exp $ */
 
 /*
  * Copyright (c) 1992, 1993
@@ -60,7 +60,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29.8.1 2018/03/13 16:48:05 snj Exp $");
 
 #include 
 #include 
@@ -83,56 +83,93 @@ static u_int timer_get_timecount(struct 
  * timecounter local state
  */
 static struct counter {
-	volatile u_int *cntreg;	/* counter register */
+	__cpu_simple_lock_t lock; /* protects access to offset, reg, last* */
+	volatile u_int *cntreg;	/* counter register to read */
 	u_int limit;		/* limit we count up to */
 	u_int offset;		/* accumulated offet due to wraps */
 	u_int shift;		/* scaling for valid bits */
 	u_int mask;		/* valid bit mask */
-} cntr;
+	u_int lastcnt;		/* the last* values are used to notice */
+	u_int lastres;		/* and fix up cases where it would appear */
+	u_int lastoffset;	/* time went backwards. */
+} cntr __aligned(CACHE_LINE_SIZE);
 
 /*
  * define timecounter
  */
 
 static struct timecounter counter_timecounter = {
-	timer_get_timecount,	/* get_timecount */
-	0,			/* no poll_pps */
-	~0u,			/* counter_mask */
-	0,  /* frequency - set at initialisation */
-	"timer-counter",	/* name */
-	100,			/* quality */
-/* private reference */
+	.tc_get_timecount =	timer_get_timecount,
+	.tc_poll_pps =		NULL,
+	.tc_counter_mask =	~0u,
+	.tc_frequency =		0,
+	.tc_name =		"timer-counter",
+	.tc_quality =		100,
+	.tc_priv =		,
 };
 
 /*
  * timer_get_timecount provide current counter value
  */
+__attribute__((__optimize__("Os")))
 static u_int
 timer_get_timecount(struct timecounter *tc)
 {
-	struct counter *ctr = (struct counter *)tc->tc_priv;
-
-	u_int c, res, r;
+	u_int cnt, res, fixup, offset;
 	int s;
 
-
+	/*
+	 * We use splhigh/__cpu_simple_lock here as we don't want
+	 * any mutex or lockdebug overhead.  The lock protects a
+	 * bunch of the members of cntr that are written here to
+	 * deal with the various minor races to be observed and
+	 * worked around.
+	 */
 	s = splhigh();
 
-	res = c = *ctr->cntreg;
+	__cpu_simple_lock();
+	res = cnt = *cntr.cntreg;
 
 	res  &= ~TMR_LIMIT;
+	offset = cntr.offset;
 
-	if (c != res) {
-		r = ctr->limit;
+	/*
+	 * There are 3 cases here:
+	 * - limit reached, interrupt not yet processed.
+	 * - count reset but offset the same, race between handling
+	 *   the interrupt and tickle_tc() updating the offset.
+	 * - normal case.
+	 *
+	 * For the first two cases, add the limit so 

CVS commit: [netbsd-6] src/sys/netinet6

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:43:06 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1518):
sys/netinet6/ip6_forward.c: 1.89-1.90 via patch
Fix use-after-free of mbuf by ip6flow_create
This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd.
--
Fix use-after-free of mbuf by ip6flow_create (one more)


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69 src/sys/netinet6/ip6_forward.c:1.69.2.1
--- src/sys/netinet6/ip6_forward.c:1.69	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/ip6_forward.c	Tue Mar 13 16:43:06 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -645,8 +645,8 @@ ip6_forward(struct mbuf *m, int srcrt)
 			IP6_STATINC(IP6_STAT_REDIRECTSENT);
 		else {
 #ifdef GATEWAY
-			if (m->m_flags & M_CANFASTFWD)
-ip6flow_create(_forward_rt, m);
+			if (mcopy->m_flags & M_CANFASTFWD)
+ip6flow_create(_forward_rt, mcopy);
 #endif
 			if (mcopy)
 goto freecopy;

CVS commit: [netbsd-6] src/sys/dev

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:38:28 UTC 2018

Modified Files:
src/sys/dev [netbsd-6]: fss.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1516):
sys/dev/fss.c: 1.101-1.103
Bounds check against media size for non-persistent snapshots.
--
Treat partial read from backing store as I/O error.
--
Pass residual back to b_resid for persistent snapshots.


To generate a diff of this commit:
cvs rdiff -u -r1.81.4.4 -r1.81.4.5 src/sys/dev/fss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/fss.c
diff -u src/sys/dev/fss.c:1.81.4.4 src/sys/dev/fss.c:1.81.4.5
--- src/sys/dev/fss.c:1.81.4.4	Sat Aug 27 14:47:47 2016
+++ src/sys/dev/fss.c	Tue Mar 13 16:38:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $	*/
+/*	$NetBSD: fss.c,v 1.81.4.5 2018/03/13 16:38:28 snj Exp $	*/
 
 /*-
  * Copyright (c) 2003 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.5 2018/03/13 16:38:28 snj Exp $");
 
 #include 
 #include 
@@ -90,7 +90,7 @@ static void fss_softc_free(struct fss_so
 static int fss_read_cluster(struct fss_softc *, u_int32_t);
 static void fss_bs_thread(void *);
 static int fss_bs_io(struct fss_softc *, fss_io_type,
-u_int32_t, off_t, int, void *);
+u_int32_t, off_t, int, void *, size_t *);
 static u_int32_t *fss_bs_indir(struct fss_softc *, u_int32_t);
 
 static kmutex_t fss_device_lock;	/* Protect all units. */
@@ -266,20 +266,26 @@ fss_strategy(struct buf *bp)
 	mutex_enter(>sc_slock);
 
 	if (write || !FSS_ISVALID(sc)) {
-
-		mutex_exit(>sc_slock);
-
 		bp->b_error = (write ? EROFS : ENXIO);
-		bp->b_resid = bp->b_bcount;
-		biodone(bp);
-		return;
+		goto done;
 	}
+	/* Check bounds for non-persistent snapshots. */
+	if ((sc->sc_flags & FSS_PERSISTENT) == 0 &&
+	bounds_check_with_mediasize(bp, DEV_BSIZE,
+	btodb(FSS_CLTOB(sc, sc->sc_clcount - 1) + sc->sc_clresid)) <= 0)
+		goto done;
 
 	bp->b_rawblkno = bp->b_blkno;
 	bufq_put(sc->sc_bufq, bp);
 	cv_signal(>sc_work_cv);
 
 	mutex_exit(>sc_slock);
+	return;
+
+done:
+	mutex_exit(>sc_slock);
+	bp->b_resid = bp->b_bcount;
+	biodone(bp);
 }
 
 int
@@ -993,6 +999,8 @@ restart:
 		todo -= len;
 	}
 	error = biowait(mbp);
+	if (error == 0 && mbp->b_resid != 0)
+		error = EIO;
 	putiobuf(mbp);
 
 	mutex_enter(>sc_slock);
@@ -1014,7 +1022,7 @@ restart:
  */
 static int
 fss_bs_io(struct fss_softc *sc, fss_io_type rw,
-u_int32_t cl, off_t off, int len, void *data)
+u_int32_t cl, off_t off, int len, void *data, size_t *resid)
 {
 	int error;
 
@@ -1025,7 +1033,7 @@ fss_bs_io(struct fss_softc *sc, fss_io_t
 	error = vn_rdwr((rw == FSS_READ ? UIO_READ : UIO_WRITE), sc->sc_bs_vp,
 	data, len, off, UIO_SYSSPACE,
 	IO_ADV_ENCODE(POSIX_FADV_NOREUSE) | IO_NODELOCKED,
-	sc->sc_bs_lwp->l_cred, NULL, NULL);
+	sc->sc_bs_lwp->l_cred, resid, NULL);
 	if (error == 0) {
 		mutex_enter(sc->sc_bs_vp->v_interlock);
 		error = VOP_PUTPAGES(sc->sc_bs_vp, trunc_page(off),
@@ -1054,7 +1062,7 @@ fss_bs_indir(struct fss_softc *sc, u_int
 
 	if (sc->sc_indir_dirty) {
 		if (fss_bs_io(sc, FSS_WRITE, sc->sc_indir_cur, 0,
-		FSS_CLSIZE(sc), (void *)sc->sc_indir_data) != 0)
+		FSS_CLSIZE(sc), (void *)sc->sc_indir_data, NULL) != 0)
 			return NULL;
 		setbit(sc->sc_indir_valid, sc->sc_indir_cur);
 	}
@@ -1064,7 +1072,7 @@ fss_bs_indir(struct fss_softc *sc, u_int
 
 	if (isset(sc->sc_indir_valid, sc->sc_indir_cur)) {
 		if (fss_bs_io(sc, FSS_READ, sc->sc_indir_cur, 0,
-		FSS_CLSIZE(sc), (void *)sc->sc_indir_data) != 0)
+		FSS_CLSIZE(sc), (void *)sc->sc_indir_data, NULL) != 0)
 			return NULL;
 	} else
 		memset(sc->sc_indir_data, 0, FSS_CLSIZE(sc));
@@ -1085,6 +1093,7 @@ fss_bs_thread(void *arg)
 	long off;
 	char *addr;
 	u_int32_t c, cl, ch, *indirp;
+	size_t resid;
 	struct buf *bp, *nbp;
 	struct fss_softc *sc;
 	struct fss_cache *scp, *scl;
@@ -1121,14 +1130,18 @@ fss_bs_thread(void *arg)
 disk_busy(sc->sc_dkdev);
 error = fss_bs_io(sc, FSS_READ, 0,
 dbtob(bp->b_blkno), bp->b_bcount,
-bp->b_data);
+bp->b_data, );
+if (error)
+	resid = bp->b_bcount;
 disk_unbusy(sc->sc_dkdev,
 (error ? 0 : bp->b_bcount), is_read);
-			} else
+			} else {
 error = ENXIO;
+resid = bp->b_bcount;
+			}
 
 			bp->b_error = error;
-			bp->b_resid = (error ? bp->b_bcount : 0);
+			bp->b_resid = resid;
 			biodone(bp);
 
 			mutex_enter(>sc_slock);
@@ -1149,7 +1162,7 @@ fss_bs_thread(void *arg)
 			indirp = fss_bs_indir(sc, scp->fc_cluster);
 			if (indirp != NULL) {
 error = fss_bs_io(sc, FSS_WRITE, sc->sc_clnext,
-0, FSS_CLSIZE(sc), scp->fc_data);
+0, FSS_CLSIZE(sc), scp->fc_data, NULL);
 			} else
 error = EIO;
 
@@ -1217,6 +1230,8 

CVS commit: [netbsd-6] src/sys/arch/sparc/sparc

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Mar  3 20:47:24 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-6]: locore.s

Log Message:
Pull up following revision(s) (requested by maya in ticket #1513):
sys/arch/sparc/sparc/locore.s: 1.269
Avoid an instruction requiring a higher alignment than we are guaranteed
Fixes PR port-sparc/52721: ddb errors on ps command
Thanks to mlelstv.


To generate a diff of this commit:
cvs rdiff -u -r1.265 -r1.265.8.1 src/sys/arch/sparc/sparc/locore.s

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/sparc/locore.s
diff -u src/sys/arch/sparc/sparc/locore.s:1.265 src/sys/arch/sparc/sparc/locore.s:1.265.8.1
--- src/sys/arch/sparc/sparc/locore.s:1.265	Mon Aug 15 02:19:44 2011
+++ src/sys/arch/sparc/sparc/locore.s	Sat Mar  3 20:47:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.s,v 1.265 2011/08/15 02:19:44 mrg Exp $	*/
+/*	$NetBSD: locore.s,v 1.265.8.1 2018/03/03 20:47:24 snj Exp $	*/
 
 /*
  * Copyright (c) 1996 Paul Kranenburg
@@ -6286,8 +6286,9 @@ ENTRY(longjmp)
 	cmp	%fp, %g7	! compare against desired frame
 	bl,a	1b		! if below,
 	 restore		!pop frame and loop
-	be,a	2f		! if there,
-	 ldd	[%g1+0], %o2	!fetch return %sp and pc, and get out
+	ld	[%g1+0], %o2	! fetch return %sp
+	be,a	2f		! we're there, get out
+	 ld	[%g1+4], %o3	! fetch return pc
 
 Llongjmpbotch:
 ! otherwise, went too far; bomb out

CVS commit: [netbsd-6] src/sys

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Mar  3 20:44:39 UTC 2018

Modified Files:
src/sys/dev [netbsd-6]: rndpseudo.c
src/sys/kern [netbsd-6]: subr_cprng.c
src/sys/sys [netbsd-6]: cprng.h

Log Message:
Apply patch (requested by riastradh in ticket #1512):
Fix panic when waiting with kqueue/kevent for a read from
/dev/random.


To generate a diff of this commit:
cvs rdiff -u -r1.6.2.3 -r1.6.2.4 src/sys/dev/rndpseudo.c
cvs rdiff -u -r1.5.2.8 -r1.5.2.9 src/sys/kern/subr_cprng.c
cvs rdiff -u -r1.4.2.1 -r1.4.2.2 src/sys/sys/cprng.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/rndpseudo.c
diff -u src/sys/dev/rndpseudo.c:1.6.2.3 src/sys/dev/rndpseudo.c:1.6.2.4
--- src/sys/dev/rndpseudo.c:1.6.2.3	Mon May 21 16:49:54 2012
+++ src/sys/dev/rndpseudo.c	Sat Mar  3 20:44:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $	*/
+/*	$NetBSD: rndpseudo.c,v 1.6.2.4 2018/03/03 20:44:38 snj Exp $	*/
 
 /*-
  * Copyright (c) 1997-2011 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.4 2018/03/03 20:44:38 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -673,13 +673,13 @@ rnd_poll(struct file *fp, int events)
 		}   
 	}
 
+	mutex_enter(>cprng->mtx);
 	if (cprng_strong_ready(ctx->cprng)) {
 		revents |= events & (POLLIN | POLLRDNORM);
 	} else {
-		mutex_enter(>cprng->mtx);
 		selrecord(curlwp, >cprng->selq);
-		mutex_exit(>cprng->mtx);
 	}
+	mutex_exit(>cprng->mtx);
 
 	return (revents);
 }
@@ -731,12 +731,24 @@ static int
 filt_rndread(struct knote *kn, long hint)
 {
 	cprng_strong_t *c = kn->kn_hook;
+	int ret;
 
+	if (hint & NOTE_SUBMIT)
+		KASSERT(mutex_owned(>mtx));
+	else
+		mutex_enter(>mtx);
 	if (cprng_strong_ready(c)) {
 		kn->kn_data = RND_TEMP_BUFFER_SIZE;
-		return 1;
+		ret = 1;
+	} else {
+		ret = 0;
 	}
-	return 0;
+	if (hint & NOTE_SUBMIT)
+		KASSERT(mutex_owned(>mtx));
+	else
+		mutex_exit(>mtx);
+
+	return ret;
 }
 
 static const struct filterops rnd_seltrue_filtops =

Index: src/sys/kern/subr_cprng.c
diff -u src/sys/kern/subr_cprng.c:1.5.2.8 src/sys/kern/subr_cprng.c:1.5.2.9
--- src/sys/kern/subr_cprng.c:1.5.2.8	Fri Mar 29 00:44:28 2013
+++ src/sys/kern/subr_cprng.c	Sat Mar  3 20:44:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $ */
+/*	$NetBSD: subr_cprng.c,v 1.5.2.9 2018/03/03 20:44:38 snj Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.9 2018/03/03 20:44:38 snj Exp $");
 
 void
 cprng_init(void)
@@ -95,7 +95,7 @@ cprng_strong_doreseed(cprng_strong_t *co
 	if (c->flags & CPRNG_USE_CV) {
 		cv_broadcast(>cv);
 	}
-	selnotify(>selq, 0, 0);
+	selnotify(>selq, 0, NOTE_SUBMIT);
 }
 
 static void
@@ -397,7 +397,7 @@ cprng_strong_setflags(cprng_strong_t *co
 			if (c->flags & CPRNG_USE_CV) {
 cv_broadcast(>cv);
 			}
-			selnotify(>selq, 0, 0);
+			selnotify(>selq, 0, NOTE_SUBMIT);
 		}
 	}
 	c->flags = flags;

Index: src/sys/sys/cprng.h
diff -u src/sys/sys/cprng.h:1.4.2.1 src/sys/sys/cprng.h:1.4.2.2
--- src/sys/sys/cprng.h:1.4.2.1	Fri Apr 20 23:35:20 2012
+++ src/sys/sys/cprng.h	Sat Mar  3 20:44:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cprng.h,v 1.4.2.1 2012/04/20 23:35:20 riz Exp $ */
+/*	$NetBSD: cprng.h,v 1.4.2.2 2018/03/03 20:44:39 snj Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -121,12 +121,11 @@ static inline int
 cprng_strong_ready(cprng_strong_t *c)
 {
 	int ret = 0;
-	
-	mutex_enter(>mtx);
+
+	KASSERT(mutex_owned(>mtx));
 	if (c->drbg.reseed_counter < NIST_CTR_DRBG_RESEED_INTERVAL) {
 		ret = 1;
 	}
-	mutex_exit(>mtx);
 	return ret;
 }
 

CVS commit: [netbsd-6] src/sys/arch

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Mon Feb 19 20:54:38 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: machdep.c
src/sys/arch/amd64/include [netbsd-6]: segments.h
src/sys/arch/i386/i386 [netbsd-6]: machdep.c
src/sys/arch/i386/include [netbsd-6]: segments.h
src/sys/arch/x86/x86 [netbsd-6]: vm_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1517):
sys/arch/amd64/amd64/machdep.c: 1.280 via patch
sys/arch/amd64/include/segments.h: 1.34 via patch
sys/arch/i386/i386/machdep.c: 1.800
sys/arch/i386/include/segments.h: 1.64
sys/arch/x86/x86/vm_machdep.c: 1.30
Fix a huge privilege separation vulnerability in Xen-amd64.
On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL
equals SEL_UPL. While Xen can make a distinction between usermode and
kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL
in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes
to read and write to the CPU ports.
It is easy, then, to completely escalate privileges; by reprogramming the
PIC, by reading the ATA disks, by intercepting the keyboard interrupts
(keylogger), etc.
Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use
the ports but not userland. I didn't test this change on i386, but it
seems fine enough.


To generate a diff of this commit:
cvs rdiff -u -r1.175.2.9 -r1.175.2.10 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.22 -r1.22.10.1 src/sys/arch/amd64/include/segments.h
cvs rdiff -u -r1.717.2.8 -r1.717.2.9 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.54 -r1.54.10.1 src/sys/arch/i386/include/segments.h
cvs rdiff -u -r1.14 -r1.14.2.1 src/sys/arch/x86/x86/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.9 src/sys/arch/amd64/amd64/machdep.c:1.175.2.10
--- src/sys/arch/amd64/amd64/machdep.c:1.175.2.9	Tue Aug  8 12:00:35 2017
+++ src/sys/arch/amd64/amd64/machdep.c	Mon Feb 19 20:54:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $	*/
+/*	$NetBSD: machdep.c,v 1.175.2.10 2018/02/19 20:54:37 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.10 2018/02/19 20:54:37 snj Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -477,7 +477,7 @@ x86_64_proc0_tss_ldt_init(void)
 	pcb->pcb_fs = 0;
 	pcb->pcb_gs = 0;
 	pcb->pcb_rsp0 = (uvm_lwp_getuarea(l) + KSTACK_SIZE - 16) & ~0xf;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 
 	pmap_kernel()->pm_ldt_sel = GSYSSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;

Index: src/sys/arch/amd64/include/segments.h
diff -u src/sys/arch/amd64/include/segments.h:1.22 src/sys/arch/amd64/include/segments.h:1.22.10.1
--- src/sys/arch/amd64/include/segments.h:1.22	Mon Feb  7 03:54:45 2011
+++ src/sys/arch/amd64/include/segments.h	Mon Feb 19 20:54:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: segments.h,v 1.22 2011/02/07 03:54:45 chs Exp $	*/
+/*	$NetBSD: segments.h,v 1.22.10.1 2018/02/19 20:54:37 snj Exp $	*/
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -107,6 +107,12 @@
 #define	ISLDT(s)	((s) & SEL_LDT)	/* is it local or global */
 #define	SEL_LDT		4		/* local descriptor table */	
 
+#ifdef XEN
+#define IOPL_KPL	1
+#else
+#define IOPL_KPL	SEL_KPL
+#endif
+
 /* Dynamically allocated TSSs and LDTs start (byte offset) */
 #define SYSSEL_START	(NGDT_MEM << 3)
 #define DYNSEL_START	(SYSSEL_START + (NGDT_SYS << 4))

Index: src/sys/arch/i386/i386/machdep.c
diff -u src/sys/arch/i386/i386/machdep.c:1.717.2.8 src/sys/arch/i386/i386/machdep.c:1.717.2.9
--- src/sys/arch/i386/i386/machdep.c:1.717.2.8	Tue Aug  8 12:00:35 2017
+++ src/sys/arch/i386/i386/machdep.c	Mon Feb 19 20:54:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.717.2.8 2017/08/08 12:00:35 martin Exp $	*/
+/*	$NetBSD: machdep.c,v 1.717.2.9 2018/02/19 20:54:38 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009
@@ -67,7 +67,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.8 2017/08/08 12:00:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.9 2018/02/19 20:54:38 snj Exp $");
 
 #include "opt_beep.h"
 #include "opt_compat_ibcs2.h"
@@ -509,7 +509,7 @@ i386_proc0_tss_ldt_init(void)
 	pmap_kernel()->pm_ldt_sel = GSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;
 	pcb->pcb_esp0 = uvm_lwp_getuarea(l) + KSTACK_SIZE - 16;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 	l->l_md.md_regs = (struct trapframe *)pcb->pcb_esp0 - 1;
 	memcpy(>pcb_fsd, [GUDATA_SEL], sizeof(pcb->pcb_fsd));
 	

CVS commit: [netbsd-6] src/sys/netipsec

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Fri Feb 16 18:10:09 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1531):

sys/netipsec/ipsec.c: revision 1.130

Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.8.1 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.55 src/sys/netipsec/ipsec.c:1.55.8.1
--- src/sys/netipsec/ipsec.c:1.55	Thu Jun  9 19:54:18 2011
+++ src/sys/netipsec/ipsec.c	Fri Feb 16 18:10:09 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.55.8.1 2018/02/16 18:10:09 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55.8.1 2018/02/16 18:10:09 martin Exp $");
 
 /*
  * IPsec controller part.
@@ -979,7 +979,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
 			spidx->dst.sin.sin_port = uh.uh_dport;
 			return;
 		case IPPROTO_AH:
-			if (m->m_pkthdr.len > off + sizeof(ip6e))
+			if (off + sizeof(ip6e) > m->m_pkthdr.len)
 goto done;
 			/* XXX sigh, this works but is totally bogus */
 			m_copydata(m, off, sizeof(ip6e), );

CVS commit: [netbsd-6] src/sys/netipsec

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu Feb 15 16:49:05 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c

Log Message:
Fix previous (Ticket #1530)


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.2 -r1.37.2.3 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.2.2 src/sys/netipsec/xform_ah.c:1.37.2.3
--- src/sys/netipsec/xform_ah.c:1.37.2.2	Thu Feb 15 08:08:19 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 16:49:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -687,11 +687,10 @@ ah_input(struct mbuf *m, const struct se
 		return EACCES;
 	}
 	if (skip + authsize + rplen > m->m_pkthdr.len) {
-		char buf[IPSEC_ADDRSTRLEN];
 		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
 			" for packet in SA %s/%08lx\n", __func__,
 			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
-			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			ipsec_address(>sah->saidx.dst),
 			(u_long) ntohl(sav->spi)));
 		AH_STATINC(AH_STAT_BADAUTHL);
 		m_freem(m);

CVS commit: [netbsd-6] src/sys/netipsec

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu Feb 15 14:49:00 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1529):
sys/netipsec/xform_ipip.c: revision 1.44 via patch

PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.28 src/sys/netipsec/xform_ipip.c:1.28.8.1
--- src/sys/netipsec/xform_ipip.c:1.28	Sun Jul 17 20:54:54 2011
+++ src/sys/netipsec/xform_ipip.c	Thu Feb 15 14:49:00 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.28.8.1 2018/02/15 14:49:00 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.8.1 2018/02/15 14:49:00 martin Exp $");
 
 /*
  * IP-inside-IP processing
@@ -566,7 +566,7 @@ ipip_output(
 		ip6o->ip6_flow = 0;
 		ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
 		ip6o->ip6_vfc |= IPV6_VERSION;
-		ip6o->ip6_plen = htons(m->m_pkthdr.len);
+		ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o));
 		ip6o->ip6_hlim = ip_defttl;
 		ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
 		ip6o->ip6_src = saidx->src.sin6.sin6_addr;

CVS commit: [netbsd-6] src/sys/netipsec

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu Feb 15 08:08:19 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1530):
sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.1 -r1.37.2.2 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.2.1 src/sys/netipsec/xform_ah.c:1.37.2.2
--- src/sys/netipsec/xform_ah.c:1.37.2.1	Mon Jan 29 19:25:51 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 08:08:19 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -636,6 +636,7 @@ ah_input(struct mbuf *m, const struct se
 	struct m_tag *mtag;
 	struct newah *ah;
 	int hl, rplen, authsize, error;
+	uint8_t nxt;
 
 	struct cryptodesc *crda;
 	struct cryptop *crp;
@@ -660,6 +661,8 @@ ah_input(struct mbuf *m, const struct se
 		return ENOBUFS;
 	}
 
+	nxt = ah->ah_nxt;
+
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
 		AH_STATINC(AH_STAT_REPLAY);
@@ -683,6 +686,18 @@ ah_input(struct mbuf *m, const struct se
 		m_freem(m);
 		return EACCES;
 	}
+	if (skip + authsize + rplen > m->m_pkthdr.len) {
+		char buf[IPSEC_ADDRSTRLEN];
+		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+			" for packet in SA %s/%08lx\n", __func__,
+			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			(u_long) ntohl(sav->spi)));
+		AH_STATINC(AH_STAT_BADAUTHL);
+		m_freem(m);
+		return EACCES;
+	}
+
 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 
 	/* Get crypto descriptors. */
@@ -780,7 +795,7 @@ ah_input(struct mbuf *m, const struct se
 	tc->tc_spi = sav->spi;
 	tc->tc_dst = sav->sah->saidx.dst;
 	tc->tc_proto = sav->sah->saidx.proto;
-	tc->tc_nxt = ah->ah_nxt;
+	tc->tc_nxt = nxt;
 	tc->tc_protoff = protoff;
 	tc->tc_skip = skip;
 	tc->tc_ptr = mtag; /* Save the mtag we've identified. */

CVS commit: [netbsd-6] src/sys/dist/pf/net

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Feb 10 04:25:38 UTC 2018

Modified Files:
src/sys/dist/pf/net [netbsd-6]: pf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1527):
sys/dist/pf/net/pf.c: revision 1.78 via patch
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.
It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.
This bug was reported 8 years ago by Lucio Albornoz in PR/44059.


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.68.2.1 src/sys/dist/pf/net/pf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dist/pf/net/pf.c
diff -u src/sys/dist/pf/net/pf.c:1.68 src/sys/dist/pf/net/pf.c:1.68.2.1
--- src/sys/dist/pf/net/pf.c:1.68	Mon Dec 19 16:10:07 2011
+++ src/sys/dist/pf/net/pf.c	Sat Feb 10 04:25:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $	*/
+/*	$NetBSD: pf.c,v 1.68.2.1 2018/02/10 04:25:37 snj Exp $	*/
 /*	$OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */
 
 /*
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68.2.1 2018/02/10 04:25:37 snj Exp $");
 
 #include "pflog.h"
 
@@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off
 	struct sackblk sack;
 
 #ifdef __NetBSD__
-#define	TCPOLEN_SACK (2 * sizeof(uint32_t))
+#define	TCPOLEN_SACK		8		/* 2*sizeof(tcp_seq) */
 #endif
 
 #define TCPOLEN_SACKLEN	(TCPOLEN_SACK + 2)

CVS commit: [netbsd-6] src/sys/netinet

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Fri Feb  9 14:09:35 UTC 2018

Modified Files:
src/sys/netinet [netbsd-6]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1526):
sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
source = 0.0.0.0
destination = public address of the server
LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.298 -r1.298.2.1 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.298 src/sys/netinet/ip_input.c:1.298.2.1
--- src/sys/netinet/ip_input.c:1.298	Mon Jan  9 14:31:22 2012
+++ src/sys/netinet/ip_input.c	Fri Feb  9 14:09:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -161,10 +161,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#define	IPFORWSRCRT	0	/* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define	IPALLOWSRCRT	1	/* allow source-routed packets */
+#define	IPALLOWSRCRT	0	/* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC	1

CVS commit: [netbsd-6] src/sys/netinet6

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Fri Feb  2 13:10:00 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: nd6_nbr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1525):
sys/netinet6/nd6_nbr.c: revision 1.145 (patch)

Fix memory leak. Contrary to what the XXX indicates, this place is 100%
reachable remotely.


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.95.2.1 src/sys/netinet6/nd6_nbr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_nbr.c
diff -u src/sys/netinet6/nd6_nbr.c:1.95 src/sys/netinet6/nd6_nbr.c:1.95.2.1
--- src/sys/netinet6/nd6_nbr.c:1.95	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/nd6_nbr.c	Fri Feb  2 13:10:00 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.95.2.1 2018/02/02 13:10:00 martin Exp $	*/
 /*	$KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95.2.1 2018/02/02 13:10:00 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -589,7 +589,7 @@ nd6_na_input(struct mbuf *m, int off, in
 
 	taddr6 = nd_na->nd_na_target;
 	if (in6_setscope(, ifp, NULL))
-		return;		/* XXX: impossible */
+		goto bad;
 
 	if (IN6_IS_ADDR_MULTICAST()) {
 		nd6log((LOG_ERR,

CVS commit: [netbsd-6] src/sys/netinet6

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Fri Feb  2 11:07:12 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ip6_mroute.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1524):
sys/netinet6/ip6_mroute.c: revision 1.120
Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE,
not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain
on an mbuf that was already freed.


To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.103.2.1 src/sys/netinet6/ip6_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_mroute.c
diff -u src/sys/netinet6/ip6_mroute.c:1.103 src/sys/netinet6/ip6_mroute.c:1.103.2.1
--- src/sys/netinet6/ip6_mroute.c:1.103	Sat Dec 31 20:41:59 2011
+++ src/sys/netinet6/ip6_mroute.c	Fri Feb  2 11:07:12 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $	*/
+/*	$NetBSD: ip6_mroute.c,v 1.103.2.1 2018/02/02 11:07:12 martin Exp $	*/
 /*	$KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $	*/
 
 /*
@@ -117,7 +117,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103.2.1 2018/02/02 11:07:12 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_mrouting.h"
@@ -1864,7 +1864,7 @@ pim6_input(struct mbuf **mp, int *offp, 
 			(eip6->ip6_vfc & IPV6_VERSION));
 #endif
 			m_freem(m);
-			return (IPPROTO_NONE);
+			return (IPPROTO_DONE);
 		}
 
 		/* verify the inner packet is destined to a mcast group */

CVS commit: [netbsd-6] src/sys/netinet6

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Tue Jan 30 22:10:20 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidently not commited previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.8.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ah_input.c
diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.8.1
--- src/sys/netinet6/ah_input.c:1.59	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ah_input.c	Tue Jan 30 22:10:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i
 		 * next header field of the previous header.
 		 * This is necessary because AH will be stripped off below.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		ip6 = mtod(m, struct ip6_hdr *);

Index: src/sys/netinet6/esp_input.c
diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.8.1
--- src/sys/netinet6/esp_input.c:1.50	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/esp_input.c	Tue Jan 30 22:10:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $	*/
 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -834,7 +834,8 @@ noreplaycheck:
 		/*
 		 * Set the next header field of the previous header correctly.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		stripsiz = esplen + ivlen;

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.8.1
--- src/sys/netinet6/ipcomp_input.c:1.38	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ipcomp_input.c	Tue Jan 30 22:10:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off
 	m->m_flags |= M_DECRYPTED;
 
 	/* update next header field */
-	prvnxtp = ip6_get_prevhdr(m, off);
+	const int prvnxt = ip6_get_prevhdr(m, off);
+	prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 	*prvnxtp = nxt;
 
 	/*

CVS commit: [netbsd-6] src/sys/netinet6

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:44:22 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.3 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.2.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.3
--- src/sys/netinet6/frag6.c:1.52.2.2	Thu Oct 25 17:23:33 2012
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:44:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $	*/
+/*	$NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -461,6 +453,21 @@ insert:
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.136.2.1 src/sys/netinet6/ip6_input.c:1.136.2.2
--- src/sys/netinet6/ip6_input.c:1.136.2.1	Mon Jul  8 07:40:07 2013
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:44:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently processed.
- * XXX: This function supposes that

CVS commit: [netbsd-6] src/sys/netipsec

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Mon Jan 29 19:25:51 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1521):
sys/netipsec/xform_ah.c: revision 1.76
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2', this place will be reinforced in separate commits.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.2.1 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37 src/sys/netipsec/xform_ah.c:1.37.2.1
--- src/sys/netipsec/xform_ah.c:1.37	Thu Jan 26 21:10:24 2012
+++ src/sys/netipsec/xform_ah.c	Mon Jan 29 19:25:51 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -527,12 +527,12 @@ ah_massage_headers(struct mbuf **m0, int
 		return EINVAL;
 	}
 
-	ad = ptr[count + 1];
+	ad = ptr[count + 1] + 2;
 
 	/* If mutable option, zeroize. */
 	if (ptr[count] & IP6OPT_MUTABLE)
 		memcpy(ptr + count, ipseczeroes,
-		ptr[count + 1]);
+		ad);
 
 	count += ad;
 

CVS commit: [netbsd-6] src/sys/fs/msdosfs

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Tue Oct 17 15:43:09 UTC 2017

Modified Files:
src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c

Log Message:
Apply patch form mlelstv to fix the build after pullup #1506


To generate a diff of this commit:
cvs rdiff -u -r1.93.6.4 -r1.93.6.5 src/sys/fs/msdosfs/msdosfs_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/fs/msdosfs/msdosfs_vfsops.c
diff -u src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4 src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.5
--- src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4	Fri Oct 13 08:05:30 2017
+++ src/sys/fs/msdosfs/msdosfs_vfsops.c	Tue Oct 17 15:43:09 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $	*/
+/*	$NetBSD: msdosfs_vfsops.c,v 1.93.6.5 2017/10/17 15:43:09 martin Exp $	*/
 
 /*-
  * Copyright (C) 1994, 1995, 1997 Wolfgang Solfrank.
@@ -48,7 +48,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.5 2017/10/17 15:43:09 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -712,8 +712,8 @@ msdosfs_mountfs(struct vnode *devvp, str
 
 	/* validate cluster count against FAT */
 	if ((pmp->pm_maxcluster & pmp->pm_fatmask) != pmp->pm_maxcluster) {
-		DPRINTF("maxcluster %lu outside of mask %#lx\n",
-			pmp->pm_maxcluster, pmp->pm_fatmask);
+		DPRINTF(("maxcluster %lu outside of mask %#lx\n",
+			pmp->pm_maxcluster, pmp->pm_fatmask));
 		error = EINVAL;
 		goto error_exit;
 	}
@@ -723,8 +723,8 @@ msdosfs_mountfs(struct vnode *devvp, str
 	fatblocksecs = howmany(fatbytes, pmp->pm_BytesPerSec);
 
 	if (pmp->pm_FATsecs != fatblocksecs) {
-		DPRINTF("FATsecs %lu != real %lu\n", pmp->pm_FATsecs,
-			fatblocksecs);
+		DPRINTF(("FATsecs %lu != real %lu\n", pmp->pm_FATsecs,
+			fatblocksecs));
 		error = EINVAL;
 		goto error_exit;
 	}

CVS commit: [netbsd-6] src/sys/fs/msdosfs

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Oct 13 08:05:30 UTC 2017

Modified Files:
src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1506):
sys/fs/msdosfs/msdosfs_vfsops.c: revision 1.128
Add more sanity checks for BPB parameters. Handle FAT12 format for media
with sectors >= 32kByte.
Does fix PR 52485.


To generate a diff of this commit:
cvs rdiff -u -r1.93.6.3 -r1.93.6.4 src/sys/fs/msdosfs/msdosfs_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/fs/msdosfs/msdosfs_vfsops.c
diff -u src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.3 src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4
--- src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.3	Sun Nov  9 06:37:00 2014
+++ src/sys/fs/msdosfs/msdosfs_vfsops.c	Fri Oct 13 08:05:30 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: msdosfs_vfsops.c,v 1.93.6.3 2014/11/09 06:37:00 msaitoh Exp $	*/
+/*	$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $	*/
 
 /*-
  * Copyright (C) 1994, 1995, 1997 Wolfgang Solfrank.
@@ -48,7 +48,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.3 2014/11/09 06:37:00 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -479,6 +479,7 @@ msdosfs_mountfs(struct vnode *devvp, str
 	int	ronly, error, BlkPerSec;
 	uint64_t psize;
 	unsigned secsize;
+	u_long fatbytes, fatblocksecs;
 
 	/* Flush out any old buffers remaining from a previous use. */
 	if ((error = vinvalbuf(devvp, V_SAVE, l->l_cred, l, 0, 0)) != 0)
@@ -708,12 +709,40 @@ msdosfs_mountfs(struct vnode *devvp, str
 			pmp->pm_fatdiv = 1;
 		}
 	}
-	if (FAT12(pmp))
-		pmp->pm_fatblocksize = 3 * pmp->pm_BytesPerSec;
-	else
+
+	/* validate cluster count against FAT */
+	if ((pmp->pm_maxcluster & pmp->pm_fatmask) != pmp->pm_maxcluster) {
+		DPRINTF("maxcluster %lu outside of mask %#lx\n",
+			pmp->pm_maxcluster, pmp->pm_fatmask);
+		error = EINVAL;
+		goto error_exit;
+	}
+
+	/* validate FAT size */
+	fatbytes = (pmp->pm_maxcluster+1) * pmp->pm_fatmult / pmp->pm_fatdiv;
+	fatblocksecs = howmany(fatbytes, pmp->pm_BytesPerSec);
+
+	if (pmp->pm_FATsecs != fatblocksecs) {
+		DPRINTF("FATsecs %lu != real %lu\n", pmp->pm_FATsecs,
+			fatblocksecs);
+		error = EINVAL;
+		goto error_exit;
+	}
+
+	if (FAT12(pmp)) {
+		/*
+		 * limit block size to what is needed to read a FAT block
+		 * to not exceed MAXBSIZE
+		 */
+		pmp->pm_fatblocksec = min(3, fatblocksecs);
+		pmp->pm_fatblocksize = pmp->pm_fatblocksec
+			* pmp->pm_BytesPerSec;
+	} else {
 		pmp->pm_fatblocksize = MAXBSIZE;
+		pmp->pm_fatblocksec = pmp->pm_fatblocksize
+			/ pmp->pm_BytesPerSec;
+	}
 
-	pmp->pm_fatblocksec = pmp->pm_fatblocksize / pmp->pm_BytesPerSec;
 	pmp->pm_bnshift = ffs(pmp->pm_BytesPerSec) - 1;
 
 	/*

CVS commit: [netbsd-6] src/sys/arch/i386/i386

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Oct 13 08:03:04 UTC 2017

Modified Files:
src/sys/arch/i386/i386 [netbsd-6]: vector.S

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1505):
sys/arch/i386/i386/i386_trap.S: revision 1.12 via patch
Pfff, use %ss and not %ds. The latter is controlled by userland, the former
contains the kernel value (flat); FreeBSD fixed this too a few weeks ago.
As I said earlier, this dtrace code is complete bullshit.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/arch/i386/i386/vector.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/i386/vector.S
diff -u src/sys/arch/i386/i386/vector.S:1.59 src/sys/arch/i386/i386/vector.S:1.59.8.1
--- src/sys/arch/i386/i386/vector.S:1.59	Sun Jun 12 03:35:42 2011
+++ src/sys/arch/i386/i386/vector.S	Fri Oct 13 08:03:03 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $	*/
+/*	$NetBSD: vector.S,v 1.59.8.1 2017/10/13 08:03:03 snj Exp $	*/
 
 /*
  * Copyright 2002 (c) Wasabi Systems, Inc.
@@ -65,7 +65,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59.8.1 2017/10/13 08:03:03 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_multiprocessor.h"
@@ -773,7 +773,7 @@ IDTVEC(trap05)
 	SUPERALIGN_TEXT
 IDTVEC(trap06)
 	/* Check if there is no DTrace hook registered. */
-	cmpl	$0,dtrace_invop_jump_addr
+	cmpl	$0,%ss:dtrace_invop_jump_addr
 	je	norm_ill
 
 	/* Check if this is a user fault. */

CVS commit: [netbsd-6] src/sys/compat/linux32/arch/amd64

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Sep  9 16:53:36 UTC 2017

Modified Files:
src/sys/compat/linux32/arch/amd64 [netbsd-6]: linux32_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.10.1 \
src/sys/compat/linux32/arch/amd64/linux32_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c
diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29.10.1
--- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29	Fri Mar  4 22:25:31 2011
+++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c	Sat Sep  9 16:53:36 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */
+/*	$NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $");
 
 #include 
 #include 
@@ -428,8 +428,9 @@ linux32_restore_sigcontext(struct lwp *l
 	/*
 	 * Check for security violations.
 	 */
-	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
-	!USERMODE(scp->sc_cs, scp->sc_eflags))
+	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+		return EINVAL;
+	if (!VALID_USER_CSEL32(scp->sc_cs))
 		return EINVAL;
 
 	if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&

CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Mon Sep  4 16:05:13 UTC 2017

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6]: compat_13_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1501):
sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24
Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get
kernel privileges on the hardware.
ok martin


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.18.1 \
src/sys/arch/sparc64/sparc64/compat_13_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/compat_13_machdep.c
diff -u src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23.18.1
--- src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23	Sat Nov 21 04:16:52 2009
+++ src/sys/arch/sparc64/sparc64/compat_13_machdep.c	Mon Sep  4 16:05:13 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $	*/
+/*	$NetBSD: compat_13_machdep.c,v 1.23.18.1 2017/09/04 16:05:13 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23.18.1 2017/09/04 16:05:13 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -129,7 +129,7 @@ compat_13_sys_sigreturn(struct lwp *l, c
 		return (EINVAL);
 	/* take only psr ICC field */
 #ifdef __arch64__
-	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | scp->sc_tstate;
+	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | (scp->sc_tstate & TSTATE_CCR);
 #else
 	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | PSRCC_TO_TSTATE(scp->sc_psr);
 #endif

CVS commit: [netbsd-6] src/sys/arch

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Thu Aug 31 15:18:12 UTC 2017

Modified Files:
src/sys/arch/evbmips/conf [netbsd-6]: MALTA MALTA32 MALTA64
src/sys/arch/mips/mips [netbsd-6]: bds_emul.S

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1499):
sys/arch/evbmips/conf/MALTA64: revision 1.8
sys/arch/evbmips/conf/MALTA32: revision 1.4
sys/arch/mips/mips/bds_emul.S: revision 1.9
sys/arch/evbmips/conf/MALTA: revision 1.88
Re-enable the NOFPU and (renamed) FPEMUL options.  None of the Malta
CPU daughter cards currently supported by NetBSD have an FPU.
Detected on real hardware.  gxemul wrongly supports an FPU on the
4Kc and 5Kc CPUs.
Remove the NOFPU option.  The main MALTA config file has this now.
mips_emul_daddi and mips_emul_daddiu don't exist, but there are
bcemul_daddi and bcemul_daddiu here that should be used.  however,
bcemul_daddi needed to be changed to use dadd not daddui.
fixes FPEMUL and N64 kernels.  ok simonb.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.1 -r1.65.2.2 src/sys/arch/evbmips/conf/MALTA
cvs rdiff -u -r1.3 -r1.3.2.1 src/sys/arch/evbmips/conf/MALTA32
cvs rdiff -u -r1.5.2.1 -r1.5.2.2 src/sys/arch/evbmips/conf/MALTA64
cvs rdiff -u -r1.6 -r1.6.2.1 src/sys/arch/mips/mips/bds_emul.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/evbmips/conf/MALTA
diff -u src/sys/arch/evbmips/conf/MALTA:1.65.2.1 src/sys/arch/evbmips/conf/MALTA:1.65.2.2
--- src/sys/arch/evbmips/conf/MALTA:1.65.2.1	Mon Sep 17 18:40:12 2012
+++ src/sys/arch/evbmips/conf/MALTA	Thu Aug 31 15:18:12 2017
@@ -1,17 +1,18 @@
-#	$NetBSD: MALTA,v 1.65.2.1 2012/09/17 18:40:12 riz Exp $
+#	$NetBSD: MALTA,v 1.65.2.2 2017/08/31 15:18:12 martin Exp $
 
 include 	"arch/evbmips/conf/std.malta"
 
 #options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"MALTA-$Revision: 1.65.2.1 $"
+#ident 		"MALTA-$Revision: 1.65.2.2 $"
 
 maxusers	32
 
 options 	MIPS32
 options 	MIPS64
-#options 	NOFPU		# No FPU
-#options 	FPEMUL		# emulate FPU insn
+
+options 	NOFPU		# No FPU
+options 	FPEMUL		# emulate FPU insn
 
 # Options for necessary to use MD
 # options 	MEMORY_DISK_HOOKS

Index: src/sys/arch/evbmips/conf/MALTA32
diff -u src/sys/arch/evbmips/conf/MALTA32:1.3 src/sys/arch/evbmips/conf/MALTA32:1.3.2.1
--- src/sys/arch/evbmips/conf/MALTA32:1.3	Thu Feb  9 18:58:44 2012
+++ src/sys/arch/evbmips/conf/MALTA32	Thu Aug 31 15:18:12 2017
@@ -1,11 +1,10 @@
-# $NetBSD: MALTA32,v 1.3 2012/02/09 18:58:44 matt Exp $
+# $NetBSD: MALTA32,v 1.3.2.1 2017/08/31 15:18:12 martin Exp $
 #
 include "arch/evbmips/conf/MALTA"
 
 makeoptions	LP64="no"
 
 no options	MIPS32
-options 	NOFPU		# No FPU
 #options 	EXEC_ELF64
 
 no ath*

Index: src/sys/arch/evbmips/conf/MALTA64
diff -u src/sys/arch/evbmips/conf/MALTA64:1.5.2.1 src/sys/arch/evbmips/conf/MALTA64:1.5.2.2
--- src/sys/arch/evbmips/conf/MALTA64:1.5.2.1	Sat Oct 13 06:15:23 2012
+++ src/sys/arch/evbmips/conf/MALTA64	Thu Aug 31 15:18:12 2017
@@ -1,11 +1,10 @@
-# $NetBSD: MALTA64,v 1.5.2.1 2012/10/13 06:15:23 riz Exp $
+# $NetBSD: MALTA64,v 1.5.2.2 2017/08/31 15:18:12 martin Exp $
 #
 include "arch/evbmips/conf/MALTA"
 
 makeoptions	LP64="yes"
 
 no options 	MIPS32
-options 	NOFPU			# No FPU
 options 	EXEC_ELF64
 options 	COMPAT_NETBSD32
 no options 	SYMTAB_SPACE

Index: src/sys/arch/mips/mips/bds_emul.S
diff -u src/sys/arch/mips/mips/bds_emul.S:1.6 src/sys/arch/mips/mips/bds_emul.S:1.6.2.1
--- src/sys/arch/mips/mips/bds_emul.S:1.6	Sun Dec 25 11:51:15 2011
+++ src/sys/arch/mips/mips/bds_emul.S	Thu Aug 31 15:18:12 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bds_emul.S,v 1.6 2011/12/25 11:51:15 kiyohara Exp $	*/
+/*	$NetBSD: bds_emul.S,v 1.6.2.1 2017/08/31 15:18:12 martin Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -101,8 +101,8 @@ bcemul_optbl:
 	PTR_WORD bcemul_sigill			# 030 LDL (*)
 	PTR_WORD bcemul_sigill			# 031 LDR (*)
 #else
-	PTR_WORD _C_LABEL(mips_emul_daddi)	# 030 DADDI (*)
-	PTR_WORD _C_LABEL(mips_emul_daddiu)	# 031 DADDIU (*)
+	PTR_WORD bcemul_daddi			# 030 DADDI (*)
+	PTR_WORD bcemul_daddiu			# 031 DADDIU (*)
 	PTR_WORD _C_LABEL(mips_emul_ldl)	# 032 LDL (*)
 	PTR_WORD _C_LABEL(mips_emul_ldr)	# 033 LDR (*)
 #endif
@@ -191,7 +191,7 @@ bcemul_uimmed_prologue:
 #ifndef __mips_o32
 bcemul_daddi:
 	bal	bcemul_immed_prologue
-	daddiu	t0, v0, v1
+	dadd	t0, v0, v1
 	b	bcemul_check_add_overflow
 #endif
 

CVS commit: [netbsd-6] src/sys/arch/i386/conf

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 26 16:26:46 UTC 2017

Modified Files:
src/sys/arch/i386/conf [netbsd-6]: GENERIC

Log Message:
Apply patch (requested by maxv in ticket #1466):
Disable vm86 by default. The use case is limited, and the potential
for damage is too high.


To generate a diff of this commit:
cvs rdiff -u -r1.1066.2.7 -r1.1066.2.8 src/sys/arch/i386/conf/GENERIC

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/conf/GENERIC
diff -u src/sys/arch/i386/conf/GENERIC:1.1066.2.7 src/sys/arch/i386/conf/GENERIC:1.1066.2.8
--- src/sys/arch/i386/conf/GENERIC:1.1066.2.7	Wed Aug 15 15:33:00 2012
+++ src/sys/arch/i386/conf/GENERIC	Sat Aug 26 16:26:46 2017
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.1066.2.7 2012/08/15 15:33:00 sborrill Exp $
+# $NetBSD: GENERIC,v 1.1066.2.8 2017/08/26 16:26:46 snj Exp $
 #
 # GENERIC machine description file
 #
@@ -22,12 +22,12 @@ include 	"arch/i386/conf/std.i386"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.1066.2.7 $"
+#ident 		"GENERIC-$Revision: 1.1066.2.8 $"
 
 maxusers	64		# estimated number of users
 
 # CPU-related options.
-options 	VM86		# virtual 8086 emulation
+#options 	VM86		# virtual 8086 emulation
 options 	USER_LDT	# user-settable LDT; used by WINE
 #options 	PAE		# PAE mode (36 bits physical addressing)
 

CVS commit: [netbsd-6] src/sys/lib/libkern

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Wed Aug 23 19:38:02 UTC 2017

Modified Files:
src/sys/lib/libkern [netbsd-6]: Makefile.libkern

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/lib/libkern/Makefile.libkern: revision 1.19
Add strnlen.c to SRCS (which will automatically use the .S version if it
exists).


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.17.2.1 src/sys/lib/libkern/Makefile.libkern

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/lib/libkern/Makefile.libkern
diff -u src/sys/lib/libkern/Makefile.libkern:1.17 src/sys/lib/libkern/Makefile.libkern:1.17.2.1
--- src/sys/lib/libkern/Makefile.libkern:1.17	Sun Feb  5 14:19:03 2012
+++ src/sys/lib/libkern/Makefile.libkern	Wed Aug 23 19:38:02 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.libkern,v 1.17 2012/02/05 14:19:03 dholland Exp $
+#	$NetBSD: Makefile.libkern,v 1.17.2.1 2017/08/23 19:38:02 snj Exp $
 
 # 
 # Variable definitions for libkern.  
@@ -84,7 +84,7 @@ SRCS+=	random.c
 SRCS+=	rngtest.c
 
 SRCS+=	memchr.c
-SRCS+=	strcat.c strcmp.c strcpy.c strlen.c
+SRCS+=	strcat.c strcmp.c strcpy.c strlen.c strnlen.c
 SRCS+=	strncmp.c strncpy.c
 SRCS+=	strcasecmp.c strncasecmp.c
 

CVS commit: [netbsd-6] src/sys/altq

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:37:06 UTC 2017

Modified Files:
src/sys/altq [netbsd-6]: altq_cbq.c altq_hfsc.c altq_jobs.c altq_priq.c
altq_wfq.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1488):
sys/altq/altq_cbq.c: revision 1.31
sys/altq/altq_hfsc.c: revision 1.27
sys/altq/altq_jobs.c: revision 1.11
sys/altq/altq_priq.c: revision 1.24
sys/altq/altq_wfq.c: revision 1.22
Zero buffers copied to userland to avoid stack disclosure.
>From Ilja Van Sprundel.
--
Reject negative indices.
(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought.  Also one of
them is a u_long, because why not?)
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.18.1 src/sys/altq/altq_cbq.c
cvs rdiff -u -r1.24 -r1.24.36.1 src/sys/altq/altq_hfsc.c
cvs rdiff -u -r1.6.14.1 -r1.6.14.2 src/sys/altq/altq_jobs.c
cvs rdiff -u -r1.21 -r1.21.18.1 src/sys/altq/altq_priq.c
cvs rdiff -u -r1.19 -r1.19.34.1 src/sys/altq/altq_wfq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/altq/altq_cbq.c
diff -u src/sys/altq/altq_cbq.c:1.26 src/sys/altq/altq_cbq.c:1.26.18.1
--- src/sys/altq/altq_cbq.c:1.26	Sun Nov 22 18:40:26 2009
+++ src/sys/altq/altq_cbq.c	Sat Aug 19 05:37:06 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $	*/
+/*	$NetBSD: altq_cbq.c,v 1.26.18.1 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26.18.1 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -472,6 +472,7 @@ cbq_getqstats(struct pf_altq *a, void *u
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)
@@ -876,6 +877,7 @@ cbq_getstats(struct cbq_getstats *gsp)
 			if (++i >= CBQ_MAX_CLASSES)
 goto out;
 
+		memset(, 0, sizeof(stats));
 		get_class_stats(, cl);
 		stats.handle = cl->stats_.handle;
 

Index: src/sys/altq/altq_hfsc.c
diff -u src/sys/altq/altq_hfsc.c:1.24 src/sys/altq/altq_hfsc.c:1.24.36.1
--- src/sys/altq/altq_hfsc.c:1.24	Wed Jun 18 09:06:27 2008
+++ src/sys/altq/altq_hfsc.c	Sat Aug 19 05:37:06 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $	*/
+/*	$NetBSD: altq_hfsc.c,v 1.24.36.1 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24.36.1 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -313,6 +313,7 @@ hfsc_getqstats(struct pf_altq *a, void *
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)

Index: src/sys/altq/altq_jobs.c
diff -u src/sys/altq/altq_jobs.c:1.6.14.1 src/sys/altq/altq_jobs.c:1.6.14.2
--- src/sys/altq/altq_jobs.c:1.6.14.1	Mon Nov  3 15:08:44 2014
+++ src/sys/altq/altq_jobs.c	Sat Aug 19 05:37:06 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_jobs.c,v 1.6.14.1 2014/11/03 15:08:44 msaitoh Exp $	*/
+/*	$NetBSD: altq_jobs.c,v 1.6.14.2 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (c) 2001, the Rector and Board of Visitors of the
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.14.1 2014/11/03 15:08:44 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.14.2 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -2111,10 +2111,9 @@ jobscmd_class_stats(struct jobs_class_st
 	usp = ap->stats;
 	for (pri = 0; pri <= jif->jif_maxpri; pri++) {
 		cl = jif->jif_classes[pri];
+		(void)memset(, 0, sizeof(stats));
 		if (cl != NULL)
 			get_class_stats(, cl);
-		else
-			(void)memset(, 0, sizeof(stats));
 		if ((error = copyout((void *), (void *)usp++,
  sizeof(stats))) != 0)
 			return (error);

Index: src/sys/altq/altq_priq.c
diff -u src/sys/altq/altq_priq.c:1.21 src/sys/altq/altq_priq.c:1.21.18.1
--- src/sys/altq/altq_priq.c:1.21	Sat Mar 14 15:35:58 2009
+++ src/sys/altq/altq_priq.c	Sat Aug 19 05:37:06 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_priq.c,v 1.21 2009/03/14 15:35:58 dsl Exp $	*/
+/*	$NetBSD: altq_priq.c,v 1.21.18.1 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (C) 2000-2003
@@ 

CVS commit: [netbsd-6] src/sys/compat/linux/common

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:04:00 UTC 2017

Modified Files:
src/sys/compat/linux/common [netbsd-6]: linux_time.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1489):
sys/compat/linux/common/linux_time.c: 1.38-1.39 via patch
Only let the superuser set the compat_linux timezone.
Not really keen to invent a new kauth cookie for this useless purpose.
>From Ilja Van Sprundel.
--
Put suser check in the right function: settimeofday, not gettimeofday.
While here, remove wrong comment.
Noted by kre@.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.6.1 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.35 src/sys/compat/linux/common/linux_time.c:1.35.6.1
--- src/sys/compat/linux/common/linux_time.c:1.35	Fri Nov 18 04:07:44 2011
+++ src/sys/compat/linux/common/linux_time.c	Sat Aug 19 05:03:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $ */
+/*	$NetBSD: linux_time.c,v 1.35.6.1 2017/08/19 05:03:59 snj Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35.6.1 2017/08/19 05:03:59 snj Exp $");
 
 #include 
 #include 
@@ -109,11 +109,10 @@ linux_sys_settimeofday(struct lwp *l, co
 			return (error);
 	}
 
-	/*
-	 * If user is not the superuser, we returned
-	 * after the sys_settimeofday() call.
-	 */
 	if (SCARG(uap, tzp)) {
+		if (kauth_authorize_generic(kauth_cred_get(),
+			KAUTH_GENERIC_ISSUSER, NULL) != 0)
+			return (EPERM);
 		error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz));
 		if (error)
 			return (error);

CVS commit: [netbsd-6] src/sys/netsmb

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:44:56 UTC 2017

Modified Files:
src/sys/netsmb [netbsd-6]: smb_dev.c smb_subr.c smb_subr.h smb_usr.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1487):
sys/netsmb/smb_dev.c: 1.50
sys/netsmb/smb_subr.c: 1.38
sys/netsmb/smb_subr.h: 1.22
sys/netsmb/smb_usr.c: 1.17-1.19
Reject allocations for too-small buffers from userland.
>From Ilja Van Sprundel.
--
Plug another overflow: refuse bogus sa_len from user.
--
Reject negative ioc_setupcnt.
--
Reject negative offset/count for smb read/write.
Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault.  But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.14.1 src/sys/netsmb/smb_dev.c
cvs rdiff -u -r1.36 -r1.36.8.1 src/sys/netsmb/smb_subr.c
cvs rdiff -u -r1.20 -r1.20.14.1 src/sys/netsmb/smb_subr.h
cvs rdiff -u -r1.16 -r1.16.18.1 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_dev.c
diff -u src/sys/netsmb/smb_dev.c:1.39 src/sys/netsmb/smb_dev.c:1.39.14.1
--- src/sys/netsmb/smb_dev.c:1.39	Fri Dec 17 14:27:34 2010
+++ src/sys/netsmb/smb_dev.c	Sat Aug 19 04:44:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $	*/
+/*	$NetBSD: smb_dev.c,v 1.39.14.1 2017/08/19 04:44:55 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39.14.1 2017/08/19 04:44:55 snj Exp $");
 
 #include 
 #include 
@@ -334,6 +334,8 @@ nsmb_dev_ioctl(dev_t dev, u_long cmd, vo
 		struct uio auio;
 		struct iovec iov;
 
+		if (rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0)
+			return EINVAL;
 		if ((ssp = sdp->sd_share) == NULL)
 			return ENOTCONN;
 		iov.iov_base = rwrq->ioc_base;

Index: src/sys/netsmb/smb_subr.c
diff -u src/sys/netsmb/smb_subr.c:1.36 src/sys/netsmb/smb_subr.c:1.36.8.1
--- src/sys/netsmb/smb_subr.c:1.36	Sun Sep 25 13:42:30 2011
+++ src/sys/netsmb/smb_subr.c	Sat Aug 19 04:44:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $	*/
+/*	$NetBSD: smb_subr.c,v 1.36.8.1 2017/08/19 04:44:55 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36.8.1 2017/08/19 04:44:55 snj Exp $");
 
 #include 
 #include 
@@ -371,3 +371,32 @@ dup_sockaddr(struct sockaddr *sa, int ca
 		memcpy(sa2, sa, sa->sa_len);
 	return sa2;
 }
+
+int
+dup_sockaddr_copyin(struct sockaddr **ksap, struct sockaddr *usa,
+size_t usalen)
+{
+	struct sockaddr *ksa;
+
+	/* Make sure user provided enough data for a generic sockaddr.  */
+	if (usalen < sizeof(*ksa))
+		return EINVAL;
+
+	/* Don't let the user overfeed us.  */
+	usalen = MIN(usalen, sizeof(struct sockaddr_storage));
+
+	/* Copy the buffer in from userland.  */
+	ksa = smb_memdupin(usa, usalen);
+	if (ksa == NULL)
+		return ENOMEM;
+
+	/* Make sure the user's idea of sa_len is reasonable.  */
+	if (ksa->sa_len > usalen) {
+		smb_memfree(ksa);
+		return EINVAL;
+	}
+
+	/* Success!  */
+	*ksap = ksa;
+	return 0;
+}

Index: src/sys/netsmb/smb_subr.h
diff -u src/sys/netsmb/smb_subr.h:1.20 src/sys/netsmb/smb_subr.h:1.20.14.1
--- src/sys/netsmb/smb_subr.h:1.20	Fri Dec 17 13:05:29 2010
+++ src/sys/netsmb/smb_subr.h	Sat Aug 19 04:44:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.h,v 1.20 2010/12/17 13:05:29 pooka Exp $	*/
+/*	$NetBSD: smb_subr.h,v 1.20.14.1 2017/08/19 04:44:55 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001, Boris Popov
@@ -127,5 +127,6 @@ int  smb_put_asunistring(struct smb_rq *
 #endif
 
 struct sockaddr *dup_sockaddr(struct sockaddr *, int);
+int dup_sockaddr_copyin(struct sockaddr **, struct sockaddr *, size_t);
 
 #endif /* !_NETSMB_SMB_SUBR_H_ */

Index: src/sys/netsmb/smb_usr.c
diff -u src/sys/netsmb/smb_usr.c:1.16 src/sys/netsmb/smb_usr.c:1.16.18.1
--- src/sys/netsmb/smb_usr.c:1.16	Wed Mar 18 16:00:24 2009
+++ src/sys/netsmb/smb_usr.c	Sat Aug 19 04:44:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $	*/
+/*	$NetBSD: smb_usr.c,v 1.16.18.1 2017/08/19 04:44:55 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16.18.1 2017/08/19 04:44:55 snj Exp $");
 
 #include 
 #include 
@@ -65,6 +65,7 @@ static int
 smb_usr_vc2spec(struct smbioc_ossn *dp, struct smb_vcspec *spec)
 {
 	int 

CVS commit: [netbsd-6] src/sys/dev/ic

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:29:14 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: ciss.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1486):
sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.27.8.1 -r1.27.8.2 src/sys/dev/ic/ciss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.27.8.1 src/sys/dev/ic/ciss.c:1.27.8.2
--- src/sys/dev/ic/ciss.c:1.27.8.1	Thu Nov 22 17:24:52 2012
+++ src/sys/dev/ic/ciss.c	Sat Aug 19 04:29:14 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $	*/
+/*	$NetBSD: ciss.c,v 1.27.8.2 2017/08/19 04:29:14 snj Exp $	*/
 /*	$OpenBSD: ciss.c,v 1.14 2006/03/13 16:02:23 mickey Exp $	*/
 
 /*
@@ -19,7 +19,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.2 2017/08/19 04:29:14 snj Exp $");
 
 #include "bio.h"
 
@@ -1198,12 +1198,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi
 		/* FALLTHROUGH */
 	case BIOCDISK:
 		bd = (struct bioc_disk *)addr;
-		if (bd->bd_volid > sc->maxunits) {
+		if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
 			error = EINVAL;
 			break;
 		}
 		ldp = sc->sc_lds[0];
-		if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+		if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
 			error = EINVAL;
 			break;
 		}
@@ -1304,7 +1304,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st
 	int error = 0;
 	u_int blks;
 
-	if (bv->bv_volid > sc->maxunits) {
+	if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
 		return EINVAL;
 	}
 	ldp = sc->sc_lds[bv->bv_volid];

CVS commit: [netbsd-6] src/sys/dev/ic

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:27:39 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: isp_netbsd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1485):
sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.85.2.1 -r1.85.2.2 src/sys/dev/ic/isp_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/isp_netbsd.c
diff -u src/sys/dev/ic/isp_netbsd.c:1.85.2.1 src/sys/dev/ic/isp_netbsd.c:1.85.2.2
--- src/sys/dev/ic/isp_netbsd.c:1.85.2.1	Mon Sep  3 18:38:34 2012
+++ src/sys/dev/ic/isp_netbsd.c	Sat Aug 19 04:27:38 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.85.2.2 2017/08/19 04:27:38 snj Exp $ */
 /*
  * Platform (NetBSD) dependent common attachment code for Qlogic adapters.
  */
@@ -33,7 +33,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.2 2017/08/19 04:27:38 snj Exp $");
 
 #include 
 #include 
@@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_
 		}
 		lim = local.count;
 		channel = local.channel;
+		if (channel >= isp->isp_nchan) {
+			retval = EINVAL;
+			break;
+		}
 
 		ua = *(isp_dlist_t **)addr;
 		uptr = >wwns[0];

CVS commit: [netbsd-6] src/sys/kern

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:24:24 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: kern_ktrace.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1484):
sys/kern/kern_ktrace.c: revision 1.171 via patch
Clamp the length we use, not the length we don't.
Avoids uninitialized memory disclosure to userland.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.160.2.1 -r1.160.2.2 src/sys/kern/kern_ktrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_ktrace.c
diff -u src/sys/kern/kern_ktrace.c:1.160.2.1 src/sys/kern/kern_ktrace.c:1.160.2.2
--- src/sys/kern/kern_ktrace.c:1.160.2.1	Sun Dec  7 15:09:31 2014
+++ src/sys/kern/kern_ktrace.c	Sat Aug 19 04:24:23 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_ktrace.c,v 1.160.2.1 2014/12/07 15:09:31 martin Exp $	*/
+/*	$NetBSD: kern_ktrace.c,v 1.160.2.2 2017/08/19 04:24:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.2.1 2014/12/07 15:09:31 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.2.2 2017/08/19 04:24:23 snj Exp $");
 
 #include 
 #include 
@@ -952,7 +952,7 @@ ktruser(const char *id, void *addr, size
 
 	user_dta = (void *)(ktp + 1);
 	if ((error = copyin(addr, (void *)user_dta, len)) != 0)
-		len = 0;
+		kte->kte_kth.ktr_len = 0;
 
 	ktraddentry(l, kte, KTA_WAITOK);
 	return error;

CVS commit: [netbsd-6] src/sys/compat

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:20:02 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2 [netbsd-6]: ibcs2_misc.c
src/sys/compat/linux/common [netbsd-6]: linux_file64.c linux_misc.c
src/sys/compat/linux32/common [netbsd-6]: linux32_dirent.c
src/sys/compat/osf1 [netbsd-6]: osf1_file.c
src/sys/compat/sunos [netbsd-6]: sunos_misc.c
src/sys/compat/sunos32 [netbsd-6]: sunos32_misc.c
src/sys/compat/svr4 [netbsd-6]: svr4_misc.c
src/sys/compat/svr4_32 [netbsd-6]: svr4_32_misc.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1483):
sys/compat/common/vfs_syscalls_12.c: revision 1.34
sys/compat/svr4_32/svr4_32_misc.c: revision 1.78
sys/compat/sunos32/sunos32_misc.c: revision 1.78
sys/compat/linux/common/linux_misc.c: revision 1.239
sys/compat/osf1/osf1_file.c: revision 1.44
sys/compat/common/vfs_syscalls_43.c: revision 1.60
sys/compat/svr4/svr4_misc.c: revision 1.158
sys/compat/ibcs2/ibcs2_misc.c: revision 1.114
sys/compat/linux/common/linux_file64.c: revision 1.59
sys/compat/linux32/common/linux32_dirent.c: revision 1.18
sys/compat/sunos/sunos_misc.c: revision 1.171
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.29.12.1 -r1.29.12.2 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.14.3 -r1.54.14.4 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.111 -r1.111.14.1 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.53 -r1.53.8.1 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.219.8.1 -r1.219.8.2 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.13 -r1.13.8.1 src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.41.8.1 -r1.41.8.2 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.168 -r1.168.14.1 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.74 -r1.74.2.1 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.74 -r1.74.8.1 src/sys/compat/svr4_32/svr4_32_misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29.12.1 src/sys/compat/common/vfs_syscalls_12.c:1.29.12.2
--- src/sys/compat/common/vfs_syscalls_12.c:1.29.12.1	Sat Aug 12 16:23:28 2017
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 19 04:20:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.29.12.2 2017/08/19 04:20:01 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.12.2 2017/08/19 04:20:01 snj Exp $");
 
 #include 
 #include 
@@ -171,8 +171,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.14.3 src/sys/compat/common/vfs_syscalls_43.c:1.54.14.4
--- src/sys/compat/common/vfs_syscalls_43.c:1.54.14.3	Sat Aug 12 16:23:28 2017
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 19 04:20:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.3 2017/08/12 16:23:28 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.4 2017/08/19 04:20:01 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.3 2017/08/12 16:23:28 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.4 2017/08/19 04:20:01 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -450,8 +450,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)

Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.111 src/sys/compat/ibcs2/ibcs2_misc.c:1.111.14.1
--- src/sys/compat/ibcs2/ibcs2_misc.c:1.111	Thu Jun 24 13:03:06 2010
+++ src/sys/compat/ibcs2/ibcs2_misc.c	Sat Aug 19 04:20:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_misc.c,v 1.111 2010/06/24 13:03:06 hannken Exp $	*/
+/*	

CVS commit: [netbsd-6] src/sys/kern

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:17:11 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: vfs_getcwd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/kern/vfs_getcwd.c: revision 1.52
Don't walk off the end of the dirent buffer.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.14.1 src/sys/kern/vfs_getcwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_getcwd.c
diff -u src/sys/kern/vfs_getcwd.c:1.47 src/sys/kern/vfs_getcwd.c:1.47.14.1
--- src/sys/kern/vfs_getcwd.c:1.47	Tue Nov 30 10:30:02 2010
+++ src/sys/kern/vfs_getcwd.c	Sat Aug 19 04:17:11 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.47.14.1 2017/08/19 04:17:11 snj Exp $ */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47.14.1 2017/08/19 04:17:11 snj Exp $");
 
 #include 
 #include 
@@ -207,7 +207,8 @@ unionread:
 reclen = dp->d_reclen;
 
 /* check for malformed directory.. */
-if (reclen < _DIRENT_MINSIZE(dp)) {
+if (reclen < _DIRENT_MINSIZE(dp) ||
+reclen > len) {
 	error = EINVAL;
 	goto out;
 }

CVS commit: [netbsd-6] src/sys/compat/ibcs2

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:13:52 UTC 2017

Modified Files:
src/sys/compat/ibcs2 [netbsd-6]: ibcs2_exec_coff.c ibcs2_ioctl.c
ibcs2_stat.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/compat/ibcs2/ibcs2_exec_coff.c: 1.27-1.29
sys/compat/ibcs2/ibcs2_ioctl.c: 1.46
sys/compat/ibcs2/ibcs2_stat.c: 1.49-1.50
Check for NUL termination within the buffer we have.
>From Ilja Van Sprundel.
--
Make sure we have enough space in the buffer before reading it.
>From Ilja Van Sprundel.
--
Make sure we move forward over the buffer.
>From Ilja Van Sprundel.
--
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
>From Ilja Van Sprundel.
--
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.
Nothing else guarantees the mount will stick around.
>From Ilja Van Sprundel.
--
Little happy on the commit trigger.  Actually use the out label.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.14.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c
cvs rdiff -u -r1.45 -r1.45.36.1 src/sys/compat/ibcs2/ibcs2_ioctl.c
cvs rdiff -u -r1.47 -r1.47.18.1 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25.14.1
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25	Thu Jul 22 03:19:02 2010
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Sat Aug 19 04:13:51 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.25.14.1 2017/08/19 04:13:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25.14.1 2017/08/19 04:13:51 snj Exp $");
 
 #include 
 #include 
@@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 		}
 		bufp = tbuf;
 		while (len) {
+			if (len < sizeof(struct coff_slhdr)) {
+free(tbuf, M_TEMP);
+return ENOEXEC;
+			}
 			slhdr = (struct coff_slhdr *)bufp;
 
 			if (slhdr->path_index > LONG_MAX / sizeof(long) ||
@@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 			path_index = slhdr->path_index * sizeof(long);
 			entry_len = slhdr->entry_len * sizeof(long);
 
-			if (entry_len > len) {
+			if (entry_len < sizeof(struct coff_slhdr) ||
+			entry_len > len ||
+			strnlen(slhdr->sl_name, entry_len) == entry_len) {
 free(tbuf, M_TEMP);
 return ENOEXEC;
 			}

Index: src/sys/compat/ibcs2/ibcs2_ioctl.c
diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.36.1
--- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45	Tue Jun 24 10:03:17 2008
+++ src/sys/compat/ibcs2/ibcs2_ioctl.c	Sat Aug 19 04:13:51 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $	*/
+/*	$NetBSD: ibcs2_ioctl.c,v 1.45.36.1 2017/08/19 04:13:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Scott Bartram
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.36.1 2017/08/19 04:13:51 snj Exp $");
 
 #include 
 #include 
@@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str
 		if ((error = (*ctl)(fp, TIOCGETA, )) != 0)
 			goto out;
 
+		memset(, 0, sizeof(sts));
 		btios2stios(, );
 		if (SCARG(uap, cmd) == IBCS2_TCGETA) {
+			memset(, 0, sizeof(st));
 			stios2stio(, );
 			error = copyout(, SCARG(uap, data), sizeof(st));
 			if (error)
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru
 
 	fd_putfile(SCARG(uap, fd));
 
+	memset(, 0, sizeof(itb));
 	itb.sg_ispeed = tb.sg_ispeed;
 	itb.sg_ospeed = tb.sg_ospeed;
 	itb.sg_erase = tb.sg_erase;

Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.18.1
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.47	Mon Jun 29 05:08:16 2009
+++ src/sys/compat/ibcs2/ibcs2_stat.c	Sat Aug 19 04:13:51 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.47.18.1 2017/08/19 04:13:51 snj Exp $	*/
 /*
  * Copyright (c) 1995, 1998 Scott Bartram
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.18.1 2017/08/19 04:13:51 snj Exp $");
 
 #include 
 #include 
@@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st
 		return (error);
 	mp = vp->v_mount;
 	sp = >mnt_stat;
-	vrele(vp);
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
-		return (error);
+		goto out;
 	sp->f_flag = 

CVS commit: [netbsd-6] src/sys/compat/svr4_32

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:02:49 UTC 2017

Modified Files:
src/sys/compat/svr4_32 [netbsd-6]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1481):
sys/compat/svr4_32/svr4_32_signal.c: 1.30
make it compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.26.40.1 -r1.26.40.2 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4_32/svr4_32_signal.c
diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.40.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.40.2
--- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.40.1	Sat Aug 19 03:40:50 2017
+++ src/sys/compat/svr4_32/svr4_32_signal.c	Sat Aug 19 04:02:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_32_signal.c,v 1.26.40.1 2017/08/19 03:40:50 snj Exp $	 */
+/*	$NetBSD: svr4_32_signal.c,v 1.26.40.2 2017/08/19 04:02:49 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.40.1 2017/08/19 03:40:50 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.40.2 2017/08/19 04:02:49 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_svr4.h"
@@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = (sig_t)SCARG(uap, handler);
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		error = sigaction1(l, signum, , , NULL, 0);
+		error = sigaction1(l, native_signo, , , NULL, 0);
 		if (error)
-			return (error);
+			return error;
 		*retval = (u_int)(u_long)obsa.sa_handler;
-		return (0);
+		return 0;
 
 	case SVR4_SIGHOLD_MASK:
 	sighold:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_BLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const 
 
 	case SVR4_SIGRELSE_MASK:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_UNBLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = SIG_IGN;
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		return (sigaction1(l, signum, , 0, NULL, 0));
+		return sigaction1(l, native_signo, , 0, NULL, 0);
 
 	case SVR4_SIGPAUSE_MASK:
 		mutex_enter(p->p_lock);
 		ss = l->l_sigmask;
 		mutex_exit(p->p_lock);
-		sigdelset(, signum);
-		return (sigsuspend1(l, ));
+		sigdelset(, native_signo);
+		return sigsuspend1(l, );
 
 	default:
-		return (ENOSYS);
+		return ENOSYS;
 	}
 }
 

CVS commit: [netbsd-6] src/sys/dev

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:50:01 UTC 2017

Modified Files:
src/sys/dev [netbsd-6]: vnd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1480):
sys/dev/vnd.c: 1.260, 1.262 via patch
Put in a litany of judicious bounds checks around vnd headers.
Thought I was done with this crap after I rewrote vndcompress(1)!
>From Ilja Van Sprundel.
--
Appease toxic bullshit warning from gcc.
If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.


To generate a diff of this commit:
cvs rdiff -u -r1.219.8.3 -r1.219.8.4 src/sys/dev/vnd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/vnd.c
diff -u src/sys/dev/vnd.c:1.219.8.3 src/sys/dev/vnd.c:1.219.8.4
--- src/sys/dev/vnd.c:1.219.8.3	Wed Feb  4 04:18:23 2015
+++ src/sys/dev/vnd.c	Sat Aug 19 03:50:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vnd.c,v 1.219.8.3 2015/02/04 04:18:23 snj Exp $	*/
+/*	$NetBSD: vnd.c,v 1.219.8.4 2017/08/19 03:50:00 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.219.8.3 2015/02/04 04:18:23 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.219.8.4 2017/08/19 03:50:00 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_vnd.h"
@@ -1167,6 +1167,13 @@ vndioctl(dev_t dev, u_long cmd, void *da
 VOP_UNLOCK(nd.ni_vp);
 goto close_and_exit;
 			}
+
+			if (ntohl(ch->block_size) == 0 ||
+			ntohl(ch->num_blocks) > UINT32_MAX - 1) {
+free(ch, M_TEMP);
+VOP_UNLOCK(nd.ni_vp);
+goto close_and_exit;
+			}
  
 			/* save some header info */
 			vnd->sc_comp_blksz = ntohl(ch->block_size);
@@ -1179,20 +1186,40 @@ vndioctl(dev_t dev, u_long cmd, void *da
 error = EINVAL;
 goto close_and_exit;
 			}
-			if (sizeof(struct vnd_comp_header) +
-			  sizeof(u_int64_t) * vnd->sc_comp_numoffs >
-			  vattr.va_size) {
+			KASSERT(0 < vnd->sc_comp_blksz);
+			KASSERT(0 < vnd->sc_comp_numoffs);
+			/*
+			 * @#^@!$& gcc -Wtype-limits refuses to let me
+			 * write SIZE_MAX/sizeof(uint64_t) < numoffs,
+			 * because the range of the type on amd64 makes
+			 * the comparisons always false.
+			 */
+#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)
+			if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) {
+VOP_UNLOCK(nd.ni_vp);
+error = EINVAL;
+goto close_and_exit;
+			}
+#endif
+			if ((vattr.va_size < sizeof(struct vnd_comp_header)) ||
+			(vattr.va_size - sizeof(struct vnd_comp_header) <
+sizeof(uint64_t)*vnd->sc_comp_numoffs) ||
+			(UQUAD_MAX/vnd->sc_comp_blksz <
+vnd->sc_comp_numoffs - 1)) {
 VOP_UNLOCK(nd.ni_vp);
 error = EINVAL;
 goto close_and_exit;
 			}
  
 			/* set decompressed file size */
+			KASSERT(vnd->sc_comp_numoffs - 1 <=
+			UQUAD_MAX/vnd->sc_comp_blksz);
 			vattr.va_size =
 			((u_quad_t)vnd->sc_comp_numoffs - 1) *
 			 (u_quad_t)vnd->sc_comp_blksz;
  
 			/* allocate space for all the compressed offsets */
+			__CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t));
 			vnd->sc_comp_offsets =
 			malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs,
 			M_DEVBUF, M_WAITOK);

CVS commit: [netbsd-6] src/sys/compat

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:40:50 UTC 2017

Modified Files:
src/sys/compat/svr4 [netbsd-6]: svr4_lwp.c svr4_signal.c svr4_stream.c
src/sys/compat/svr4_32 [netbsd-6]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1479):
sys/compat/svr4/svr4_lwp.c: 1.20
sys/compat/svr4/svr4_signal.c: 1.67
sys/compat/svr4/svr4_stream.c: 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
>From Ilja Van Sprundel.
--
Zero stack data before copyout.
>From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
>From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
>From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.18.1 src/sys/compat/svr4/svr4_lwp.c
cvs rdiff -u -r1.65 -r1.65.10.1 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.79 -r1.79.8.1 src/sys/compat/svr4/svr4_stream.c
cvs rdiff -u -r1.26 -r1.26.40.1 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_lwp.c
diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.18.1
--- src/sys/compat/svr4/svr4_lwp.c:1.19	Mon Nov 23 00:46:07 2009
+++ src/sys/compat/svr4/svr4_lwp.c	Sat Aug 19 03:40:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $	*/
+/*	$NetBSD: svr4_lwp.c,v 1.19.18.1 2017/08/19 03:40:49 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.18.1 2017/08/19 03:40:49 snj Exp $");
 
 #include 
 #include 
@@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const 
 	struct svr4_lwpinfo lwpinfo;
 	int error;
 
+	memset(, 0, sizeof(lwpinfo));
+
 	/* XXX NJWLWP */
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime);
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime);

Index: src/sys/compat/svr4/svr4_signal.c
diff -u src/sys/compat/svr4/svr4_signal.c:1.65 src/sys/compat/svr4/svr4_signal.c:1.65.10.1
--- src/sys/compat/svr4/svr4_signal.c:1.65	Thu Feb  3 21:45:31 2011
+++ src/sys/compat/svr4/svr4_signal.c	Sat Aug 19 03:40:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $	 */
+/*	$NetBSD: svr4_signal.c,v 1.65.10.1 2017/08/19 03:40:49 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.10.1 2017/08/19 03:40:49 snj Exp $");
 
 #include 
 #include 
@@ -73,6 +73,21 @@ void native_to_svr4_sigaction(const stru
 extern const int native_to_svr4_signo[];
 extern const int svr4_to_native_signo[];
 
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+	if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+		return EINVAL;
+
+	if (native_signo)
+		*native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+	if (sigcall)
+		*sigcall = SVR4_SIGCALL(signum);
+
+	return 0;
+}
+
 static inline void
 svr4_sigfillset(svr4_sigset_t *s)
 {
@@ -174,6 +189,7 @@ svr4_sys_sigaction(struct lwp *l, const 
 	} */
 	struct svr4_sigaction nssa, ossa;
 	struct sigaction nbsa, obsa;
+	int native_signo;
 	int error;
 
 	if (SCARG(uap, nsa)) {
@@ -182,7 +198,12 @@ svr4_sys_sigaction(struct lwp *l, const 
 			return (error);
 		svr4_to_native_sigaction(, );
 	}
-	error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+	error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+	if (error)
+		return error;
+
+	error = sigaction1(l, native_signo,
 	SCARG(uap, nsa) ?  : 0, SCARG(uap, osa) ?  : 0,
 	NULL, 0);
 	if (error)
@@ -217,16 +238,18 @@ svr4_sys_signal(struct lwp *l, const str
 		syscallarg(int) signum;
 		syscallarg(svr4_sig_t) handler;
 	} */
-	int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+	int native_signo, sigcall;
 	struct proc *p = l->l_proc;
 	struct sigaction nbsa, obsa;
 	sigset_t ss;
 	int error;
 
-	if (signum <= 0 || signum >= SVR4_NSIG)
-		return (EINVAL);
+	error = svr4_decode_signum(SCARG(uap, signum), _signo,
+	);
+	if (error)
+		return error;
 
-	switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+	switch (sigcall) {
 	case SVR4_SIGDEFER_MASK:
 		if (SCARG(uap, handler) == SVR4_SIG_HOLD)
 			goto sighold;
@@ -236,7 +259,7 @@ svr4_sys_signal(struct lwp *l, const str
 		nbsa.sa_handler = 

CVS commit: [netbsd-6] src/sys/dev/ic

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:15:57 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: bwi.c

Log Message:
`cat ~/releng/r-commit`


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.8.1 src/sys/dev/ic/bwi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/bwi.c
diff -u src/sys/dev/ic/bwi.c:1.18 src/sys/dev/ic/bwi.c:1.18.8.1
--- src/sys/dev/ic/bwi.c:1.18	Mon Oct 10 11:15:24 2011
+++ src/sys/dev/ic/bwi.c	Sat Aug 19 03:15:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $	*/
+/*	$NetBSD: bwi.c,v 1.18.8.1 2017/08/19 03:15:56 snj Exp $	*/
 /*	$OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $	*/
 
 /*
@@ -48,7 +48,7 @@
 
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18.8.1 2017/08/19 03:15:56 snj Exp $");
 
 #include 
 #include 
@@ -8315,7 +8315,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf
 	if (m == NULL)
 		return (ENOBUFS);
 	MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
-	if (m == NULL) {
+	if ((m->m_flags & M_EXT) == 0) {
 		error = ENOBUFS;
 
 		/*

CVS commit: [netbsd-6] src/sys/dev/ic

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:08:21 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: dm9000.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1477):
sys/dev/ic/dm9000.c: revision 1.12
Check for MCLGET failure in dme_alloc_receive_buffer.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.2.1 src/sys/dev/ic/dm9000.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dm9000.c
diff -u src/sys/dev/ic/dm9000.c:1.4 src/sys/dev/ic/dm9000.c:1.4.2.1
--- src/sys/dev/ic/dm9000.c:1.4	Sat Jan 28 08:29:55 2012
+++ src/sys/dev/ic/dm9000.c	Fri Aug 18 15:08:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dm9000.c,v 1.4 2012/01/28 08:29:55 nisimura Exp $	*/
+/*	$NetBSD: dm9000.c,v 1.4.2.1 2017/08/18 15:08:21 snj Exp $	*/
 
 /*
  * Copyright (c) 2009 Paul Fleischer
@@ -1123,8 +1123,13 @@ dme_alloc_receive_buffer(struct ifnet *i
 		sizeof(struct ether_header);
 	/* All our frames have the CRC attached */
 	m->m_flags |= M_HASFCS;
-	if (m->m_pkthdr.len + pad > MHLEN )
+	if (m->m_pkthdr.len + pad > MHLEN) {
 		MCLGET(m, M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return NULL;
+		}
+	}
 
 	m->m_data += pad;
 	m->m_len = frame_length + (frame_length % sc->sc_data_width);

CVS commit: [netbsd-6] src/sys/dev/ic

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:04:58 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: dp83932.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1476):
sys/dev/ic/dp83932.c: revision 1.41
Plug mbuf leak on MCLGET failure in sonic_rxintr.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.14.1 src/sys/dev/ic/dp83932.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dp83932.c
diff -u src/sys/dev/ic/dp83932.c:1.35 src/sys/dev/ic/dp83932.c:1.35.14.1
--- src/sys/dev/ic/dp83932.c:1.35	Sat Nov 13 13:52:00 2010
+++ src/sys/dev/ic/dp83932.c	Fri Aug 18 15:04:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $	*/
+/*	$NetBSD: dp83932.c,v 1.35.14.1 2017/08/18 15:04:58 snj Exp $	*/
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35.14.1 2017/08/18 15:04:58 snj Exp $");
 
 
 #include 
@@ -785,8 +785,10 @@ sonic_rxintr(struct sonic_softc *sc)
 goto dropit;
 			if (len > (MHLEN - 2)) {
 MCLGET(m, M_DONTWAIT);
-if ((m->m_flags & M_EXT) == 0)
+if ((m->m_flags & M_EXT) == 0) {
+	m_freem(m);
 	goto dropit;
+}
 			}
 			m->m_data += 2;
 			/*

CVS commit: [netbsd-6] src/sys/dev/ic

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:03:22 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: i82596.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1475):
sys/dev/ic/i82596.c: revision 1.37
Null out sc_rx_mbuf[i] after m_freem to avoid double-free later.
>From Ilja Van Sprundel.
Also null out sc_tx_mbuf[i] after m_freem, out of paranoia.
XXX Not entirely clear to how tx mbufs are freed, but no way to test
this since it's ews4800mips- and hp700-only, so not keen to make any
more elaborate changes...


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.14.1 src/sys/dev/ic/i82596.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/i82596.c
diff -u src/sys/dev/ic/i82596.c:1.29 src/sys/dev/ic/i82596.c:1.29.14.1
--- src/sys/dev/ic/i82596.c:1.29	Mon Apr  5 07:19:35 2010
+++ src/sys/dev/ic/i82596.c	Fri Aug 18 15:03:22 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $ */
+/* $NetBSD: i82596.c,v 1.29.14.1 2017/08/18 15:03:22 snj Exp $ */
 
 /*
  * Copyright (c) 2003 Jochen Kunz.
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29.14.1 2017/08/18 15:03:22 snj Exp $");
 
 /* autoconfig and device stuff */
 #include 
@@ -754,6 +754,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -763,6 +764,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf "
 "cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 m_freem(m);
 t--;
 continue;
@@ -778,6 +780,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't load TX DMA map\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -927,6 +930,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't allocate mbuf"
 " cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -940,6 +944,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't create RX "
 "DMA map\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -949,6 +954,7 @@ iee_init(struct ifnet *ifp)
 			device_xname(sc->sc_dev));
 			bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]);
 			m_freem(sc->sc_rx_mbuf[r]);
+			sc->sc_rx_mbuf[r] = NULL;
 			err = 1;
 			break;
 		}

CVS commit: [netbsd-6] src/sys/dev/pci

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:00:53 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6]: if_et.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1474):
sys/dev/pci/if_et.c: revision 1.15
Check for MCLGET failure in et_newbuf.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.3.2.1 -r1.3.2.2 src/sys/dev/pci/if_et.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_et.c
diff -u src/sys/dev/pci/if_et.c:1.3.2.1 src/sys/dev/pci/if_et.c:1.3.2.2
--- src/sys/dev/pci/if_et.c:1.3.2.1	Mon Nov 19 18:41:59 2012
+++ src/sys/dev/pci/if_et.c	Fri Aug 18 15:00:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_et.c,v 1.3.2.1 2012/11/19 18:41:59 riz Exp $	*/
+/*	$NetBSD: if_et.c,v 1.3.2.2 2017/08/18 15:00:53 snj Exp $	*/
 /*	$OpenBSD: if_et.c,v 1.11 2008/06/08 06:18:07 jsg Exp $	*/
 /*
  * Copyright (c) 2007 The DragonFly Project.  All rights reserved.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.3.2.1 2012/11/19 18:41:59 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.3.2.2 2017/08/18 15:00:53 snj Exp $");
 
 #include "opt_inet.h"
 #include "vlan.h"
@@ -2048,6 +2048,10 @@ et_newbuf(struct et_rxbuf_data *rbd, int
 		if (m == NULL)
 			return (ENOBUFS);
 		MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return (ENOBUFS);
+		}
 		len = MCLBYTES;
 	} else {
 		MGETHDR(m, init ? M_WAITOK : M_DONTWAIT, MT_DATA);

CVS commit: [netbsd-6] src/sys/dev/pci

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Aug 18 14:58:15 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6]: if_ipw.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1473):
sys/dev/pci/if_ipw.c: revision 1.65 via patch
Null out sbuf->m on failure to avoid double-free later.
>From Ilja Van Sprundel.
Also null out sbuf->map out of paranoia.


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.53.2.1 src/sys/dev/pci/if_ipw.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_ipw.c
diff -u src/sys/dev/pci/if_ipw.c:1.53 src/sys/dev/pci/if_ipw.c:1.53.2.1
--- src/sys/dev/pci/if_ipw.c:1.53	Mon Jan 30 19:41:20 2012
+++ src/sys/dev/pci/if_ipw.c	Fri Aug 18 14:58:15 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $	*/
+/*	$NetBSD: if_ipw.c,v 1.53.2.1 2017/08/18 14:58:15 snj Exp $	*/
 /*	FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp 	*/
 
 /*-
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53.2.1 2017/08/18 14:58:15 snj Exp $");
 
 /*-
  * Intel(R) PRO/Wireless 2100 MiniPCI driver
@@ -590,6 +590,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		MCLGET(sbuf->m, M_DONTWAIT);
 		if (!(sbuf->m->m_flags & M_EXT)) {
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(>sc_dev, "could not allocate rx mbuf cluster\n");
 			error = ENOMEM;
 			goto fail;
@@ -602,6 +603,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		if (error != 0) {
 			aprint_error_dev(>sc_dev, "could not create rxbuf dma map\n");
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			goto fail;
 		}
 
@@ -609,7 +611,9 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		sbuf->m, BUS_DMA_READ | BUS_DMA_NOWAIT);
 		if (error != 0) {
 			bus_dmamap_destroy(sc->sc_dmat, sbuf->map);
+			sbuf->map = NULL;
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(>sc_dev, "could not map rxbuf dma memory\n");
 			goto fail;
 		}

CVS commit: [netbsd-6] src/sys/kern

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Aug 18 14:53:10 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: kern_malloc.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1465):
sys/kern/kern_malloc.c: revision 1.146
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.138.2.1 src/sys/kern/kern_malloc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.138 src/sys/kern/kern_malloc.c:1.138.2.1
--- src/sys/kern/kern_malloc.c:1.138	Mon Feb  6 12:13:44 2012
+++ src/sys/kern/kern_malloc.c	Fri Aug 18 14:53:10 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $	*/
+/*	$NetBSD: kern_malloc.c,v 1.138.2.1 2017/08/18 14:53:10 snj Exp $	*/
 
 /*
  * Copyright (c) 1987, 1991, 1993
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138.2.1 2017/08/18 14:53:10 snj Exp $");
 
 #include 
 #include 
@@ -113,7 +113,10 @@ kern_malloc(unsigned long size, struct m
 	void *p;
 
 	if (size >= PAGE_SIZE) {
-		allocsize = PAGE_SIZE + size; /* for page alignment */
+		if (size > (ULONG_MAX-PAGE_SIZE))
+			allocsize = ULONG_MAX;	/* this will fail later */
+		else
+			allocsize = PAGE_SIZE + size; /* for page alignment */
 		hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
 	} else {
 		allocsize = sizeof(struct malloc_header) + size;

CVS commit: [netbsd-6] src/sys/arch/mac68k/nubus

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:35:11 UTC 2017

Modified Files:
src/sys/arch/mac68k/nubus [netbsd-6]: if_netdock_nubus.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1472):
sys/arch/mac68k/nubus/if_netdock_nubus.c: revision 1.26
Avoid memory leak in netdock_get.
If top is null, this is the first time through and nothing else will
free m.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.14.1 src/sys/arch/mac68k/nubus/if_netdock_nubus.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mac68k/nubus/if_netdock_nubus.c
diff -u src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21 src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21.14.1
--- src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21	Mon Apr  5 07:19:30 2010
+++ src/sys/arch/mac68k/nubus/if_netdock_nubus.c	Sat Aug 12 16:35:11 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_netdock_nubus.c,v 1.21 2010/04/05 07:19:30 joerg Exp $	*/
+/*	$NetBSD: if_netdock_nubus.c,v 1.21.14.1 2017/08/12 16:35:11 snj Exp $	*/
 
 /*
  * Copyright (C) 2000,2002 Daishi Kato 
@@ -43,7 +43,7 @@
 /***/
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.21 2010/04/05 07:19:30 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.21.14.1 2017/08/12 16:35:11 snj Exp $");
 
 #include 
 #include 
@@ -803,6 +803,8 @@ netdock_get(struct netdock_softc *sc, in
 			if ((m->m_flags & M_EXT) == 0) {
 if (top)
 	m_freem(top);
+else
+	m_freem(m);
 return (NULL);
 			}
 			len = MCLBYTES;

CVS commit: [netbsd-6] src/sys/arch/newsmips/apbus

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:30:05 UTC 2017

Modified Files:
src/sys/arch/newsmips/apbus [netbsd-6]: if_sn.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1471):
sys/arch/newsmips/apbus/if_sn.c: revision 1.39
Avoid memory leak in sonic_get.
If this is the first time around, top is null and nothing else will
free m.
>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.33.14.1 src/sys/arch/newsmips/apbus/if_sn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/newsmips/apbus/if_sn.c
diff -u src/sys/arch/newsmips/apbus/if_sn.c:1.33 src/sys/arch/newsmips/apbus/if_sn.c:1.33.14.1
--- src/sys/arch/newsmips/apbus/if_sn.c:1.33	Mon Apr  5 07:19:31 2010
+++ src/sys/arch/newsmips/apbus/if_sn.c	Sat Aug 12 16:30:05 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_sn.c,v 1.33 2010/04/05 07:19:31 joerg Exp $	*/
+/*	$NetBSD: if_sn.c,v 1.33.14.1 2017/08/12 16:30:05 snj Exp $	*/
 
 /*
  * National Semiconductor  DP8393X SONIC Driver
@@ -16,7 +16,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.33 2010/04/05 07:19:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.33.14.1 2017/08/12 16:30:05 snj Exp $");
 
 #include "opt_inet.h"
 
@@ -1093,7 +1093,10 @@ sonic_get(struct sn_softc *sc, void *pkt
 		if (datalen >= MINCLSIZE) {
 			MCLGET(m, M_DONTWAIT);
 			if ((m->m_flags & M_EXT) == 0) {
-if (top) m_freem(top);
+if (top)
+	m_freem(top);
+else
+	m_freem(m);
 return 0;
 			}
 			len = MCLBYTES;

CVS commit: [netbsd-6] src/sys/dev/usb

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:26:31 UTC 2017

Modified Files:
src/sys/dev/usb [netbsd-6]: if_ural.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1470):
sys/dev/usb/if_ural.c: revision 1.52
Free the RX list if ural_alloc_rx_list fails part way through.
Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.2.1 src/sys/dev/usb/if_ural.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/if_ural.c
diff -u src/sys/dev/usb/if_ural.c:1.39 src/sys/dev/usb/if_ural.c:1.39.2.1
--- src/sys/dev/usb/if_ural.c:1.39	Fri Dec 23 00:51:44 2011
+++ src/sys/dev/usb/if_ural.c	Sat Aug 12 16:26:31 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ural.c,v 1.39 2011/12/23 00:51:44 jakllsch Exp $ */
+/*	$NetBSD: if_ural.c,v 1.39.2.1 2017/08/12 16:26:31 snj Exp $ */
 /*	$FreeBSD: /repoman/r/ncvs/src/sys/dev/usb/if_ural.c,v 1.40 2006/06/02 23:14:40 sam Exp $	*/
 
 /*-
@@ -24,7 +24,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.39 2011/12/23 00:51:44 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.39.2.1 2017/08/12 16:26:31 snj Exp $");
 
 
 #include 
@@ -678,7 +678,7 @@ ural_alloc_rx_list(struct ural_softc *sc
 
 	return 0;
 
-fail:	ural_free_tx_list(sc);
+fail:	ural_free_rx_list(sc);
 	return error;
 }
 

CVS commit: [netbsd-6] src/sys/compat

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:23:29 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/sys [netbsd-6]: dirent.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1469):
sys/compat/common/vfs_syscalls_12.c: revision 1.30
sys/compat/common/vfs_syscalls_43.c: revision 1.56
sys/compat/sys/dirent.h: revision 1.3
It is wishful thinking that vn_readdir will return dirent12 structures.
--
Fix the compat-4.3 getdirentries call (pre d_type). This is used in NetBSD-0.9.
--
add a struct for the 4.3BSD struct direct


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.12.1 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.14.2 -r1.54.14.3 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.2 -r1.2.118.1 src/sys/compat/sys/dirent.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29 src/sys/compat/common/vfs_syscalls_12.c:1.29.12.1
--- src/sys/compat/common/vfs_syscalls_12.c:1.29	Wed Jan 19 10:21:16 2011
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 12 16:23:28 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.12.1 2017/08/12 16:23:28 snj Exp $");
 
 #include 
 #include 
@@ -56,6 +56,7 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls
 #include 
 
 #include 
+#include 
 
 /*
  * Convert from a new to an old stat structure.
@@ -96,28 +97,140 @@ compat_12_sys_getdirentries(struct lwp *
 		syscallarg(u_int) count;
 		syscallarg(long *) basep;
 	} */
+	struct dirent *bdp;
+	struct vnode *vp;
+	char *inp, *tbuf;		/* Current-format */
+	int len, reclen;		/* Current-format */
+	char *outp;			/* Dirent12-format */
+	int resid, old_reclen = 0;	/* Dirent12-format */
 	struct file *fp;
-	int error, done;
+	struct uio auio;
+	struct iovec aiov;
+	struct dirent12 idb;
+	off_t off;		/* true file offset */
+	int buflen, error, eofflag, nbytes;
+	struct vattr va;
+	off_t *cookiebuf = NULL, *cookie;
+	int ncookies;
 	long loff;
-
+		 
 	/* fd_getvnode() will use the descriptor for us */
 	if ((error = fd_getvnode(SCARG(uap, fd), )) != 0)
-		return error;
+		return (error);
+
 	if ((fp->f_flag & FREAD) == 0) {
 		error = EBADF;
-		goto out;
+		goto out1;
+	}
+
+	vp = (struct vnode *)fp->f_data;
+	if (vp->v_type != VDIR) {
+		error = ENOTDIR;
+		goto out1;
 	}
 
+	vn_lock(vp, LK_SHARED | LK_RETRY);
+	error = VOP_GETATTR(vp, , l->l_cred);
+	VOP_UNLOCK(vp);
+	if (error)
+		goto out1;
+
 	loff = fp->f_offset;
+	nbytes = SCARG(uap, count);
+	buflen = min(MAXBSIZE, nbytes);
+	if (buflen < va.va_blocksize)
+		buflen = va.va_blocksize;
+	tbuf = malloc(buflen, M_TEMP, M_WAITOK);
+
+	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
+	off = fp->f_offset;
+again:
+	aiov.iov_base = tbuf;
+	aiov.iov_len = buflen;
+	auio.uio_iov = 
+	auio.uio_iovcnt = 1;
+	auio.uio_rw = UIO_READ;
+	auio.uio_resid = buflen;
+	auio.uio_offset = off;
+	UIO_SETUP_SYSSPACE();
+	/*
+ * First we read into the malloc'ed buffer, then
+ * we massage it into user space, one record at a time.
+ */
+	error = VOP_READDIR(vp, , fp->f_cred, , ,
+	);
+	if (error)
+		goto out;
+
+	inp = tbuf;
+	outp = SCARG(uap, buf);
+	resid = nbytes;
+	if ((len = buflen - auio.uio_resid) == 0)
+		goto eof;
+
+	for (cookie = cookiebuf; len > 0; len -= reclen) {
+		bdp = (struct dirent *)inp;
+		reclen = bdp->d_reclen;
+		if (reclen & 3)
+			panic(__func__);
+		if (bdp->d_fileno == 0) {
+			inp += reclen;	/* it is a hole; squish it out */
+			if (cookie)
+off = *cookie++;
+			else
+off += reclen;
+			continue;
+		}
+		old_reclen = _DIRENT_RECLEN(, bdp->d_namlen);
+		if (reclen > len || resid < old_reclen) {
+			/* entry too big for buffer, so just stop */
+			outp++;
+			break;
+		}
+		/*
+		 * Massage in place to make a Dirent12-shaped dirent (otherwise
+		 * we have to worry about touching user memory outside of
+		 * the copyout() call).
+		 */
+		idb.d_fileno = (uint32_t)bdp->d_fileno;
+		idb.d_reclen = (uint16_t)old_reclen;
+		idb.d_type = (uint8_t)bdp->d_type;
+		idb.d_namlen = (uint8_t)bdp->d_namlen;
+		strcpy(idb.d_name, bdp->d_name);
+		if ((error = copyout(, outp, old_reclen)))
+			goto out;
+		/* advance past this real entry */
+		inp += reclen;
+		if (cookie)
+			off = *cookie++; /* each entry points to itself */
+		else
+			off += reclen;
+		/* advance output past Dirent12-shaped entry */
+		outp += old_reclen;
+		resid -= old_reclen;
+	}
 
-	error = vn_readdir(fp, 

CVS commit: [netbsd-6] src/sys/arch

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Tue Aug  8 12:00:35 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: locore.S machdep.c trap.c
src/sys/arch/i386/i386 [netbsd-6]: locore.S machdep.c trap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1464):

sys/arch/i386/i386/trap.c: revision 1.288   (patch)
sys/arch/i386/i386/machdep.c:  revision 1.783   (patch)
sys/arch/i386/i386/locore.S:   revision 1.146   (patch)
sys/arch/amd64/amd64/locore.S: revision 1.122,1.124 (patch)
sys/arch/amd64/amd64/machdep.c revision 1.254   (patch)
sys/arch/amd64/amd64/trap.c:   revision 1.95-1.96   (patch)

Remove the osyscall call gate and emulate it. There is a
one-instruction race in it that could panic the kernel.

Restore the ability to run netbsd 1.0 32-bit executables by checking
for the relevant lcall instruction in the trap handler and treating it
as a syscall.


To generate a diff of this commit:
cvs rdiff -u -r1.66.2.1 -r1.66.2.2 src/sys/arch/amd64/amd64/locore.S
cvs rdiff -u -r1.175.2.8 -r1.175.2.9 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.69.2.2 -r1.69.2.3 src/sys/arch/amd64/amd64/trap.c
cvs rdiff -u -r1.95.10.3 -r1.95.10.4 src/sys/arch/i386/i386/locore.S
cvs rdiff -u -r1.717.2.7 -r1.717.2.8 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.262.8.1 -r1.262.8.2 src/sys/arch/i386/i386/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/locore.S
diff -u src/sys/arch/amd64/amd64/locore.S:1.66.2.1 src/sys/arch/amd64/amd64/locore.S:1.66.2.2
--- src/sys/arch/amd64/amd64/locore.S:1.66.2.1	Fri Apr 20 23:32:14 2012
+++ src/sys/arch/amd64/amd64/locore.S	Tue Aug  8 12:00:35 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.66.2.1 2012/04/20 23:32:14 riz Exp $	*/
+/*	$NetBSD: locore.S,v 1.66.2.2 2017/08/08 12:00:35 martin Exp $	*/
 
 /*
  * Copyright-o-rama!
@@ -1209,26 +1209,6 @@ NENTRY(child_trampoline)
 	.globl  _C_LABEL(osyscall_return)
 
 /*
- * oosyscall()
- *
- * Old call gate entry for syscall. only needed if we're
- * going to support running old i386 NetBSD 1.0 or ibcs2 binaries, etc,
- * on NetBSD/amd64.
- * The 64bit call gate can't request that arguments be copied from the
- * user stack (which the i386 code uses to get a gap for the flags).
- * push/pop are :: cycles.
- */
-IDTVEC(oosyscall)
-	/* Set rflags in trap frame. */
-	pushq	(%rsp)		# move user's %eip
-	pushq	16(%rsp)	# and %cs
-	popq	8(%rsp)
-	pushfq
-	popq	16(%rsp)
-	pushq	$7		# size of instruction for restart
-	jmp	osyscall1
-
-/*
  * osyscall()
  *
  * Trap gate entry for int $80 syscall, also used by sigreturn.
@@ -1240,7 +1220,6 @@ IDTVEC(osyscall)
 	addq $0x10,%rsp
 #endif
 	pushq	$2		# size of instruction for restart
-osyscall1:
 	pushq	$T_ASTFLT	# trap # for doing ASTs
 	INTRENTRY
 	STI(si)

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.8 src/sys/arch/amd64/amd64/machdep.c:1.175.2.9
--- src/sys/arch/amd64/amd64/machdep.c:1.175.2.8	Sat Apr 20 09:59:39 2013
+++ src/sys/arch/amd64/amd64/machdep.c	Tue Aug  8 12:00:35 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.175.2.8 2013/04/20 09:59:39 bouyer Exp $	*/
+/*	$NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8 2013/04/20 09:59:39 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -1575,7 +1575,6 @@ typedef void (vector)(void);
 extern vector IDTVEC(syscall);
 extern vector IDTVEC(syscall32);
 extern vector IDTVEC(osyscall);
-extern vector IDTVEC(oosyscall);
 extern vector *IDTVEC(exceptions)[];
 
 static void
@@ -1838,10 +1837,7 @@ init_x86_64(paddr_t first_avail)
 	set_mem_segment(GDT_ADDR_MEM(gdtstore, GUDATA_SEL), 0,
 	x86_btop(VM_MAXUSER_ADDRESS) - 1, SDT_MEMRWA, SEL_UPL, 1, 0, 1);
 
-	/* make ldt gates and memory segments */
-	setgate((struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL),
-	(oosyscall), 0, SDT_SYS386CGT, SEL_UPL,
-	GSEL(GCODE_SEL, SEL_KPL));
+	/* make ldt memory segments */
 	*(struct mem_segment_descriptor *)(ldtstore + LUCODE_SEL) =
 	*GDT_ADDR_MEM(gdtstore, GUCODE_SEL);
 	*(struct mem_segment_descriptor *)(ldtstore + LUDATA_SEL) =
@@ -1873,16 +1869,6 @@ init_x86_64(paddr_t first_avail)
 	set_mem_segment(ldt_segp, 0, x86_btop(VM_MAXUSER_ADDRESS32) - 1,
 	SDT_MEMRWA, SEL_UPL, 1, 1, 0);
 
-	/*
-	 * Other entries.
-	 */
-	memcpy((struct gate_descriptor *)(ldtstore + LSOL26CALLS_SEL),
-	(struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL),
-	sizeof (struct gate_descriptor));
-	memcpy((struct gate_descriptor *)(ldtstore + LBSDICALLS_SEL),
-	(struct 

CVS commit: [netbsd-6] src/sys/dev/pci

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sun Jul 23 14:27:24 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6]: aceride.c pciide_acer_reg.h

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1463):
sys/dev/pci/aceride.c: revision 1.37
sys/dev/pci/pciide_acer_reg.h: revision 1.13
Apply workaround from FreeBSD to fix read data corruption observed
on Fire V100 and mSATA-SSD with mSATA to IDE adapter.
The patch is from port-sparc64@.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/dev/pci/aceride.c
cvs rdiff -u -r1.12 -r1.12.18.1 src/sys/dev/pci/pciide_acer_reg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/aceride.c
diff -u src/sys/dev/pci/aceride.c:1.30 src/sys/dev/pci/aceride.c:1.30.10.1
--- src/sys/dev/pci/aceride.c:1.30	Mon Apr  4 20:37:56 2011
+++ src/sys/dev/pci/aceride.c	Sun Jul 23 14:27:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: aceride.c,v 1.30 2011/04/04 20:37:56 dyoung Exp $	*/
+/*	$NetBSD: aceride.c,v 1.30.10.1 2017/07/23 14:27:24 snj Exp $	*/
 
 /*
  * Copyright (c) 1999, 2000, 2001 Manuel Bouyer.
@@ -25,7 +25,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: aceride.c,v 1.30 2011/04/04 20:37:56 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: aceride.c,v 1.30.10.1 2017/07/23 14:27:24 snj Exp $");
 
 #include 
 #include 
@@ -193,8 +193,13 @@ acer_chip_map(struct pciide_softc *sc, c
 	interface = PCI_INTERFACE(pci_conf_read(sc->sc_pc, sc->sc_tag,
 	PCI_CLASS_REG));
 
-	/* From linux: enable "Cable Detection" */
 	if (rev >= 0xC2) {
+		/* From FreeBSD: use device interrupt as byte count end */
+		pciide_pci_write(sc->sc_pc, sc->sc_tag, ACER_0x4A,
+		pciide_pci_read(sc->sc_pc, sc->sc_tag, ACER_0x4A)
+		| ACER_0x4A_BCEINT);
+
+		/* From linux: enable "Cable Detection" */
 		pciide_pci_write(sc->sc_pc, sc->sc_tag, ACER_0x4B,
 		pciide_pci_read(sc->sc_pc, sc->sc_tag, ACER_0x4B)
 		| ACER_0x4B_CDETECT);

Index: src/sys/dev/pci/pciide_acer_reg.h
diff -u src/sys/dev/pci/pciide_acer_reg.h:1.12 src/sys/dev/pci/pciide_acer_reg.h:1.12.18.1
--- src/sys/dev/pci/pciide_acer_reg.h:1.12	Mon Oct 19 18:41:15 2009
+++ src/sys/dev/pci/pciide_acer_reg.h	Sun Jul 23 14:27:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pciide_acer_reg.h,v 1.12 2009/10/19 18:41:15 bouyer Exp $	*/
+/*	$NetBSD: pciide_acer_reg.h,v 1.12.18.1 2017/07/23 14:27:24 snj Exp $	*/
 
 /*
  * Copyright (c) 1999 Manuel Bouyer.
@@ -37,6 +37,8 @@
  * bit 1 is 0 -> secondary has 80 pin cable
  */
 #define ACER_0x4A_80PIN(chan)	(0x1 << (chan))
+/* From FreeBSD, use device interrupt as byte count end */
+#define ACER_0x4A_BCEINT	0x20
 
 /* From FreeBSD, for UDMA mode > 2 */
 #define ACER_0x4B	0x4b

CVS commit: [netbsd-6] src/sys/dev

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Jul 21 04:06:50 UTC 2017

Modified Files:
src/sys/dev [netbsd-6]: audio.c

Log Message:
Apply patch (requested by nat in ticket #1457):
Fix occasional stuttering that can be caused by ringbuffer overflow.


To generate a diff of this commit:
cvs rdiff -u -r1.257.2.4 -r1.257.2.5 src/sys/dev/audio.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/audio.c
diff -u src/sys/dev/audio.c:1.257.2.4 src/sys/dev/audio.c:1.257.2.5
--- src/sys/dev/audio.c:1.257.2.4	Wed Jun 13 19:14:17 2012
+++ src/sys/dev/audio.c	Fri Jul 21 04:06:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: audio.c,v 1.257.2.4 2012/06/13 19:14:17 riz Exp $	*/
+/*	$NetBSD: audio.c,v 1.257.2.5 2017/07/21 04:06:50 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -155,7 +155,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.257.2.4 2012/06/13 19:14:17 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.257.2.5 2017/07/21 04:06:50 snj Exp $");
 
 #include "audio.h"
 #if NAUDIO > 0
@@ -2950,6 +2950,9 @@ audio_pint(void *v)
 		return;
 	}
 
+	if (audio_stream_get_used(>s) > (cb->usedhigh - cb->blksize))
+		goto done;
+
 #ifdef AUDIO_INTR_TIME
 	{
 		struct timeval tv;
@@ -3028,6 +3031,7 @@ audio_pint(void *v)
 	}
 
 	DPRINTFN(5, ("audio_pint: outp=%p cc=%d\n", cb->s.outp, blksize));
+done:
 	if (hw->trigger_output == NULL) {
 		error = hw->start_output(sc->hw_hdl, __UNCONST(cb->s.outp),
 		blksize, audio_pint, (void *)sc);

CVS commit: [netbsd-6] src/sys/dev

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Jul 21 04:02:12 UTC 2017

Modified Files:
src/sys/dev [netbsd-6]: cgd.c

Log Message:
Apply patch (requested by chs in ticket #1455):
Avoid crashes by checking if a cgd device has been configured before
processing most ioctls, and failing with ENXIO if the device is not
configured.


To generate a diff of this commit:
cvs rdiff -u -r1.76.6.1 -r1.76.6.2 src/sys/dev/cgd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/cgd.c
diff -u src/sys/dev/cgd.c:1.76.6.1 src/sys/dev/cgd.c:1.76.6.2
--- src/sys/dev/cgd.c:1.76.6.1	Tue Jun  3 09:17:52 2014
+++ src/sys/dev/cgd.c	Fri Jul 21 04:02:12 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: cgd.c,v 1.76.6.1 2014/06/03 09:17:52 sborrill Exp $ */
+/* $NetBSD: cgd.c,v 1.76.6.2 2017/07/21 04:02:12 snj Exp $ */
 
 /*-
  * Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.76.6.1 2014/06/03 09:17:52 sborrill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.76.6.2 2017/07/21 04:02:12 snj Exp $");
 
 #include 
 #include 
@@ -558,12 +558,16 @@ cgdioctl(dev_t dev, u_long cmd, void *da
 		 */
 		if ((flag & FWRITE) == 0)
 			return (EBADF);
+		if ((dksc->sc_flags & DKF_INITED) == 0)
+			return ENXIO;
 
 		/*
 		 * We pass this call down to the underlying disk.
 		 */
 		return VOP_IOCTL(cs->sc_tvn, cmd, data, flag, l->l_cred);
 	default:
+		if ((dksc->sc_flags & DKF_INITED) == 0)
+			return ENXIO;
 		return dk_ioctl(di, dksc, dev, cmd, data, flag, l);
 	}
 }

CVS commit: [netbsd-6] src/sys/kern

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Jul 14 06:18:25 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: exec_elf.c

Log Message:
Pull up following revision(s) (requested by uwe in ticket #1438):
sys/kern/exec_elf.c: revision 1.88 via patch
netbsd_elf_signature - look at note segments (phdrs) not note
sections.  They point to the same data in the file, but sections are
for linkers and are not necessarily present in an executable.
The original switch from phdrs to shdrs seems to be just a cop-out to
avoid parsing multiple notes per segment, which doesn't really avoid
the problem b/c sections also can contain multiple notes.


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.2 -r1.37.2.3 src/sys/kern/exec_elf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/exec_elf.c
diff -u src/sys/kern/exec_elf.c:1.37.2.2 src/sys/kern/exec_elf.c:1.37.2.3
--- src/sys/kern/exec_elf.c:1.37.2.2	Fri Feb 14 23:21:20 2014
+++ src/sys/kern/exec_elf.c	Fri Jul 14 06:18:25 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: exec_elf.c,v 1.37.2.2 2014/02/14 23:21:20 bouyer Exp $	*/
+/*	$NetBSD: exec_elf.c,v 1.37.2.3 2017/07/14 06:18:25 snj Exp $	*/
 
 /*-
  * Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
  */
 
 #include 
-__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.37.2.2 2014/02/14 23:21:20 bouyer Exp $");
+__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.37.2.3 2017/07/14 06:18:25 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_pax.h"
@@ -94,6 +94,7 @@ extern struct emul emul_netbsd;
 #define elf_load_psection	ELFNAME(load_psection)
 #define exec_elf_makecmds	ELFNAME2(exec,makecmds)
 #define netbsd_elf_signature	ELFNAME2(netbsd,signature)
+#define netbsd_elf_note   	ELFNAME2(netbsd,note)
 #define netbsd_elf_probe	ELFNAME2(netbsd,probe)
 #define	coredump		ELFNAMEEND(coredump)
 #define	elf_free_emul_arg	ELFNAME(free_emul_arg)
@@ -104,6 +105,8 @@ void	elf_load_psection(struct exec_vmcmd
 	const Elf_Phdr *, Elf_Addr *, u_long *, int *, int);
 
 int	netbsd_elf_signature(struct lwp *, struct exec_package *, Elf_Ehdr *);
+int	netbsd_elf_note(struct exec_package *, const Elf_Nhdr *, const char *,
+	const char *);
 int	netbsd_elf_probe(struct lwp *, struct exec_package *, void *, char *,
 	vaddr_t *);
 
@@ -860,99 +863,140 @@ netbsd_elf_signature(struct lwp *l, stru
 Elf_Ehdr *eh)
 {
 	size_t i;
-	Elf_Shdr *sh;
-	Elf_Nhdr *np;
-	size_t shsize;
+	Elf_Phdr *ph;
+	size_t phsize;
+	char *nbuf;
 	int error;
 	int isnetbsd = 0;
-	char *ndata;
 
 	epp->ep_pax_flags = 0;
-	if (eh->e_shnum > MAXSHNUM || eh->e_shnum == 0)
+
+	if (eh->e_phnum > MAXPHNUM || eh->e_phnum == 0)
 		return ENOEXEC;
 
-	shsize = eh->e_shnum * sizeof(Elf_Shdr);
-	sh = kmem_alloc(shsize, KM_SLEEP);
-	error = exec_read_from(l, epp->ep_vp, eh->e_shoff, sh, shsize);
+	phsize = eh->e_phnum * sizeof(Elf_Phdr);
+	ph = kmem_alloc(phsize, KM_SLEEP);
+	error = exec_read_from(l, epp->ep_vp, eh->e_phoff, ph, phsize);
 	if (error)
 		goto out;
 
-	np = kmem_alloc(MAXNOTESIZE, KM_SLEEP);
-	for (i = 0; i < eh->e_shnum; i++) {
-		Elf_Shdr *shp = [i];
-
-		if (shp->sh_type != SHT_NOTE ||
-		shp->sh_size > MAXNOTESIZE ||
-		shp->sh_size < sizeof(Elf_Nhdr) + ELF_NOTE_NETBSD_NAMESZ)
+	nbuf = kmem_alloc(MAXNOTESIZE, KM_SLEEP);
+	for (i = 0; i < eh->e_phnum; i++) {
+		const char *nptr;
+		size_t nlen;
+
+		if (ph[i].p_type != PT_NOTE ||
+		ph[i].p_filesz > MAXNOTESIZE)
 			continue;
 
-		error = exec_read_from(l, epp->ep_vp, shp->sh_offset, np,
-		shp->sh_size);
+		nlen = ph[i].p_filesz;
+		error = exec_read_from(l, epp->ep_vp, ph[i].p_offset,
+   nbuf, nlen);
 		if (error)
 			continue;
 
-		ndata = (char *)(np + 1);
-		switch (np->n_type) {
-		case ELF_NOTE_TYPE_NETBSD_TAG:
-			if (np->n_namesz != ELF_NOTE_NETBSD_NAMESZ ||
-			np->n_descsz != ELF_NOTE_NETBSD_DESCSZ ||
-			memcmp(ndata, ELF_NOTE_NETBSD_NAME,
-			ELF_NOTE_NETBSD_NAMESZ))
-goto bad;
-			isnetbsd = 1;
-			break;
+		nptr = nbuf;
+		while (nlen > 0) {
+			const Elf_Nhdr *np;
+			const char *ndata, *ndesc;
+
+			/* note header */
+			np = (const Elf_Nhdr *)nptr;
+			if (nlen < sizeof(*np)) {
+break;
+			}
+			nptr += sizeof(*np);
+			nlen -= sizeof(*np);
+
+			/* note name */
+			ndata = nptr;
+			if (nlen < roundup(np->n_namesz, 4)) {
+break;
+			}
+			nptr += roundup(np->n_namesz, 4);
+			nlen -= roundup(np->n_namesz, 4);
+
+			/* note description */
+			ndesc = nptr;
+			if (nlen < roundup(np->n_descsz, 4)) {
+break;
+			}
+			nptr += roundup(np->n_descsz, 4);
+			nlen -= roundup(np->n_descsz, 4);
+
+			isnetbsd |= netbsd_elf_note(epp, np, ndata, ndesc);
+		}
+	}
+	kmem_free(nbuf, MAXNOTESIZE);
+
+	error = isnetbsd ? 0 : ENOEXEC;
+out:
+	kmem_free(ph, phsize);
+	return error;
+}
+
+int
+netbsd_elf_note(struct exec_package *epp,
+		const Elf_Nhdr *np, const char *ndata, const char *ndesc)
+{
+	int isnetbsd 

CVS commit: [netbsd-6] src/sys/miscfs/procfs

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Thu Jul  6 15:28:21 UTC 2017

Modified Files:
src/sys/miscfs/procfs [netbsd-6]: procfs_map.c

Log Message:
Pull up following revision(s) (requested by tsutsui in ticket #1434):
sys/miscfs/procfs/procfs_map.c: revision 1.45
Maps don't change that frequently between reads, so don't give up and
do what linux does (support reading from an offset).


To generate a diff of this commit:
cvs rdiff -u -r1.41.8.1 -r1.41.8.2 src/sys/miscfs/procfs/procfs_map.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/miscfs/procfs/procfs_map.c
diff -u src/sys/miscfs/procfs/procfs_map.c:1.41.8.1 src/sys/miscfs/procfs/procfs_map.c:1.41.8.2
--- src/sys/miscfs/procfs/procfs_map.c:1.41.8.1	Mon Jul 29 08:17:55 2013
+++ src/sys/miscfs/procfs/procfs_map.c	Thu Jul  6 15:28:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: procfs_map.c,v 1.41.8.1 2013/07/29 08:17:55 msaitoh Exp $	*/
+/*	$NetBSD: procfs_map.c,v 1.41.8.2 2017/07/06 15:28:21 snj Exp $	*/
 
 /*
  * Copyright (c) 1993
@@ -76,7 +76,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: procfs_map.c,v 1.41.8.1 2013/07/29 08:17:55 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: procfs_map.c,v 1.41.8.2 2017/07/06 15:28:21 snj Exp $");
 
 #include 
 #include 
@@ -124,15 +124,6 @@ procfs_domap(struct lwp *curl, struct pr
 	if (uio->uio_rw != UIO_READ)
 		return EOPNOTSUPP;
 
-	if (uio->uio_offset != 0) {
-		/*
-		 * we return 0 here, so that the second read returns EOF
-		 * we don't support reading from an offset because the
-		 * map could have changed between the two reads.
-		 */
-		return 0;
-	}
-
 	error = 0;
 
 	if (linuxmode != 0)
@@ -219,7 +210,16 @@ again:
 	vm_map_unlock_read(map);
 	uvmspace_free(vm);
 
-	error = uiomove(buffer, pos, uio);
+	/*
+	 * We support reading from an offset, because linux does.
+	 * The map could have changed between the two reads, and
+	 * that could result in junk, but typically it does not.
+	 */
+	if (uio->uio_offset < pos)
+		error = uiomove(buffer + uio->uio_offset,
+		pos - uio->uio_offset, uio);
+	else
+		error = 0;
 out:
 	if (path != NULL)
 		free(path, M_TEMP);

CVS commit: [netbsd-6] src/sys/kern

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Thu Jul  6 15:20:00 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: subr_xcall.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1419):
sys/kern/subr_xcall.c: revision 1.19
Fix a race condition of low priority xcall
xc_lowpri and xc_thread are racy and xc_wait may return during/before
executing all xcall callbacks, resulting in a kernel panic at worst.
xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall
callbacks are done, xc_wait returns and also xc_lowpri accepts a next job.
The problem is that a counter that counts the number of finished xcall
callbacks is incremented *before* actually executing a xcall callback
(see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before
all xcall callbacks complete and a next job begins to run its xcall callbacks.
Even worse the counter is global and shared between jobs, so if a xcall
callback of the next job completes, the shared counter is incremented,
which confuses wc_wait of the previous job as all xcall callbacks of the
previous job are done and wc_wait of the previous job returns during/before
executing its xcall callbacks.
How to fix: there are actually two counters that count the number of finished
xcall callbacks for low priority xcall for historical reasons (I guess):
xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly
while xc_tailp is incremented wrongly, i.e., before executing a xcall callback.
We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep.
PR kern/51632


To generate a diff of this commit:
cvs rdiff -u -r1.13.10.1 -r1.13.10.2 src/sys/kern/subr_xcall.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_xcall.c
diff -u src/sys/kern/subr_xcall.c:1.13.10.1 src/sys/kern/subr_xcall.c:1.13.10.2
--- src/sys/kern/subr_xcall.c:1.13.10.1	Sat Apr 20 10:05:22 2013
+++ src/sys/kern/subr_xcall.c	Thu Jul  6 15:20:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $	*/
+/*	$NetBSD: subr_xcall.c,v 1.13.10.2 2017/07/06 15:20:00 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007-2010 The NetBSD Foundation, Inc.
@@ -74,7 +74,7 @@
  */
  
 #include 
-__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.2 2017/07/06 15:20:00 snj Exp $");
 
 #include 
 #include 
@@ -101,7 +101,6 @@ typedef struct {
 
 /* Low priority xcall structures. */
 static xc_state_t	xc_low_pri	__cacheline_aligned;
-static uint64_t		xc_tailp	__cacheline_aligned;
 
 /* High priority xcall structures. */
 static xc_state_t	xc_high_pri	__cacheline_aligned;
@@ -131,7 +130,6 @@ xc_init(void)
 	memset(xclo, 0, sizeof(xc_state_t));
 	mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_NONE);
 	cv_init(>xc_busy, "xclocv");
-	xc_tailp = 0;
 
 	memset(xchi, 0, sizeof(xc_state_t));
 	mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_SOFTCLOCK);
@@ -253,7 +251,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
 	uint64_t where;
 
 	mutex_enter(>xc_lock);
-	while (xc->xc_headp != xc_tailp) {
+	while (xc->xc_headp != xc->xc_donep) {
 		cv_wait(>xc_busy, >xc_lock);
 	}
 	xc->xc_arg1 = arg1;
@@ -274,7 +272,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
 		ci->ci_data.cpu_xcall_pending = true;
 		cv_signal(>ci_data.cpu_xcall);
 	}
-	KASSERT(xc_tailp < xc->xc_headp);
+	KASSERT(xc->xc_donep < xc->xc_headp);
 	where = xc->xc_headp;
 	mutex_exit(>xc_lock);
 
@@ -299,7 +297,7 @@ xc_thread(void *cookie)
 	mutex_enter(>xc_lock);
 	for (;;) {
 		while (!ci->ci_data.cpu_xcall_pending) {
-			if (xc->xc_headp == xc_tailp) {
+			if (xc->xc_headp == xc->xc_donep) {
 cv_broadcast(>xc_busy);
 			}
 			cv_wait(>ci_data.cpu_xcall, >xc_lock);
@@ -309,7 +307,6 @@ xc_thread(void *cookie)
 		func = xc->xc_func;
 		arg1 = xc->xc_arg1;
 		arg2 = xc->xc_arg2;
-		xc_tailp++;
 		mutex_exit(>xc_lock);
 
 		KASSERT(func != NULL);

CVS commit: [netbsd-6] src/sys

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Thu Jun 15 06:04:01 UTC 2017

Modified Files:
src/sys/arch/ews4800mips/sbd [netbsd-6]: fb_sbdio.c
src/sys/arch/pmax/ibus [netbsd-6]: pm.c
src/sys/dev/hpc [netbsd-6]: bivideo.c
src/sys/dev/ic [netbsd-6]: sti.c

Log Message:
Pull up following revision(s) (requested by spz in ticket #1456):
sys/arch/ews4800mips/sbd/fb_sbdio.c: revision 1.16
sys/arch/pmax/ibus/pm.c: revision 1.13
sys/dev/hpc/bivideo.c: revision 1.34
sys/dev/ic/sti.c: revision 1.19
correct size checks so they cannot be circumvented by integer overflows
reported by CTurt, thanks for the notification


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.2.1 src/sys/arch/ews4800mips/sbd/fb_sbdio.c
cvs rdiff -u -r1.11 -r1.11.2.1 src/sys/arch/pmax/ibus/pm.c
cvs rdiff -u -r1.32 -r1.32.14.1 src/sys/dev/hpc/bivideo.c
cvs rdiff -u -r1.16.8.1 -r1.16.8.2 src/sys/dev/ic/sti.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/ews4800mips/sbd/fb_sbdio.c
diff -u src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12 src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12.2.1
--- src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12	Wed Jan 11 21:17:33 2012
+++ src/sys/arch/ews4800mips/sbd/fb_sbdio.c	Thu Jun 15 06:04:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $	*/
+/*	$NetBSD: fb_sbdio.c,v 1.12.2.1 2017/06/15 06:04:01 snj Exp $	*/
 
 /*-
  * Copyright (c) 2004, 2005 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #define WIRED_FB_TLB
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12.2.1 2017/06/15 06:04:01 snj Exp $");
 
 #include 
 #include 
@@ -304,6 +304,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd,
 		if (ri->ri_flg == RI_FORCEMONO)
 			break;
 		ga_clut_get(ga);
+		if (cmap->index >= 256 || cmap->count > 256 - cmap->index)
+			return (EINVAL);
 		for (i = 0; i < cmap->count; i++) {
 			cmap->red[i] = ga->clut[cmap->index + i][0];
 			cmap->green[i] = ga->clut[cmap->index + i][1];
@@ -314,6 +316,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd,
 	case WSDISPLAYIO_PUTCMAP:
 		if (ri->ri_flg == RI_FORCEMONO)
 			break;
+		if (cmap->index >= 256 || cmap->count > 256 - cmap->index)
+			return (EINVAL);
 		for (i = 0; i < cmap->count; i++) {
 			ga->clut[cmap->index + i][0] = cmap->red[i];
 			ga->clut[cmap->index + i][1] = cmap->green[i];

Index: src/sys/arch/pmax/ibus/pm.c
diff -u src/sys/arch/pmax/ibus/pm.c:1.11 src/sys/arch/pmax/ibus/pm.c:1.11.2.1
--- src/sys/arch/pmax/ibus/pm.c:1.11	Wed Jan 11 21:17:33 2012
+++ src/sys/arch/pmax/ibus/pm.c	Thu Jun 15 06:04:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $	*/
+/*	$NetBSD: pm.c,v 1.11.2.1 2017/06/15 06:04:01 snj Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11.2.1 2017/06/15 06:04:01 snj Exp $");
 
 #include 
 #include 
@@ -668,7 +668,7 @@ pm_get_cmap(struct pm_softc *sc, struct 
 	index = p->index;
 	count = p->count;
 
-	if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size)
+	if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index)
 		return (EINVAL);
 
 	if ((rv = copyout(>sc_cmap.r[index], p->red, count)) != 0)
@@ -687,7 +687,7 @@ pm_set_cmap(struct pm_softc *sc, struct 
 	index = p->index;
 	count = p->count;
 
-	if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size)
+	if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index)
 		return (EINVAL);
 
 	if ((rv = copyin(p->red, >sc_cmap.r[index], count)) != 0)

Index: src/sys/dev/hpc/bivideo.c
diff -u src/sys/dev/hpc/bivideo.c:1.32 src/sys/dev/hpc/bivideo.c:1.32.14.1
--- src/sys/dev/hpc/bivideo.c:1.32	Sat Nov 13 13:51:58 2010
+++ src/sys/dev/hpc/bivideo.c	Thu Jun 15 06:04:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $	*/
+/*	$NetBSD: bivideo.c,v 1.32.14.1 2017/06/15 06:04:01 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999-2001
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32.14.1 2017/06/15 06:04:01 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_hpcfb.h"
@@ -403,8 +403,8 @@ bivideo_ioctl(void *v, u_long cmd, void 
 
 		if (sc->sc_fbconf.hf_class != HPCFB_CLASS_INDEXCOLOR ||
 		sc->sc_fbconf.hf_pack_width != 8 ||
-		256 <= cmap->index ||
-		256 < (cmap->index + cmap->count))
+		cmap->index >= 256 ||
+		cmap->count > 256 - cmap->index)
 			return (EINVAL);
 
 		error = copyout(_cmap_r[cmap->index], cmap->red,

Index: src/sys/dev/ic/sti.c
diff -u src/sys/dev/ic/sti.c:1.16.8.1 

CVS commit: [netbsd-6] src/sys/arch/i386/stand/misc

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Jun  3 16:49:29 UTC 2017

Modified Files:
src/sys/arch/i386/stand/misc [netbsd-6]: rawr32.exe.uue

Log Message:
Pull up following revision(s) (requested by martin in ticket #1454):
sys/arch/i386/stand/misc/rawr32.exe.uue: revision 1.7
Update to rawrite32 1.0.5 (new signatures to avoid scary windows
warnings)


To generate a diff of this commit:
cvs rdiff -u -r1.4.4.1 -r1.4.4.2 src/sys/arch/i386/stand/misc/rawr32.exe.uue

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffs are larger than 1MB and have been omitted

CVS commit: [netbsd-6] src/sys/dev/pci/ixgbe

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:35:56 UTC 2017

Modified Files:
src/sys/dev/pci/ixgbe [netbsd-6]: ixgbe.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1439):
sys/dev/pci/ixgbe/ixgbe.c: revision 1.60 via patch
Use 64bit DMA tag. If not, a lot of bounce buffer is allocated.
Fixes PR#49968 reported by Hauke.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.4.1 src/sys/dev/pci/ixgbe/ixgbe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/ixgbe/ixgbe.c
diff -u src/sys/dev/pci/ixgbe/ixgbe.c:1.2 src/sys/dev/pci/ixgbe/ixgbe.c:1.2.4.1
--- src/sys/dev/pci/ixgbe/ixgbe.c:1.2	Sat Nov 19 22:51:24 2011
+++ src/sys/dev/pci/ixgbe/ixgbe.c	Sat Mar 25 17:35:56 2017
@@ -59,7 +59,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*$FreeBSD: src/sys/dev/ixgbe/ixgbe.c,v 1.51 2011/04/25 23:34:21 jfv Exp $*/
-/*$NetBSD: ixgbe.c,v 1.2 2011/11/19 22:51:24 tls Exp $*/
+/*$NetBSD: ixgbe.c,v 1.2.4.1 2017/03/25 17:35:56 snj Exp $*/
 
 #include "opt_inet.h"
 
@@ -475,6 +475,10 @@ ixgbe_attach(device_t parent, device_t d
 	adapter->osdep.pc = pa->pa_pc;
 	adapter->osdep.tag = pa->pa_tag;
 	adapter->osdep.dmat = pa->pa_dmat;
+	if (pci_dma64_available(pa))
+		adapter->osdep.dmat = pa->pa_dmat64;
+	else
+		adapter->osdep.dmat = pa->pa_dmat;
 
 	ent = ixgbe_lookup(pa);
 

CVS commit: [netbsd-6] src/sys/dev/usb

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:30:18 UTC 2017

Modified Files:
src/sys/dev/usb [netbsd-6]: uplcom.c

Log Message:
Pull up following revision(s) (requested by bad in ticket #1445):
sys/dev/usb/uplcom.c: revision 1.75
Null suspend/resume handler for uplcom(4).


To generate a diff of this commit:
cvs rdiff -u -r1.73.2.1 -r1.73.2.2 src/sys/dev/usb/uplcom.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/uplcom.c
diff -u src/sys/dev/usb/uplcom.c:1.73.2.1 src/sys/dev/usb/uplcom.c:1.73.2.2
--- src/sys/dev/usb/uplcom.c:1.73.2.1	Sat Mar 25 17:26:53 2017
+++ src/sys/dev/usb/uplcom.c	Sat Mar 25 17:30:18 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $	*/
+/*	$NetBSD: uplcom.c,v 1.73.2.2 2017/03/25 17:30:18 snj Exp $	*/
 /*
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
  * All rights reserved.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73.2.2 2017/03/25 17:30:18 snj Exp $");
 
 #include 
 #include 
@@ -416,6 +416,9 @@ uplcom_attach(device_t parent, device_t 
 	sc->sc_subdev = config_found_sm_loc(self, "ucombus", NULL, ,
 	ucomprint, ucomsubmatch);
 
+	if (!pmf_device_register(self, NULL, NULL))
+		aprint_error_dev(self, "couldn't establish power handler\n");
+
 	return;
 }
 
@@ -450,6 +453,9 @@ uplcom_detach(device_t self, int flags)
 	usbd_add_drv_event(USB_EVENT_DRIVER_DETACH, sc->sc_udev,
 			   sc->sc_dev);
 
+	if (rv == 0)
+		pmf_device_deregister(self);
+
 	return (rv);
 }
 

CVS commit: [netbsd-6] src/sys/dev/usb

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:26:53 UTC 2017

Modified Files:
src/sys/dev/usb [netbsd-6]: uplcom.c

Log Message:
Pull up following revision(s) (requested by bad in ticket #1444):
sys/dev/usb/uplcom.c: revision 1.76
Don't pretend to do zero length IN control transfers as dwctwo(4)
(correctly according to usb 2.0 specification 8.5.3) uses IN status stage
when no (zero length) data stage.  Instead read into a 1 byte array.
My uplcom(4) now works on RPI.


To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.73.2.1 src/sys/dev/usb/uplcom.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/uplcom.c
diff -u src/sys/dev/usb/uplcom.c:1.73 src/sys/dev/usb/uplcom.c:1.73.2.1
--- src/sys/dev/usb/uplcom.c:1.73	Fri Dec 23 00:51:48 2011
+++ src/sys/dev/usb/uplcom.c	Sat Mar 25 17:26:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: uplcom.c,v 1.73 2011/12/23 00:51:48 jakllsch Exp $	*/
+/*	$NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $	*/
 /*
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
  * All rights reserved.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73 2011/12/23 00:51:48 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uplcom.c,v 1.73.2.1 2017/03/25 17:26:53 snj Exp $");
 
 #include 
 #include 
@@ -491,21 +491,20 @@ struct pl2303x_init {
 	uint8_t		request;
 	uint16_t	value;
 	uint16_t	index;
-	uint16_t	length;
 };
 
 static const struct pl2303x_init pl2303x[] = {
-	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0, 0 },
-	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,0, 0 },
-	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0, 0 },
-	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8383,0, 0 },
-	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0, 0 },
-	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,1, 0 },
-	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0, 0 },
-	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8383,0, 0 },
-	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST,  0,1, 0 },
-	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST,  1,0, 0 },
-	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST,  2, 0x44, 0 }
+	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0 },
+	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,0 },
+	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0 },
+	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8383,0 },
+	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0 },
+	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST, 0x0404,1 },
+	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8484,0 },
+	{ UT_READ_VENDOR_DEVICE,  UPLCOM_SET_REQUEST, 0x8383,0 },
+	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST,  0,1 },
+	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST,  1,0 },
+	{ UT_WRITE_VENDOR_DEVICE, UPLCOM_SET_REQUEST,  2, 0x44 }
 };
 #define N_PL2302X_INIT  (sizeof(pl2303x)/sizeof(pl2303x[0]))
 
@@ -517,13 +516,22 @@ uplcom_pl2303x_init(struct uplcom_softc 
 	int i;
 
 	for (i = 0; i < N_PL2302X_INIT; i++) {
+		char buf[1];
+		void *b;
+
 		req.bmRequestType = pl2303x[i].req_type;
 		req.bRequest = pl2303x[i].request;
 		USETW(req.wValue, pl2303x[i].value);
 		USETW(req.wIndex, pl2303x[i].index);
-		USETW(req.wLength, pl2303x[i].length);
+		if (UT_GET_DIR(req.bmRequestType) == UT_READ) {
+			b = buf;
+			USETW(req.wLength, sizeof(buf));
+		} else {
+			b = NULL;
+			USETW(req.wLength, 0);
+		}
 
-		err = usbd_do_request(sc->sc_udev, , 0);
+		err = usbd_do_request(sc->sc_udev, , b);
 		if (err) {
 			aprint_error_dev(sc->sc_dev,
 			"uplcom_pl2303x_init failed: %s\n",

CVS commit: [netbsd-6] src/sys/arch

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:18:25 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: trap.c
src/sys/arch/i386/i386 [netbsd-6]: trap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1446):
sys/arch/amd64/amd64/trap.c: revision 1.94
sys/arch/i386/i386/trap.c: revision 1.287
Mmh, allow iret to be handled when an #SS fault (T_STKFLT) happens. Even
if the sdm is far from being clear, it appears that iret can trigger an #SS
fault if %ss points to a writable but non-present segment; in which case
the kernel would panic, thinking the fault was internal to it.
In particular, userland can create a broken segment in the ldt with
USER_LDT, update its %ss with setcontext and trigger the panic. I don't
think amd64 is affected since USER_LDT does not exist there, and the
changes on tf_ss seem correct - but I'm still adding T_STKFLT for safety.


To generate a diff of this commit:
cvs rdiff -u -r1.69.2.1 -r1.69.2.2 src/sys/arch/amd64/amd64/trap.c
cvs rdiff -u -r1.262 -r1.262.8.1 src/sys/arch/i386/i386/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/trap.c
diff -u src/sys/arch/amd64/amd64/trap.c:1.69.2.1 src/sys/arch/amd64/amd64/trap.c:1.69.2.2
--- src/sys/arch/amd64/amd64/trap.c:1.69.2.1	Sun Jun  3 21:45:10 2012
+++ src/sys/arch/amd64/amd64/trap.c	Sat Mar 25 17:18:25 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: trap.c,v 1.69.2.1 2012/06/03 21:45:10 jdc Exp $	*/
+/*	$NetBSD: trap.c,v 1.69.2.2 2017/03/25 17:18:25 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.69.2.1 2012/06/03 21:45:10 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.69.2.2 2017/03/25 17:18:25 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -294,6 +294,7 @@ trap(struct trapframe *frame)
 	case T_PROTFLT:
 	case T_SEGNPFLT:
 	case T_ALIGNFLT:
+	case T_STKFLT:
 	case T_TSSFLT:
 		if (p == NULL)
 			goto we_re_toast;

Index: src/sys/arch/i386/i386/trap.c
diff -u src/sys/arch/i386/i386/trap.c:1.262 src/sys/arch/i386/i386/trap.c:1.262.8.1
--- src/sys/arch/i386/i386/trap.c:1.262	Wed Sep  7 09:24:55 2011
+++ src/sys/arch/i386/i386/trap.c	Sat Mar 25 17:18:25 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: trap.c,v 1.262 2011/09/07 09:24:55 reinoud Exp $	*/
+/*	$NetBSD: trap.c,v 1.262.8.1 2017/03/25 17:18:25 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2005, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.262 2011/09/07 09:24:55 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.262.8.1 2017/03/25 17:18:25 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -405,6 +405,7 @@ trap(struct trapframe *frame)
 #endif
 	case T_SEGNPFLT:
 	case T_ALIGNFLT:
+	case T_STKFLT:
 	case T_TSSFLT:
 		if (p == NULL)
 			goto we_re_toast;

CVS commit: [netbsd-6] src/sys/arch/x86

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Mon Mar  6 08:18:44 UTC 2017

Modified Files:
src/sys/arch/x86/include [netbsd-6]: pmap.h
src/sys/arch/x86/x86 [netbsd-6]: pmap.c

Log Message:
Pull up following revision(s) (requested by bouyer in ticket #1441):
sys/arch/x86/x86/pmap.c: revision 1.241 via patch
sys/arch/x86/include/pmap.h: revision 1.63 via patch
Should be PG_k, doesn't change anything.
--
Remove PG_u from the kernel pages on Xen. Otherwise there is no privilege
separation between the kernel and userland.
On Xen-amd64, the kernel runs in ring3 just like userland, and the
separation is guaranteed by the hypervisor - each syscall/trap is
intercepted by Xen and sent manually to the kernel. Before that, the
hypervisor modifies the page tables so that the kernel becomes accessible.
Later, when returning to userland, the hypervisor removes the kernel pages
and flushes the TLB.
However, TLB flushes are costly, and in order to reduce the number of pages
flushed Xen marks the userland pages as global, while keeping the kernel
ones as local. This way, when returning to userland, only the kernel pages
get flushed - which makes sense since they are the only ones that got
removed from the mapping.
Xen differentiates the userland pages by looking at their PG_u bit in the
PTE; if a page has this bit then Xen tags it as global, otherwise Xen
manually adds the bit but keeps the page as local. The thing is, since we
set PG_u in the kernel pages, Xen believes our kernel pages are in fact
userland pages, so it marks them as global. Therefore, when returning to
userland, the kernel pages indeed get removed from the page tree, but are
not flushed from the TLB. Which means that they are still accessible.
With this - and depending on the DTLB size - userland has a small window
where it can read/write to the last kernel pages accessed, which is enough
to completely escalate privileges: the sysent structure systematically gets
read when performing a syscall, and chances are that it will still be
cached in the TLB. Userland can then use this to patch a chosen syscall,
make it point to a userland function, retrieve %gs and compute the address
of its credentials, and finally grant itself root privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/x86/include/pmap.h
cvs rdiff -u -r1.164.2.5 -r1.164.2.6 src/sys/arch/x86/x86/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/include/pmap.h
diff -u src/sys/arch/x86/include/pmap.h:1.49.2.2 src/sys/arch/x86/include/pmap.h:1.49.2.3
--- src/sys/arch/x86/include/pmap.h:1.49.2.2	Wed May  9 03:22:52 2012
+++ src/sys/arch/x86/include/pmap.h	Mon Mar  6 08:18:44 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.h,v 1.49.2.2 2012/05/09 03:22:52 riz Exp $	*/
+/*	$NetBSD: pmap.h,v 1.49.2.3 2017/03/06 08:18:44 snj Exp $	*/
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -182,15 +182,7 @@ struct pmap {
 	((pmap)->pm_pdirpa[0] + (index) * sizeof(pd_entry_t))
 #endif
 
-/* 
- * flag to be used for kernel mappings: PG_u on Xen/amd64, 
- * 0 otherwise.
- */
-#if defined(XEN) && defined(__x86_64__)
-#define PG_k PG_u
-#else
 #define PG_k 0
-#endif
 
 /*
  * MD flags that we use for pmap_enter and pmap_kenter_pa:

Index: src/sys/arch/x86/x86/pmap.c
diff -u src/sys/arch/x86/x86/pmap.c:1.164.2.5 src/sys/arch/x86/x86/pmap.c:1.164.2.6
--- src/sys/arch/x86/x86/pmap.c:1.164.2.5	Thu Jul 14 07:05:34 2016
+++ src/sys/arch/x86/x86/pmap.c	Mon Mar  6 08:18:44 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.164.2.5 2016/07/14 07:05:34 snj Exp $	*/
+/*	$NetBSD: pmap.c,v 1.164.2.6 2017/03/06 08:18:44 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2010 The NetBSD Foundation, Inc.
@@ -171,7 +171,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.5 2016/07/14 07:05:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.6 2017/03/06 08:18:44 snj Exp $");
 
 #include "opt_user_ldt.h"
 #include "opt_lockdebug.h"
@@ -1467,7 +1467,7 @@ pmap_bootstrap(vaddr_t kva_start)
 	memset((void *) (xen_dummy_user_pgd + KERNBASE), 0, PAGE_SIZE);
 	/* Mark read-only */
 	HYPERVISOR_update_va_mapping(xen_dummy_user_pgd + KERNBASE,
-	pmap_pa2pte(xen_dummy_user_pgd) | PG_u | PG_V, UVMF_INVLPG);
+	pmap_pa2pte(xen_dummy_user_pgd) | PG_k | PG_V, UVMF_INVLPG);
 	/* Pin as L4 */
 	xpq_queue_pin_l4_table(xpmap_ptom_masked(xen_dummy_user_pgd));
 #endif /* __x86_64__ */
@@ -2064,7 +2064,7 @@ pmap_pdp_ctor(void *arg, void *v, int fl
 	 * this pdir will NEVER be active in kernel mode
 	 * so mark recursive entry invalid
 	 */
-	pdir[PDIR_SLOT_PTE] = pmap_pa2pte(pdirpa) | PG_u;
+	pdir[PDIR_SLOT_PTE] = pmap_pa2pte(pdirpa) | PG_k;
 	/*
 	 * PDP constructed this way won't be for kernel,
 	 * hence we don't put kernel mappings on Xen.

CVS commit: [netbsd-6] src/sys/compat/linux/arch/amd64

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Tue Feb 14 16:59:31 UTC 2017

Modified Files:
src/sys/compat/linux/arch/amd64 [netbsd-6]: linux_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1433):
sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51
Don't let userland choose %rip. This is the Intel Sysret vulnerability
again.
--
Make sure %rip is in userland. This is harmless, since the return to
userland is made with iret instead of sysret in this path. While here, use
size_t.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.6.1 \
src/sys/compat/linux/arch/amd64/linux_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/arch/amd64/linux_machdep.c
diff -u src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39.6.1
--- src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39	Fri Nov 18 04:07:43 2011
+++ src/sys/compat/linux/arch/amd64/linux_machdep.c	Tue Feb 14 16:59:31 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $ */
+/*	$NetBSD: linux_machdep.c,v 1.39.6.1 2017/02/14 16:59:31 snj Exp $ */
 
 /*-
  * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39.6.1 2017/02/14 16:59:31 snj Exp $");
 
 #include 
 #include 
@@ -254,7 +254,12 @@ linux_sendsig(const ksiginfo_t *ksi, con
 	if (error != 0) {
 		sigexit(l, SIGILL);
 		return;
-	}	
+	}
+
+	if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) {
+		sigexit(l, SIGILL);
+		return;
+	}
 
 	linux_buildcontext(l, catcher, sp);
 	tf->tf_rdi = sigframe.info.lsi_signo;
@@ -485,7 +490,7 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 {
 	struct trapframe *tf = arg;
 	uint64_t retaddr;
-	int vsyscallnr;
+	size_t vsyscallnr;
 
 	/*
 	 * Check for a vsyscall. %rip must be the fault address,
@@ -515,6 +520,8 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 	 */
 	if (copyin((void *)tf->tf_rsp, , sizeof retaddr) != 0)
 		return 0;
+	if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS)
+		return 0;
 	tf->tf_rip = retaddr;
 	tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr];
 	tf->tf_rsp += 8;	/* "pop" the return address */

CVS commit: [netbsd-6] src/sys/netinet

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sun Feb  5 06:07:36 UTC 2017

Modified Files:
src/sys/netinet [netbsd-6]: if_arp.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1432):
sys/netinet/if_arp.c: 1.238, 1.239 via patch
Make sure the protocol address length equals that of IPv4. Also, make sure
the hardware address length equals that of the interface we received the
packet on. Otherwise a packet could easily set them both to zero and make
the kernel read beyond the allocated mbuf, which is terrible.
Note: for the latter we drop the packet instead of replying, since it is
malformed.
Note: I also added an ugly hack in CARP, since it apparently expects at
least six bytes.
--
Add some checks, mostly same as in_arpinput.


To generate a diff of this commit:
cvs rdiff -u -r1.154.2.2 -r1.154.2.3 src/sys/netinet/if_arp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/if_arp.c
diff -u src/sys/netinet/if_arp.c:1.154.2.2 src/sys/netinet/if_arp.c:1.154.2.3
--- src/sys/netinet/if_arp.c:1.154.2.2	Sun Nov 15 17:51:52 2015
+++ src/sys/netinet/if_arp.c	Sun Feb  5 06:07:36 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_arp.c,v 1.154.2.2 2015/11/15 17:51:52 bouyer Exp $	*/
+/*	$NetBSD: if_arp.c,v 1.154.2.3 2017/02/05 06:07:36 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.2.2 2015/11/15 17:51:52 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.2.3 2017/02/05 06:07:36 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_inet.h"
@@ -975,6 +975,9 @@ in_arpinput(struct mbuf *m)
 		break;
 	}
 
+	if (ah->ar_pln != sizeof(struct in_addr))
+		goto out;
+
 	memcpy(, ar_spa(ah), sizeof (isaddr));
 	memcpy(, ar_tpa(ah), sizeof (itaddr));
 
@@ -1005,7 +1008,10 @@ in_arpinput(struct mbuf *m)
 		((ia->ia_ifp->if_flags & (IFF_UP|IFF_RUNNING)) ==
 		(IFF_UP|IFF_RUNNING))) {
 			index++;
+
+			/* XXX: ar_hln? */
 			if (ia->ia_ifp == m->m_pkthdr.rcvif &&
+			(ah->ar_hln >= 6) &&
 			carp_iamatch(ia, ar_sha(ah),
 			, index)) {
 break;
@@ -1037,6 +1043,14 @@ in_arpinput(struct mbuf *m)
 	}
 #endif
 
+	if (ah->ar_hln != ifp->if_addrlen) {
+		ARP_STATINC(ARP_STAT_RCVBADLEN);
+		log(LOG_WARNING,
+		"arp from %s: addr len: new %d, i/f %d (ignored)\n",
+		in_fmtaddr(isaddr), ah->ar_hln, ifp->if_addrlen);
+		goto out;
+	}
+
 	if (ia == NULL) {
 		INADDR_TO_IA(isaddr, ia);
 		while ((ia != NULL) && ia->ia_ifp != m->m_pkthdr.rcvif)
@@ -1131,14 +1145,7 @@ in_arpinput(struct mbuf *m)
 			"arp from %s: new addr len %d, was %d\n",
 			in_fmtaddr(isaddr), ah->ar_hln, sdl->sdl_alen);
 		}
-		if (ifp->if_addrlen != ah->ar_hln) {
-			ARP_STATINC(ARP_STAT_RCVBADLEN);
-			log(LOG_WARNING,
-			"arp from %s: addr len: new %d, i/f %d (ignored)\n",
-			in_fmtaddr(isaddr), ah->ar_hln,
-			ifp->if_addrlen);
-			goto reply;
-		}
+
 #if NTOKEN > 0
 		/*
 		 * XXX uses m_data and assumes the complete answer including
@@ -1437,6 +1444,10 @@ in_revarpinput(struct mbuf *m)
 	tha = ar_tha(ah);
 	if (tha == NULL)
 		goto out;
+	if (ah->ar_pln != sizeof(struct in_addr))
+		goto out;
+	if (ah->ar_hln != ifp->if_sadl->sdl_alen)
+		goto out;
 	if (memcmp(tha, CLLADDR(ifp->if_sadl), ifp->if_sadl->sdl_alen))
 		goto out;
 	memcpy(_ip, ar_spa(ah), sizeof(srv_ip));

CVS commit: [netbsd-6] src/sys/arch/amd64/amd64

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sun Feb  5 06:01:05 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: copy.S

Log Message:
Apply patch (requested by maxv in ticket #1431):
suword: Don't allow 4 bytes to overflow beyond the userland space.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.14.1 src/sys/arch/amd64/amd64/copy.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/copy.S
diff -u src/sys/arch/amd64/amd64/copy.S:1.18 src/sys/arch/amd64/amd64/copy.S:1.18.14.1
--- src/sys/arch/amd64/amd64/copy.S:1.18	Wed Jul  7 01:13:29 2010
+++ src/sys/arch/amd64/amd64/copy.S	Sun Feb  5 06:01:05 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: copy.S,v 1.18 2010/07/07 01:13:29 chs Exp $	*/
+/*	$NetBSD: copy.S,v 1.18.14.1 2017/02/05 06:01:05 snj Exp $	*/
 
 /*
  * Copyright (c) 2001 Wasabi Systems, Inc.
@@ -413,7 +413,7 @@ ENTRY(fubyte)
 
 ENTRY(suword)
 	DEFERRED_SWITCH_CHECK
-	movq	$VM_MAXUSER_ADDRESS-4,%r11
+	movq	$VM_MAXUSER_ADDRESS-8,%r11
 	cmpq	%r11,%rdi
 	ja	_C_LABEL(fusuaddrfault)
 

CVS commit: [netbsd-6] src/sys/net

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Sun Feb  5 05:48:00 UTC 2017

Modified Files:
src/sys/net [netbsd-6]: if_arcsubr.c if_ecosubr.c if_ethersubr.c
if_fddisubr.c if_tokensubr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1429):
sys/net/if_arcsubr.c: revision 1.76 via patch
sys/net/if_ecosubr.c: revision 1.50 via patch
sys/net/if_ethersubr.c: revision 1.236 via patch
sys/net/if_fddisubr.c: revision 1.104 via patch
sys/net/if_tokensubr.c: revision 1.80 via patch
Don't forget to free the mbuf when we decide not to reply to an ARP
request. This obviously is a terrible bug, since it allows a remote sender
to DoS the system with specially-crafted requests sent in a loop.


To generate a diff of this commit:
cvs rdiff -u -r1.63.14.1 -r1.63.14.2 src/sys/net/if_arcsubr.c
cvs rdiff -u -r1.36.4.1 -r1.36.4.2 src/sys/net/if_ecosubr.c
cvs rdiff -u -r1.188.8.4 -r1.188.8.5 src/sys/net/if_ethersubr.c
cvs rdiff -u -r1.81.14.1 -r1.81.14.2 src/sys/net/if_fddisubr.c
cvs rdiff -u -r1.61 -r1.61.8.1 src/sys/net/if_tokensubr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_arcsubr.c
diff -u src/sys/net/if_arcsubr.c:1.63.14.1 src/sys/net/if_arcsubr.c:1.63.14.2
--- src/sys/net/if_arcsubr.c:1.63.14.1	Tue Oct 23 16:19:47 2012
+++ src/sys/net/if_arcsubr.c	Sun Feb  5 05:48:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_arcsubr.c,v 1.63.14.1 2012/10/23 16:19:47 riz Exp $	*/
+/*	$NetBSD: if_arcsubr.c,v 1.63.14.2 2017/02/05 05:48:00 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Ignatios Souvatzis
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.63.14.1 2012/10/23 16:19:47 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.63.14.2 2017/02/05 05:48:00 snj Exp $");
 
 #include "opt_inet.h"
 
@@ -196,8 +196,10 @@ arc_output(struct ifnet *ifp, struct mbu
 			adst = arcbroadcastaddr;
 		else {
 			uint8_t *tha = ar_tha(arph);
-			if (tha == NULL)
+			if (tha == NULL) {
+m_freem(m);
 return 0;
+			}
 			adst = *tha;
 		}
 

Index: src/sys/net/if_ecosubr.c
diff -u src/sys/net/if_ecosubr.c:1.36.4.1 src/sys/net/if_ecosubr.c:1.36.4.2
--- src/sys/net/if_ecosubr.c:1.36.4.1	Sun Dec  7 15:09:32 2014
+++ src/sys/net/if_ecosubr.c	Sun Feb  5 05:48:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ecosubr.c,v 1.36.4.1 2014/12/07 15:09:32 martin Exp $	*/
+/*	$NetBSD: if_ecosubr.c,v 1.36.4.2 2017/02/05 05:48:00 snj Exp $	*/
 
 /*-
  * Copyright (c) 2001 Ben Harris
@@ -58,7 +58,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.36.4.1 2014/12/07 15:09:32 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.36.4.2 2017/02/05 05:48:00 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_pfil_hooks.h"
@@ -242,8 +242,10 @@ eco_output(struct ifnet *ifp, struct mbu
 	case AF_ARP:
 		ah = mtod(m, struct arphdr *);
 
-		if (ntohs(ah->ar_pro) != ETHERTYPE_IP)
-			return EAFNOSUPPORT;
+		if (ntohs(ah->ar_pro) != ETHERTYPE_IP) {
+			error = EAFNOSUPPORT;
+			goto bad;
+		}
 		ehdr.eco_port = ECO_PORT_IP;
 		switch (ntohs(ah->ar_op)) {
 		case ARPOP_REQUEST:
@@ -253,7 +255,8 @@ eco_output(struct ifnet *ifp, struct mbu
 			ehdr.eco_control = ECO_CTL_ARP_REPLY;
 			break;
 		default:
-			return EOPNOTSUPP;
+			error = EOPNOTSUPP;
+			goto bad;
 		}
 
 		if (m->m_flags & M_BCAST)
@@ -261,8 +264,10 @@ eco_output(struct ifnet *ifp, struct mbu
 			ECO_ADDR_LEN);
 		else {
 			tha = ar_tha(ah);
-			if (tha == NULL)
+			if (tha == NULL) {
+m_freem(m);
 return 0;
+			}
 			memcpy(ehdr.eco_dhost, tha, ECO_ADDR_LEN);
 		}
 

Index: src/sys/net/if_ethersubr.c
diff -u src/sys/net/if_ethersubr.c:1.188.8.4 src/sys/net/if_ethersubr.c:1.188.8.5
--- src/sys/net/if_ethersubr.c:1.188.8.4	Tue Jun  3 15:34:00 2014
+++ src/sys/net/if_ethersubr.c	Sun Feb  5 05:48:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ethersubr.c,v 1.188.8.4 2014/06/03 15:34:00 msaitoh Exp $	*/
+/*	$NetBSD: if_ethersubr.c,v 1.188.8.5 2017/02/05 05:48:00 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.188.8.4 2014/06/03 15:34:00 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.188.8.5 2017/02/05 05:48:00 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_atalk.h"
@@ -307,6 +307,7 @@ ether_output(struct ifnet * const ifp0, 
 
 			if (tha == NULL) {
 /* fake with ARPHDR_IEEE1394 */
+m_freem(m);
 return 0;
 			}
 			memcpy(edst, tha, sizeof(edst));

Index: src/sys/net/if_fddisubr.c
diff -u src/sys/net/if_fddisubr.c:1.81.14.1 src/sys/net/if_fddisubr.c:1.81.14.2
--- src/sys/net/if_fddisubr.c:1.81.14.1	Wed Oct 31 16:07:46 2012
+++ src/sys/net/if_fddisubr.c	Sun Feb  5 05:48:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_fddisubr.c,v 1.81.14.1 2012/10/31 16:07:46 riz Exp $	*/
+/*	$NetBSD: if_fddisubr.c,v 1.81.14.2 

CVS commit: [netbsd-6] src/sys/arch/alpha

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Wed Nov 16 18:04:39 UTC 2016

Modified Files:
src/sys/arch/alpha/alpha [netbsd-6]: machdep.c prom.c
src/sys/arch/alpha/stand/common [netbsd-6]: booted_dev.c prom.c

Log Message:
Pull up following revision(s) (requested by flxd in ticket #1416):
sys/arch/alpha/alpha/machdep.c: revision 1.347
sys/arch/alpha/alpha/prom.c: revision 1.49
sys/arch/alpha/stand/common/booted_dev.c: revision 1.4
sys/arch/alpha/stand/common/prom.c: revision 1.15
Match the two prom_getenv() and fix buffer overflow causing wrong host
controller SCSI ID for DEC 3000.
OK skrll@


To generate a diff of this commit:
cvs rdiff -u -r1.337.2.1 -r1.337.2.2 src/sys/arch/alpha/alpha/machdep.c
cvs rdiff -u -r1.48 -r1.48.2.1 src/sys/arch/alpha/alpha/prom.c
cvs rdiff -u -r1.3 -r1.3.174.1 src/sys/arch/alpha/stand/common/booted_dev.c
cvs rdiff -u -r1.14 -r1.14.18.1 src/sys/arch/alpha/stand/common/prom.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/alpha/alpha/machdep.c
diff -u src/sys/arch/alpha/alpha/machdep.c:1.337.2.1 src/sys/arch/alpha/alpha/machdep.c:1.337.2.2
--- src/sys/arch/alpha/alpha/machdep.c:1.337.2.1	Mon May 21 15:25:57 2012
+++ src/sys/arch/alpha/alpha/machdep.c	Wed Nov 16 18:04:39 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: machdep.c,v 1.337.2.1 2012/05/21 15:25:57 riz Exp $ */
+/* $NetBSD: machdep.c,v 1.337.2.2 2016/11/16 18:04:39 snj Exp $ */
 
 /*-
  * Copyright (c) 1998, 1999, 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
 
 #include 			/* RCS ID & Copyright macro defns */
 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.337.2.1 2012/05/21 15:25:57 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.337.2.2 2016/11/16 18:04:39 snj Exp $");
 
 #include 
 #include 
@@ -175,7 +175,7 @@ struct bootinfo_kernel bootinfo;
 
 /* For built-in TCDS */
 #if defined(DEC_3000_300) || defined(DEC_3000_500)
-uint8_t	dec_3000_scsiid[2], dec_3000_scsifast[2];
+uint8_t	dec_3000_scsiid[3], dec_3000_scsifast[3];
 #endif
 
 struct platform platform;

Index: src/sys/arch/alpha/alpha/prom.c
diff -u src/sys/arch/alpha/alpha/prom.c:1.48 src/sys/arch/alpha/alpha/prom.c:1.48.2.1
--- src/sys/arch/alpha/alpha/prom.c:1.48	Mon Feb  6 02:14:12 2012
+++ src/sys/arch/alpha/alpha/prom.c	Wed Nov 16 18:04:39 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: prom.c,v 1.48 2012/02/06 02:14:12 matt Exp $ */
+/* $NetBSD: prom.c,v 1.48.2.1 2016/11/16 18:04:39 snj Exp $ */
 
 /*
  * Copyright (c) 1992, 1994, 1995, 1996 Carnegie Mellon University
@@ -27,7 +27,7 @@
 
 #include 			/* RCS ID & Copyright macro defns */
 
-__KERNEL_RCSID(0, "$NetBSD: prom.c,v 1.48 2012/02/06 02:14:12 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: prom.c,v 1.48.2.1 2016/11/16 18:04:39 snj Exp $");
 
 #include "opt_multiprocessor.h"
 
@@ -95,7 +95,7 @@ init_bootstrap_console(void)
 
 	init_prom_interface(hwrpb);
 
-	prom_getenv(PROM_E_TTY_DEV, buf, 4);
+	prom_getenv(PROM_E_TTY_DEV, buf, sizeof(buf));
 	alpha_console = buf[0] - '0';
 
 	/* XXX fake out the console routines, for now */
@@ -238,14 +238,14 @@ prom_getenv(int id, char *buf, int len)
 
 	prom_enter();
 	ret.bits = prom_getenv_disp(id, to, len);
-	memcpy(buf, to, len);
-	prom_leave();
-
 	if (ret.u.status & 0x4)
 		ret.u.retval = 0;
-	buf[ret.u.retval] = '\0';
+	len = min(len - 1, ret.u.retval);
+	memcpy(buf, to, len);
+	buf[len] = '\0';
+	prom_leave();
 
-	return (ret.bits);
+	return len;
 }
 
 void

Index: src/sys/arch/alpha/stand/common/booted_dev.c
diff -u src/sys/arch/alpha/stand/common/booted_dev.c:1.3 src/sys/arch/alpha/stand/common/booted_dev.c:1.3.174.1
--- src/sys/arch/alpha/stand/common/booted_dev.c:1.3	Sat Nov 13 21:38:20 1999
+++ src/sys/arch/alpha/stand/common/booted_dev.c	Wed Nov 16 18:04:39 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: booted_dev.c,v 1.3 1999/11/13 21:38:20 thorpej Exp $ */
+/* $NetBSD: booted_dev.c,v 1.3.174.1 2016/11/16 18:04:39 snj Exp $ */
 
 /*
  * Copyright (c) 1999 Christopher G. Demetriou.  All rights reserved.
@@ -53,9 +53,8 @@ booted_dev_open(void)
 	 * We don't know what device names look like yet,
 	 * so we can't change them.
 	 */
-	ret.bits = prom_getenv(PROM_E_BOOTED_DEV, booted_dev_name,
+	devlen = prom_getenv(PROM_E_BOOTED_DEV, booted_dev_name,
 	sizeof(booted_dev_name));
-	devlen = ret.u.retval;
 
 	ret.bits = prom_open(booted_dev_name, devlen);
 

Index: src/sys/arch/alpha/stand/common/prom.c
diff -u src/sys/arch/alpha/stand/common/prom.c:1.14 src/sys/arch/alpha/stand/common/prom.c:1.14.18.1
--- src/sys/arch/alpha/stand/common/prom.c:1.14	Wed Mar 18 10:22:22 2009
+++ src/sys/arch/alpha/stand/common/prom.c	Wed Nov 16 18:04:39 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: prom.c,v 1.14 2009/03/18 10:22:22 cegger Exp $ */
+/* $NetBSD: prom.c,v 1.14.18.1 2016/11/16 18:04:39 snj Exp $ */
 
 /*  
  * Mach Operating System
@@ -57,7 +57,7 @@ init_prom_calls(void)
 	prom_dispatch_v.routine = c->crb_v_dispatch->entry_va;
 
 	/* Look 

CVS commit: [netbsd-6] src/sys/kern

[Soren Jacobsen]

Module Name:src
Committed By:   snj
Date:   Fri Nov 11 07:08:05 UTC 2016

Modified Files:
src/sys/kern [netbsd-6]: uipc_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1415):
sys/kern/uipc_usrreq.c: revision 1.181
Memory leak, found by Mootja. It is easily triggerable from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.136.8.3 -r1.136.8.4 src/sys/kern/uipc_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_usrreq.c
diff -u src/sys/kern/uipc_usrreq.c:1.136.8.3 src/sys/kern/uipc_usrreq.c:1.136.8.4
--- src/sys/kern/uipc_usrreq.c:1.136.8.3	Mon Feb 18 22:00:49 2013
+++ src/sys/kern/uipc_usrreq.c	Fri Nov 11 07:08:05 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $	*/
+/*	$NetBSD: uipc_usrreq.c,v 1.136.8.4 2016/11/11 07:08:05 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2004, 2008, 2009 The NetBSD Foundation, Inc.
@@ -96,7 +96,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.4 2016/11/11 07:08:05 snj Exp $");
 
 #include 
 #include 
@@ -1014,11 +1014,11 @@ unp_connect(struct socket *so, struct mb
 		goto bad2;
 	}
 	vp = nd.ni_vp;
+	pathbuf_destroy(pb);
 	if (vp->v_type != VSOCK) {
 		error = ENOTSOCK;
 		goto bad;
 	}
-	pathbuf_destroy(pb);
 	if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0)
 		goto bad;
 	/* Acquire v_interlock to protect against unp_detach(). */

CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:18:43 UTC 2016

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6]: locore.s

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1408):
sys/arch/sparc64/sparc64/locore.s: revision 1.401
Fix RAS for 32-bit kernels.  trapframe is always 64-bit.


To generate a diff of this commit:
cvs rdiff -u -r1.338.8.7 -r1.338.8.8 src/sys/arch/sparc64/sparc64/locore.s

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/locore.s
diff -u src/sys/arch/sparc64/sparc64/locore.s:1.338.8.7 src/sys/arch/sparc64/sparc64/locore.s:1.338.8.8
--- src/sys/arch/sparc64/sparc64/locore.s:1.338.8.7	Sun Nov 15 21:02:13 2015
+++ src/sys/arch/sparc64/sparc64/locore.s	Sat Sep 24 13:18:43 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.s,v 1.338.8.7 2015/11/15 21:02:13 bouyer Exp $	*/
+/*	$NetBSD: locore.s,v 1.338.8.8 2016/09/24 13:18:43 bouyer Exp $	*/
 
 /*
  * Copyright (c) 2006-2010 Matthew R. Green
@@ -5202,12 +5202,12 @@ ENTRY(cpu_switchto)
 	brz,pt	%o1, Lsw_noras		! no, skip RAS check
 	 LDPTR	[%i1 + L_TF], %l3	! pointer to trap frame
 	call	_C_LABEL(ras_lookup)
-	 LDPTR	[%l3 + TF_PC], %o1
+	 ldx	[%l3 + TF_PC], %o1
 	cmp	%o0, -1
-	be,pt	%xcc, Lsw_noras
+	be,pt	CCCR, Lsw_noras
 	 add	%o0, 4, %o1
-	STPTR	%o0, [%l3 + TF_PC]	! store rewound %pc
-	STPTR	%o1, [%l3 + TF_NPC]	! and %npc
+	stx	%o0, [%l3 + TF_PC]	! store rewound %pc
+	stx	%o1, [%l3 + TF_NPC]	! and %npc
 
 Lsw_noras:
 

CVS commit: [netbsd-6] src/sys/dev/pci

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:14:57 UTC 2016

Modified Files:
src/sys/dev/pci [netbsd-6]: if_wm.c

Log Message:
Apply patch, requested by martin in ticket #1407:
sys/dev/pci/if_wm.c patch
fix evbppc build, where the older gcc wrongly warns about uninitialized
variable.


To generate a diff of this commit:
cvs rdiff -u -r1.227.2.19 -r1.227.2.20 src/sys/dev/pci/if_wm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_wm.c
diff -u src/sys/dev/pci/if_wm.c:1.227.2.19 src/sys/dev/pci/if_wm.c:1.227.2.20
--- src/sys/dev/pci/if_wm.c:1.227.2.19	Fri May  6 18:43:34 2016
+++ src/sys/dev/pci/if_wm.c	Sat Sep 24 13:14:57 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wm.c,v 1.227.2.19 2016/05/06 18:43:34 snj Exp $	*/
+/*	$NetBSD: if_wm.c,v 1.227.2.20 2016/09/24 13:14:57 bouyer Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc.
@@ -84,7 +84,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.227.2.19 2016/05/06 18:43:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.227.2.20 2016/09/24 13:14:57 bouyer Exp $");
 
 #include 
 #include 
@@ -6003,7 +6003,7 @@ wm_nvm_version_invm(struct wm_softc *sc)
 static void
 wm_nvm_version(struct wm_softc *sc)
 {
-	uint16_t major, minor, build, patch;
+	uint16_t major, minor, patch, build = 0; /* XXX old gcc */
 	uint16_t uid0, uid1;
 	uint16_t nvm_data;
 	uint16_t off;

CVS commit: [netbsd-6] src/sys/lib/libsa

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:10:52 UTC 2016

Modified Files:
src/sys/lib/libsa [netbsd-6]: checkpasswd.c

Log Message:
Pull up following revision(s) (requested by dholland in ticket #1406):
sys/lib/libsa/checkpasswd.c: revision 1.10
Check bounds on input. From Michael Plass.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.14.1 src/sys/lib/libsa/checkpasswd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/lib/libsa/checkpasswd.c
diff -u src/sys/lib/libsa/checkpasswd.c:1.9 src/sys/lib/libsa/checkpasswd.c:1.9.14.1
--- src/sys/lib/libsa/checkpasswd.c:1.9	Thu Jan  6 02:45:13 2011
+++ src/sys/lib/libsa/checkpasswd.c	Sat Sep 24 13:10:52 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: checkpasswd.c,v 1.9 2011/01/06 02:45:13 jakllsch Exp $	*/
+/*	$NetBSD: checkpasswd.c,v 1.9.14.1 2016/09/24 13:10:52 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1993
@@ -84,8 +84,10 @@ getpass(const char *prompt)
 			putchar('\n');
 			break;
 		default:
-			*lp++ = c;
-			putchar('*');
+			if ((size_t)(lp - buf) < sizeof(buf) - 1) {
+*lp++ = c;
+putchar('*');
+			}
 			break;
 		}
 	}

CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:06:41 UTC 2016

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6]: kobj_machdep.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1405):
sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.5
sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.6
Follow rev. 1.54, 1.55 of libexec/ld.elf_so/arch/sparc64/mdreloc.c.
The target of the OLO10 relocation is the simd13 field of the instruction,
so use a 13 bit target mask.
Fixes PR kern/51436 (I broke this myself in rev 1.4)


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.14.1 src/sys/arch/sparc64/sparc64/kobj_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/kobj_machdep.c
diff -u src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4 src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4.14.1
--- src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4	Sun May  2 11:43:30 2010
+++ src/sys/arch/sparc64/sparc64/kobj_machdep.c	Sat Sep 24 13:06:41 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kobj_machdep.c,v 1.4 2010/05/02 11:43:30 martin Exp $	*/
+/*	$NetBSD: kobj_machdep.c,v 1.4.14.1 2016/09/24 13:06:41 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2001 Jake Burkholder.
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kobj_machdep.c,v 1.4 2010/05/02 11:43:30 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kobj_machdep.c,v 1.4.14.1 2016/09/24 13:06:41 bouyer Exp $");
 
 #define	ELFSIZE		ARCH_ELFSIZE
 
@@ -164,15 +164,15 @@ static const long reloc_target_bitmask[]
 	_BM(22), _BM(10),		/* _HIPLT22, LOPLT10 */
 	_BM(32), _BM(22), _BM(10),	/* _PCPLT32, _PCPLT22, _PCPLT10 */
 	_BM(10), _BM(11), -1,		/* _10, _11, _64 */
-	_BM(10), _BM(22),		/* _OLO10, _HH22 */
+	_BM(13), _BM(22),		/* _OLO10, _HH22 */
 	_BM(10), _BM(22),		/* _HM10, _LM22 */
 	_BM(22), _BM(10), _BM(22),	/* _PC_HH22, _PC_HM10, _PC_LM22 */
 	_BM(16), _BM(19),		/* _WDISP16, _WDISP19 */
 	-1,/* GLOB_JMP */
-	_BM(7), _BM(5), _BM(6)		/* _7, _5, _6 */
+	_BM(7), _BM(5), _BM(6),		/* _7, _5, _6 */
 	-1, -1,/* DISP64, PLT64 */
 	_BM(22), _BM(13),		/* HIX22, LOX10 */
-	_BM(22), _BM(10), _BM(13),	/* H44, M44, L44 */
+	_BM(22), _BM(10), _BM(12),	/* H44, M44, L44 */
 	-1, -1, _BM(16),		/* REGISTER, UA64, UA16 */
 #undef _BM
 };

CVS commit: [netbsd-6] src/sys/dev/pci

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 12:56:16 UTC 2016

Modified Files:
src/sys/dev/pci [netbsd-6]: if_vioif.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1401):
sys/dev/pci/if_vioif.c: revision 1.25
Fix initializing wrong queues
Pointed out by Mike Larkin.
PR kern/51448


To generate a diff of this commit:
cvs rdiff -u -r1.2.8.2 -r1.2.8.3 src/sys/dev/pci/if_vioif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_vioif.c
diff -u src/sys/dev/pci/if_vioif.c:1.2.8.2 src/sys/dev/pci/if_vioif.c:1.2.8.3
--- src/sys/dev/pci/if_vioif.c:1.2.8.2	Thu Aug  7 09:31:09 2014
+++ src/sys/dev/pci/if_vioif.c	Sat Sep 24 12:56:16 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_vioif.c,v 1.2.8.2 2014/08/07 09:31:09 msaitoh Exp $	*/
+/*	$NetBSD: if_vioif.c,v 1.2.8.3 2016/09/24 12:56:16 bouyer Exp $	*/
 
 /*
  * Copyright (c) 2010 Minoura Makoto.
@@ -26,7 +26,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_vioif.c,v 1.2.8.2 2014/08/07 09:31:09 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_vioif.c,v 1.2.8.3 2016/09/24 12:56:16 bouyer Exp $");
 
 #include 
 #include 
@@ -378,7 +378,7 @@ vioif_alloc_mems(struct vioif_softc *sc)
 	}
 
 	for (i = 0; i < txqsize; i++) {
-		C_L1(txhdr_dmamaps[i], rx_hdrs[i],
+		C_L1(txhdr_dmamaps[i], tx_hdrs[i],
 		sizeof(struct virtio_net_hdr), 1,
 		WRITE, "tx header");
 		C(tx_dmamaps[i], NULL, ETHER_MAX_LEN, 256 /* XXX */, 0,

CVS commit: [netbsd-6] src/sys/miscfs/kernfs

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Sep  3 11:36:03 UTC 2016

Modified Files:
src/sys/miscfs/kernfs [netbsd-6]: kernfs_vnops.c

Log Message:
Revert ticket 1367, it causes a kernel panic in test lib/libc/gen/t_getcwd
as seen in e.g.
http://www-soc.lip6.fr/~bouyer/NetBSD-tests/xen/netbsd-6/i386/201608291710Z_anita.txt

lib/libc/gen/t_getcwd (206/500): 2 test cases
getcwd_err: [0.006614s] Passed.
getcwd_fts: uvm_fault(0xc0e221b0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c023ba9f cs 9 eflags 10246 cr2 1c ilevel 0
panic: trap
cpu1: Begin traceback...
panic(c04616d0,cdcfb938,cdcfb938,c023ba9f,9,10246,1c,0,1c,0) at 
netbsd:panic+0x18
trap() at netbsd:trap+0xb51
--- trap (number 6) ---
kernfs_readdir(cdcfbc0c,1,c11ce0b4,c0439f60,c11ce0b4,cdcfbc58,c0cc0cc0,cdcfbc7c,0,0)
 at netbsd:kernfs_readdir+0x98f
VOP_READDIR(c11ce0b4,cdcfbc58,c0cc0cc0,cdcfbc7c,0,0,c19287e0,1,cdcfbc58,cdcfbc74)
 at netbsd:VOP_READDIR+0x68
vn_readdir(c14c3000,bb512000,0,1000,cdcfbcbc,c19287e0,0,0,c14c3000,0) at 
netbsd:vn_readdir+0xbd
sys___getdents30(c19287e0,cdcfbd00,cdcfbd28,186,bb516000,0,cdcfbd00,c1199bf4,2,bb7a4fe7)
 at netbsd:sys___getdents30+0x8c
syscall(cdcfbd48,bb6b00b3,ab,bf7f001f,bb6b001f,0,bb5010d0,bf7fe764,bb7c4be0,0) 
at netbsd:syscall+0xaa
cpu1: End traceback...


To generate a diff of this commit:
cvs rdiff -u -r1.144.2.1 -r1.144.2.2 src/sys/miscfs/kernfs/kernfs_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/miscfs/kernfs/kernfs_vnops.c
diff -u src/sys/miscfs/kernfs/kernfs_vnops.c:1.144.2.1 src/sys/miscfs/kernfs/kernfs_vnops.c:1.144.2.2
--- src/sys/miscfs/kernfs/kernfs_vnops.c:1.144.2.1	Sat Aug 27 13:13:31 2016
+++ src/sys/miscfs/kernfs/kernfs_vnops.c	Sat Sep  3 11:36:03 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kernfs_vnops.c,v 1.144.2.1 2016/08/27 13:13:31 bouyer Exp $	*/
+/*	$NetBSD: kernfs_vnops.c,v 1.144.2.2 2016/09/03 11:36:03 bouyer Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kernfs_vnops.c,v 1.144.2.1 2016/08/27 13:13:31 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kernfs_vnops.c,v 1.144.2.2 2016/09/03 11:36:03 bouyer Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -63,7 +63,6 @@ __KERNEL_RCSID(0, "$NetBSD: kernfs_vnops
 
 #include 
 #include 
-#include 
 
 #ifdef IPSEC
 #include 
@@ -860,11 +859,6 @@ kernfs_getattr(void *v)
 		vap->va_bytes = vap->va_size = DEV_BSIZE;
 		break;
 
-	case KFSdevice:
-		vap->va_nlink = 1;
-		vap->va_rdev = ap->a_vp->v_rdev;
-		break;
-
 	case KFSroot:
 		vap->va_nlink = 1;
 		vap->va_bytes = vap->va_size = DEV_BSIZE;
@@ -882,6 +876,7 @@ kernfs_getattr(void *v)
 	case KFSstring:
 	case KFShostname:
 	case KFSavenrun:
+	case KFSdevice:
 	case KFSmsgbuf:
 #ifdef IPSEC
 	case KFSipsecsa:
@@ -1055,8 +1050,18 @@ kernfs_setdirentfileno_kt(struct dirent 
 	if ((error = kernfs_allocvp(ap->a_vp->v_mount, , kt->kt_tag, kt,
 	value)) != 0)
 		return error;
-	kfs = VTOKERN(vp);
-	d->d_fileno = kfs->kfs_fileno;
+	if (kt->kt_tag == KFSdevice) {
+		struct vattr va;
+
+		error = VOP_GETATTR(vp, , ap->a_cred);
+		if (error != 0) {
+			return error;
+		}
+		d->d_fileno = va.va_fileid;
+	} else {
+		kfs = VTOKERN(vp);
+		d->d_fileno = kfs->kfs_fileno;
+	}
 	vput(vp);
 	return 0;
 }

CVS commit: [netbsd-6] src/sys/net80211

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Wed Aug 31 15:15:57 UTC 2016

Modified Files:
src/sys/net80211 [netbsd-6]: ieee80211_input.c

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1382):
sys/net80211/ieee80211_input.c: revision 1.83
sys/net80211/ieee80211_input.c: revision 1.84
Don't check sequence number on multicast packets in station mode.
Handle overflow of 12bit sequence number.
In station mode filter packets that or not for us in case the
interface is in promiscous mode or doesn't filter packets itself.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/net80211/ieee80211_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net80211/ieee80211_input.c
diff -u src/sys/net80211/ieee80211_input.c:1.72 src/sys/net80211/ieee80211_input.c:1.72.2.1
--- src/sys/net80211/ieee80211_input.c:1.72	Sat Dec 31 20:41:58 2011
+++ src/sys/net80211/ieee80211_input.c	Wed Aug 31 15:15:57 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ieee80211_input.c,v 1.72 2011/12/31 20:41:58 christos Exp $	*/
+/*	$NetBSD: ieee80211_input.c,v 1.72.2.1 2016/08/31 15:15:57 bouyer Exp $	*/
 /*-
  * Copyright (c) 2001 Atsushi Onoe
  * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
@@ -36,7 +36,7 @@
 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $");
 #endif
 #ifdef __NetBSD__
-__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.72 2011/12/31 20:41:58 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.72.2.1 2016/08/31 15:15:57 bouyer Exp $");
 #endif
 
 #include "opt_inet.h"
@@ -224,6 +224,18 @@ ieee80211_input(struct ieee80211com *ic,
 ic->ic_stats.is_rx_wrongbss++;
 goto out;
 			}
+
+			/* Filter out packets not directed to us in case the
+			 * device is in promiscous mode
+			 */
+			if ((! IEEE80211_IS_MULTICAST(wh->i_addr1))
+			&& (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) {
+IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
+bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
+ic->ic_myaddr, ":", wh->i_addr1, ":");
+ic->ic_stats.is_rx_wrongbss++;
+goto out;
+			}
 			break;
 		case IEEE80211_M_IBSS:
 		case IEEE80211_M_AHDEMO:
@@ -280,8 +292,11 @@ ieee80211_input(struct ieee80211com *ic,
 		}
 		ni->ni_rssi = rssi;
 		ni->ni_rstamp = rstamp;
-		if (HAS_SEQ(type)) {
-			u_int8_t tid;
+		if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA ||
+		!IEEE80211_IS_MULTICAST(wh->i_addr1))) {
+			u_int8_t tid, retry;
+			u_int16_t rxno, orxno;
+
 			if (IEEE80211_QOS_HAS_SEQ(wh)) {
 tid = ((struct ieee80211_qosframe *)wh)->
 	i_qos[0] & IEEE80211_QOS_TID;
@@ -291,15 +306,20 @@ ieee80211_input(struct ieee80211com *ic,
 			} else
 tid = 0;
 			rxseq = le16toh(*(u_int16_t *)wh->i_seq);
-			if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
-			SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
+			retry = wh->i_fc[1] & IEEE80211_FC1_RETRY;
+			rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT;
+			orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT;
+			if (retry && (
+			(orxno == 4095 && rxno == orxno) ||
+			(orxno != 4095 &&
+			 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid]))
+			)) {
 /* duplicate, discard */
 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
 bssid, "duplicate",
 "seqno <%u,%u> fragno <%u,%u> tid %u",
-rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
-ni->ni_rxseqs[tid] >>
-	IEEE80211_SEQ_SEQ_SHIFT,
+rxno,
+orxno,
 rxseq & IEEE80211_SEQ_FRAG_MASK,
 ni->ni_rxseqs[tid] &
 	IEEE80211_SEQ_FRAG_MASK,

CVS commit: [netbsd-6] src/sys/netinet

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sun Aug 28 10:49:45 UTC 2016

Modified Files:
src/sys/netinet [netbsd-6]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1393):
sys/netinet/ip_carp.c: revision 1.75
Workaround for PR 47013 by bouyer@. Only works for mixed IPv4/IPv6
environemnts, not for pure-IPv6 yet. A real fix is still needed.


To generate a diff of this commit:
cvs rdiff -u -r1.47.4.4 -r1.47.4.5 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.47.4.4 src/sys/netinet/ip_carp.c:1.47.4.5
--- src/sys/netinet/ip_carp.c:1.47.4.4	Sat Aug 27 14:39:10 2016
+++ src/sys/netinet/ip_carp.c	Sun Aug 28 10:49:45 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.47.4.5 2016/08/28 10:49:45 bouyer Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
 #include "opt_mbuftrace.h"
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.5 2016/08/28 10:49:45 bouyer Exp $");
 
 /*
  * TODO:
@@ -1086,7 +1086,7 @@ carp_send_ad(void *v)
 		}
 	}
 #endif /* INET */
-#ifdef INET6
+#ifdef INET6_notyet
 	if (sc->sc_naddrs6) {
 		struct ip6_hdr *ip6;
 
@@ -1494,7 +1494,7 @@ carp_setrun(struct carp_softc *sc, sa_fa
 			callout_schedule(>sc_md_tmo, tvtohz());
 			break;
 #endif /* INET */
-#ifdef INET6
+#ifdef INET6_notyet
 		case AF_INET6:
 			callout_schedule(>sc_md6_tmo, tvtohz());
 			break;
@@ -1502,8 +1502,10 @@ carp_setrun(struct carp_softc *sc, sa_fa
 		default:
 			if (sc->sc_naddrs)
 callout_schedule(>sc_md_tmo, tvtohz());
+#ifdef INET6_notyet
 			if (sc->sc_naddrs6)
 callout_schedule(>sc_md6_tmo, tvtohz());
+#endif /* INET6 */
 			break;
 		}
 		break;

CVS commit: [netbsd-6] src/sys/arch/i386/stand/misc

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sun Aug 28 10:38:29 UTC 2016

Modified Files:
src/sys/arch/i386/stand/misc [netbsd-6]: rawr32.exe.uue

Log Message:
Pull up following revision(s) (requested by martin in ticket #1385):
sys/arch/i386/stand/misc/rawr32.exe.uue: sync to revision 1.6
New Rawrite32 release


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.4.1 src/sys/arch/i386/stand/misc/rawr32.exe.uue

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffs are larger than 1MB and have been omitted

CVS commit: [netbsd-6] src/sys/compat/common

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:51:29 UTC 2016

Modified Files:
src/sys/compat/common [netbsd-6]: vfs_syscalls_43.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1400):
sys/compat/common/vfs_syscalls_43.c: revision 1.58
fill in the tv_nsec parts of the converted timespec in cvtstat().


To generate a diff of this commit:
cvs rdiff -u -r1.54.14.1 -r1.54.14.2 src/sys/compat/common/vfs_syscalls_43.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1 src/sys/compat/common/vfs_syscalls_43.c:1.54.14.2
--- src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1	Thu Mar 14 16:33:09 2013
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 27 14:51:29 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.1 2013/03/14 16:33:09 riz Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.2 2016/08/27 14:51:29 bouyer Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1 2013/03/14 16:33:09 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.2 2016/08/27 14:51:29 bouyer Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -74,15 +74,42 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls
 #include 
 #include 
 
+static void cvttimespec(struct timespec *, struct timespec50 *);
 static void cvtstat(struct stat *, struct stat43 *);
 
 /*
+ * Convert from an old to a new timespec structure.
+ */
+static void
+cvttimespec(struct timespec *ts, struct timespec50 *ots)
+{
+
+	if (ts->tv_sec > INT_MAX) {
+#if defined(DEBUG) || 1
+		static bool first = true;
+
+		if (first) {
+			first = false;
+			printf("%s[%s:%d]: time_t does not fit\n",
+			__func__, curlwp->l_proc->p_comm,
+			curlwp->l_lid);
+		}
+#endif
+		ots->tv_sec = INT_MAX;
+	} else
+		ots->tv_sec = ts->tv_sec;
+	ots->tv_nsec = ts->tv_nsec;
+}
+
+/*
  * Convert from an old to a new stat structure.
  */
 static void
 cvtstat(struct stat *st, struct stat43 *ost)
 {
 
+	/* Handle any padding. */
+	memset(ost, 0, sizeof *ost);
 	ost->st_dev = st->st_dev;
 	ost->st_ino = st->st_ino;
 	ost->st_mode = st->st_mode & 0x;
@@ -94,9 +121,9 @@ cvtstat(struct stat *st, struct stat43 *
 		ost->st_size = st->st_size;
 	else
 		ost->st_size = -2;
-	ost->st_atime = st->st_atime;
-	ost->st_mtime = st->st_mtime;
-	ost->st_ctime = st->st_ctime;
+	cvttimespec(>st_atimespec, >st_atimespec);
+	cvttimespec(>st_mtimespec, >st_mtimespec);
+	cvttimespec(>st_ctimespec, >st_ctimespec);
 	ost->st_blksize = st->st_blksize;
 	ost->st_blocks = st->st_blocks;
 	ost->st_flags = st->st_flags;

CVS commit: [netbsd-6] src/sys/dev

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:47:48 UTC 2016

Modified Files:
src/sys/dev [netbsd-6]: fss.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1399):
sys/dev/fss.c: revision 1.95
Disestablish COW handler on error.  No need to do further copies after
the snapshot device failed.
Should fix PR kern/51377: fss(4) panic if snapshot mounted read/write


To generate a diff of this commit:
cvs rdiff -u -r1.81.4.3 -r1.81.4.4 src/sys/dev/fss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/fss.c
diff -u src/sys/dev/fss.c:1.81.4.3 src/sys/dev/fss.c:1.81.4.4
--- src/sys/dev/fss.c:1.81.4.3	Mon Feb 11 20:39:28 2013
+++ src/sys/dev/fss.c	Sat Aug 27 14:47:47 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: fss.c,v 1.81.4.3 2013/02/11 20:39:28 riz Exp $	*/
+/*	$NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2003 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.3 2013/02/11 20:39:28 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $");
 
 #include 
 #include 
@@ -430,17 +430,20 @@ fss_dump(dev_t dev, daddr_t blkno, void 
 
 /*
  * An error occurred reading or writing the snapshot or backing store.
- * If it is the first error log to console.
+ * If it is the first error log to console and disestablish cow handler.
  * The caller holds the mutex.
  */
 static inline void
 fss_error(struct fss_softc *sc, const char *msg)
 {
 
-	if ((sc->sc_flags & (FSS_ACTIVE|FSS_ERROR)) == FSS_ACTIVE)
-		aprint_error_dev(sc->sc_dev, "snapshot invalid: %s\n", msg);
-	if ((sc->sc_flags & FSS_ACTIVE) == FSS_ACTIVE)
-		sc->sc_flags |= FSS_ERROR;
+	if ((sc->sc_flags & (FSS_ACTIVE | FSS_ERROR)) != FSS_ACTIVE)
+		return;
+
+	aprint_error_dev(sc->sc_dev, "snapshot invalid: %s\n", msg);
+	if ((sc->sc_flags & FSS_PERSISTENT) == 0)
+		fscow_disestablish(sc->sc_mount, fss_copy_on_write, sc);
+	sc->sc_flags |= FSS_ERROR;
 }
 
 /*
@@ -560,9 +563,8 @@ fss_unmount_hook(struct mount *mp)
 		if ((sc = device_lookup_private(_cd, i)) == NULL)
 			continue;
 		mutex_enter(>sc_slock);
-		if ((sc->sc_flags & FSS_ACTIVE) != 0 &&
-		sc->sc_mount == mp)
-			fss_error(sc, "forced unmount");
+		if ((sc->sc_flags & FSS_ACTIVE) != 0 && sc->sc_mount == mp)
+			fss_error(sc, "forced by unmount");
 		mutex_exit(>sc_slock);
 	}
 	mutex_exit(_device_lock);
@@ -888,7 +890,7 @@ static int
 fss_delete_snapshot(struct fss_softc *sc, struct lwp *l)
 {
 
-	if ((sc->sc_flags & FSS_PERSISTENT) == 0)
+	if ((sc->sc_flags & (FSS_PERSISTENT | FSS_ERROR)) == 0)
 		fscow_disestablish(sc->sc_mount, fss_copy_on_write, sc);
 
 	mutex_enter(>sc_slock);

CVS commit: [netbsd-6] src/sys/arch/evbppc/conf

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:44:11 UTC 2016

Modified Files:
src/sys/arch/evbppc/conf [netbsd-6]: Makefile.ev64260.inc
Makefile.obs405.inc Makefile.walnut.inc

Log Message:
Pull up following revision(s) (requested by maya in ticket #1396):
sys/arch/evbppc/conf/Makefile.walnut.inc: revision 1.9
sys/arch/evbppc/conf/Makefile.obs405.inc: revision 1.13
sys/arch/evbppc/conf/Makefile.ev64260.inc: revision 1.8
Fix typo in Makefile which resulted in kernel image not being generated
>From Rin Okuyama in PR/51369


To generate a diff of this commit:
cvs rdiff -u -r1.5.14.1 -r1.5.14.2 \
src/sys/arch/evbppc/conf/Makefile.ev64260.inc
cvs rdiff -u -r1.6.14.1 -r1.6.14.2 \
src/sys/arch/evbppc/conf/Makefile.obs405.inc
cvs rdiff -u -r1.6.2.1 -r1.6.2.2 src/sys/arch/evbppc/conf/Makefile.walnut.inc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/evbppc/conf/Makefile.ev64260.inc
diff -u src/sys/arch/evbppc/conf/Makefile.ev64260.inc:1.5.14.1 src/sys/arch/evbppc/conf/Makefile.ev64260.inc:1.5.14.2
--- src/sys/arch/evbppc/conf/Makefile.ev64260.inc:1.5.14.1	Fri Apr 11 08:31:56 2014
+++ src/sys/arch/evbppc/conf/Makefile.ev64260.inc	Sat Aug 27 14:44:10 2016
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.ev64260.inc,v 1.5.14.1 2014/04/11 08:31:56 msaitoh Exp $
+#	$NetBSD: Makefile.ev64260.inc,v 1.5.14.2 2016/08/27 14:44:10 bouyer Exp $
 
 MKIMG?=	${HOST_SH} ${THISPPC}/compile/walnut-mkimg.sh
 
@@ -9,5 +9,5 @@ SYSTEM_FIRST_SFILE=	${THISPPC}/${BOARDTY
 
 SYSTEM_LD_TAIL_EXTRA+=; \
 	echo ${MKIMG} $@ $@.img ; \
-	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \
+	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \
 		export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img

Index: src/sys/arch/evbppc/conf/Makefile.obs405.inc
diff -u src/sys/arch/evbppc/conf/Makefile.obs405.inc:1.6.14.1 src/sys/arch/evbppc/conf/Makefile.obs405.inc:1.6.14.2
--- src/sys/arch/evbppc/conf/Makefile.obs405.inc:1.6.14.1	Fri Apr 11 08:31:56 2014
+++ src/sys/arch/evbppc/conf/Makefile.obs405.inc	Sat Aug 27 14:44:10 2016
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.obs405.inc,v 1.6.14.1 2014/04/11 08:31:56 msaitoh Exp $
+#	$NetBSD: Makefile.obs405.inc,v 1.6.14.2 2016/08/27 14:44:10 bouyer Exp $
 
 CFLAGS+=-mcpu=405
 AFLAGS+=-mcpu=405
@@ -15,7 +15,7 @@ SYSTEM_FIRST_SFILE=	${THISPPC}/obs405/ob
 
 SYSTEM_LD_TAIL_EXTRA+=; \
 	echo ${MKIMG} $@ $@.img ; \
-	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \
+	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \
 		export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img
 
 
@@ -30,7 +30,7 @@ SYSTEM_FIRST_SFILE=	${POWERPC}/${PPCDIR}
 
 SYSTEM_LD_TAIL_EXTRA+=; \
 	echo ${MKIMG} $@ $@.img ; \
-	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \
+	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \
 		export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img
 
 

Index: src/sys/arch/evbppc/conf/Makefile.walnut.inc
diff -u src/sys/arch/evbppc/conf/Makefile.walnut.inc:1.6.2.1 src/sys/arch/evbppc/conf/Makefile.walnut.inc:1.6.2.2
--- src/sys/arch/evbppc/conf/Makefile.walnut.inc:1.6.2.1	Fri Apr 11 08:31:56 2014
+++ src/sys/arch/evbppc/conf/Makefile.walnut.inc	Sat Aug 27 14:44:10 2016
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.walnut.inc,v 1.6.2.1 2014/04/11 08:31:56 msaitoh Exp $
+#	$NetBSD: Makefile.walnut.inc,v 1.6.2.2 2016/08/27 14:44:10 bouyer Exp $
 
 MKIMG?=	${HOST_SH} ${THISPPC}/compile/walnut-mkimg.sh
 CFLAGS+=-mcpu=403
@@ -10,5 +10,5 @@ SYSTEM_FIRST_SFILE=	${THISPPC}/walnut/wa
 
 SYSTEM_LD_TAIL_EXTRA_EXTRA+=; \
 	echo ${MKIMG} $@ $@.img ; \
-	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT]; \
+	OBJDUMP=${OBJDUMP}; OBJCOPY=${OBJCOPY}; STAT=${TOOL_STAT}; \
 		export OBJDUMP OBJCOPY STAT; ${MKIMG} $@ $@.img

CVS commit: [netbsd-6] src/sys/netinet

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:39:10 UTC 2016

Modified Files:
src/sys/netinet [netbsd-6]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1394):
sys/netinet/ip_carp.c: revision 1.76
Print the IPv6 or IPv4 source addresses of packets with wrong hash, to
help debugging.


To generate a diff of this commit:
cvs rdiff -u -r1.47.4.3 -r1.47.4.4 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.47.4.3 src/sys/netinet/ip_carp.c:1.47.4.4
--- src/sys/netinet/ip_carp.c:1.47.4.3	Tue Jun  3 15:34:00 2014
+++ src/sys/netinet/ip_carp.c	Sat Aug 27 14:39:10 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.47.4.3 2014/06/03 15:34:00 msaitoh Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
 #include "opt_mbuftrace.h"
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.3 2014/06/03 15:34:00 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.47.4.4 2016/08/27 14:39:10 bouyer Exp $");
 
 /*
  * TODO:
@@ -92,6 +92,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 
 #include 
 #include 
 #include 
+#include 
 #endif
 
 #include 
@@ -673,9 +674,29 @@ carp_proto_input_c(struct mbuf *m, struc
 
 	/* verify the hash */
 	if (carp_hmac_verify(sc, ch->carp_counter, ch->carp_md)) {
+		struct ip *ip;
+		struct ip6_hdr *ip6;
+
 		CARP_STATINC(CARP_STAT_BADAUTH);
 		sc->sc_if.if_ierrors++;
-		CARP_LOG(sc, ("incorrect hash"));
+
+		switch(af) {
+		
+		case AF_INET:
+			ip = mtod(m, struct ip *);
+			CARP_LOG(sc, ("incorrect hash from %s", 
+			in_fmtaddr(ip->ip_src)));
+			break;
+
+		case AF_INET6:
+			ip6 = mtod(m, struct ip6_hdr *);
+			CARP_LOG(sc, ("incorrect hash from %s",
+ip6_sprintf(>ip6_src)));
+			break;
+
+		default: CARP_LOG(sc, ("incorrect hash"));
+			break;
+		}
 		m_freem(m);
 		return;
 	}

CVS commit: [netbsd-6] src/sys/arch/mips/mips

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:34:55 UTC 2016

Modified Files:
src/sys/arch/mips/mips [netbsd-6]: pmap.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1390):
sys/arch/mips/mips/pmap.c: revision 1.221
sys/arch/mips/mips/pmap.c: revision 1.222
sys/arch/mips/mips/pmap.c: revision 1.223
Fix a bug introduced by me in 1.214 where unmanaged mappings would be
affected by calls to pmap_page_protect which is wrong.  Now PV_KENTER
mappings are left intact.
Thanks to chuq for spotting my mistake and reviewing this diff.
Thanks to everyone who tested it as well.
Fix PR/51288 reproducable panic on evbmips64-eb (erlite)
pmap_page_remove from the previous change neglected to terminate the pv
list correctly when it started with an initial unmanaged mapping and
subsequent managed mappings.  Fix this.
Fix MIPS3_NO_PV_UNCACHED alias handling by looping through the pv_list
looking for bad aliases and removing the bad entries.  That is, revert
to the code before the matt-mips64 merge.
Additionally, fix the pmap_update call to not use the (recently
  removed/freed) pv for the pmap_t.
Fixes the following two PRs
PR/49903: Panic during installation on WorkPad Z50 (hpcmips) whilst 
uncompressing base.tgz
PR/51226: Install bug for hpcmips NetBSD V7 using FTP Full installation


To generate a diff of this commit:
cvs rdiff -u -r1.207.2.3 -r1.207.2.4 src/sys/arch/mips/mips/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mips/mips/pmap.c
diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.3 src/sys/arch/mips/mips/pmap.c:1.207.2.4
--- src/sys/arch/mips/mips/pmap.c:1.207.2.3	Wed Jun 11 15:38:05 2014
+++ src/sys/arch/mips/mips/pmap.c	Sat Aug 27 14:34:55 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.207.2.3 2014/06/11 15:38:05 msaitoh Exp $	*/
+/*	$NetBSD: pmap.c,v 1.207.2.4 2016/08/27 14:34:55 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.3 2014/06/11 15:38:05 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.4 2016/08/27 14:34:55 bouyer Exp $");
 
 /*
  *	Manages physical address maps.
@@ -316,6 +316,7 @@ u_int		pmap_page_colormask;
 	 (pm) == curlwp->l_proc->p_vmspace->vm_map.pmap)
 
 /* Forward function declarations */
+void pmap_page_remove(struct vm_page *);
 void pmap_remove_pv(pmap_t, vaddr_t, struct vm_page *, bool);
 void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *, int);
 pt_entry_t *pmap_pte(pmap_t, vaddr_t);
@@ -1063,6 +1064,10 @@ pmap_page_protect(struct vm_page *pg, vm
 			while (pv != NULL) {
 const pmap_t pmap = pv->pv_pmap;
 const uint16_t gen = PG_MD_PVLIST_GEN(md);
+if (pv->pv_va & PV_KENTER) {
+	pv = pv->pv_next;
+	continue;
+}
 va = trunc_page(pv->pv_va);
 PG_MD_PVLIST_UNLOCK(md);
 pmap_protect(pmap, va, va + PAGE_SIZE, prot);
@@ -1087,17 +1092,7 @@ pmap_page_protect(struct vm_page *pg, vm
 		if (pmap_clear_mdpage_attributes(md, PG_MD_EXECPAGE)) {
 			PMAP_COUNT(exec_uncached_page_protect);
 		}
-		(void)PG_MD_PVLIST_LOCK(md, false);
-		pv = >pvh_first;
-		while (pv->pv_pmap != NULL) {
-			const pmap_t pmap = pv->pv_pmap;
-			va = trunc_page(pv->pv_va);
-			PG_MD_PVLIST_UNLOCK(md);
-			pmap_remove(pmap, va, va + PAGE_SIZE);
-			pmap_update(pmap);
-			(void)PG_MD_PVLIST_LOCK(md, false);
-		}
-		PG_MD_PVLIST_UNLOCK(md);
+		pmap_page_remove(pg);
 	}
 }
 
@@ -2069,6 +2064,32 @@ pmap_set_modified(paddr_t pa)
 / pv_entry management /
 
 static void
+pmap_check_alias(struct vm_page *pg)
+{
+#ifdef MIPS3_PLUS	/* XXX mmu XXX */
+#ifndef MIPS3_NO_PV_UNCACHED
+	struct vm_page_md * const md = VM_PAGE_TO_MD(pg);
+
+	if (MIPS_HAS_R4K_MMU && PG_MD_UNCACHED_P(md)) {
+		/*
+		 * Page is currently uncached, check if alias mapping has been
+		 * removed.  If it was, then reenable caching.
+		 */
+		pv_entry_t pv = >pvh_first;
+		pv_entry_t pv0 = pv->pv_next;
+
+		for (; pv0; pv0 = pv0->pv_next) {
+			if (mips_cache_badalias(pv->pv_va, pv0->pv_va))
+break;
+		}
+		if (pv0 == NULL)
+			pmap_page_cache(pg, true);
+	}
+#endif
+#endif	/* MIPS3_PLUS */
+}
+
+static void
 pmap_check_pvlist(struct vm_page_md *md)
 {
 #ifdef PARANOIADIAG
@@ -2155,12 +2176,12 @@ again:
 			 * be mapped with one index at any given time.
 			 */
 
-			if (mips_cache_badalias(pv->pv_va, va)) {
-for (npv = pv; npv; npv = npv->pv_next) {
-	vaddr_t nva = trunc_page(npv->pv_va);
-	pmap_remove(npv->pv_pmap, nva,
-	nva + PAGE_SIZE);
-	pmap_update(npv->pv_pmap);
+			for (npv = pv; npv; npv = npv->pv_next) {
+vaddr_t nva = trunc_page(npv->pv_va);
+pmap_t npm = npv->pv_pmap;
+if (mips_cache_badalias(nva, va)) {
+	pmap_remove(npm, nva, nva + PAGE_SIZE);
+	pmap_update(npm);
 	goto again;
 }
 			}
@@ -2283,6 

CVS commit: [netbsd-6] src/sys/ufs/lfs

[Manuel Bouyer]

Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:13:18 UTC 2016

Modified Files:
src/sys/ufs/lfs [netbsd-6]: lfs_vnops.c

Log Message:
Pull up following revision(s) (requested by dholland in ticket #1389):
sys/ufs/lfs/lfs_vnops.c: revision 1.304
Fix a deadlock
ok dholland@


To generate a diff of this commit:
cvs rdiff -u -r1.239.2.1 -r1.239.2.2 src/sys/ufs/lfs/lfs_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/ufs/lfs/lfs_vnops.c
diff -u src/sys/ufs/lfs/lfs_vnops.c:1.239.2.1 src/sys/ufs/lfs/lfs_vnops.c:1.239.2.2
--- src/sys/ufs/lfs/lfs_vnops.c:1.239.2.1	Sat Mar 17 17:40:06 2012
+++ src/sys/ufs/lfs/lfs_vnops.c	Sat Aug 27 14:13:18 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: lfs_vnops.c,v 1.239.2.1 2012/03/17 17:40:06 bouyer Exp $	*/
+/*	$NetBSD: lfs_vnops.c,v 1.239.2.2 2016/08/27 14:13:18 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002, 2003 The NetBSD Foundation, Inc.
@@ -60,7 +60,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: lfs_vnops.c,v 1.239.2.1 2012/03/17 17:40:06 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lfs_vnops.c,v 1.239.2.2 2016/08/27 14:13:18 bouyer Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -443,8 +443,10 @@ lfs_set_dirop(struct vnode *dvp, struct 
 		if ((error = mtsleep(_dirvcount,
 		PCATCH | PUSER | PNORELOCK, "lfs_maxdirop", 0,
 		_lock)) != 0) {
+			mutex_exit(_lock);
 			goto unreserve;
 		}
+		mutex_exit(_lock);
 		goto restart;
 	}