CVS commit: [netbsd-6-1] src/sys/arch/sparc64/conf

2018-06-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jun  7 18:04:12 UTC 2018

Modified Files:
src/sys/arch/sparc64/conf [netbsd-6-1]: GENERIC32 NONPLUS

Log Message:
Fix fallout from ticket #1500: COMPAT_SVR4* has been disabled, do not
disable it here again.


To generate a diff of this commit:
cvs rdiff -u -r1.140 -r1.140.118.1 src/sys/arch/sparc64/conf/GENERIC32
cvs rdiff -u -r1.58 -r1.58.118.1 src/sys/arch/sparc64/conf/NONPLUS

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/conf/GENERIC32
diff -u src/sys/arch/sparc64/conf/GENERIC32:1.140 src/sys/arch/sparc64/conf/GENERIC32:1.140.118.1
--- src/sys/arch/sparc64/conf/GENERIC32:1.140	Fri Jun 30 10:27:48 2006
+++ src/sys/arch/sparc64/conf/GENERIC32	Thu Jun  7 18:04:12 2018
@@ -1,13 +1,13 @@
-# $NetBSD: GENERIC32,v 1.140 2006/06/30 10:27:48 tsutsui Exp $
+# $NetBSD: GENERIC32,v 1.140.118.1 2018/06/07 18:04:12 martin Exp $
 #
 # GENERIC machine description file for 32-bit kernel
 #
 
 include 	"arch/sparc64/conf/GENERIC"
 
-#ident		"GENERIC32-$Revision: 1.140 $"
+#ident		"GENERIC32-$Revision: 1.140.118.1 $"
 
 include 	"arch/sparc64/conf/std.sparc64-32"
 
 no options 	COMPAT_NETBSD32
-no options 	COMPAT_SVR4_32
+#no options 	COMPAT_SVR4_32

Index: src/sys/arch/sparc64/conf/NONPLUS
diff -u src/sys/arch/sparc64/conf/NONPLUS:1.58 src/sys/arch/sparc64/conf/NONPLUS:1.58.118.1
--- src/sys/arch/sparc64/conf/NONPLUS:1.58	Fri Jun 30 10:27:48 2006
+++ src/sys/arch/sparc64/conf/NONPLUS	Thu Jun  7 18:04:12 2018
@@ -1,9 +1,9 @@
-# 	$NetBSD: NONPLUS,v 1.58 2006/06/30 10:27:48 tsutsui Exp $
+# 	$NetBSD: NONPLUS,v 1.58.118.1 2018/06/07 18:04:12 martin Exp $
 
 include "arch/sparc64/conf/NONPLUS64"
 include "arch/sparc64/conf/std.sparc64-32"
 
-#ident 		"NONPLUS-$Revision: 1.58 $"
+#ident 		"NONPLUS-$Revision: 1.58.118.1 $"
 
 no options 	COMPAT_NETBSD32	# NetBSD/sparc binary compatibility
-no options 	COMPAT_SVR4_32	# 32-bit SVR4 binaries
+#no options 	COMPAT_SVR4_32	# 32-bit SVR4 binaries



CVS commit: [netbsd-6-1] src/sys

2018-05-22 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue May 22 14:44:31 UTC 2018

Modified Files:
src/sys/arch/amiga/conf [netbsd-6-1]: DRACO GENERIC GENERIC.in
src/sys/arch/hp300/conf [netbsd-6-1]: GENERIC
src/sys/arch/i386/conf [netbsd-6-1]: GENERIC XEN3_DOM0 XEN3_DOMU
src/sys/arch/sparc/conf [netbsd-6-1]: BILL-THE-CAT GENERIC KRUPS
MRCOFFEE TADPOLE3GX
src/sys/arch/sparc64/conf [netbsd-6-1]: GENERIC NONPLUS64
src/sys/kern [netbsd-6-1]: kern_exec.c

Log Message:
Apply patch requested by maxv in ticket #1500:

 * disable compat_svr4 and compat_svr4_32 everywhere
 * disable compat_ibcs2 everywhere but on Vax
 * remove the svr4/svr4_32/ibcs2/freebsd entries from the autoload list


To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.154.8.1 src/sys/arch/amiga/conf/DRACO
cvs rdiff -u -r1.284 -r1.284.8.1 src/sys/arch/amiga/conf/GENERIC
cvs rdiff -u -r1.96 -r1.96.8.1 src/sys/arch/amiga/conf/GENERIC.in
cvs rdiff -u -r1.169 -r1.169.8.1 src/sys/arch/hp300/conf/GENERIC
cvs rdiff -u -r1.1066.2.7.6.1 -r1.1066.2.7.6.2 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r1.60.2.7 -r1.60.2.7.2.1 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.41.2.2 -r1.41.2.2.6.1 src/sys/arch/i386/conf/XEN3_DOMU
cvs rdiff -u -r1.51 -r1.51.10.1 src/sys/arch/sparc/conf/BILL-THE-CAT
cvs rdiff -u -r1.230 -r1.230.8.1 src/sys/arch/sparc/conf/GENERIC
cvs rdiff -u -r1.56.4.1 -r1.56.4.1.6.1 src/sys/arch/sparc/conf/KRUPS
cvs rdiff -u -r1.34 -r1.34.10.1 src/sys/arch/sparc/conf/MRCOFFEE
cvs rdiff -u -r1.54.4.1 -r1.54.4.1.6.1 src/sys/arch/sparc/conf/TADPOLE3GX
cvs rdiff -u -r1.148.2.2 -r1.148.2.2.6.1 src/sys/arch/sparc64/conf/GENERIC
cvs rdiff -u -r1.34 -r1.34.10.1 src/sys/arch/sparc64/conf/NONPLUS64
cvs rdiff -u -r1.339.2.6.2.3 -r1.339.2.6.2.4 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/conf/DRACO
diff -u src/sys/arch/amiga/conf/DRACO:1.154 src/sys/arch/amiga/conf/DRACO:1.154.8.1
--- src/sys/arch/amiga/conf/DRACO:1.154	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/DRACO	Tue May 22 14:44:30 2018
@@ -1,4 +1,4 @@
-# $NetBSD: DRACO,v 1.154 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: DRACO,v 1.154.8.1 2018/05/22 14:44:30 martin Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.154 $"
+#ident 		"GENERIC-$Revision: 1.154.8.1 $"
 
 
 maxusers	8
@@ -143,7 +143,7 @@ options 	COMPAT_30	# NetBSD 3.0 compatib
 options 	COMPAT_40	# NetBSD 4.0 compatibility.
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 

Index: src/sys/arch/amiga/conf/GENERIC
diff -u src/sys/arch/amiga/conf/GENERIC:1.284 src/sys/arch/amiga/conf/GENERIC:1.284.8.1
--- src/sys/arch/amiga/conf/GENERIC:1.284	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/GENERIC	Tue May 22 14:44:30 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.284 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: GENERIC,v 1.284.8.1 2018/05/22 14:44:30 martin Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.284 $"
+#ident 		"GENERIC-$Revision: 1.284.8.1 $"
 
 
 maxusers	8
@@ -155,7 +155,7 @@ options 	COMPAT_30	# NetBSD 3.0 compatib
 options 	COMPAT_40	# NetBSD 4.0 compatibility.
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 

Index: src/sys/arch/amiga/conf/GENERIC.in
diff -u src/sys/arch/amiga/conf/GENERIC.in:1.96 src/sys/arch/amiga/conf/GENERIC.in:1.96.8.1
--- src/sys/arch/amiga/conf/GENERIC.in:1.96	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/GENERIC.in	Tue May 22 14:44:30 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC.in,v 1.96 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: GENERIC.in,v 1.96.8.1 2018/05/22 14:44:30 martin Exp $
 #
 ##
 # GENERIC machine description file
@@ -52,7 +52,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.96 $"
+#ident 		"GENERIC-$Revision: 

CVS commit: [netbsd-6-1] src/sys/net/npf

2018-05-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu May 17 13:47:24 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.


To generate a diff of this commit:
cvs rdiff -u -r1.8.4.7 -r1.8.4.7.2.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.10.4.9.2.1 -r1.10.4.9.2.2 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_alg_icmp.c
diff -u src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 src/sys/net/npf/npf_alg_icmp.c:1.8.4.7.2.1
--- src/sys/net/npf/npf_alg_icmp.c:1.8.4.7	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_alg_icmp.c	Thu May 17 13:47:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.7.2.1 2018/05/17 13:47:24 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7.2.1 2018/05/17 13:47:24 martin Exp $");
 
 #include 
 #include 
@@ -162,12 +162,14 @@ npfa_icmp_match(npf_cache_t *npc, nbuf_t
 /*
  * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query
  * ID or TCP/UDP ports of the original packet, which is embedded.
+ *
+ * => Sets hasqid=true if the packet has a Query Id. In this case neither
+ *the nbuf nor npc is touched.
  */
 
 static bool
-npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 792. */
 	switch (type) {
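Review bot: The new comment says `hasqid` is set to true when the packet carries a Query Id but not that it is never written otherwise; `npfa_icmp4_inspect` and `npfa_icmp6_inspect` (L299) only ever store `true`, so the caller must pre-initialise the flag, as `npfa_icmp_inspect` does with `hasqid = false` at L331. Suggest ` * => Sets *hasqid to true if the packet has a Query Id; it is left untouched otherwise, so callers must initialise it to false.` Removing `u_int offby` also leaves an empty line directly after the opening brace in both functions (L276, L302), which reads as a leftover. Both function bodies continue outside their hunks.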
@@ -191,12 +193,8 @@ npfa_icmp4_inspect(const int type, npf_c
 	case ICMP_TSTAMPREPLY:
 	case ICMP_IREQ:
 	case ICMP_IREQREPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp, icmp_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -205,9 +203,8 @@ npfa_icmp4_inspect(const int type, npf_c
 }
 
 static bool
-npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 4443. */
 	switch (type) {
@@ -226,12 +223,8 @@ npfa_icmp6_inspect(const int type, npf_c
 
 	case ICMP6_ECHO_REQUEST:
 	case ICMP6_ECHO_REPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp6_hdr, icmp6_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -242,12 +235,12 @@ npfa_icmp6_inspect(const int type, npf_c
 /*
  * npfa_icmp_session: ALG ICMP inspector.
  *
- * => Returns true if "enpc" is filled.
+ * => Returns false if there is a problem with the format.
  */
 static bool
 npfa_icmp_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_cache_t *enpc)
 {
-	bool ret;
+	bool ret, hasqid = false;
 
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_ICMP));
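Review bot: The header comment being edited here still names the function `npfa_icmp_session` while the definition below is `npfa_icmp_inspect`; since the block is touched anyway, fix the name: ` * npfa_icmp_inspect: ALG ICMP inspector.` The new contract line says only when false is returned, and drops the old statement of what true meant for `enpc`; per the log message the Query Id case is now signalled through NPC_ICMP_ID in npc instead of filling `enpc`, so something like ` * => Returns false on a malformed packet; on true, either enpc is filled or NPC_ICMP_ID is set in npc.` would keep callers informed (the body that decides this is in the next hunk, which is cut off here).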
@@ -265,10 +258,10 @@ npfa_icmp_inspect(npf_cache_t *npc, nbuf
 	 */
 	if (npf_iscached(npc, NPC_IP4)) {
 		const struct icmp *ic = npc->npc_l4.icmp;
-		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf);
+		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf, );
 	} else if 

CVS commit: [netbsd-6-1] src/sys/kern

2018-05-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu May  3 15:01:20 UTC 2018

Modified Files:
src/sys/kern [netbsd-6-1]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1547):

sys/kern/uipc_mbuf.c: revision 1.211 (via patch)

Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.

We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.

This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).

Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.

It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.


To generate a diff of this commit:
cvs rdiff -u -r1.145.2.1 -r1.145.2.1.2.1 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.145.2.1 src/sys/kern/uipc_mbuf.c:1.145.2.1.2.1
--- src/sys/kern/uipc_mbuf.c:1.145.2.1	Fri Feb  8 19:18:12 2013
+++ src/sys/kern/uipc_mbuf.c	Thu May  3 15:01:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.145.2.1.2.1 2018/05/03 15:01:20 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1.2.1 2018/05/03 15:01:20 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -1266,30 +1266,35 @@ m_makewritable(struct mbuf **mp, int off
 }
 
 /*
- * Copy the mbuf chain to a new mbuf chain that is as short as possible.
- * Return the new mbuf chain on success, NULL on failure.  On success,
- * free the old mbuf chain.
+ * Compress the mbuf chain. Return the new mbuf chain on success, NULL on
+ * failure. The first mbuf is preserved, and on success the pointer returned
+ * is the same as the one passed.
  */
 struct mbuf *
 m_defrag(struct mbuf *mold, int flags)
 {
 	struct mbuf *m0, *mn, *n;
-	size_t sz = mold->m_pkthdr.len;
+	int sz;
 
 #ifdef DIAGNOSTIC
 	if ((mold->m_flags & M_PKTHDR) == 0)
 		panic("m_defrag: not a mbuf chain header");
 #endif
 
-	MGETHDR(m0, flags, MT_DATA);
+	if (mold->m_next == NULL)
+		return mold;
+
+	m0 = m_get(flags, MT_DATA);
 	if (m0 == NULL)
 		return NULL;
-	M_COPY_PKTHDR(m0, mold);
 	mn = m0;
 
+	sz = mold->m_pkthdr.len - mold->m_len;
+	KASSERT(sz >= 0);
+
 	do {
-		if (sz > MHLEN) {
-			MCLGET(mn, M_DONTWAIT);
+		if (sz > MLEN) {
+			MCLGET(mn, flags);
 			if ((mn->m_flags & M_EXT) == 0) {
 m_freem(m0);
 return NULL;
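Review bot: The rewritten header comment says NULL is returned on failure but not what happens to `mold` in that case; both failure paths shown (`m_freem(m0); return NULL;`) leave the passed-in chain intact and still owned by the caller, which matters now that the success path returns the same pointer it was given. Suggest appending ` * On failure the original chain is left untouched and remains owned by the caller.` to the comment. Separately, `KASSERT(sz >= 0)` is compiled out in non-DIAGNOSTIC kernels, so a chain whose `m_pkthdr.len` is smaller than the first mbuf's `m_len` reaches the `do/while` body with a negative `sz`; the loop body continues outside the hunk, so whether that is benign cannot be confirmed from here.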
@@ -1305,7 +1310,7 @@ m_defrag(struct mbuf *mold, int flags)
 
 		if (sz > 0) {
 			/* need more mbufs */
-			MGET(n, M_NOWAIT, MT_DATA);
+			n = m_get(flags, MT_DATA);
 			if (n == NULL) {
 m_freem(m0);
 return NULL;
@@ -1316,9 +1321,10 @@ m_defrag(struct mbuf *mold, int flags)
 		}
 	} while (sz > 0);
 
-	m_freem(mold);
+	m_freem(mold->m_next);
+	mold->m_next = m0;
 
-	return m0;
+	return mold;
 }
 
 int



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-05-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu May  3 14:36:30 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1546):

sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.16.1 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.38 src/sys/netipsec/ipsec_output.c:1.38.16.1
--- src/sys/netipsec/ipsec_output.c:1.38	Tue Jan 10 20:01:57 2012
+++ src/sys/netipsec/ipsec_output.c	Thu May  3 14:36:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.38.16.1 2018/05/03 14:36:30 martin Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38.16.1 2018/05/03 14:36:30 martin Exp $");
 
 /*
  * IPsec output processing.
@@ -632,7 +632,7 @@ bad:
 #endif
 
 #ifdef INET6
-static void
+static int
 compute_ipsec_pos(struct mbuf *m, int *i, int *off)
 {
 	int nxt;
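Review bot: `compute_ipsec_pos` gains an error return here but has no header comment recording the contract; the only documentation is the in-body remark about where the AH/ESP/IPcomp header goes. Suggest adding above `static int`: `/* Locate the insertion point for the IPsec header in m's IPv6 extension chain. Returns 0 with *i/*off set, or EINVAL if the chain runs past m_pkthdr.len. */`. `*i` is updated in place, so the caller's incoming value presumably serves as the starting offset — worth stating once confirmed; the function body spans the following hunks.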
@@ -649,7 +649,11 @@ compute_ipsec_pos(struct mbuf *m, int *i
 	 * put AH/ESP/IPcomp header.
 	 *  IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
 	 */
-	do {
+	while (1) {
+		if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+			return EINVAL;
+		}
+
 		switch (nxt) {
 		case IPPROTO_AH:
 		case IPPROTO_ESP:
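Review bot: The new length check at the top of the loop runs before the `switch`, so it also applies when `nxt` is AH/ESP or falls to `default`, branches that return without reading `ip6e`; a packet whose header chain ends exactly at `m_pkthdr.len` (nothing after the last extension header) now gets EINVAL where the old `do/while` returned normally. If that is not intended, the check belongs inside the HOPOPTS/DSTOPTS/ROUTING branch immediately before the `m_copydata` (L571 in a later hunk), as `if (*i + sizeof(ip6e) > m->m_pkthdr.len) return EINVAL;` there. The comparison mixes `int` and `size_t`, so it is evaluated unsigned; that is fine as long as `*i` stays non-negative, which its initialisation outside the hunk should guarantee.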
@@ -658,7 +662,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should not skip security header added
 		 * beforehand.
 		 */
-			return;
+			return 0;
 
 		case IPPROTO_HOPOPTS:
 		case IPPROTO_DSTOPTS:
@@ -668,7 +672,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should stop there.
 		 */
 			if (nxt == IPPROTO_DSTOPTS && dstopt)
-return;
+return 0;
 
 			if (nxt == IPPROTO_DSTOPTS) {
 /*
@@ -688,16 +692,14 @@ compute_ipsec_pos(struct mbuf *m, int *i
 			m_copydata(m, *i, sizeof(ip6e), );
 			nxt = ip6e.ip6e_nxt;
 			*off = *i + offsetof(struct ip6_ext, ip6e_nxt);
-			/*
-			 * we will never see nxt == IPPROTO_AH
-			 * so it is safe to omit AH case.
-			 */
 			*i += (ip6e.ip6e_len + 1) << 3;
 			break;
 		default:
-			return;
+			return 0;
 		}
-	} while (*i < m->m_pkthdr.len);
+	}
+
+	return 0;
 }
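Review bot: The trailing `return 0;` after `while (1)` is unreachable, since every exit from the loop body is itself a `return`; compilers with unreachable-code diagnostics will flag it. Either drop it or, if it is kept as a guard against future edits to the loop, mark it `/* NOTREACHED */` as is conventional in this tree.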
 
 static int
@@ -799,7 +801,9 @@ ipsec6_process_packet(
 		i = ip->ip_hl << 2;
 		off = offsetof(struct ip, ip_p);
 	} else {	
-		compute_ipsec_pos(m, , );
+		error = compute_ipsec_pos(m, , );
+		if (error)
+			goto bad;
 	}
 	error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
 	splx(s);
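Review bot: The new `goto bad` on the error path jumps past the `splx(s)` that follows the `xf_output` call at the end of the hunk; unless the `bad:` label (outside the hunk) restores the spl itself, this leaks the raised priority level, the same class of bug the cc.c change in this digest fixes. If `bad:` does not release it, either `splx(s);` before the `goto`, or call `compute_ipsec_pos` before the `splsoftnet()` that sets `s` (its location is also outside the hunk). ipsec6_process_packet's body continues on both sides of the hunk.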



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-04-18 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed Apr 18 07:17:24 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1545):
sys/netipsec/ipsec_mbuf.c: revision 1.23
sys/netipsec/ipsec_mbuf.c: revision 1.24
Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.
The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().
Fix a pretty bad mistake, that has always been there.
 m_adj(m1, -(m1->m_len - roff));
 if (m1 != m)
 m->m_pkthdr.len -= (m1->m_len - roff);
This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.
Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.24.1 src/sys/netipsec/ipsec_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_mbuf.c
diff -u src/sys/netipsec/ipsec_mbuf.c:1.12 src/sys/netipsec/ipsec_mbuf.c:1.12.24.1
--- src/sys/netipsec/ipsec_mbuf.c:1.12	Mon May 16 10:05:23 2011
+++ src/sys/netipsec/ipsec_mbuf.c	Wed Apr 18 07:17:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $	*/
+/*	$NetBSD: ipsec_mbuf.c,v 1.12.24.1 2018/04/18 07:17:24 msaitoh Exp $	*/
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
  * All rights reserved.
@@ -28,7 +28,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12.24.1 2018/04/18 07:17:24 msaitoh Exp $");
 
 /*
  * IPsec-specific mbuf routines.
@@ -407,10 +407,11 @@ m_striphdr(struct mbuf *m, int skip, int
 		/* The header was at the beginning of the mbuf */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT);
 		m_adj(m1, hlen);
-		if ((m1->m_flags & M_PKTHDR) == 0)
+		if (m1 != m)
 			m->m_pkthdr.len -= hlen;
 	} else if (roff + hlen >= m1->m_len) {
 		struct mbuf *mo;
+		int adjlen;
 
 		/*
 		 * Part or all of the header is at the end of this mbuf,
@@ -419,11 +420,13 @@ m_striphdr(struct mbuf *m, int skip, int
 		 */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_END);
 		if (roff + hlen > m1->m_len) {
+			adjlen = roff + hlen - m1->m_len;
+
 			/* Adjust the next mbuf by the remainder */
-			m_adj(m1->m_next, roff + hlen - m1->m_len);
+			m_adj(m1->m_next, adjlen);
 
 			/* The second mbuf is guaranteed not to have a pkthdr... */
-			m->m_pkthdr.len -= (roff + hlen - m1->m_len);
+			m->m_pkthdr.len -= adjlen;
 		}
 
 		/* Now, let's unlink the mbuf chain for a second...*/
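Review bot: The context comment `/* The second mbuf is guaranteed not to have a pkthdr... */` now contradicts the commit message, which explicitly drops the assumption that M_PKTHDR sits only on the first mbuf; the manual adjustment of `m->m_pkthdr.len` here is justified by `m1->m_next` never being the chain head `m`, not by any flag. Suggest `/* m1->m_next is never the chain head m, so fix up m_pkthdr.len by hand */`. Computing `adjlen` before the `m_adj` call is the right shape and matches the fix in the following hunk.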
@@ -431,9 +434,10 @@ m_striphdr(struct mbuf *m, int skip, int
 		m1->m_next = NULL;
 
 		/* ...and trim the end of the first part of the chain...sick */
-		m_adj(m1, -(m1->m_len - roff));
-		if ((m1->m_flags & M_PKTHDR) == 0)
-			m->m_pkthdr.len -= (m1->m_len - roff);
+		adjlen = m1->m_len - roff;
+		m_adj(m1, -adjlen);
+		if (m1 != m)
+			m->m_pkthdr.len -= adjlen;
 
 		/* Finally, let's relink */
 		m1->m_next = mo;



CVS commit: [netbsd-6-1] src/sys/arch/amiga/amiga

2018-04-10 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Apr 10 11:28:56 UTC 2018

Modified Files:
src/sys/arch/amiga/amiga [netbsd-6-1]: cc.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1544):

sys/arch/amiga/amiga/cc.c: revision 1.27 (patch)

spl leak, found by mootja


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.28.1 src/sys/arch/amiga/amiga/cc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/amiga/cc.c
diff -u src/sys/arch/amiga/amiga/cc.c:1.22 src/sys/arch/amiga/amiga/cc.c:1.22.28.1
--- src/sys/arch/amiga/amiga/cc.c:1.22	Mon Dec 20 00:25:25 2010
+++ src/sys/arch/amiga/amiga/cc.c	Tue Apr 10 11:28:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $	*/
+/*	$NetBSD: cc.c,v 1.22.28.1 2018/04/10 11:28:56 martin Exp $	*/
 
 /*
  * Copyright (c) 1994 Christian E. Hopps
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22.28.1 2018/04/10 11:28:56 martin Exp $");
 
 #include 
 #include 
@@ -504,9 +504,10 @@ alloc_chipmem(u_long size)
 	while (size > mn->size && mn != (void *)_list)
 		mn = mn->free_link.cqe_next;
 
-	if (mn == (void *)_list)
+	if (mn == (void *)_list) {
+		splx(s);
 		return(NULL);
-
+	}
 	if ((mn->size - size) <= sizeof (*mn)) {
 		/*
 		 * our allocation would not leave room
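Review bot: The blank line that separated the early return from the following `if` was dropped when the closing brace was added, leaving `}` directly followed by `if ((mn->size - size) <= sizeof (*mn)) {`; restoring the blank line keeps the spacing consistent with the rest of the function. The fix itself looks right: `s` is presumably raised before the search loop (outside the hunk) and the not-found path returned without `splx(s)`.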



CVS commit: [netbsd-6-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:58 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.12.2.1
--- src/sys/net/npf/npf.h:1.14.2.12	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:35:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.12.2.1 2018/04/05 11:35:57 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 	npf_addr_t *		npc_dstip;
 	/* Size (v4 or v6) of IP addresses. */
 	uint8_t			npc_alen;
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 	/* IPv4, IPv6. */
 	union {
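Review bot: Widening `npc_hlen` to `uint32_t` removes the 8-bit wrap described in the log message, but the field still carries no comment, unlike `npc_alen` directly above it; the log also notes that `npc_hlen` may be advanced past the end of the mbuf in npf_cache_ip, which this change does not bound. Suggest `/* Total IP header length incl. IPv6 extension headers; callers must keep it within the nbuf. */` above the field so the remaining invariant is recorded where the type changed. Placing a 4-byte field after a `uint8_t` also introduces padding and shifts the following members, which only matters if this struct crosses an ABI boundary — worth confirming, since npf.h is a shared header.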



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:23:39 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1541):

sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free: the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt afterwards.


To generate a diff of this commit:
cvs rdiff -u -r1.109.8.1 -r1.109.8.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.109.8.1 src/sys/netinet6/raw_ip6.c:1.109.8.2
--- src/sys/netinet6/raw_ip6.c:1.109.8.1	Tue Jan 30 18:45:59 2018
+++ src/sys/netinet6/raw_ip6.c	Sun Apr  1 09:23:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.109.8.1 2018/01/30 18:45:59 martin Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.109.8.2 2018/04/01 09:23:39 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.8.1 2018/01/30 18:45:59 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.8.2 2018/04/01 09:23:39 martin Exp $");
 
 #include "opt_ipsec.h"
 
@@ -502,6 +502,7 @@ rip6_output(struct mbuf *m, struct socke
 
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
 	in6p->in6p_cksum != -1) {
+		const uint8_t nxt = ip6->ip6_nxt;
 		int off;
 		u_int16_t sum;
 
@@ -523,7 +524,7 @@ rip6_output(struct mbuf *m, struct socke
 			error = ENOBUFS;
 			goto bad;
 		}
-		sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+		sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
 		m = m_copyback_cow(m, off, sizeof(sum), (void *),
 		M_DONTWAIT);
 		if (m == NULL) {



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:19:32 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1540):

sys/netinet6/ip6_forward.c: revision 1.91 (via patch)

Fix two pretty bad mistakes. If ipsec6_check_policy fails, m is not freed,
and a 'goto out' is missing after ipsec6_process_packet.


To generate a diff of this commit:
cvs rdiff -u -r1.69.8.1 -r1.69.8.2 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69.8.1 src/sys/netinet6/ip6_forward.c:1.69.8.2
--- src/sys/netinet6/ip6_forward.c:1.69.8.1	Tue Mar 13 16:43:04 2018
+++ src/sys/netinet6/ip6_forward.c	Sun Apr  1 09:19:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.8.2 2018/04/01 09:19:32 martin Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.2 2018/04/01 09:19:32 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -361,9 +361,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		 * because we asked key management for an SA and
 		 * it was delayed (e.g. kicked up to IKE).
 		 */
-	if (error == -EINVAL)
-		error = 0;
-	goto freecopy;
+		if (error == -EINVAL)
+			error = 0;
+		m_freem(m);
+		goto freecopy;
 	}
 #endif /* FAST_IPSEC */
 
@@ -467,8 +468,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		s = splsoftnet();
 		error = ipsec6_process_packet(m,sp->req);
 		splx(s);
+		/* m is freed */
 		if (mcopy)
 			goto freecopy;
+		return;
 }
 #endif   
 
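Review bot: `error` is assigned from `ipsec6_process_packet` but, in the visible lines, never consulted before the new `return;`, so failures are dropped silently along with the packet; either use it (count it with the existing IPv6 forwarding error statistics) or make the intent explicit with `(void)ipsec6_process_packet(m, sp->req);`. The added `/* m is freed */` would read better naming who freed it: `/* ipsec6_process_packet consumed m on every path; only mcopy may remain. */`. ip6_forward's body continues outside the hunk, so a later use of `error` cannot be ruled out from here.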



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:47:13 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1536):
sys/netipsec/ipsec_input.c: 1.57-1.58
Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.
--
Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.16.1 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.29 src/sys/netipsec/ipsec_input.c:1.29.16.1
--- src/sys/netipsec/ipsec_input.c:1.29	Wed Jan 25 21:58:10 2012
+++ src/sys/netipsec/ipsec_input.c	Tue Mar 13 17:47:12 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.29.16.1 2018/03/13 17:47:12 snj Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29.16.1 2018/03/13 17:47:12 snj Exp $");
 
 /*
  * IPsec input processing.
@@ -332,14 +332,15 @@ ipsec4_common_input_cb(struct mbuf *m, s
 	ip->ip_len = htons(m->m_pkthdr.len);
 	prot = ip->ip_p;
 
+#ifdef notyet
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), );
 
-#ifdef notyet
 		/* XXX PROXY address isn't recorded in SAH */
 		/*
 		 * Check that the inner source address is the same as
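Review bot: The new `/* XXX: check m_pkthdr.len */` marker names the missing check but not its bound; when this block is re-enabled the copy must be preceded by `if (m->m_pkthdr.len < (ip->ip_hl << 2) + sizeof(struct ip)) { error = EINVAL; goto bad; }`, since an m_copydata() past the end of the chain is what the log message calls "we may crash here". The same marker precedes the m_copydata() calls at @@ -375 (IPv6-in-IP) and at @@ -651 and @@ -683 in ipsec6_common_input_cb(), each needing the corresponding `skip + sizeof(...)` bound against m_pkthdr.len. Wrapping the whole `prot == IPPROTO_IPIP` dispatch in `#ifdef notyet` removes the crash, but it also makes that branch dead code, so the marker is the only thing reminding a future reader what is needed to bring it back. ipsec4_common_input_cb() begins and ends outside the hunk.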
@@ -367,7 +368,6 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #if INET6
 	/* IPv6-in-IP encapsulation. */
@@ -375,9 +375,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -403,9 +403,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET6 */
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was
@@ -651,15 +651,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	/* Save protocol */
 	m_copydata(m, protoff, 1, );
 
+#ifdef notyet
 #ifdef INET
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -683,18 +684,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET */
-
 	/* IPv6-in-IP encapsulation */
 	if (prot == IPPROTO_IPV6) {
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -719,8 +718,8 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was



CVS commit: [netbsd-6-1] src/sys

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:42:39 UTC 2018

Modified Files:
src/sys/net [netbsd-6-1]: if_mpls.c
src/sys/netmpls [netbsd-6-1]: mpls_ttl.c

Log Message:
Pull up following revision(s) (requested by uwe in ticket #1534):
sys/net/if_mpls.c: 1.31-1.33 via patch
sys/netmpls/mpls_ttl.c: 1.9 via patch
Style, and fix several bugs:
 - ip4_check(), mpls_unlabel_inet() and mpls_unlabel_inet6() perform
   pullups, so we need to pass the updated pointers back
 - in mpls_lse() the route is not always freed
Looks a little better now.
--
Kick MPLS packets earlier.
--
Several changes:
 * In mpls_unlabel_inet, copy the label locally. It's not incorrect to
   keep a pointer on the mbuf, but it's bug-friendly.
 * In mpls_label_inetX, fix the length check. Meanwhile add an XXX: we
   just want to make sure that m_copydata won't fail, but if we were
   guaranteed that m has M_PKTHDR set, we could simply check the length
   against m->m_pkthdr.len.


To generate a diff of this commit:
cvs rdiff -u -r1.8.22.1 -r1.8.22.2 src/sys/net/if_mpls.c
cvs rdiff -u -r1.3 -r1.3.32.1 src/sys/netmpls/mpls_ttl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_mpls.c
diff -u src/sys/net/if_mpls.c:1.8.22.1 src/sys/net/if_mpls.c:1.8.22.2
--- src/sys/net/if_mpls.c:1.8.22.1	Tue Jul 30 03:06:42 2013
+++ src/sys/net/if_mpls.c	Tue Mar 13 17:42:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_mpls.c,v 1.8.22.1 2013/07/30 03:06:42 msaitoh Exp $ */
+/*	$NetBSD: if_mpls.c,v 1.8.22.2 2018/03/13 17:42:39 snj Exp $ */
 
 /*
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.22.1 2013/07/30 03:06:42 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.22.2 2018/03/13 17:42:39 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_mpls.h"
@@ -83,12 +83,12 @@ static int mpls_send_frame(struct mbuf *
 static int mpls_lse(struct mbuf *);
 
 #ifdef INET
-static int mpls_unlabel_inet(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet(struct mbuf *, union mpls_shim *, uint);
 #endif
 
 #ifdef INET6
-static int mpls_unlabel_inet6(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet6(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet6(struct mbuf *, union mpls_shim *, uint);
 #endif
 
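Review bot: The new prototypes name one parameter and leave the other unnamed (`struct mbuf *, int *error`); either name both, `static struct mbuf *mpls_unlabel_inet(struct mbuf *m, int *error);`, or neither, to match the surrounding declarations. More importantly the contract of the new return value is undocumented: from the visible part of mpls_unlabel_inet() at @@ -460, NULL comes back with `*error = ENOBUFS` when the pullup fails, but what is returned once the packet has been handed to the IP input queue is outside the hunk, and mpls_lse() at @@ -331 assigns the result straight back to m. A comment above the prototypes stating when the caller still owns the returned mbuf would make the ownership rule checkable at every call site.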
@@ -308,6 +308,12 @@ mpls_lse(struct mbuf *m)
 	int error = ENOBUFS;
 	uint psize = sizeof(struct sockaddr_mpls);
 
+	/* If we're not accepting MPLS frames, leave now. */
+	if (!mpls_accept) {
+		error = EINVAL;
+		goto done;
+	}
+
 	if (m->m_len < sizeof(union mpls_shim) &&
 	(m = m_pullup(m, sizeof(union mpls_shim))) == NULL)
 		goto done;
@@ -316,10 +322,7 @@ mpls_lse(struct mbuf *m)
 	dst.smpls_family = AF_MPLS;
 	dst.smpls_addr.s_addr = ntohl(mtod(m, union mpls_shim *)->s_addr);
 
-	/* Check if we're accepting MPLS Frames */
 	error = EINVAL;
-	if (!mpls_accept)
-		goto done;
 
 	/* TTL decrement */
 	if ((m = mpls_ttl_dec(m)) == NULL)
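Review bot: With the accept check moved up, the bare `error = EINVAL;` that remains has lost the comment that explained it and now reads like a leftover; say what it is for, e.g. `/* Default error for the TTL decrement and the label dispatch below; callees overwrite it. */`. mpls_lse() continues on both sides of the hunk, so which later paths actually rely on this default cannot be confirmed from here.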
@@ -331,15 +334,17 @@ mpls_lse(struct mbuf *m)
 #ifdef INET
 		case MPLS_LABEL_IPV4NULL:
 			/* Pop shim and push mbuf to IP stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet(m, );
+			}
 			break;
 #endif
 #ifdef INET6
 		case MPLS_LABEL_IPV6NULL:
 			/* Pop shim and push mbuf to IPv6 stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet6(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet6(m, );
+			}
 			break;
 #endif
 		case MPLS_LABEL_RTALERT:	/* Yeah, I'm all alerted */
@@ -393,8 +398,10 @@ mpls_lse(struct mbuf *m)
 		tshim.shim.bos = tshim.shim.exp = 0;
 		tshim.shim.ttl = mpls_defttl;
 		if (tshim.shim.label != MPLS_LABEL_IMPLNULL &&
-		((m = mpls_prepend_shim(m, )) == NULL))
-			return ENOBUFS;
+		((m = mpls_prepend_shim(m, )) == NULL)) {
+			error = ENOBUFS;
+			goto done;
+		}
 		psize += sizeof(tshim);
 	}
 
@@ -439,11 +446,9 @@ mpls_send_frame(struct mbuf *m, struct i
 	return 0;
 }
 
-
-
 #ifdef INET
-static int
-mpls_unlabel_inet(struct mbuf *m)
+static struct mbuf *
+mpls_unlabel_inet(struct mbuf *m, int *error)
 {
 	int s, iphlen;
 	struct ip *iph;
@@ -451,7 +456,6 @@ mpls_unlabel_inet(struct mbuf *m)
 	struct ifqueue *inq;
 
 	if (mpls_mapttl_inet || mpls_mapprec_inet) {
-
 		/* get shim info */
 		ms = mtod(m, union mpls_shim *);
 		ms->s_addr = ntohl(ms->s_addr);
@@ -460,23 +464,29 @@ mpls_unlabel_inet(struct mbuf *m)
 		m_adj(m, sizeof(union mpls_shim));
 
 		/* get ip header */
-		if (m->m_len < sizeof (struct ip) &&
-		(m = m_pullup(m, sizeof(struct ip))) == NULL)
-			return ENOBUFS;
+		if (m->m_len < sizeof(struct ip) &&
+		(m = m_pullup(m, sizeof(struct ip))) == NULL) {
+			*error = ENOBUFS;
+			return NULL;
+		}
+
 		iph = mtod(m, struct ip *);
 		

CVS commit: [netbsd-6-1] src/sys/netipsec

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:18:14 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c xform_esp.c xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1532):
sys/netipsec/xform_ah.c: 1.77 via patch
sys/netipsec/xform_esp.c: 1.73 via patch
sys/netipsec/xform_ipip.c: 1.56-1.57 via patch
Reinforce and clarify.
--
Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.
--
Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:
218 ipo = mtod(m, struct ip *);
281 m = m_pullup(m, hlen);
232 ipo->ip_src.s_addr
Found by Mootja.
Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.
--
As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.


To generate a diff of this commit:
cvs rdiff -u -r1.37.8.3 -r1.37.8.4 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.40 -r1.40.8.1 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.28.22.1 -r1.28.22.2 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.8.3 src/sys/netipsec/xform_ah.c:1.37.8.4
--- src/sys/netipsec/xform_ah.c:1.37.8.3	Thu Feb 15 16:49:35 2018
+++ src/sys/netipsec/xform_ah.c	Tue Mar 13 17:18:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.4 2018/03/13 17:18:14 snj Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.4 2018/03/13 17:18:14 snj Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -498,54 +498,45 @@ ah_massage_headers(struct mbuf **m0, int
 
 		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
 
-		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
+		for (off = 0; off < skip - sizeof(struct ip6_hdr);) {
+			int noff;
+
 			switch (nxt) {
 			case IPPROTO_HOPOPTS:
 			case IPPROTO_DSTOPTS:
-ip6e = (struct ip6_ext *) (ptr + off);
+ip6e = (struct ip6_ext *)(ptr + off);
+noff = off + ((ip6e->ip6e_len + 1) << 3);
+
+/* Sanity check. */
+if (noff > skip - sizeof(struct ip6_hdr)) {
+	goto error6;
+}
 
 /*
- * Process the mutable/immutable
- * options -- borrows heavily from the
- * KAME code.
+ * Zero out mutable options.
  */
 for (count = off + sizeof(struct ip6_ext);
- count < off + ((ip6e->ip6e_len + 1) << 3);) {
+ count < noff;) {
 	if (ptr[count] == IP6OPT_PAD1) {
 		count++;
-		continue; /* Skip padding. */
-	}
-
-	/* Sanity check. */
-	if (count > off +
-	((ip6e->ip6e_len + 1) << 3)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
+		continue;
 	}
 
 	ad = ptr[count + 1] + 2;
 
-	/* If mutable option, zeroize. */
-	if (ptr[count] & IP6OPT_MUTABLE)
-		memcpy(ptr + count, ipseczeroes,
-		ad);
+	if (count + ad > noff) {
+		goto error6;
+	}
+
+	if (ptr[count] & IP6OPT_MUTABLE) {
+		memset(ptr + count, 0, ad);
+	}
 
 	count += ad;
+}
 
-	/* Sanity check. */
-	if (count >
-	skip - sizeof(struct ip6_hdr)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
-	}
+if (count != noff) {
+	goto error6;
 }
 
 /* Advance. */
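Review bot: `ad = ptr[count + 1] + 2;` reads the option length byte before the new `count + ad > noff` check, so an option type sitting in the last byte of the extension header (count == noff - 1) reads one byte past noff, and past the copied header region whenever noff is its end; guard the read first with `if (count + 1 >= noff) { goto error6; }` placed just before the `ad` assignment. The `noff > skip - sizeof(struct ip6_hdr)` comparison mixes int and size_t; it is safe because noff is non-negative here, but declaring noff as size_t would make that explicit. The buffer that ptr covers is set up outside the hunk, so its exact extent is inferred.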
@@ -603,11 +594,13 @@ ah_massage_headers(struct mbuf **m0, int
 			default:
 DPRINTF(("ah_massage_headers: unexpected "
 "IPv6 header type %d", off));
+error6:
 if (alloc)
 	free(ptr, M_XDATA);
 m_freem(m);
 return EINVAL;
 			}
+		}
 
 		/* Copyback and free, if we allocated. */
 		if (alloc) {
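Review bot: The `error6:` label lands inside the `default:` arm after its DPRINTF, so the new goto sites at @@ -498 skip the diagnostic; that is acceptable but deserves a comment, e.g. `/* error6: shared exit for malformed extension headers; also reached from the option loop above. */`, since a label inside a switch case reached from an enclosing loop is unusual enough to look like a mistake. A one-line DPRINTF at the goto sites would keep the truncated-option case debuggable. ah_massage_headers() continues outside the hunk.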

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.40 src/sys/netipsec/xform_esp.c:1.40.8.1
--- src/sys/netipsec/xform_esp.c:1.40	Wed Jan 25 20:31:23 2012
+++ src/sys/netipsec/xform_esp.c	Tue Mar 13 17:18:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.40.8.1 2018/03/13 17:18:14 snj Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 

CVS commit: [netbsd-6-1] src/sys/arch/sparc/sparc

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:48:03 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-6-1]: timer.c timer_sun4m.c timerreg.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1519):
sys/arch/sparc/sparc/timer_sun4m.c: 1.33 1.34 1.31
sys/arch/sparc/sparc/timer.c: 1.33
sys/arch/sparc/sparc/timer.c: 1.33 1.34
sys/arch/sparc/sparc/timerreg.h: 1.33 1.34 1.31 1.10
fix time goes backwards problems on sparc.
there are a few things here:
- there's a race between reading the limit register (which clears
  the interrupt and the limit bit) and increasing the latest offset.
  this can happen easily if an interrupt comes between the read and
  the call to tickle_tc() that increases the offset (I observed this
  actually happening.)
- in early boot, sometimes the counter can cycle twice before the
  tickle happens.
to handle these issues, add two workarounds:
- if the limit bit isn't set, but the counter value is less than
  the previous value, and the offset hasn't changed, use the same
  fixup as if the limit bit was set.  this handles the first case
  above.
- add a hard-workaround for never allowing returning a smaller
  value (except during 32 bit overflow): if the result is less than
  the last result, add fixups until it does (or until it would
  overflow.)
the first workaround fixes general run-time issues, and the second
fixes issues only seen during boot.
also expand some comments in timer_sun4m.c and re-enable the sun4m
sub-microsecond tmr_ustolim4m() support (but it's always called with
at least 'tick' microseconds, so the end result is the same.)
fix hang at 4B microseconds (1h12 or so), and simplify part of the previous


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.14.1 src/sys/arch/sparc/sparc/timer.c
cvs rdiff -u -r1.28 -r1.28.22.1 src/sys/arch/sparc/sparc/timer_sun4m.c
cvs rdiff -u -r1.9 -r1.9.134.1 src/sys/arch/sparc/sparc/timerreg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/sparc/timer.c
diff -u src/sys/arch/sparc/sparc/timer.c:1.29 src/sys/arch/sparc/sparc/timer.c:1.29.14.1
--- src/sys/arch/sparc/sparc/timer.c:1.29	Sun Jul 17 23:18:23 2011
+++ src/sys/arch/sparc/sparc/timer.c	Tue Mar 13 16:48:03 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $ */
+/*	$NetBSD: timer.c,v 1.29.14.1 2018/03/13 16:48:03 snj Exp $ */
 
 /*
  * Copyright (c) 1992, 1993
@@ -60,7 +60,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29.14.1 2018/03/13 16:48:03 snj Exp $");
 
 #include 
 #include 
@@ -83,56 +83,93 @@ static u_int timer_get_timecount(struct 
  * timecounter local state
  */
 static struct counter {
-	volatile u_int *cntreg;	/* counter register */
+	__cpu_simple_lock_t lock; /* protects access to offset, reg, last* */
+	volatile u_int *cntreg;	/* counter register to read */
 	u_int limit;		/* limit we count up to */
 	u_int offset;		/* accumulated offet due to wraps */
 	u_int shift;		/* scaling for valid bits */
 	u_int mask;		/* valid bit mask */
-} cntr;
+	u_int lastcnt;		/* the last* values are used to notice */
+	u_int lastres;		/* and fix up cases where it would appear */
+	u_int lastoffset;	/* time went backwards. */
+} cntr __aligned(CACHE_LINE_SIZE);
 
 /*
  * define timecounter
  */
 
 static struct timecounter counter_timecounter = {
-	timer_get_timecount,	/* get_timecount */
-	0,			/* no poll_pps */
-	~0u,			/* counter_mask */
-	0,  /* frequency - set at initialisation */
-	"timer-counter",	/* name */
-	100,			/* quality */
-/* private reference */
+	.tc_get_timecount =	timer_get_timecount,
+	.tc_poll_pps =		NULL,
+	.tc_counter_mask =	~0u,
+	.tc_frequency =		0,
+	.tc_name =		"timer-counter",
+	.tc_quality =		100,
+	.tc_priv =		,
 };
 
 /*
  * timer_get_timecount provide current counter value
  */
+__attribute__((__optimize__("Os")))
 static u_int
 timer_get_timecount(struct timecounter *tc)
 {
-	struct counter *ctr = (struct counter *)tc->tc_priv;
-
-	u_int c, res, r;
+	u_int cnt, res, fixup, offset;
 	int s;
 
-
+	/*
+	 * We use splhigh/__cpu_simple_lock here as we don't want
+	 * any mutex or lockdebug overhead.  The lock protects a
+	 * bunch of the members of cntr that are written here to
+	 * deal with the various minor races to be observed and
+	 * worked around.
+	 */
 	s = splhigh();
 
-	res = c = *ctr->cntreg;
+	__cpu_simple_lock();
+	res = cnt = *cntr.cntreg;
 
 	res  &= ~TMR_LIMIT;
+	offset = cntr.offset;
 
-	if (c != res) {
-		r = ctr->limit;
+	/*
+	 * There are 3 cases here:
+	 * - limit reached, interrupt not yet processed.
+	 * - count reset but offset the same, race between handling
+	 *   the interrupt and tickle_tc() updating the offset.
+	 * - normal case.
+	 *
+	 * For the first two cases, add the 

CVS commit: [netbsd-6-1] src/sys/netinet6

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:43:05 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1518):
sys/netinet6/ip6_forward.c: 1.89-1.90 via patch
Fix use-after-free of mbuf by ip6flow_create
This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd.
--
Fix use-after-free of mbuf by ip6flow_create (one more)


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.69.8.1 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69 src/sys/netinet6/ip6_forward.c:1.69.8.1
--- src/sys/netinet6/ip6_forward.c:1.69	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/ip6_forward.c	Tue Mar 13 16:43:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -645,8 +645,8 @@ ip6_forward(struct mbuf *m, int srcrt)
 			IP6_STATINC(IP6_STAT_REDIRECTSENT);
 		else {
 #ifdef GATEWAY
-			if (m->m_flags & M_CANFASTFWD)
-ip6flow_create(_forward_rt, m);
+			if (mcopy->m_flags & M_CANFASTFWD)
+ip6flow_create(_forward_rt, mcopy);
 #endif
 			if (mcopy)
 goto freecopy;
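Review bot: `mcopy->m_flags` is dereferenced on the new line two lines before the `if (mcopy)` test, so a NULL mcopy (the surviving test implies it can be) now crashes under GATEWAY where the old code read m; guard it as `if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))`. Switching to mcopy fixes the use-after-free the log describes, because m has been consumed by the output path at this point, but the NULL test right after shows the copy is optional. ip6_forward() begins and ends outside the hunk, so where mcopy can become NULL is inferred.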



CVS commit: [netbsd-6-1] src/sys

2018-03-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar  3 20:44:36 UTC 2018

Modified Files:
src/sys/dev [netbsd-6-1]: rndpseudo.c
src/sys/kern [netbsd-6-1]: subr_cprng.c
src/sys/sys [netbsd-6-1]: cprng.h

Log Message:
Apply patch (requested by riastradh in ticket #1512):
Fix panic when waiting with kqueue/kevent for a read from
/dev/random.


To generate a diff of this commit:
cvs rdiff -u -r1.6.2.3 -r1.6.2.3.6.1 src/sys/dev/rndpseudo.c
cvs rdiff -u -r1.5.2.8 -r1.5.2.8.2.1 src/sys/kern/subr_cprng.c
cvs rdiff -u -r1.4.2.1 -r1.4.2.1.6.1 src/sys/sys/cprng.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/rndpseudo.c
diff -u src/sys/dev/rndpseudo.c:1.6.2.3 src/sys/dev/rndpseudo.c:1.6.2.3.6.1
--- src/sys/dev/rndpseudo.c:1.6.2.3	Mon May 21 16:49:54 2012
+++ src/sys/dev/rndpseudo.c	Sat Mar  3 20:44:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $	*/
+/*	$NetBSD: rndpseudo.c,v 1.6.2.3.6.1 2018/03/03 20:44:35 snj Exp $	*/
 
 /*-
  * Copyright (c) 1997-2011 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.3.6.1 2018/03/03 20:44:35 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -673,13 +673,13 @@ rnd_poll(struct file *fp, int events)
 		}   
 	}
 
+	mutex_enter(>cprng->mtx);
 	if (cprng_strong_ready(ctx->cprng)) {
 		revents |= events & (POLLIN | POLLRDNORM);
 	} else {
-		mutex_enter(>cprng->mtx);
 		selrecord(curlwp, >cprng->selq);
-		mutex_exit(>cprng->mtx);
 	}
+	mutex_exit(>cprng->mtx);
 
 	return (revents);
 }
@@ -731,12 +731,24 @@ static int
 filt_rndread(struct knote *kn, long hint)
 {
 	cprng_strong_t *c = kn->kn_hook;
+	int ret;
 
+	if (hint & NOTE_SUBMIT)
+		KASSERT(mutex_owned(>mtx));
+	else
+		mutex_enter(>mtx);
 	if (cprng_strong_ready(c)) {
 		kn->kn_data = RND_TEMP_BUFFER_SIZE;
-		return 1;
+		ret = 1;
+	} else {
+		ret = 0;
 	}
-	return 0;
+	if (hint & NOTE_SUBMIT)
+		KASSERT(mutex_owned(>mtx));
+	else
+		mutex_exit(>mtx);
+
+	return ret;
 }
 
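Review bot: The NOTE_SUBMIT handling is the whole point of this hunk yet carries no comment; say why the lock may already be held, e.g. `/* NOTE_SUBMIT: called from selnotify() with c->mtx already held by the notifier; otherwise take it ourselves. */` above the first `if (hint & NOTE_SUBMIT)`. The second `if (hint & NOTE_SUBMIT) KASSERT(...) else mutex_exit(...)` re-asserts a lock that was asserted ten lines earlier; `if ((hint & NOTE_SUBMIT) == 0) mutex_exit(&c->mtx);` says the same with less to read.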
 static const struct filterops rnd_seltrue_filtops =

Index: src/sys/kern/subr_cprng.c
diff -u src/sys/kern/subr_cprng.c:1.5.2.8 src/sys/kern/subr_cprng.c:1.5.2.8.2.1
--- src/sys/kern/subr_cprng.c:1.5.2.8	Fri Mar 29 00:44:28 2013
+++ src/sys/kern/subr_cprng.c	Sat Mar  3 20:44:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $ */
+/*	$NetBSD: subr_cprng.c,v 1.5.2.8.2.1 2018/03/03 20:44:35 snj Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8.2.1 2018/03/03 20:44:35 snj Exp $");
 
 void
 cprng_init(void)
@@ -95,7 +95,7 @@ cprng_strong_doreseed(cprng_strong_t *co
 	if (c->flags & CPRNG_USE_CV) {
 		cv_broadcast(>cv);
 	}
-	selnotify(>selq, 0, 0);
+	selnotify(>selq, 0, NOTE_SUBMIT);
 }
 
 static void
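Review bot: Passing NOTE_SUBMIT here (and at @@ -397 in cprng_strong_setflags()) promises the knote filter that c->mtx is held by the caller, which filt_rndread() now KASSERTs; whether every caller of cprng_strong_doreseed() holds the mutex is not visible in the hunk, so a `KASSERT(mutex_owned(&c->mtx));` at the top of each function would pin that invariant at the source rather than only in the filter. cprng_strong_doreseed() begins outside the hunk.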
@@ -397,7 +397,7 @@ cprng_strong_setflags(cprng_strong_t *co
 			if (c->flags & CPRNG_USE_CV) {
 cv_broadcast(>cv);
 			}
-			selnotify(>selq, 0, 0);
+			selnotify(>selq, 0, NOTE_SUBMIT);
 		}
 	}
 	c->flags = flags;

Index: src/sys/sys/cprng.h
diff -u src/sys/sys/cprng.h:1.4.2.1 src/sys/sys/cprng.h:1.4.2.1.6.1
--- src/sys/sys/cprng.h:1.4.2.1	Fri Apr 20 23:35:20 2012
+++ src/sys/sys/cprng.h	Sat Mar  3 20:44:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cprng.h,v 1.4.2.1 2012/04/20 23:35:20 riz Exp $ */
+/*	$NetBSD: cprng.h,v 1.4.2.1.6.1 2018/03/03 20:44:36 snj Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -121,12 +121,11 @@ static inline int
 cprng_strong_ready(cprng_strong_t *c)
 {
 	int ret = 0;
-	
-	mutex_enter(>mtx);
+
+	KASSERT(mutex_owned(>mtx));
 	if (c->drbg.reseed_counter < NIST_CTR_DRBG_RESEED_INTERVAL) {
 		ret = 1;
 	}
-	mutex_exit(>mtx);
 	return ret;
 }
 
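Review bot: cprng_strong_ready() now requires the caller to hold c->mtx, a contract change for an inline function in a public header, but nothing says so beyond the KASSERT; add `/* Caller must hold c->mtx; the reseed counter is read under it. */` above the function so callers such as rnd_poll() and filt_rndread() can see the rule without reading the body.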



CVS commit: [netbsd-6-1] src/sys/arch

2018-02-19 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 19 20:54:53 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6-1]: machdep.c
src/sys/arch/amd64/include [netbsd-6-1]: segments.h
src/sys/arch/i386/i386 [netbsd-6-1]: machdep.c
src/sys/arch/i386/include [netbsd-6-1]: segments.h
src/sys/arch/x86/x86 [netbsd-6-1]: vm_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1517):
sys/arch/amd64/amd64/machdep.c: 1.280 via patch
sys/arch/amd64/include/segments.h: 1.34 via patch
sys/arch/i386/i386/machdep.c: 1.800
sys/arch/i386/include/segments.h: 1.64
sys/arch/x86/x86/vm_machdep.c: 1.30
Fix a huge privilege separation vulnerability in Xen-amd64.
On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL
equals SEL_UPL. While Xen can make a distinction between usermode and
kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL
in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes
to read and write to the CPU ports.
It is easy, then, to completely escalate privileges; by reprogramming the
PIC, by reading the ATA disks, by intercepting the keyboard interrupts
(keylogger), etc.
Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use
the ports but not userland. I didn't test this change on i386, but it
seems fine enough.


To generate a diff of this commit:
cvs rdiff -u -r1.175.2.8.2.1 -r1.175.2.8.2.2 \
src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.22 -r1.22.16.1 src/sys/arch/amd64/include/segments.h
cvs rdiff -u -r1.717.2.7.6.1 -r1.717.2.7.6.2 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.54 -r1.54.24.1 src/sys/arch/i386/include/segments.h
cvs rdiff -u -r1.14 -r1.14.8.1 src/sys/arch/x86/x86/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.8.2.1 src/sys/arch/amd64/amd64/machdep.c:1.175.2.8.2.2
--- src/sys/arch/amd64/amd64/machdep.c:1.175.2.8.2.1	Tue Aug  8 11:59:16 2017
+++ src/sys/arch/amd64/amd64/machdep.c	Mon Feb 19 20:54:52 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.175.2.8.2.1 2017/08/08 11:59:16 martin Exp $	*/
+/*	$NetBSD: machdep.c,v 1.175.2.8.2.2 2018/02/19 20:54:52 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8.2.1 2017/08/08 11:59:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8.2.2 2018/02/19 20:54:52 snj Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -477,7 +477,7 @@ x86_64_proc0_tss_ldt_init(void)
 	pcb->pcb_fs = 0;
 	pcb->pcb_gs = 0;
 	pcb->pcb_rsp0 = (uvm_lwp_getuarea(l) + KSTACK_SIZE - 16) & ~0xf;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 
 	pmap_kernel()->pm_ldt_sel = GSYSSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;

Index: src/sys/arch/amd64/include/segments.h
diff -u src/sys/arch/amd64/include/segments.h:1.22 src/sys/arch/amd64/include/segments.h:1.22.16.1
--- src/sys/arch/amd64/include/segments.h:1.22	Mon Feb  7 03:54:45 2011
+++ src/sys/arch/amd64/include/segments.h	Mon Feb 19 20:54:52 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: segments.h,v 1.22 2011/02/07 03:54:45 chs Exp $	*/
+/*	$NetBSD: segments.h,v 1.22.16.1 2018/02/19 20:54:52 snj Exp $	*/
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -107,6 +107,12 @@
 #define	ISLDT(s)	((s) & SEL_LDT)	/* is it local or global */
 #define	SEL_LDT		4		/* local descriptor table */	
 
+#ifdef XEN
+#define IOPL_KPL	1
+#else
+#define IOPL_KPL	SEL_KPL
+#endif
+
 /* Dynamically allocated TSSs and LDTs start (byte offset) */
 #define SYSSEL_START	(NGDT_MEM << 3)
 #define DYNSEL_START	(SYSSEL_START + (NGDT_SYS << 4))
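Review bot: The new IOPL_KPL definition has no comment, and the value 1 on XEN is explained only in the commit message; add above the `#ifdef XEN`: `/* Privilege level stored in pcb_iopl. On Xen/amd64 the kernel runs in ring 3, so SEL_KPL == SEL_UPL and a kernel iopl of SEL_KPL would also grant userland I/O port access; use ring 1 there. */`. The surrounding defines separate name and value with a tab (`#define\tSEL_LDT`), the new ones with a space; match the file.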

Index: src/sys/arch/i386/i386/machdep.c
diff -u src/sys/arch/i386/i386/machdep.c:1.717.2.7.6.1 src/sys/arch/i386/i386/machdep.c:1.717.2.7.6.2
--- src/sys/arch/i386/i386/machdep.c:1.717.2.7.6.1	Tue Aug  8 11:59:16 2017
+++ src/sys/arch/i386/i386/machdep.c	Mon Feb 19 20:54:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.717.2.7.6.1 2017/08/08 11:59:16 martin Exp $	*/
+/*	$NetBSD: machdep.c,v 1.717.2.7.6.2 2018/02/19 20:54:53 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009
@@ -67,7 +67,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.7.6.1 2017/08/08 11:59:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.7.6.2 2018/02/19 20:54:53 snj Exp $");
 
 #include "opt_beep.h"
 #include "opt_compat_ibcs2.h"
@@ -509,7 +509,7 @@ i386_proc0_tss_ldt_init(void)
 	pmap_kernel()->pm_ldt_sel = GSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;
 	pcb->pcb_esp0 = uvm_lwp_getuarea(l) + KSTACK_SIZE - 16;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 	l->l_md.md_regs = (struct trapframe 

CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-16 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb 16 18:11:27 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1531):

sys/netipsec/ipsec.c: revision 1.130

Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.14.1 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.55 src/sys/netipsec/ipsec.c:1.55.14.1
--- src/sys/netipsec/ipsec.c:1.55	Thu Jun  9 19:54:18 2011
+++ src/sys/netipsec/ipsec.c	Fri Feb 16 18:11:27 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.55.14.1 2018/02/16 18:11:27 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55.14.1 2018/02/16 18:11:27 martin Exp $");
 
 /*
  * IPsec controller part.
@@ -979,7 +979,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
 			spidx->dst.sin.sin_port = uh.uh_dport;
 			return;
 		case IPPROTO_AH:
-			if (m->m_pkthdr.len > off + sizeof(ip6e))
+			if (off + sizeof(ip6e) > m->m_pkthdr.len)
 goto done;
 			/* XXX sigh, this works but is totally bogus */
 			m_copydata(m, off, sizeof(ip6e), );
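Review bot: The corrected test bounds only the sizeof(ip6e) bytes that the m_copydata() below reads; anything the AH case then derives from ip6e to advance off is outside the hunk and needs its own comparison against m_pkthdr.len, since this check no longer covers it. The rewritten form promotes off to size_t, which is fine while off is non-negative; a short comment such as `/* Need the full ext header before reading its length. */` would also tell the reader what the bound protects. ipsec4_get_ulp() begins and ends outside the hunk.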



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 16:49:35 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c

Log Message:
Fix previous (Ticket #1530)


To generate a diff of this commit:
cvs rdiff -u -r1.37.8.2 -r1.37.8.3 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.8.2 src/sys/netipsec/xform_ah.c:1.37.8.3
--- src/sys/netipsec/xform_ah.c:1.37.8.2	Thu Feb 15 08:09:30 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 16:49:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -687,11 +687,10 @@ ah_input(struct mbuf *m, const struct se
 		return EACCES;
 	}
 	if (skip + authsize + rplen > m->m_pkthdr.len) {
-		char buf[IPSEC_ADDRSTRLEN];
 		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
 			" for packet in SA %s/%08lx\n", __func__,
 			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
-			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			ipsec_address(>sah->saidx.dst),
 			(u_long) ntohl(sav->spi)));
 		AH_STATINC(AH_STAT_BADAUTHL);
 		m_freem(m);



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 14:50:17 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1529):
sys/netipsec/xform_ipip.c: revision 1.44 via patch

PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.22.1 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.28 src/sys/netipsec/xform_ipip.c:1.28.22.1
--- src/sys/netipsec/xform_ipip.c:1.28	Sun Jul 17 20:54:54 2011
+++ src/sys/netipsec/xform_ipip.c	Thu Feb 15 14:50:17 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.28.22.1 2018/02/15 14:50:17 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.22.1 2018/02/15 14:50:17 martin Exp $");
 
 /*
  * IP-inside-IP processing
@@ -566,7 +566,7 @@ ipip_output(
 		ip6o->ip6_flow = 0;
 		ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
 		ip6o->ip6_vfc |= IPV6_VERSION;
-		ip6o->ip6_plen = htons(m->m_pkthdr.len);
+		ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o));
 		ip6o->ip6_hlim = ip_defttl;
 		ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
 		ip6o->ip6_src = saidx->src.sin6.sin6_addr;
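Review bot: The new payload length `m->m_pkthdr.len - sizeof(*ip6o)` is computed in `size_t` and then narrowed by `htons()` to 16 bits, so a chain longer than 65535 + 40 bytes would silently wrap to a small `ip6_plen` instead of being rejected. A check before the assignment, `if (m->m_pkthdr.len - sizeof(*ip6o) > IPV6_MAXPACKET) { /* take the function's existing error exit with EMSGSIZE */ }`, fails such packets explicitly; the error exit of ipip_output is outside the hunk, so its label is to be confirmed. ipip_output begins and ends outside the hunk.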



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 08:09:30 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1530):
sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.37.8.1 -r1.37.8.2 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.8.1 src/sys/netipsec/xform_ah.c:1.37.8.2
--- src/sys/netipsec/xform_ah.c:1.37.8.1	Mon Jan 29 19:29:00 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 08:09:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -636,6 +636,7 @@ ah_input(struct mbuf *m, const struct se
 	struct m_tag *mtag;
 	struct newah *ah;
 	int hl, rplen, authsize, error;
+	uint8_t nxt;
 
 	struct cryptodesc *crda;
 	struct cryptop *crp;
@@ -660,6 +661,8 @@ ah_input(struct mbuf *m, const struct se
 		return ENOBUFS;
 	}
 
+	nxt = ah->ah_nxt;
+
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
 		AH_STATINC(AH_STAT_REPLAY);
@@ -683,6 +686,18 @@ ah_input(struct mbuf *m, const struct se
 		m_freem(m);
 		return EACCES;
 	}
+	if (skip + authsize + rplen > m->m_pkthdr.len) {
+		char buf[IPSEC_ADDRSTRLEN];
+		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+			" for packet in SA %s/%08lx\n", __func__,
+			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			(u_long) ntohl(sav->spi)));
+		AH_STATINC(AH_STAT_BADAUTHL);
+		m_freem(m);
+		return EACCES;
+	}
+
 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 
 	/* Get crypto descriptors. */
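Review bot: In the new diagnostic, `m->m_pkthdr.len` is printed with `%u` although the field is an `int`; the `(u_long)` casts are applied to the neighbouring arguments only, so `%d` for the length (or an explicit `(unsigned)` cast) keeps format and argument types matched. The same DPRINTF is reworked again in the follow-up commit above (xform_ah.c 1.37.8.3, the `ipsec_address` hunk) and carries the same specifier. The length check itself, `skip + authsize + rplen > m->m_pkthdr.len`, is done in plain `int`, which is the signed comparison wanted here. ah_input begins and ends outside the hunk.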
@@ -780,7 +795,7 @@ ah_input(struct mbuf *m, const struct se
 	tc->tc_spi = sav->spi;
 	tc->tc_dst = sav->sah->saidx.dst;
 	tc->tc_proto = sav->sah->saidx.proto;
-	tc->tc_nxt = ah->ah_nxt;
+	tc->tc_nxt = nxt;
 	tc->tc_protoff = protoff;
 	tc->tc_skip = skip;
 	tc->tc_ptr = mtag; /* Save the mtag we've identified. */



CVS commit: [netbsd-6-1] src/sys/dist/pf/net

2018-02-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Feb 10 04:25:36 UTC 2018

Modified Files:
src/sys/dist/pf/net [netbsd-6-1]: pf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1527):
sys/dist/pf/net/pf.c: revision 1.78 via patch
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.
It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.
This bug was reported 8 years ago by Lucio Albornoz in PR/44059.


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.68.8.1 src/sys/dist/pf/net/pf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dist/pf/net/pf.c
diff -u src/sys/dist/pf/net/pf.c:1.68 src/sys/dist/pf/net/pf.c:1.68.8.1
--- src/sys/dist/pf/net/pf.c:1.68	Mon Dec 19 16:10:07 2011
+++ src/sys/dist/pf/net/pf.c	Sat Feb 10 04:25:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $	*/
+/*	$NetBSD: pf.c,v 1.68.8.1 2018/02/10 04:25:36 snj Exp $	*/
 /*	$OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */
 
 /*
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68.8.1 2018/02/10 04:25:36 snj Exp $");
 
 #include "pflog.h"
 
@@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off
 	struct sackblk sack;
 
 #ifdef __NetBSD__
-#define	TCPOLEN_SACK (2 * sizeof(uint32_t))
+#define	TCPOLEN_SACK		8		/* 2*sizeof(tcp_seq) */
 #endif
 
 #define TCPOLEN_SACKLEN	(TCPOLEN_SACK + 2)
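Review bot: The new definition works because `8` is an `int`, so the `while()` comparison against `hlen` (outside this hunk) becomes signed; the trailing comment `/* 2*sizeof(tcp_seq) */` invites a future cleanup back to a `sizeof` expression, which would silently reintroduce the unsigned comparison from PR/44059. Spell the constraint out at the definition, e.g. `#define TCPOLEN_SACK 8 /* 2*sizeof(tcp_seq); must stay a signed int, see PR/44059 */`. pf_modulate_sack begins and ends outside the hunk.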



CVS commit: [netbsd-6-1] src/sys/netinet

2018-02-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  9 14:11:21 UTC 2018

Modified Files:
src/sys/netinet [netbsd-6-1]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1526):
sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
source = 0.0.0.0
destination = public address of the server
LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.298 -r1.298.8.1 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.298 src/sys/netinet/ip_input.c:1.298.8.1
--- src/sys/netinet/ip_input.c:1.298	Mon Jan  9 14:31:22 2012
+++ src/sys/netinet/ip_input.c	Fri Feb  9 14:11:21 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.298.8.1 2018/02/09 14:11:21 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298.8.1 2018/02/09 14:11:21 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -161,10 +161,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#define	IPFORWSRCRT	0	/* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define	IPALLOWSRCRT	1	/* allow source-routed packets */
+#define	IPALLOWSRCRT	0	/* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC	1
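Review bot: The defaults now read `0`, but the trailing comments still only name the feature; nothing at the definition records that the value is deliberately off or that it can be re-enabled through the kernel option or the runtime `ip_forwsrcrt`/`ip_allowsrcrt` knobs named in the commit message. A comment such as `/* forward source-routed packets; off by default, see ticket #1526 */` keeps the rationale next to the value so a later "restore old behaviour" edit is made knowingly. No code change needed.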



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 13:11:32 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: nd6_nbr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1525):
sys/netinet6/nd6_nbr.c: revision 1.145 (patch)

Fix memory leak. Contrary to what the XXX indicates, this place is 100%
reachable remotely.


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.95.8.1 src/sys/netinet6/nd6_nbr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_nbr.c
diff -u src/sys/netinet6/nd6_nbr.c:1.95 src/sys/netinet6/nd6_nbr.c:1.95.8.1
--- src/sys/netinet6/nd6_nbr.c:1.95	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/nd6_nbr.c	Fri Feb  2 13:11:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.95.8.1 2018/02/02 13:11:32 martin Exp $	*/
 /*	$KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95.8.1 2018/02/02 13:11:32 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -589,7 +589,7 @@ nd6_na_input(struct mbuf *m, int off, in
 
 	taddr6 = nd_na->nd_na_target;
 	if (in6_setscope(, ifp, NULL))
-		return;		/* XXX: impossible */
+		goto bad;
 
 	if (IN6_IS_ADDR_MULTICAST()) {
 		nd6log((LOG_ERR,
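Review bot: The new `goto bad` fixes the leak, but unlike the multicast-target branch just below it, the `in6_setscope()` failure stays silent; since the commit message states this path is reachable remotely, a `nd6log((LOG_ERR, ...))` line before the `goto`, in the style of the next branch, would make such packets visible in logs. Whether `bad:` frees `m` cannot be confirmed here, as the label is outside the hunk. nd6_na_input begins and ends outside the hunk.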



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 11:08:30 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_mroute.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1524):
sys/netinet6/ip6_mroute.c: revision 1.120
Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE,
not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain
on an mbuf that was already freed.


To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.103.16.1 src/sys/netinet6/ip6_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_mroute.c
diff -u src/sys/netinet6/ip6_mroute.c:1.103 src/sys/netinet6/ip6_mroute.c:1.103.16.1
--- src/sys/netinet6/ip6_mroute.c:1.103	Sat Dec 31 20:41:59 2011
+++ src/sys/netinet6/ip6_mroute.c	Fri Feb  2 11:08:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $	*/
+/*	$NetBSD: ip6_mroute.c,v 1.103.16.1 2018/02/02 11:08:30 martin Exp $	*/
 /*	$KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $	*/
 
 /*
@@ -117,7 +117,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103.16.1 2018/02/02 11:08:30 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_mrouting.h"
@@ -1864,7 +1864,7 @@ pim6_input(struct mbuf **mp, int *offp, 
 			(eip6->ip6_vfc & IPV6_VERSION));
 #endif
 			m_freem(m);
-			return (IPPROTO_NONE);
+			return (IPPROTO_DONE);
 		}
 
 		/* verify the inner packet is destined to a mcast group */
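Review bot: The return value fix is right for this exit, but `m_freem(m); return (IPPROTO_NONE);` is exactly the pattern that made the bug silent, so the other early exits of pim6_input (outside this hunk) deserve the same audit: every `return` that follows `m_freem(m)` must be `IPPROTO_DONE`, since the caller otherwise keeps walking the header chain of a freed mbuf. A short comment on the new line, `return (IPPROTO_DONE); /* mbuf consumed */`, documents the contract. pim6_input begins and ends outside the hunk.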



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 22:10:56 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.14.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.14.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ah_input.c
diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.14.1
--- src/sys/netinet6/ah_input.c:1.59	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ah_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i
 		 * next header field of the previous header.
 		 * This is necessary because AH will be stripped off below.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		ip6 = mtod(m, struct ip6_hdr *);
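Review bot: The new `prvnxtp = (mtod(m, u_int8_t *) + prvnxt)` reintroduces the `mtod + offset` pattern that ticket #1523 describes as the bug, so the write `*prvnxtp = nxt` is only safe if the chain has been pulled up through `off` earlier in ah6_input (outside the hunk; cannot be confirmed here). The frag6.c hunk of the same ticket instead obtains the pointer with `IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, sizeof(*prvnxtp));` and drops the packet when it comes back NULL; the same should be done here, or the `/* XXX */` replaced by a comment stating the pullup assumption if the direct pointer is kept. The esp_input.c and ipcomp_input.c hunks below carry the identical pattern.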

Index: src/sys/netinet6/esp_input.c
diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.14.1
--- src/sys/netinet6/esp_input.c:1.50	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/esp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -834,7 +834,8 @@ noreplaycheck:
 		/*
 		 * Set the next header field of the previous header correctly.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		stripsiz = esplen + ivlen;

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.14.1
--- src/sys/netinet6/ipcomp_input.c:1.38	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ipcomp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off
 	m->m_flags |= M_DECRYPTED;
 
 	/* update next header field */
-	prvnxtp = ip6_get_prevhdr(m, off);
+	const int prvnxt = ip6_get_prevhdr(m, off);
+	prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 	*prvnxtp = nxt;
 
 	/*



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:45:59 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.2.2.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.8.1 -r1.136.8.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.8.1 -r1.58.8.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.8.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.2.2.1
--- src/sys/netinet6/frag6.c:1.52.2.2	Thu Oct 25 17:23:33 2012
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $	*/
+/*	$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -461,6 +453,21 @@ insert:
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
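Review bot: The new `goto dropfrag` runs after `q6` has already been unlinked and freed (`kmem_intr_free(q6, ...)` in the previous hunk), so `dropfrag:` (outside this hunk) must not touch `q6`; it must also tolerate `m` being NULL if `IP6_EXTHDR_GET`'s failure path releases the chain, as I believe its m_pulldown-based definition does — both worth confirming. A comment above the block, `/* q6 is gone; IP6_EXTHDR_GET may free m on failure, dropfrag must cope with m == NULL */`, also records why this block now sits after the `m_pkthdr.len` fixup rather than before `frag6_remque`. The enclosing function begins and ends outside the hunk.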

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.136.8.1 src/sys/netinet6/ip6_input.c:1.136.8.2
--- src/sys/netinet6/ip6_input.c:1.136.8.1	Mon Jul  8 07:40:56 2013
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently processed.
- * XXX: This 

CVS commit: [netbsd-6-1] src/sys/netipsec

2018-01-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Jan 29 19:29:00 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1521):
sys/netipsec/xform_ah.c: revision 1.76
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2', this place will be reinforced in separate commits.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.8.1 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37 src/sys/netipsec/xform_ah.c:1.37.8.1
--- src/sys/netipsec/xform_ah.c:1.37	Thu Jan 26 21:10:24 2012
+++ src/sys/netipsec/xform_ah.c	Mon Jan 29 19:29:00 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -527,12 +527,12 @@ ah_massage_headers(struct mbuf **m0, int
 		return EINVAL;
 	}
 
-	ad = ptr[count + 1];
+	ad = ptr[count + 1] + 2;
 
 	/* If mutable option, zeroize. */
 	if (ptr[count] & IP6OPT_MUTABLE)
 		memcpy(ptr + count, ipseczeroes,
-		ptr[count + 1]);
+		ad);
 
 	count += ad;
 
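Review bot: With `ad` now including the two header bytes, `memcpy(ptr + count, ipseczeroes, ad)` zeroes the option type and length bytes as well as the option data; as far as I recall RFC 4302 treats those two bytes as immutable, so if only the data is meant to be cleared the call should read `memcpy(ptr + count + 2, ipseczeroes, ptr[count + 1]);`, otherwise the ICV differs from an implementation that follows the RFC — worth verifying before changing. Separately, `ad` can reach 257 (a length byte of 255 plus 2), so the copy requires `ipseczeroes` to be at least that large; its declaration is not in this hunk and should be checked. ah_massage_headers begins and ends outside the hunk.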



CVS commit: [netbsd-6-1] src/sys/arch/mips/mips

2017-11-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Nov  8 21:28:24 UTC 2017

Modified Files:
src/sys/arch/mips/mips [netbsd-6-1]: pmap.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1390):
sys/arch/mips/mips/pmap.c: 1.221-1.223
Fix a bug introduced by me in 1.214 where unmanaged mappings would be
affected by calls to pmap_page_protect which is wrong.  Now PV_KENTER
mappings are left intact.
Thanks to chuq for spotting my mistake and reviewing this diff.
Thanks to everyone who tested it as well.
Fix PR/51288 reproducible panic on evbmips64-eb (erlite)
pmap_page_remove from the previous change neglected to terminate the pv
list correctly when it started with an initial unmanaged mapping and
subsequent managed mappings.  Fix this.
Fix MIPS3_NO_PV_UNCACHED alias handling by looping through the pv_list
looking for bad aliases and removing the bad entries.  That is, revert
to the code before the matt-mips64 merge.
Additionally, fix the pmap_update call to not use the (recently
  removed/freed) pv for the pmap_t.
Fixes the following two PRs
PR/49903: Panic during installation on WorkPad Z50 (hpcmips) whilst 
uncompressing base.tgz
PR/51226: Install bug for hpcmips NetBSD V7 using FTP Full installation


To generate a diff of this commit:
cvs rdiff -u -r1.207.2.1.6.2 -r1.207.2.1.6.3 src/sys/arch/mips/mips/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mips/mips/pmap.c
diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.2 src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.3
--- src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.2	Wed Nov  8 21:22:57 2017
+++ src/sys/arch/mips/mips/pmap.c	Wed Nov  8 21:28:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $	*/
+/*	$NetBSD: pmap.c,v 1.207.2.1.6.3 2017/11/08 21:28:24 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.3 2017/11/08 21:28:24 snj Exp $");
 
 /*
  *	Manages physical address maps.
@@ -316,6 +316,7 @@ u_int		pmap_page_colormask;
 	 (pm) == curlwp->l_proc->p_vmspace->vm_map.pmap)
 
 /* Forward function declarations */
+void pmap_page_remove(struct vm_page *);
 void pmap_remove_pv(pmap_t, vaddr_t, struct vm_page *, bool);
 void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *, int);
 pt_entry_t *pmap_pte(pmap_t, vaddr_t);
@@ -1063,6 +1064,10 @@ pmap_page_protect(struct vm_page *pg, vm
 			while (pv != NULL) {
 const pmap_t pmap = pv->pv_pmap;
 const uint16_t gen = PG_MD_PVLIST_GEN(md);
+if (pv->pv_va & PV_KENTER) {
+	pv = pv->pv_next;
+	continue;
+}
 va = trunc_page(pv->pv_va);
 PG_MD_PVLIST_UNLOCK(md);
 pmap_protect(pmap, va, va + PAGE_SIZE, prot);
@@ -1087,17 +1092,7 @@ pmap_page_protect(struct vm_page *pg, vm
 		if (pmap_clear_mdpage_attributes(md, PG_MD_EXECPAGE)) {
 			PMAP_COUNT(exec_uncached_page_protect);
 		}
-		(void)PG_MD_PVLIST_LOCK(md, false);
-		pv = >pvh_first;
-		while (pv->pv_pmap != NULL) {
-			const pmap_t pmap = pv->pv_pmap;
-			va = trunc_page(pv->pv_va);
-			PG_MD_PVLIST_UNLOCK(md);
-			pmap_remove(pmap, va, va + PAGE_SIZE);
-			pmap_update(pmap);
-			(void)PG_MD_PVLIST_LOCK(md, false);
-		}
-		PG_MD_PVLIST_UNLOCK(md);
+		pmap_page_remove(pg);
 	}
 }
 
@@ -2069,6 +2064,32 @@ pmap_set_modified(paddr_t pa)
 / pv_entry management /
 
 static void
+pmap_check_alias(struct vm_page *pg)
+{
+#ifdef MIPS3_PLUS	/* XXX mmu XXX */
+#ifndef MIPS3_NO_PV_UNCACHED
+	struct vm_page_md * const md = VM_PAGE_TO_MD(pg);
+
+	if (MIPS_HAS_R4K_MMU && PG_MD_UNCACHED_P(md)) {
+		/*
+		 * Page is currently uncached, check if alias mapping has been
+		 * removed.  If it was, then reenable caching.
+		 */
+		pv_entry_t pv = >pvh_first;
+		pv_entry_t pv0 = pv->pv_next;
+
+		for (; pv0; pv0 = pv0->pv_next) {
+			if (mips_cache_badalias(pv->pv_va, pv0->pv_va))
+break;
+		}
+		if (pv0 == NULL)
+			pmap_page_cache(pg, true);
+	}
+#endif
+#endif	/* MIPS3_PLUS */
+}
+
+static void
 pmap_check_pvlist(struct vm_page_md *md)
 {
 #ifdef PARANOIADIAG
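Review bot: `pmap_check_alias` passes the raw `pv->pv_va` and `pv0->pv_va` to `mips_cache_badalias`, while the pmap.c hunks of ticket #1068 further down the page apply `trunc_page()` before using `pv_va`, because its low bits now carry `PV_KENTER`; this is fine only if `mips_cache_badalias` masks the page-offset bits, which cannot be confirmed from here. Passing `trunc_page(pv->pv_va)` and `trunc_page(pv0->pv_va)` removes that dependency and matches the `again:` hunk below, which already compares `trunc_page(npv->pv_va)`. A one-line comment saying why only the first entry is compared against the rest (a shared cache index is transitive, so pairwise checks are unnecessary — if that is the intent) would help the next reader.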
@@ -2155,12 +2176,12 @@ again:
 			 * be mapped with one index at any given time.
 			 */
 
-			if (mips_cache_badalias(pv->pv_va, va)) {
-for (npv = pv; npv; npv = npv->pv_next) {
-	vaddr_t nva = trunc_page(npv->pv_va);
-	pmap_remove(npv->pv_pmap, nva,
-	nva + PAGE_SIZE);
-	pmap_update(npv->pv_pmap);
+			for (npv = pv; npv; npv = npv->pv_next) {
+vaddr_t nva = trunc_page(npv->pv_va);
+pmap_t npm = npv->pv_pmap;
+if (mips_cache_badalias(nva, va)) {
+	pmap_remove(npm, nva, nva + PAGE_SIZE);
+	pmap_update(npm);
 	goto again;
 }
 			}
@@ -2283,6 +2304,114 @@ again:
 }
 
 /*
+ * Remove this page from all physical maps in which 

CVS commit: [netbsd-6-1] src/sys/arch/mips

2017-11-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Nov  8 21:22:58 UTC 2017

Modified Files:
src/sys/arch/mips/include [netbsd-6-1]: pmap.h
src/sys/arch/mips/mips [netbsd-6-1]: pmap.c pmap_segtab.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1068):
sys/arch/mips/include/pmap.h: revision 1.63
sys/arch/mips/mips/pmap.c: revision 1.214
sys/arch/mips/mips/pmap_segtab.c: revision 1.8
Deal with incompatible cache aliases. Specifically,
- always flush an ephemeral page on unmap
- track unmanaged mappings (mappings entered via pmap_kenter_pa) for
aliases where required and handle appropriately (via pmap_enter_pv)
Hopefully this (finally) addresses the instability reported in the
following PRs:
PR/44900 - R5000/Rm5200 mips ports are broken
PR/46890 - upcoming NetBSD 6.0 release is very unstable / unusable on cobalt 
qube 2
PR/48628 - cobalt and hpcmips ports are dead


To generate a diff of this commit:
cvs rdiff -u -r1.61.8.1 -r1.61.8.1.6.1 src/sys/arch/mips/include/pmap.h
cvs rdiff -u -r1.207.2.1.6.1 -r1.207.2.1.6.2 src/sys/arch/mips/mips/pmap.c
cvs rdiff -u -r1.4.2.1 -r1.4.2.1.6.1 src/sys/arch/mips/mips/pmap_segtab.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mips/include/pmap.h
diff -u src/sys/arch/mips/include/pmap.h:1.61.8.1 src/sys/arch/mips/include/pmap.h:1.61.8.1.6.1
--- src/sys/arch/mips/include/pmap.h:1.61.8.1	Thu Jul  5 18:39:42 2012
+++ src/sys/arch/mips/include/pmap.h	Wed Nov  8 21:22:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.h,v 1.61.8.1 2012/07/05 18:39:42 riz Exp $	*/
+/*	$NetBSD: pmap.h,v 1.61.8.1.6.1 2017/11/08 21:22:57 snj Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -283,6 +283,7 @@ void	pmap_prefer(vaddr_t, vaddr_t *, vsi
 #endif /* MIPS3_PLUS */
 
 #define	PMAP_STEAL_MEMORY	/* enable pmap_steal_memory() */
+#define	PMAP_ENABLE_PMAP_KMPAGE	/* enable the PMAP_KMPAGE flag */
 
 /*
  * Alternate mapping hooks for pool pages.  Avoids thrashing the TLB.
@@ -329,6 +330,7 @@ typedef struct pv_entry {
 	struct pv_entry	*pv_next;	/* next pv_entry */
 	struct pmap	*pv_pmap;	/* pmap where mapping lies */
 	vaddr_t		pv_va;		/* virtual address for mapping */
+#define	PV_KENTER	0x001
 } *pv_entry_t;
 
 #define	PG_MD_UNCACHED		0x0001	/* page is mapped uncached */
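Review bot: `PV_KENTER` is placed inside `struct pv_entry` with no comment, and its value `0x001` only works because it lives in the otherwise page-aligned low bits of `pv_va`, which means every reader of `pv_va` must now apply `trunc_page()` (as the pmap.c hunks in this commit do) or mask the flag. Document that contract at the definition: `#define PV_KENTER 0x001 /* in pv_va low bits: mapping entered via pmap_kenter_pa; use trunc_page(pv_va) for the address */`.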

Index: src/sys/arch/mips/mips/pmap.c
diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.1 src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.2
--- src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.1	Wed Nov  8 21:19:46 2017
+++ src/sys/arch/mips/mips/pmap.c	Wed Nov  8 21:22:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $	*/
+/*	$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $");
 
 /*
  *	Manages physical address maps.
@@ -317,7 +317,7 @@ u_int		pmap_page_colormask;
 
 /* Forward function declarations */
 void pmap_remove_pv(pmap_t, vaddr_t, struct vm_page *, bool);
-void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *);
+void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *, int);
 pt_entry_t *pmap_pte(pmap_t, vaddr_t);
 
 /*
@@ -386,13 +386,13 @@ pmap_page_syncicache(struct vm_page *pg)
 	}
 	PG_MD_PVLIST_UNLOCK(md);
 	kpreempt_disable();
-	pmap_tlb_syncicache(md->pvh_first.pv_va, onproc);
+	pmap_tlb_syncicache(trunc_page(md->pvh_first.pv_va), onproc);
 	kpreempt_enable();
 #else
 	if (MIPS_HAS_R4K_MMU) {
 		if (PG_MD_CACHED_P(md)) {
 			mips_icache_sync_range_index(
-			md->pvh_first.pv_va, PAGE_SIZE);
+			trunc_page(md->pvh_first.pv_va), PAGE_SIZE);
 		}
 	} else {
 		mips_icache_sync_range(MIPS_PHYS_TO_KSEG0(VM_PAGE_TO_PHYS(pg)),
@@ -436,10 +436,10 @@ pmap_map_ephemeral_page(struct vm_page *
 		 */
 		(void)PG_MD_PVLIST_LOCK(md, false);
 		if (PG_MD_CACHED_P(md)
-		&& mips_cache_badalias(pv->pv_va, va))
-			mips_dcache_wbinv_range_index(pv->pv_va, PAGE_SIZE);
-		if (pv->pv_pmap == NULL)
-			pv->pv_va = va;
+		&& mips_cache_badalias(pv->pv_va, va)) {
+			mips_dcache_wbinv_range_index(trunc_page(pv->pv_va),
+			PAGE_SIZE);
+		}
 		PG_MD_PVLIST_UNLOCK(md);
 	}
 
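Review bot: The removed `if (pv->pv_pmap == NULL) pv->pv_va = va;` means pmap_map_ephemeral_page no longer records the ephemeral va in the page's first pv entry, yet the mips_cache_badalias(pv->pv_va, va) test just above still reads that field; presumably the recording now happens in pmap_enter_pv as the log message says, but that call is not in this hunk. Worth confirming that the pv_pmap == NULL case (no managed mapping yet) still ends up with a meaningful pv_va, otherwise the alias test compares against a stale value. The enclosing function continues outside the hunk.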
@@ -450,23 +450,13 @@ static void
 pmap_unmap_ephemeral_page(struct vm_page *pg, vaddr_t va,
 	pt_entry_t old_pt_entry)
 {
-	struct vm_page_md * const md = VM_PAGE_TO_MD(pg);
-	pv_entry_t pv = >pvh_first;
-	
-	if (MIPS_CACHE_VIRTUAL_ALIAS) {
-		(void)PG_MD_PVLIST_LOCK(md, false);
-		if (PG_MD_CACHED_P(md)
-		|| (pv->pv_pmap != NULL
-			&& mips_cache_badalias(pv->pv_va, va))) {
 
-			/*
-			 * If this page was previously cached or we had to use an
-			 * incompatible alias and it has a valid mapping, flush it
-			 * from the cache.
-			 */
-			

CVS commit: [netbsd-6-1] src/sys/arch/mips/mips

2017-11-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Nov  8 21:19:46 UTC 2017

Modified Files:
src/sys/arch/mips/mips [netbsd-6-1]: pmap.c vm_machdep.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1056):
sys/arch/mips/mips/pmap.c: revision 1.210-1.213
sys/arch/mips/mips/vm_machdep.c: revision 1.143
Fix a logic inversion introduced with the matt-nb5-mips64 for
pmap_{zero,copy}_page cache alias handling. The check previously used
PG_MD_UNCACHED_P, where it now uses PG_MD_CACHED_P, when considering if
a cache invalidation is required.
Additionally flush the cache for the uarea va to avoid potential (future)
cache aliases in cpu_uarea_free when handing pages back to uvm for later
use.
ok matt@
Hopefully this addresses the instability reported in the following PRs:
PR/44900 - R5000/Rm5200 mips ports are broken
PR/46170 - NetBSD/cobalt 6.0_BETA does not boot
PR/46890 - upcoming NetBSD 6.0 release is very unstable / unusable on cobalt 
qube 2
PR/48628 - cobalt and hpcmips ports are dead
Grab pv_list lock in pmap_unmap_ephemeral_page only when needed.
Make PARANOIADIAG compile.
Use pmap_tlb_asid_check to reduce code c


To generate a diff of this commit:
cvs rdiff -u -r1.207.2.1 -r1.207.2.1.6.1 src/sys/arch/mips/mips/pmap.c
cvs rdiff -u -r1.141 -r1.141.14.1 src/sys/arch/mips/mips/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mips/mips/pmap.c
diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.1 src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.1
--- src/sys/arch/mips/mips/pmap.c:1.207.2.1	Thu Jul  5 18:39:42 2012
+++ src/sys/arch/mips/mips/pmap.c	Wed Nov  8 21:19:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.207.2.1 2012/07/05 18:39:42 riz Exp $	*/
+/*	$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1 2012/07/05 18:39:42 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $");
 
 /*
  *	Manages physical address maps.
@@ -453,19 +453,21 @@ pmap_unmap_ephemeral_page(struct vm_page
 	struct vm_page_md * const md = VM_PAGE_TO_MD(pg);
 	pv_entry_t pv = >pvh_first;
 	
-	(void)PG_MD_PVLIST_LOCK(md, false);
-	if (MIPS_CACHE_VIRTUAL_ALIAS
-	&& (PG_MD_UNCACHED_P(md)
-		|| (pv->pv_pmap != NULL
-		&& mips_cache_badalias(pv->pv_va, va {
-		/*
-		 * If this page was previously uncached or we had to use an
-		 * incompatible alias and it has a valid mapping, flush it
-		 * from the cache.
-		 */
-		mips_dcache_wbinv_range(va, PAGE_SIZE);
+	if (MIPS_CACHE_VIRTUAL_ALIAS) {
+		(void)PG_MD_PVLIST_LOCK(md, false);
+		if (PG_MD_CACHED_P(md)
+		|| (pv->pv_pmap != NULL
+			&& mips_cache_badalias(pv->pv_va, va))) {
+
+			/*
+			 * If this page was previously cached or we had to use an
+			 * incompatible alias and it has a valid mapping, flush it
+			 * from the cache.
+			 */
+			mips_dcache_wbinv_range(va, PAGE_SIZE);
+		}
+		PG_MD_PVLIST_UNLOCK(md);
 	}
-	PG_MD_PVLIST_UNLOCK(md);
 #ifndef _LP64
 	/*
 	 * If we had to map using a page table entry, unmap it now.
@@ -575,7 +577,7 @@ pmap_bootstrap(void)
 
 	/*
 	 * Now actually allocate the kernel PTE array (must be done
-	 * after virtual_end is initialized).
+	 * after mips_virtual_end is initialized).
 	 */
 	Sysmap = (pt_entry_t *)
 	uvm_pageboot_alloc(sizeof(pt_entry_t) * Sysmapsize);
@@ -1023,15 +1025,7 @@ pmap_remove(pmap_t pmap, vaddr_t sva, va
 	if (eva > VM_MAXUSER_ADDRESS)
 		panic("pmap_remove: uva not in range");
 	if (PMAP_IS_ACTIVE(pmap)) {
-		struct pmap_asid_info * const pai = PMAP_PAI(pmap, curcpu());
-		uint32_t asid;
-
-		__asm volatile("mfc0 %0,$10; nop" : "=r"(asid));
-		asid = (MIPS_HAS_R4K_MMU) ? (asid & 0xff) : (asid & 0xfc0) >> 6;
-		if (asid != pai->pai_asid) {
-			panic("inconsistency for active TLB flush: %d <-> %d",
-			asid, pai->pai_asid);
-		}
+		pmap_tlb_asid_check();
 	}
 #endif
 #ifdef PMAP_FAULTINFO
@@ -1214,15 +1208,7 @@ pmap_protect(pmap_t pmap, vaddr_t sva, v
 	if (eva > VM_MAXUSER_ADDRESS)
 		panic("pmap_protect: uva not in range");
 	if (PMAP_IS_ACTIVE(pmap)) {
-		struct pmap_asid_info * const pai = PMAP_PAI(pmap, curcpu());
-		uint32_t asid;
-
-		__asm volatile("mfc0 %0,$10; nop" : "=r"(asid));
-		asid = (MIPS_HAS_R4K_MMU) ? (asid & 0xff) : (asid & 0xfc0) >> 6;
-		if (asid != pai->pai_asid) {
-			panic("inconsistency for active TLB update: %d <-> %d",
-			asid, pai->pai_asid);
-		}
+		pmap_tlb_asid_check();
 	}
 #endif
 
@@ -1586,6 +1572,7 @@ pmap_enter(pmap_t pmap, vaddr_t va, padd
 
 #ifdef PARANOIADIAG
 	if (PMAP_IS_ACTIVE(pmap)) {
+		struct pmap_asid_info * const pai = PMAP_PAI(pmap, curcpu());
 		uint32_t asid;
 
 		__asm volatile("mfc0 %0,$10; nop" : "=r"(asid));
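Review bot: pmap_enter keeps the open-coded `mfc0 $10` ASID check and only gains the missing `pai` declaration, while the two earlier hunks of this commit (pmap_remove and pmap_protect) replace the identical block with `pmap_tlb_asid_check();`. Using the helper here as well would remove the third copy of the same inline asm together with the `pai` and `asid` locals. The rest of the PARANOIADIAG block and of pmap_enter lies outside the hunk, so the lines that would go are not visible here.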
@@ -1774,7 +1761,7 @@ pmap_unwire(pmap_t pmap, vaddr_t va)
 	if (pmap == pmap_kernel()) {
 

CVS commit: [netbsd-6-1] src/sys/arch/i386/i386

2017-10-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Oct 13 08:03:02 UTC 2017

Modified Files:
src/sys/arch/i386/i386 [netbsd-6-1]: vector.S

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1505):
sys/arch/i386/i386/i386_trap.S: revision 1.12 via patch
Pfff, use %ss and not %ds. The latter is controlled by userland, the former
contains the kernel value (flat); FreeBSD fixed this too a few weeks ago.
As I said earlier, this dtrace code is complete bullshit.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/arch/i386/i386/vector.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/i386/vector.S
diff -u src/sys/arch/i386/i386/vector.S:1.59 src/sys/arch/i386/i386/vector.S:1.59.14.1
--- src/sys/arch/i386/i386/vector.S:1.59	Sun Jun 12 03:35:42 2011
+++ src/sys/arch/i386/i386/vector.S	Fri Oct 13 08:03:02 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $	*/
+/*	$NetBSD: vector.S,v 1.59.14.1 2017/10/13 08:03:02 snj Exp $	*/
 
 /*
  * Copyright 2002 (c) Wasabi Systems, Inc.
@@ -65,7 +65,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59.14.1 2017/10/13 08:03:02 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_multiprocessor.h"
@@ -773,7 +773,7 @@ IDTVEC(trap05)
 	SUPERALIGN_TEXT
 IDTVEC(trap06)
 	/* Check if there is no DTrace hook registered. */
-	cmpl	$0,dtrace_invop_jump_addr
+	cmpl	$0,%ss:dtrace_invop_jump_addr
 	je	norm_ill
 
 	/* Check if this is a user fault. */
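Review bot: The `%ss:` override is the whole fix, but nothing in the code says why the default %ds-relative access was wrong, and a later cleanup could easily drop it as noise. Put the reason from the log message next to it: `/* %ds may still hold the user's selector here; %ss holds the kernel (flat) value. */`. If dtrace_invop_jump_addr is read again further down this vector, outside the hunk, that access needs the same override — worth checking.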



CVS commit: [netbsd-6-1] src/sys/compat/linux32/arch/amd64

2017-09-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Sep  9 16:53:35 UTC 2017

Modified Files:
src/sys/compat/linux32/arch/amd64 [netbsd-6-1]: linux32_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.16.1 \
src/sys/compat/linux32/arch/amd64/linux32_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c
diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29.16.1
--- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29	Fri Mar  4 22:25:31 2011
+++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c	Sat Sep  9 16:53:34 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */
+/*	$NetBSD: linux32_machdep.c,v 1.29.16.1 2017/09/09 16:53:34 snj Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.16.1 2017/09/09 16:53:34 snj Exp $");
 
 #include 
 #include 
@@ -428,8 +428,9 @@ linux32_restore_sigcontext(struct lwp *l
 	/*
 	 * Check for security violations.
 	 */
-	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
-	!USERMODE(scp->sc_cs, scp->sc_eflags))
+	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+		return EINVAL;
+	if (!VALID_USER_CSEL32(scp->sc_cs))
 		return EINVAL;
 
 	if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
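Review bot: The switch from USERMODE() to VALID_USER_CSEL32() is not explained in the code; the `Check for security violations.` comment above could state what is now being enforced: `/* %cs must be the 32-bit user code selector; checking only the privilege level leaves the selector index under user control. */`. That USERMODE() looked only at the privilege bits is my reading of the log message, so confirm the wording before committing it. The function continues past the hunk with the remaining segment-register checks.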



CVS commit: [netbsd-6-1] src/sys/arch/sparc64/sparc64

2017-09-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Sep  4 16:04:23 UTC 2017

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6-1]: compat_13_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1501):
sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24
Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get
kernel privileges on the hardware.
ok martin


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.32.1 \
src/sys/arch/sparc64/sparc64/compat_13_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/compat_13_machdep.c
diff -u src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23.32.1
--- src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23	Sat Nov 21 04:16:52 2009
+++ src/sys/arch/sparc64/sparc64/compat_13_machdep.c	Mon Sep  4 16:04:23 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $	*/
+/*	$NetBSD: compat_13_machdep.c,v 1.23.32.1 2017/09/04 16:04:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23.32.1 2017/09/04 16:04:23 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -129,7 +129,7 @@ compat_13_sys_sigreturn(struct lwp *l, c
 		return (EINVAL);
 	/* take only psr ICC field */
 #ifdef __arch64__
-	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | scp->sc_tstate;
+	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | (scp->sc_tstate & TSTATE_CCR);
 #else
 	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | PSRCC_TO_TSTATE(scp->sc_psr);
 #endif
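Review bot: The `/* take only psr ICC field */` comment now sits above a 64-bit branch that masks sc_tstate with TSTATE_CCR rather than taking a psr field, so it no longer says why the mask matters. Updating it to `/* take only the CCR bits: every other tstate bit (PSTATE_PRIV in particular) must come from the kernel's copy */` records the reason behind this fix. The 32-bit branch already goes through PSRCC_TO_TSTATE and needs no change.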



CVS commit: [netbsd-6-1] src/sys/arch/i386/conf

2017-08-26 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 26 16:26:29 UTC 2017

Modified Files:
src/sys/arch/i386/conf [netbsd-6-1]: GENERIC

Log Message:
Apply patch (requested by maxv in ticket #1466):
Disable vm86 by default. The use case is limited, and the potential
for damage is too high.


To generate a diff of this commit:
cvs rdiff -u -r1.1066.2.7 -r1.1066.2.7.6.1 src/sys/arch/i386/conf/GENERIC

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/conf/GENERIC
diff -u src/sys/arch/i386/conf/GENERIC:1.1066.2.7 src/sys/arch/i386/conf/GENERIC:1.1066.2.7.6.1
--- src/sys/arch/i386/conf/GENERIC:1.1066.2.7	Wed Aug 15 15:33:00 2012
+++ src/sys/arch/i386/conf/GENERIC	Sat Aug 26 16:26:29 2017
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.1066.2.7 2012/08/15 15:33:00 sborrill Exp $
+# $NetBSD: GENERIC,v 1.1066.2.7.6.1 2017/08/26 16:26:29 snj Exp $
 #
 # GENERIC machine description file
 #
@@ -22,12 +22,12 @@ include 	"arch/i386/conf/std.i386"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.1066.2.7 $"
+#ident 		"GENERIC-$Revision: 1.1066.2.7.6.1 $"
 
 maxusers	64		# estimated number of users
 
 # CPU-related options.
-options 	VM86		# virtual 8086 emulation
+#options 	VM86		# virtual 8086 emulation
 options 	USER_LDT	# user-settable LDT; used by WINE
 #options 	PAE		# PAE mode (36 bits physical addressing)
 



CVS commit: [netbsd-6-1] src/sys/lib/libkern

2017-08-23 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Aug 23 19:37:20 UTC 2017

Modified Files:
src/sys/lib/libkern [netbsd-6-1]: Makefile.libkern

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/lib/libkern/Makefile.libkern: revision 1.19
Add strnlen.c to SRCS (which will automatically use the .S version if it
exists).


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.17.8.1 src/sys/lib/libkern/Makefile.libkern

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/lib/libkern/Makefile.libkern
diff -u src/sys/lib/libkern/Makefile.libkern:1.17 src/sys/lib/libkern/Makefile.libkern:1.17.8.1
--- src/sys/lib/libkern/Makefile.libkern:1.17	Sun Feb  5 14:19:03 2012
+++ src/sys/lib/libkern/Makefile.libkern	Wed Aug 23 19:37:20 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.libkern,v 1.17 2012/02/05 14:19:03 dholland Exp $
+#	$NetBSD: Makefile.libkern,v 1.17.8.1 2017/08/23 19:37:20 snj Exp $
 
 # 
 # Variable definitions for libkern.  
@@ -84,7 +84,7 @@ SRCS+=	random.c
 SRCS+=	rngtest.c
 
 SRCS+=	memchr.c
-SRCS+=	strcat.c strcmp.c strcpy.c strlen.c
+SRCS+=	strcat.c strcmp.c strcpy.c strlen.c strnlen.c
 SRCS+=	strncmp.c strncpy.c
 SRCS+=	strcasecmp.c strncasecmp.c
 



CVS commit: [netbsd-6-1] src/sys/altq

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:37:04 UTC 2017

Modified Files:
src/sys/altq [netbsd-6-1]: altq_cbq.c altq_hfsc.c altq_jobs.c
altq_priq.c altq_wfq.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1488):
sys/altq/altq_cbq.c: revision 1.31
sys/altq/altq_hfsc.c: revision 1.27
sys/altq/altq_jobs.c: revision 1.11
sys/altq/altq_priq.c: revision 1.24
sys/altq/altq_wfq.c: revision 1.22
Zero buffers copied to userland to avoid stack disclosure.
From Ilja Van Sprundel.
--
Reject negative indices.
(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought.  Also one of
them is a u_long, because why not?)
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.32.1 src/sys/altq/altq_cbq.c
cvs rdiff -u -r1.24 -r1.24.52.1 src/sys/altq/altq_hfsc.c
cvs rdiff -u -r1.6.28.1 -r1.6.28.2 src/sys/altq/altq_jobs.c
cvs rdiff -u -r1.21 -r1.21.32.1 src/sys/altq/altq_priq.c
cvs rdiff -u -r1.19 -r1.19.50.1 src/sys/altq/altq_wfq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/altq/altq_cbq.c
diff -u src/sys/altq/altq_cbq.c:1.26 src/sys/altq/altq_cbq.c:1.26.32.1
--- src/sys/altq/altq_cbq.c:1.26	Sun Nov 22 18:40:26 2009
+++ src/sys/altq/altq_cbq.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $	*/
+/*	$NetBSD: altq_cbq.c,v 1.26.32.1 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26.32.1 2017/08/19 05:37:04 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -472,6 +472,7 @@ cbq_getqstats(struct pf_altq *a, void *u
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)
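Review bot: The new `memset(&stats, 0, sizeof(stats))` before get_class_stats() is the right tool — member-wise assignment inside get_class_stats cannot zero struct padding — but without a comment it reads as redundant and is exactly the line a later cleanup removes. A short why-comment above it, `/* zero padding too: stats is copied out to userland */`, prevents that. The same applies to the identical lines added in cbq_getstats, hfsc_getqstats and jobscmd_class_stats in this commit.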
@@ -876,6 +877,7 @@ cbq_getstats(struct cbq_getstats *gsp)
 			if (++i >= CBQ_MAX_CLASSES)
 goto out;
 
+		memset(, 0, sizeof(stats));
 		get_class_stats(, cl);
 		stats.handle = cl->stats_.handle;
 

Index: src/sys/altq/altq_hfsc.c
diff -u src/sys/altq/altq_hfsc.c:1.24 src/sys/altq/altq_hfsc.c:1.24.52.1
--- src/sys/altq/altq_hfsc.c:1.24	Wed Jun 18 09:06:27 2008
+++ src/sys/altq/altq_hfsc.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $	*/
+/*	$NetBSD: altq_hfsc.c,v 1.24.52.1 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24.52.1 2017/08/19 05:37:04 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -313,6 +313,7 @@ hfsc_getqstats(struct pf_altq *a, void *
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)

Index: src/sys/altq/altq_jobs.c
diff -u src/sys/altq/altq_jobs.c:1.6.28.1 src/sys/altq/altq_jobs.c:1.6.28.2
--- src/sys/altq/altq_jobs.c:1.6.28.1	Mon Nov  3 15:10:39 2014
+++ src/sys/altq/altq_jobs.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_jobs.c,v 1.6.28.1 2014/11/03 15:10:39 msaitoh Exp $	*/
+/*	$NetBSD: altq_jobs.c,v 1.6.28.2 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (c) 2001, the Rector and Board of Visitors of the
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.28.1 2014/11/03 15:10:39 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.28.2 2017/08/19 05:37:04 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -2111,10 +2111,9 @@ jobscmd_class_stats(struct jobs_class_st
 	usp = ap->stats;
 	for (pri = 0; pri <= jif->jif_maxpri; pri++) {
 		cl = jif->jif_classes[pri];
+		(void)memset(, 0, sizeof(stats));
 		if (cl != NULL)
 			get_class_stats(, cl);
-		else
-			(void)memset(, 0, sizeof(stats));
 		if ((error = copyout((void *), (void *)usp++,
  sizeof(stats))) != 0)
 			return (error);

Index: src/sys/altq/altq_priq.c
diff -u src/sys/altq/altq_priq.c:1.21 src/sys/altq/altq_priq.c:1.21.32.1
--- src/sys/altq/altq_priq.c:1.21	Sat Mar 14 15:35:58 2009
+++ src/sys/altq/altq_priq.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_priq.c,v 1.21 2009/03/14 15:35:58 dsl Exp $	*/
+/*	$NetBSD: altq_priq.c,v 1.21.32.1 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (C) 2000-2003
@@ 

CVS commit: [netbsd-6-1] src/sys/compat/linux/common

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:03:58 UTC 2017

Modified Files:
src/sys/compat/linux/common [netbsd-6-1]: linux_time.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1489):
sys/compat/linux/common/linux_time.c: 1.38-1.39 via patch
Only let the superuser set the compat_linux timezone.
Not really keen to invent a new kauth cookie for this useless purpose.
From Ilja Van Sprundel.
--
Put suser check in the right function: settimeofday, not gettimeofday.
While here, remove wrong comment.
Noted by kre@.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.14.1 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.35 src/sys/compat/linux/common/linux_time.c:1.35.14.1
--- src/sys/compat/linux/common/linux_time.c:1.35	Fri Nov 18 04:07:44 2011
+++ src/sys/compat/linux/common/linux_time.c	Sat Aug 19 05:03:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $ */
+/*	$NetBSD: linux_time.c,v 1.35.14.1 2017/08/19 05:03:58 snj Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35.14.1 2017/08/19 05:03:58 snj Exp $");
 
 #include 
 #include 
@@ -109,11 +109,10 @@ linux_sys_settimeofday(struct lwp *l, co
 			return (error);
 	}
 
-	/*
-	 * If user is not the superuser, we returned
-	 * after the sys_settimeofday() call.
-	 */
 	if (SCARG(uap, tzp)) {
+		if (kauth_authorize_generic(kauth_cred_get(),
+			KAUTH_GENERIC_ISSUSER, NULL) != 0)
+			return (EPERM);
 		error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz));
 		if (error)
 			return (error);
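Review bot: The superuser check now sits inside the `if (SCARG(uap, tzp))` block with nothing replacing the removed comment, so a reader has to work out why timezone writes need a privilege the time write already obtained elsewhere. A one-liner above the kauth call, `/* the emulated timezone is shared state, not per-process: require superuser */`, captures the log message's reasoning; that linux_sys_tz is global is my reading of the copyin target, so confirm. The earlier part of the function, including the sys_settimeofday() call, is outside the hunk.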



CVS commit: [netbsd-6-1] src/sys/netsmb

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:44:54 UTC 2017

Modified Files:
src/sys/netsmb [netbsd-6-1]: smb_dev.c smb_subr.c smb_subr.h smb_usr.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1487):
sys/netsmb/smb_dev.c: 1.50
sys/netsmb/smb_subr.c: 1.38
sys/netsmb/smb_subr.h: 1.22
sys/netsmb/smb_usr.c: 1.17-1.19
Reject allocations for too-small buffers from userland.
From Ilja Van Sprundel.
--
Plug another overflow: refuse bogus sa_len from user.
--
Reject negative ioc_setupcnt.
--
Reject negative offset/count for smb read/write.
Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault.  But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.20.1 src/sys/netsmb/smb_dev.c
cvs rdiff -u -r1.36 -r1.36.22.1 src/sys/netsmb/smb_subr.c
cvs rdiff -u -r1.20 -r1.20.20.1 src/sys/netsmb/smb_subr.h
cvs rdiff -u -r1.16 -r1.16.32.1 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_dev.c
diff -u src/sys/netsmb/smb_dev.c:1.39 src/sys/netsmb/smb_dev.c:1.39.20.1
--- src/sys/netsmb/smb_dev.c:1.39	Fri Dec 17 14:27:34 2010
+++ src/sys/netsmb/smb_dev.c	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $	*/
+/*	$NetBSD: smb_dev.c,v 1.39.20.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39.20.1 2017/08/19 04:44:53 snj Exp $");
 
 #include 
 #include 
@@ -334,6 +334,8 @@ nsmb_dev_ioctl(dev_t dev, u_long cmd, vo
 		struct uio auio;
 		struct iovec iov;
 
+		if (rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0)
+			return EINVAL;
 		if ((ssp = sdp->sd_share) == NULL)
 			return ENOTCONN;
 		iov.iov_base = rwrq->ioc_base;

Index: src/sys/netsmb/smb_subr.c
diff -u src/sys/netsmb/smb_subr.c:1.36 src/sys/netsmb/smb_subr.c:1.36.22.1
--- src/sys/netsmb/smb_subr.c:1.36	Sun Sep 25 13:42:30 2011
+++ src/sys/netsmb/smb_subr.c	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $	*/
+/*	$NetBSD: smb_subr.c,v 1.36.22.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36.22.1 2017/08/19 04:44:53 snj Exp $");
 
 #include 
 #include 
@@ -371,3 +371,32 @@ dup_sockaddr(struct sockaddr *sa, int ca
 		memcpy(sa2, sa, sa->sa_len);
 	return sa2;
 }
+
+int
+dup_sockaddr_copyin(struct sockaddr **ksap, struct sockaddr *usa,
+size_t usalen)
+{
+	struct sockaddr *ksa;
+
+	/* Make sure user provided enough data for a generic sockaddr.  */
+	if (usalen < sizeof(*ksa))
+		return EINVAL;
+
+	/* Don't let the user overfeed us.  */
+	usalen = MIN(usalen, sizeof(struct sockaddr_storage));
+
+	/* Copy the buffer in from userland.  */
+	ksa = smb_memdupin(usa, usalen);
+	if (ksa == NULL)
+		return ENOMEM;
+
+	/* Make sure the user's idea of sa_len is reasonable.  */
+	if (ksa->sa_len > usalen) {
+		smb_memfree(ksa);
+		return EINVAL;
+	}
+
+	/* Success!  */
+	*ksap = ksa;
+	return 0;
+}
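Review bot: dup_sockaddr_copyin returns ENOMEM whenever smb_memdupin() yields NULL, which conflates an allocation failure with a copyin fault if smb_memdupin also returns NULL for the latter; callers would then report ENOMEM for a bad user pointer where EFAULT is expected — confirm how smb_memdupin signals each case. The function also lacks a header comment stating ownership: `/* Copy a sockaddr of usalen bytes in from userland. On success *ksap is newly allocated and must be freed with smb_memfree(); returns an errno. */`. Note that sa_len is only bounded above by usalen, so callers that use sa_len to size sa_data still have to cope with a value smaller than the fixed header.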

Index: src/sys/netsmb/smb_subr.h
diff -u src/sys/netsmb/smb_subr.h:1.20 src/sys/netsmb/smb_subr.h:1.20.20.1
--- src/sys/netsmb/smb_subr.h:1.20	Fri Dec 17 13:05:29 2010
+++ src/sys/netsmb/smb_subr.h	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.h,v 1.20 2010/12/17 13:05:29 pooka Exp $	*/
+/*	$NetBSD: smb_subr.h,v 1.20.20.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001, Boris Popov
@@ -127,5 +127,6 @@ int  smb_put_asunistring(struct smb_rq *
 #endif
 
 struct sockaddr *dup_sockaddr(struct sockaddr *, int);
+int dup_sockaddr_copyin(struct sockaddr **, struct sockaddr *, size_t);
 
 #endif /* !_NETSMB_SMB_SUBR_H_ */

Index: src/sys/netsmb/smb_usr.c
diff -u src/sys/netsmb/smb_usr.c:1.16 src/sys/netsmb/smb_usr.c:1.16.32.1
--- src/sys/netsmb/smb_usr.c:1.16	Wed Mar 18 16:00:24 2009
+++ src/sys/netsmb/smb_usr.c	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $	*/
+/*	$NetBSD: smb_usr.c,v 1.16.32.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16.32.1 2017/08/19 04:44:53 snj Exp $");
 
 #include 
 #include 
@@ -65,6 +65,7 @@ static int
 smb_usr_vc2spec(struct smbioc_ossn *dp, struct smb_vcspec *spec)
 {
 

CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:29:12 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: ciss.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1486):
sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.27.8.1 -r1.27.8.1.2.1 src/sys/dev/ic/ciss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.27.8.1 src/sys/dev/ic/ciss.c:1.27.8.1.2.1
--- src/sys/dev/ic/ciss.c:1.27.8.1	Thu Nov 22 17:24:52 2012
+++ src/sys/dev/ic/ciss.c	Sat Aug 19 04:29:12 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $	*/
+/*	$NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $	*/
 /*	$OpenBSD: ciss.c,v 1.14 2006/03/13 16:02:23 mickey Exp $	*/
 
 /*
@@ -19,7 +19,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $");
 
 #include "bio.h"
 
@@ -1198,12 +1198,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi
 		/* FALLTHROUGH */
 	case BIOCDISK:
 		bd = (struct bioc_disk *)addr;
-		if (bd->bd_volid > sc->maxunits) {
+		if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
 			error = EINVAL;
 			break;
 		}
 		ldp = sc->sc_lds[0];
-		if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+		if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
 			error = EINVAL;
 			break;
 		}
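Review bot: The added `< 0` tests close the negative-index hole, but the upper bounds stay inclusive: `bd->bd_volid > sc->maxunits` and `pd > ldp->ndrives` both let a value equal to the limit through. Whether that is right depends on whether maxunits and ndrives are counts or highest valid indices, which this hunk does not show; `ndrives` reads like a count, and in the ciss_ioctl_vol hunk below the same test is followed directly by `sc->sc_lds[bv->bv_volid]`, which would index one past the end if maxunits is a count. Worth confirming against the softc definition before the ticket is closed.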
@@ -1304,7 +1304,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st
 	int error = 0;
 	u_int blks;
 
-	if (bv->bv_volid > sc->maxunits) {
+	if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
 		return EINVAL;
 	}
 	ldp = sc->sc_lds[bv->bv_volid];



CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:27:37 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: isp_netbsd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1485):
sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.85.2.1 -r1.85.2.1.4.1 src/sys/dev/ic/isp_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/isp_netbsd.c
diff -u src/sys/dev/ic/isp_netbsd.c:1.85.2.1 src/sys/dev/ic/isp_netbsd.c:1.85.2.1.4.1
--- src/sys/dev/ic/isp_netbsd.c:1.85.2.1	Mon Sep  3 18:38:34 2012
+++ src/sys/dev/ic/isp_netbsd.c	Sat Aug 19 04:27:37 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $ */
 /*
  * Platform (NetBSD) dependent common attachment code for Qlogic adapters.
  */
@@ -33,7 +33,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $");
 
 #include 
 #include 
@@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_
 		}
 		lim = local.count;
 		channel = local.channel;
+		if (channel >= isp->isp_nchan) {
+			retval = EINVAL;
+			break;
+		}
 
 		ua = *(isp_dlist_t **)addr;
 		uptr = >wwns[0];
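Review bot: `if (channel >= isp->isp_nchan)` rejects too-large channels, but if `channel` (and local.channel) is a signed type a negative value still passes this comparison; either confirm the field is unsigned or write `if (channel < 0 || channel >= isp->isp_nchan)`. `lim = local.count` comes from the same user-supplied struct and is not bounded in this hunk; its use lies outside the visible lines, so check it there.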



CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:24:22 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: kern_ktrace.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1484):
sys/kern/kern_ktrace.c: revision 1.171 via patch
Clamp the length we use, not the length we don't.
Avoids uninitialized memory disclosure to userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.160 -r1.160.8.1 src/sys/kern/kern_ktrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_ktrace.c
diff -u src/sys/kern/kern_ktrace.c:1.160 src/sys/kern/kern_ktrace.c:1.160.8.1
--- src/sys/kern/kern_ktrace.c:1.160	Fri Dec 30 20:33:04 2011
+++ src/sys/kern/kern_ktrace.c	Sat Aug 19 04:24:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $	*/
+/*	$NetBSD: kern_ktrace.c,v 1.160.8.1 2017/08/19 04:24:22 snj Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.8.1 2017/08/19 04:24:22 snj Exp $");
 
 #include 
 #include 
@@ -952,7 +952,7 @@ ktruser(const char *id, void *addr, size
 
 	user_dta = (void *)(ktp + 1);
 	if ((error = copyin(addr, (void *)user_dta, len)) != 0)
-		len = 0;
+		kte->kte_kth.ktr_len = 0;
 
 	ktraddentry(l, kte, KTA_WAITOK);
 	return error;
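Review bot: The changed assignment deserves a comment saying why the entry is still queued after a failed copyin, since a reader will otherwise wonder why ktraddentry runs on the error path: `/* copyin failed: keep the header but record no payload, so the uninitialized bytes of user_dta are never written out */`. The local `len` is now left untouched on failure, which is presumably fine because only ktr_len should drive how much of the buffer is emitted, but that reasoning is worth stating at the assignment rather than leaving it implicit. ktruser's signature and the allocation of kte are outside the hunk.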



CVS commit: [netbsd-6-1] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:19:59 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6-1]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2 [netbsd-6-1]: ibcs2_misc.c
src/sys/compat/linux/common [netbsd-6-1]: linux_file64.c linux_misc.c
src/sys/compat/linux32/common [netbsd-6-1]: linux32_dirent.c
src/sys/compat/osf1 [netbsd-6-1]: osf1_file.c
src/sys/compat/sunos [netbsd-6-1]: sunos_misc.c
src/sys/compat/sunos32 [netbsd-6-1]: sunos32_misc.c
src/sys/compat/svr4 [netbsd-6-1]: svr4_misc.c
src/sys/compat/svr4_32 [netbsd-6-1]: svr4_32_misc.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1483):
sys/compat/common/vfs_syscalls_12.c: revision 1.34
sys/compat/svr4_32/svr4_32_misc.c: revision 1.78
sys/compat/sunos32/sunos32_misc.c: revision 1.78
sys/compat/linux/common/linux_misc.c: revision 1.239
sys/compat/osf1/osf1_file.c: revision 1.44
sys/compat/common/vfs_syscalls_43.c: revision 1.60
sys/compat/svr4/svr4_misc.c: revision 1.158
sys/compat/ibcs2/ibcs2_misc.c: revision 1.114
sys/compat/linux/common/linux_file64.c: revision 1.59
sys/compat/linux32/common/linux32_dirent.c: revision 1.18
sys/compat/sunos/sunos_misc.c: revision 1.171
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.29.26.1 -r1.29.26.2 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.14.1.2.2 -r1.54.14.1.2.3 \
src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.111 -r1.111.22.1 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.53 -r1.53.22.1 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.219 -r1.219.16.1 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.13 -r1.13.22.1 \
src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.41.22.1 -r1.41.22.2 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.168 -r1.168.28.1 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.74 -r1.74.16.1 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.155 -r1.155.22.1 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.74 -r1.74.22.1 src/sys/compat/svr4_32/svr4_32_misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29.26.1 src/sys/compat/common/vfs_syscalls_12.c:1.29.26.2
--- src/sys/compat/common/vfs_syscalls_12.c:1.29.26.1	Sat Aug 12 16:22:30 2017
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 19 04:19:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.29.26.1 2017/08/12 16:22:30 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.29.26.2 2017/08/19 04:19:58 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.26.1 2017/08/12 16:22:30 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.26.2 2017/08/19 04:19:58 snj Exp $");
 
 #include 
 #include 
@@ -171,8 +171,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)
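Review bot: A d_reclen of zero passes the new alignment test (0 & 3 is 0) and then reaches the hole branch just below, where `inp += reclen` and the loop's `len -= reclen` make no progress, so a file system handing back such a record leaves the loop spinning instead of failing with EIO. The same condition should enforce a minimum and a maximum, `if ((reclen & 3) || reclen < _DIRENT_MINSIZE(bdp) || reclen > len)`, using the macro vfs_getcwd.c applies in this series. The loop body continues past the hunk, so even if a later line bounds reclen against len for non-hole entries, the hole path still needs the zero check.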

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1.2.2 src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1.2.3
--- src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1.2.2	Sat Aug 12 16:22:30 2017
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 19 04:19:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.2 2017/08/12 16:22:30 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.3 2017/08/19 04:19:58 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.2 2017/08/12 16:22:30 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.3 2017/08/19 04:19:58 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -450,8 +450,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)
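Review bot: As in the compat_12 variant, the alignment-only test lets a zero d_reclen through, and the hole branch that follows advances neither inp nor len, so the loop never terminates instead of returning EIO. Rejecting `reclen < _DIRENT_MINSIZE(bdp) || reclen > len` in the same condition closes both the no-progress case and a record claiming more bytes than remain in the buffer. The rest of the loop body lies outside the hunk.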

Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.111 src/sys/compat/ibcs2/ibcs2_misc.c:1.111.22.1
--- src/sys/compat/ibcs2/ibcs2_misc.c:1.111	Thu Jun 24 13:03:06 2010
+++ src/sys/compat/ibcs2/ibcs2_misc.c	Sat Aug 19 04:19:58 2017
@@ -1,4 +1,4 @@
-/*	

CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:17:10 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: vfs_getcwd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/kern/vfs_getcwd.c: revision 1.52
Don't walk off the end of the dirent buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.22.1 src/sys/kern/vfs_getcwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_getcwd.c
diff -u src/sys/kern/vfs_getcwd.c:1.47 src/sys/kern/vfs_getcwd.c:1.47.22.1
--- src/sys/kern/vfs_getcwd.c:1.47	Tue Nov 30 10:30:02 2010
+++ src/sys/kern/vfs_getcwd.c	Sat Aug 19 04:17:10 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.47.22.1 2017/08/19 04:17:10 snj Exp $ */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47.22.1 2017/08/19 04:17:10 snj Exp $");
 
 #include 
 #include 
@@ -207,7 +207,8 @@ unionread:
 reclen = dp->d_reclen;
 
 /* check for malformed directory.. */
-if (reclen < _DIRENT_MINSIZE(dp)) {
+if (reclen < _DIRENT_MINSIZE(dp) ||
+reclen > len) {
 	error = EINVAL;
 	goto out;
 }
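Review bot: The added `reclen > len` test keeps the walk inside the buffer, but neither test relates d_reclen to d_namlen, so a record whose name length exceeds its own reclen is still accepted here; if the loop later copies d_name using d_namlen (that code is outside the hunk), add `_DIRENT_SIZE(dp) > reclen` to the same condition, assuming the `_DIRENT_SIZE` companion of `_DIRENT_MINSIZE` is available, so the name is contained in the record as well. That also keeps the "malformed directory" comment accurate for the name, not just the record header.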



CVS commit: [netbsd-6-1] src/sys/compat/ibcs2

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:13:50 UTC 2017

Modified Files:
src/sys/compat/ibcs2 [netbsd-6-1]: ibcs2_exec_coff.c ibcs2_ioctl.c
ibcs2_stat.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/compat/ibcs2/ibcs2_exec_coff.c: 1.27-1.29
sys/compat/ibcs2/ibcs2_ioctl.c: 1.46
sys/compat/ibcs2/ibcs2_stat.c: 1.49-1.50
Check for NUL termination within the buffer we have.
From Ilja Van Sprundel.
--
Make sure we have enough space in the buffer before reading it.
From Ilja Van Sprundel.
--
Make sure we move forward over the buffer.
From Ilja Van Sprundel.
--
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
From Ilja Van Sprundel.
--
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.
Nothing else guarantees the mount will stick around.
From Ilja Van Sprundel.
--
Little happy on the commit trigger.  Actually use the out label.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.28.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c
cvs rdiff -u -r1.45 -r1.45.52.1 src/sys/compat/ibcs2/ibcs2_ioctl.c
cvs rdiff -u -r1.47 -r1.47.32.1 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25.28.1
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25	Thu Jul 22 03:19:02 2010
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Sat Aug 19 04:13:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.25.28.1 2017/08/19 04:13:50 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25.28.1 2017/08/19 04:13:50 snj Exp $");
 
 #include 
 #include 
@@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 		}
 		bufp = tbuf;
 		while (len) {
+			if (len < sizeof(struct coff_slhdr)) {
+free(tbuf, M_TEMP);
+return ENOEXEC;
+			}
 			slhdr = (struct coff_slhdr *)bufp;
 
 			if (slhdr->path_index > LONG_MAX / sizeof(long) ||
@@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 			path_index = slhdr->path_index * sizeof(long);
 			entry_len = slhdr->entry_len * sizeof(long);
 
-			if (entry_len > len) {
+			if (entry_len < sizeof(struct coff_slhdr) ||
+			entry_len > len ||
+			strnlen(slhdr->sl_name, entry_len) == entry_len) {
 free(tbuf, M_TEMP);
 return ENOEXEC;
 			}
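Review bot: The strnlen bound on the last added line is the whole entry length, but sl_name does not appear to start at the beginning of the entry: the `entry_len < sizeof(struct coff_slhdr)` test implies entry_len covers the header, and path_index and entry_len (read two lines above) presumably precede sl_name in that header, so the scan can run up to the header's size past the entry and, for the last entry, past the end of tbuf. Bound the scan to the bytes that belong to the name, e.g. `size_t namelen = entry_len - offsetof(struct coff_slhdr, sl_name);` and `strnlen(slhdr->sl_name, namelen) == namelen`. The struct layout is outside this hunk, so confirm the field order before changing the arithmetic.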

Index: src/sys/compat/ibcs2/ibcs2_ioctl.c
diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.52.1
--- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45	Tue Jun 24 10:03:17 2008
+++ src/sys/compat/ibcs2/ibcs2_ioctl.c	Sat Aug 19 04:13:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $	*/
+/*	$NetBSD: ibcs2_ioctl.c,v 1.45.52.1 2017/08/19 04:13:50 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Scott Bartram
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.52.1 2017/08/19 04:13:50 snj Exp $");
 
 #include 
 #include 
@@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str
 		if ((error = (*ctl)(fp, TIOCGETA, )) != 0)
 			goto out;
 
+		memset(, 0, sizeof(sts));
 		btios2stios(, );
 		if (SCARG(uap, cmd) == IBCS2_TCGETA) {
+			memset(, 0, sizeof(st));
 			stios2stio(, );
 			error = copyout(, SCARG(uap, data), sizeof(st));
 			if (error)
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru
 
 	fd_putfile(SCARG(uap, fd));
 
+	memset(, 0, sizeof(itb));
 	itb.sg_ispeed = tb.sg_ispeed;
 	itb.sg_ospeed = tb.sg_ospeed;
 	itb.sg_erase = tb.sg_erase;

Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.32.1
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.47	Mon Jun 29 05:08:16 2009
+++ src/sys/compat/ibcs2/ibcs2_stat.c	Sat Aug 19 04:13:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.47.32.1 2017/08/19 04:13:50 snj Exp $	*/
 /*
  * Copyright (c) 1995, 1998 Scott Bartram
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.32.1 2017/08/19 04:13:50 snj Exp $");
 
 #include 
 #include 
@@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st
 		return (error);
 	mp = vp->v_mount;
 	sp = >mnt_stat;
-	vrele(vp);
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
-		return (error);
+		goto out;
 	sp->f_flag = 

CVS commit: [netbsd-6-1] src/sys/compat/svr4_32

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:02:22 UTC 2017

Modified Files:
src/sys/compat/svr4_32 [netbsd-6-1]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1481):
sys/compat/svr4_32/svr4_32_signal.c: 1.30
make it compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.26.56.1 -r1.26.56.2 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4_32/svr4_32_signal.c
diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.56.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.56.2
--- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.56.1	Sat Aug 19 03:40:48 2017
+++ src/sys/compat/svr4_32/svr4_32_signal.c	Sat Aug 19 04:02:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_32_signal.c,v 1.26.56.1 2017/08/19 03:40:48 snj Exp $	 */
+/*	$NetBSD: svr4_32_signal.c,v 1.26.56.2 2017/08/19 04:02:22 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.56.1 2017/08/19 03:40:48 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.56.2 2017/08/19 04:02:22 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_svr4.h"
@@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = (sig_t)SCARG(uap, handler);
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		error = sigaction1(l, signum, , , NULL, 0);
+		error = sigaction1(l, native_signo, , , NULL, 0);
 		if (error)
-			return (error);
+			return error;
 		*retval = (u_int)(u_long)obsa.sa_handler;
-		return (0);
+		return 0;
 
 	case SVR4_SIGHOLD_MASK:
 	sighold:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_BLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const 
 
 	case SVR4_SIGRELSE_MASK:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_UNBLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = SIG_IGN;
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		return (sigaction1(l, signum, , 0, NULL, 0));
+		return sigaction1(l, native_signo, , 0, NULL, 0);
 
 	case SVR4_SIGPAUSE_MASK:
 		mutex_enter(p->p_lock);
 		ss = l->l_sigmask;
 		mutex_exit(p->p_lock);
-		sigdelset(, signum);
-		return (sigsuspend1(l, ));
+		sigdelset(, native_signo);
+		return sigsuspend1(l, );
 
 	default:
-		return (ENOSYS);
+		return ENOSYS;
 	}
 }
 



CVS commit: [netbsd-6-1] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:40:48 UTC 2017

Modified Files:
src/sys/compat/svr4 [netbsd-6-1]: svr4_lwp.c svr4_signal.c
svr4_stream.c
src/sys/compat/svr4_32 [netbsd-6-1]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1479):
sys/compat/svr4/svr4_lwp.c: 1.20
sys/compat/svr4/svr4_signal.c: 1.67
sys/compat/svr4/svr4_stream.c: 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
From Ilja Van Sprundel.
--
Zero stack data before copyout.
From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.32.1 src/sys/compat/svr4/svr4_lwp.c
cvs rdiff -u -r1.65 -r1.65.24.1 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.79 -r1.79.22.1 src/sys/compat/svr4/svr4_stream.c
cvs rdiff -u -r1.26 -r1.26.56.1 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_lwp.c
diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.32.1
--- src/sys/compat/svr4/svr4_lwp.c:1.19	Mon Nov 23 00:46:07 2009
+++ src/sys/compat/svr4/svr4_lwp.c	Sat Aug 19 03:40:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $	*/
+/*	$NetBSD: svr4_lwp.c,v 1.19.32.1 2017/08/19 03:40:48 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.32.1 2017/08/19 03:40:48 snj Exp $");
 
 #include 
 #include 
@@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const 
 	struct svr4_lwpinfo lwpinfo;
 	int error;
 
+	memset(, 0, sizeof(lwpinfo));
+
 	/* XXX NJWLWP */
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime);
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime);

Index: src/sys/compat/svr4/svr4_signal.c
diff -u src/sys/compat/svr4/svr4_signal.c:1.65 src/sys/compat/svr4/svr4_signal.c:1.65.24.1
--- src/sys/compat/svr4/svr4_signal.c:1.65	Thu Feb  3 21:45:31 2011
+++ src/sys/compat/svr4/svr4_signal.c	Sat Aug 19 03:40:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $	 */
+/*	$NetBSD: svr4_signal.c,v 1.65.24.1 2017/08/19 03:40:48 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.24.1 2017/08/19 03:40:48 snj Exp $");
 
 #include 
 #include 
@@ -73,6 +73,21 @@ void native_to_svr4_sigaction(const stru
 extern const int native_to_svr4_signo[];
 extern const int svr4_to_native_signo[];
 
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+	if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+		return EINVAL;
+
+	if (native_signo)
+		*native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+	if (sigcall)
+		*sigcall = SVR4_SIGCALL(signum);
+
+	return 0;
+}
+
 static inline void
 svr4_sigfillset(svr4_sigset_t *s)
 {
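Review bot: The check removed from svr4_sys_signal further down in this file section rejected a native signal number of zero or below (`signum <= 0`), but svr4_decode_signum only bounds the SVR4 index against SVR4_NSIG, so index 0, or a table slot with no native equivalent if the table encodes that as 0, now reaches the callers as native_signo == 0. The sighold/sigrelse/sigpause paths then pass that value to sigaddset/sigdelset before any kernel validation, so add `if (*native_signo <= 0) return EINVAL;` after the table lookup when native_signo is requested. The contents of svr4_to_native_signo are outside the hunk, so verify how unmapped signals are represented there.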
@@ -174,6 +189,7 @@ svr4_sys_sigaction(struct lwp *l, const 
 	} */
 	struct svr4_sigaction nssa, ossa;
 	struct sigaction nbsa, obsa;
+	int native_signo;
 	int error;
 
 	if (SCARG(uap, nsa)) {
@@ -182,7 +198,12 @@ svr4_sys_sigaction(struct lwp *l, const 
 			return (error);
 		svr4_to_native_sigaction(, );
 	}
-	error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+	error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+	if (error)
+		return error;
+
+	error = sigaction1(l, native_signo,
 	SCARG(uap, nsa) ?  : 0, SCARG(uap, osa) ?  : 0,
 	NULL, 0);
 	if (error)
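Review bot: Style: the svr4_decode_signum call sits after the copyin of nsa, so a bad signal number still pays for and validates the user copy first; moving the decode and its early return ahead of the `if (SCARG(uap, nsa))` block fails fast and mirrors svr4_sys_signal below, where the decode is the first statement. The only observable difference is which error wins when both the signum and the copyin are bad. The rest of svr4_sys_sigaction is outside the hunk.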
@@ -217,16 +238,18 @@ svr4_sys_signal(struct lwp *l, const str
 		syscallarg(int) signum;
 		syscallarg(svr4_sig_t) handler;
 	} */
-	int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+	int native_signo, sigcall;
 	struct proc *p = l->l_proc;
 	struct sigaction nbsa, obsa;
 	sigset_t ss;
 	int error;
 
-	if (signum <= 0 || signum >= SVR4_NSIG)
-		return (EINVAL);
+	error = svr4_decode_signum(SCARG(uap, signum), _signo,
+	);
+	if (error)
+		return error;
 
-	switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+	switch (sigcall) {
 	case SVR4_SIGDEFER_MASK:
 		if (SCARG(uap, handler) == SVR4_SIG_HOLD)
 			goto sighold;
@@ -236,7 +259,7 @@ svr4_sys_signal(struct lwp *l, const str
 		

CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:15:55 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: bwi.c

Log Message:
`cat ~/releng/r-commit`


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.14.1 src/sys/dev/ic/bwi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/bwi.c
diff -u src/sys/dev/ic/bwi.c:1.18 src/sys/dev/ic/bwi.c:1.18.14.1
--- src/sys/dev/ic/bwi.c:1.18	Mon Oct 10 11:15:24 2011
+++ src/sys/dev/ic/bwi.c	Sat Aug 19 03:15:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $	*/
+/*	$NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $	*/
 /*	$OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $	*/
 
 /*
@@ -48,7 +48,7 @@
 
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $");
 
 #include 
 #include 
@@ -8315,7 +8315,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf
 	if (m == NULL)
 		return (ENOBUFS);
 	MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
-	if (m == NULL) {
+	if ((m->m_flags & M_EXT) == 0) {
 		error = ENOBUFS;
 
 		/*
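Review bot: The corrected test now detects a missing cluster, but the mbuf header obtained just above is not released before the error path continues; that path runs past the end of the hunk, so whichever way it leaves the function, add `m_freem(m);` beside `error = ENOBUFS;` unless the code below already frees it. The companion dm9000.c and if_et.c changes in this batch free the mbuf at exactly this point. bwi_newbuf's body continues outside the hunk.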



CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:08:02 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: dm9000.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1477):
sys/dev/ic/dm9000.c: revision 1.12
Check for MCLGET failure in dme_alloc_receive_buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.16.1 src/sys/dev/ic/dm9000.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dm9000.c
diff -u src/sys/dev/ic/dm9000.c:1.4 src/sys/dev/ic/dm9000.c:1.4.16.1
--- src/sys/dev/ic/dm9000.c:1.4	Sat Jan 28 08:29:55 2012
+++ src/sys/dev/ic/dm9000.c	Fri Aug 18 15:08:02 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dm9000.c,v 1.4 2012/01/28 08:29:55 nisimura Exp $	*/
+/*	$NetBSD: dm9000.c,v 1.4.16.1 2017/08/18 15:08:02 snj Exp $	*/
 
 /*
  * Copyright (c) 2009 Paul Fleischer
@@ -1123,8 +1123,13 @@ dme_alloc_receive_buffer(struct ifnet *i
 		sizeof(struct ether_header);
 	/* All our frames have the CRC attached */
 	m->m_flags |= M_HASFCS;
-	if (m->m_pkthdr.len + pad > MHLEN )
+	if (m->m_pkthdr.len + pad > MHLEN) {
 		MCLGET(m, M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return NULL;
+		}
+	}
 
 	m->m_data += pad;
 	m->m_len = frame_length + (frame_length % sc->sc_data_width);
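Review bot: The new block handles a failed cluster allocation, but the only size test is against MHLEN; after MCLGET the usable space is MCLBYTES, and nothing visible rejects `m->m_pkthdr.len + pad` above that, so a frame length reported by the hardware (set before the hunk) that exceeds MCLBYTES would presumably still be copied into the cluster later. Adding `if (m->m_pkthdr.len + pad > MCLBYTES) { m_freem(m); return NULL; }` inside the new block, after the M_EXT test, closes that gap. dme_alloc_receive_buffer starts before the hunk, so the origin of frame_length is not visible here.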



CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:05:29 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: dp83932.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1476):
sys/dev/ic/dp83932.c: revision 1.41
Plug mbuf leak on MCLGET failure in sonic_rxintr.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.28.1 src/sys/dev/ic/dp83932.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dp83932.c
diff -u src/sys/dev/ic/dp83932.c:1.35 src/sys/dev/ic/dp83932.c:1.35.28.1
--- src/sys/dev/ic/dp83932.c:1.35	Sat Nov 13 13:52:00 2010
+++ src/sys/dev/ic/dp83932.c	Fri Aug 18 15:05:29 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $	*/
+/*	$NetBSD: dp83932.c,v 1.35.28.1 2017/08/18 15:05:29 snj Exp $	*/
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35.28.1 2017/08/18 15:05:29 snj Exp $");
 
 
 #include 
@@ -785,8 +785,10 @@ sonic_rxintr(struct sonic_softc *sc)
 goto dropit;
 			if (len > (MHLEN - 2)) {
 MCLGET(m, M_DONTWAIT);
-if ((m->m_flags & M_EXT) == 0)
+if ((m->m_flags & M_EXT) == 0) {
+	m_freem(m);
 	goto dropit;
+}
 			}
 			m->m_data += 2;
 			/*
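Review bot: m_freem before `goto dropit` is the right fix for the leak, but the dropit label is outside the hunk; if that path touches m at all (the earlier `goto dropit` above the MCLGET presumably follows a failed MGETHDR and so runs with m == NULL), set `m = NULL;` after the free so both entries to dropit see the same state and a later use of the freed pointer is ruled out. The i82596 and ipw changes in this batch clear the pointer after each m_freem for the same reason.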



CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:03:04 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: i82596.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1475):
sys/dev/ic/i82596.c: revision 1.37
Null out sc_rx_mbuf[i] after m_freem to avoid double-free later.
From Ilja Van Sprundel.
Also null out sc_tx_mbuf[i] after m_freem, out of paranoia.
XXX Not entirely clear to how tx mbufs are freed, but no way to test
this since it's ews4800mips- and hp700-only, so not keen to make any
more elaborate changes...


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.28.1 src/sys/dev/ic/i82596.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/i82596.c
diff -u src/sys/dev/ic/i82596.c:1.29 src/sys/dev/ic/i82596.c:1.29.28.1
--- src/sys/dev/ic/i82596.c:1.29	Mon Apr  5 07:19:35 2010
+++ src/sys/dev/ic/i82596.c	Fri Aug 18 15:03:03 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $ */
+/* $NetBSD: i82596.c,v 1.29.28.1 2017/08/18 15:03:03 snj Exp $ */
 
 /*
  * Copyright (c) 2003 Jochen Kunz.
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29.28.1 2017/08/18 15:03:03 snj Exp $");
 
 /* autoconfig and device stuff */
 #include 
@@ -754,6 +754,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -763,6 +764,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf "
 "cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 m_freem(m);
 t--;
 continue;
@@ -778,6 +780,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't load TX DMA map\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -927,6 +930,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't allocate mbuf"
 " cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -940,6 +944,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't create RX "
 "DMA map\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -949,6 +954,7 @@ iee_init(struct ifnet *ifp)
 			device_xname(sc->sc_dev));
 			bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]);
 			m_freem(sc->sc_rx_mbuf[r]);
+			sc->sc_rx_mbuf[r] = NULL;
 			err = 1;
 			break;
 		}
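Review bot: In the last hunk the RX DMA map is destroyed but sc->sc_rx_map[r] keeps the stale handle while the mbuf slot beside it is now cleared; if the error unwind that follows `err = 1` (outside the hunk) walks sc_rx_map and destroys non-NULL entries, this slot is destroyed twice. Add `sc->sc_rx_map[r] = NULL;` after the bus_dmamap_destroy call, matching the treatment the if_ipw change in this batch gives sbuf->map. The `m_freem(...); ... = NULL;` pair now appears six times in this file, so a small static helper would keep the two statements from drifting apart.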



CVS commit: [netbsd-6-1] src/sys/dev/pci

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:00:32 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6-1]: if_et.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1474):
sys/dev/pci/if_et.c: revision 1.15
Check for MCLGET failure in et_newbuf.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.3.2.1 -r1.3.2.1.2.1 src/sys/dev/pci/if_et.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_et.c
diff -u src/sys/dev/pci/if_et.c:1.3.2.1 src/sys/dev/pci/if_et.c:1.3.2.1.2.1
--- src/sys/dev/pci/if_et.c:1.3.2.1	Mon Nov 19 18:41:59 2012
+++ src/sys/dev/pci/if_et.c	Fri Aug 18 15:00:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_et.c,v 1.3.2.1 2012/11/19 18:41:59 riz Exp $	*/
+/*	$NetBSD: if_et.c,v 1.3.2.1.2.1 2017/08/18 15:00:32 snj Exp $	*/
 /*	$OpenBSD: if_et.c,v 1.11 2008/06/08 06:18:07 jsg Exp $	*/
 /*
  * Copyright (c) 2007 The DragonFly Project.  All rights reserved.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.3.2.1 2012/11/19 18:41:59 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.3.2.1.2.1 2017/08/18 15:00:32 snj Exp $");
 
 #include "opt_inet.h"
 #include "vlan.h"
@@ -2048,6 +2048,10 @@ et_newbuf(struct et_rxbuf_data *rbd, int
 		if (m == NULL)
 			return (ENOBUFS);
 		MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return (ENOBUFS);
+		}
 		len = MCLBYTES;
 	} else {
 		MGETHDR(m, init ? M_WAITOK : M_DONTWAIT, MT_DATA);



CVS commit: [netbsd-6-1] src/sys/dev/pci

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 14:57:55 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6-1]: if_ipw.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1473):
sys/dev/pci/if_ipw.c: revision 1.65 via patch
Null out sbuf->m on failure to avoid double-free later.
From Ilja Van Sprundel.
Also null out sbuf->map out of paranoia.


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.53.10.1 src/sys/dev/pci/if_ipw.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_ipw.c
diff -u src/sys/dev/pci/if_ipw.c:1.53 src/sys/dev/pci/if_ipw.c:1.53.10.1
--- src/sys/dev/pci/if_ipw.c:1.53	Mon Jan 30 19:41:20 2012
+++ src/sys/dev/pci/if_ipw.c	Fri Aug 18 14:57:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $	*/
+/*	$NetBSD: if_ipw.c,v 1.53.10.1 2017/08/18 14:57:55 snj Exp $	*/
 /*	FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp 	*/
 
 /*-
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53.10.1 2017/08/18 14:57:55 snj Exp $");
 
 /*-
  * Intel(R) PRO/Wireless 2100 MiniPCI driver
@@ -590,6 +590,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		MCLGET(sbuf->m, M_DONTWAIT);
 		if (!(sbuf->m->m_flags & M_EXT)) {
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(>sc_dev, "could not allocate rx mbuf cluster\n");
 			error = ENOMEM;
 			goto fail;
@@ -602,6 +603,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		if (error != 0) {
 			aprint_error_dev(>sc_dev, "could not create rxbuf dma map\n");
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			goto fail;
 		}
 
@@ -609,7 +611,9 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		sbuf->m, BUS_DMA_READ | BUS_DMA_NOWAIT);
 		if (error != 0) {
 			bus_dmamap_destroy(sc->sc_dmat, sbuf->map);
+			sbuf->map = NULL;
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(>sc_dev, "could not map rxbuf dma memory\n");
 			goto fail;
 		}



CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 14:52:43 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: kern_malloc.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1465):
sys/kern/kern_malloc.c: revision 1.146
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.138.8.1 src/sys/kern/kern_malloc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.138 src/sys/kern/kern_malloc.c:1.138.8.1
--- src/sys/kern/kern_malloc.c:1.138	Mon Feb  6 12:13:44 2012
+++ src/sys/kern/kern_malloc.c	Fri Aug 18 14:52:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $	*/
+/*	$NetBSD: kern_malloc.c,v 1.138.8.1 2017/08/18 14:52:43 snj Exp $	*/
 
 /*
  * Copyright (c) 1987, 1991, 1993
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138.8.1 2017/08/18 14:52:43 snj Exp $");
 
 #include 
 #include 
@@ -113,7 +113,10 @@ kern_malloc(unsigned long size, struct m
 	void *p;
 
 	if (size >= PAGE_SIZE) {
-		allocsize = PAGE_SIZE + size; /* for page alignment */
+		if (size > (ULONG_MAX-PAGE_SIZE))
+			allocsize = ULONG_MAX;	/* this will fail later */
+		else
+			allocsize = PAGE_SIZE + size; /* for page alignment */
 		hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
 	} else {
 		allocsize = sizeof(struct malloc_header) + size;
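Review bot: The ULONG_MAX sentinel at the top of the hunk defers the failure to the allocator it feeds ("this will fail later") instead of rejecting the request here; if the backing allocator under M_WAITOK asserts or sleeps on an unsatisfiable size rather than returning NULL, an immediate `return NULL;` would be clearer and cheaper. That allocator call is below the hunk, so this is worth confirming rather than assuming. Either way the comment should say what is expected to fail, e.g. `/* unsatisfiable request; let the backing allocator reject ULONG_MAX */`. The rest of kern_malloc lies outside the hunk.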



CVS commit: [netbsd-6-1] src/sys/arch/mac68k/nubus

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:36:20 UTC 2017

Modified Files:
src/sys/arch/mac68k/nubus [netbsd-6-1]: if_netdock_nubus.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1472):
sys/arch/mac68k/nubus/if_netdock_nubus.c: revision 1.26
Avoid memory leak in netdock_get.
If top is null, this is the first time through and nothing else will
free m.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.22.1 src/sys/arch/mac68k/nubus/if_netdock_nubus.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mac68k/nubus/if_netdock_nubus.c
diff -u src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21 src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21.22.1
--- src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.21	Mon Apr  5 07:19:30 2010
+++ src/sys/arch/mac68k/nubus/if_netdock_nubus.c	Sat Aug 12 16:36:20 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_netdock_nubus.c,v 1.21 2010/04/05 07:19:30 joerg Exp $	*/
+/*	$NetBSD: if_netdock_nubus.c,v 1.21.22.1 2017/08/12 16:36:20 snj Exp $	*/
 
 /*
  * Copyright (C) 2000,2002 Daishi Kato 
@@ -43,7 +43,7 @@
 /***/
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.21 2010/04/05 07:19:30 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.21.22.1 2017/08/12 16:36:20 snj Exp $");
 
 #include 
 #include 
@@ -803,6 +803,8 @@ netdock_get(struct netdock_softc *sc, in
 			if ((m->m_flags & M_EXT) == 0) {
 if (top)
 	m_freem(top);
+else
+	m_freem(m);
 return (NULL);
 			}
 			len = MCLBYTES;
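Review bot: The new `else m_freem(m);` branch relies on m already being linked into top's chain whenever top is non-NULL, so that `m_freem(top)` releases it too; that invariant is established above this hunk (netdock_get starts before it) and is worth stating at the point of use: `/* m is already chained onto top; freeing top frees m as well */`. The same comment applies to the sonic_get hunk in if_sn.c ending at L5290.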



CVS commit: [netbsd-6-1] src/sys/arch/newsmips/apbus

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:29:24 UTC 2017

Modified Files:
src/sys/arch/newsmips/apbus [netbsd-6-1]: if_sn.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1471):
sys/arch/newsmips/apbus/if_sn.c: revision 1.39
Avoid memory leak in sonic_get.
If this is the first time around, top is null and nothing else will
free m.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.33.22.1 src/sys/arch/newsmips/apbus/if_sn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/newsmips/apbus/if_sn.c
diff -u src/sys/arch/newsmips/apbus/if_sn.c:1.33 src/sys/arch/newsmips/apbus/if_sn.c:1.33.22.1
--- src/sys/arch/newsmips/apbus/if_sn.c:1.33	Mon Apr  5 07:19:31 2010
+++ src/sys/arch/newsmips/apbus/if_sn.c	Sat Aug 12 16:29:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_sn.c,v 1.33 2010/04/05 07:19:31 joerg Exp $	*/
+/*	$NetBSD: if_sn.c,v 1.33.22.1 2017/08/12 16:29:24 snj Exp $	*/
 
 /*
  * National Semiconductor  DP8393X SONIC Driver
@@ -16,7 +16,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.33 2010/04/05 07:19:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.33.22.1 2017/08/12 16:29:24 snj Exp $");
 
 #include "opt_inet.h"
 
@@ -1093,7 +1093,10 @@ sonic_get(struct sn_softc *sc, void *pkt
 		if (datalen >= MINCLSIZE) {
 			MCLGET(m, M_DONTWAIT);
 			if ((m->m_flags & M_EXT) == 0) {
-if (top) m_freem(top);
+if (top)
+	m_freem(top);
+else
+	m_freem(m);
 return 0;
 			}
 			len = MCLBYTES;



CVS commit: [netbsd-6-1] src/sys/dev/usb

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:27:22 UTC 2017

Modified Files:
src/sys/dev/usb [netbsd-6-1]: if_ural.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1470):
sys/dev/usb/if_ural.c: revision 1.52
Free the RX list if ural_alloc_rx_list fails part way through.
Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.8.1 src/sys/dev/usb/if_ural.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/if_ural.c
diff -u src/sys/dev/usb/if_ural.c:1.39 src/sys/dev/usb/if_ural.c:1.39.8.1
--- src/sys/dev/usb/if_ural.c:1.39	Fri Dec 23 00:51:44 2011
+++ src/sys/dev/usb/if_ural.c	Sat Aug 12 16:27:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ural.c,v 1.39 2011/12/23 00:51:44 jakllsch Exp $ */
+/*	$NetBSD: if_ural.c,v 1.39.8.1 2017/08/12 16:27:22 snj Exp $ */
 /*	$FreeBSD: /repoman/r/ncvs/src/sys/dev/usb/if_ural.c,v 1.40 2006/06/02 23:14:40 sam Exp $	*/
 
 /*-
@@ -24,7 +24,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.39 2011/12/23 00:51:44 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.39.8.1 2017/08/12 16:27:22 snj Exp $");
 
 
 #include 
@@ -678,7 +678,7 @@ ural_alloc_rx_list(struct ural_softc *sc
 
 	return 0;
 
-fail:	ural_free_tx_list(sc);
+fail:	ural_free_rx_list(sc);
 	return error;
 }
 
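Review bot: The corrected `fail:` target now frees a receive list that is only partially populated when ural_alloc_rx_list bails part way through its allocation loop, so ural_free_rx_list has to tolerate entries whose transfer handle and mbuf were never allocated. That routine and the loop are outside the hunk, so this is inferred; worth confirming it NULL-checks each member before releasing it and that the entries are zero-initialised before the loop.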



CVS commit: [netbsd-6-1] src/sys/compat

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:22:31 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6-1]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/sys [netbsd-6-1]: dirent.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1469):
sys/compat/common/vfs_syscalls_12.c: revision 1.30
sys/compat/common/vfs_syscalls_43.c: revision 1.56
sys/compat/sys/dirent.h: revision 1.3
It is wishful thinking that vn_readdir will return dirent12 structures.
--
Fix the compat-4.3 getdirentries call (pre d_type). This is used in NetBSD-0.9.
--
add a struct for the 4.3BSD struct direct


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.26.1 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.14.1.2.1 -r1.54.14.1.2.2 \
src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.2 -r1.2.134.1 src/sys/compat/sys/dirent.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29 src/sys/compat/common/vfs_syscalls_12.c:1.29.26.1
--- src/sys/compat/common/vfs_syscalls_12.c:1.29	Wed Jan 19 10:21:16 2011
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 12 16:22:30 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.29.26.1 2017/08/12 16:22:30 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29 2011/01/19 10:21:16 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.26.1 2017/08/12 16:22:30 snj Exp $");
 
 #include 
 #include 
@@ -56,6 +56,7 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls
 #include 
 
 #include 
+#include 
 
 /*
  * Convert from a new to an old stat structure.
@@ -96,28 +97,140 @@ compat_12_sys_getdirentries(struct lwp *
 		syscallarg(u_int) count;
 		syscallarg(long *) basep;
 	} */
+	struct dirent *bdp;
+	struct vnode *vp;
+	char *inp, *tbuf;		/* Current-format */
+	int len, reclen;		/* Current-format */
+	char *outp;			/* Dirent12-format */
+	int resid, old_reclen = 0;	/* Dirent12-format */
 	struct file *fp;
-	int error, done;
+	struct uio auio;
+	struct iovec aiov;
+	struct dirent12 idb;
+	off_t off;		/* true file offset */
+	int buflen, error, eofflag, nbytes;
+	struct vattr va;
+	off_t *cookiebuf = NULL, *cookie;
+	int ncookies;
 	long loff;
-
+		 
 	/* fd_getvnode() will use the descriptor for us */
 	if ((error = fd_getvnode(SCARG(uap, fd), )) != 0)
-		return error;
+		return (error);
+
 	if ((fp->f_flag & FREAD) == 0) {
 		error = EBADF;
-		goto out;
+		goto out1;
+	}
+
+	vp = (struct vnode *)fp->f_data;
+	if (vp->v_type != VDIR) {
+		error = ENOTDIR;
+		goto out1;
 	}
 
+	vn_lock(vp, LK_SHARED | LK_RETRY);
+	error = VOP_GETATTR(vp, , l->l_cred);
+	VOP_UNLOCK(vp);
+	if (error)
+		goto out1;
+
 	loff = fp->f_offset;
+	nbytes = SCARG(uap, count);
+	buflen = min(MAXBSIZE, nbytes);
+	if (buflen < va.va_blocksize)
+		buflen = va.va_blocksize;
+	tbuf = malloc(buflen, M_TEMP, M_WAITOK);
+
+	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
+	off = fp->f_offset;
+again:
+	aiov.iov_base = tbuf;
+	aiov.iov_len = buflen;
+	auio.uio_iov = 
+	auio.uio_iovcnt = 1;
+	auio.uio_rw = UIO_READ;
+	auio.uio_resid = buflen;
+	auio.uio_offset = off;
+	UIO_SETUP_SYSSPACE();
+	/*
+ * First we read into the malloc'ed buffer, then
+ * we massage it into user space, one record at a time.
+ */
+	error = VOP_READDIR(vp, , fp->f_cred, , ,
+	);
+	if (error)
+		goto out;
+
+	inp = tbuf;
+	outp = SCARG(uap, buf);
+	resid = nbytes;
+	if ((len = buflen - auio.uio_resid) == 0)
+		goto eof;
+
+	for (cookie = cookiebuf; len > 0; len -= reclen) {
+		bdp = (struct dirent *)inp;
+		reclen = bdp->d_reclen;
+		if (reclen & 3)
+			panic(__func__);
+		if (bdp->d_fileno == 0) {
+			inp += reclen;	/* it is a hole; squish it out */
+			if (cookie)
+off = *cookie++;
+			else
+off += reclen;
+			continue;
+		}
+		old_reclen = _DIRENT_RECLEN(, bdp->d_namlen);
+		if (reclen > len || resid < old_reclen) {
+			/* entry too big for buffer, so just stop */
+			outp++;
+			break;
+		}
+		/*
+		 * Massage in place to make a Dirent12-shaped dirent (otherwise
+		 * we have to worry about touching user memory outside of
+		 * the copyout() call).
+		 */
+		idb.d_fileno = (uint32_t)bdp->d_fileno;
+		idb.d_reclen = (uint16_t)old_reclen;
+		idb.d_type = (uint8_t)bdp->d_type;
+		idb.d_namlen = (uint8_t)bdp->d_namlen;
+		strcpy(idb.d_name, bdp->d_name);
+		if ((error = copyout(, outp, old_reclen)))
+			goto out;
+		/* advance past this real entry */
+		inp += reclen;
+		if (cookie)
+			off = *cookie++; /* each entry points to itself */
+		else
+			off += reclen;
+		/* advance output past Dirent12-shaped entry */
+		outp += old_reclen;
+		resid -= old_reclen;
+	}
 
-	error = 

CVS commit: [netbsd-6-1] src/sys/arch

2017-08-08 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Aug  8 11:59:16 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6-1]: locore.S machdep.c trap.c
src/sys/arch/i386/i386 [netbsd-6-1]: locore.S machdep.c trap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1464):

sys/arch/i386/i386/trap.c: revision 1.288   (patch)
sys/arch/i386/i386/machdep.c:  revision 1.783   (patch)
sys/arch/i386/i386/locore.S:   revision 1.146   (patch)
sys/arch/amd64/amd64/locore.S: revision 1.122,1.124 (patch)
sys/arch/amd64/amd64/machdep.c revision 1.254   (patch)
sys/arch/amd64/amd64/trap.c:   revision 1.95-1.96   (patch)

Remove the osyscall call gate and emulate it. There is a
one-instruction race in it that could panic the kernel.

Restore the ability to run netbsd 1.0 32-bit executables by checking
for the relevant lcall instruction in the trap handler and treating it
as a syscall.


To generate a diff of this commit:
cvs rdiff -u -r1.66.2.1 -r1.66.2.1.6.1 src/sys/arch/amd64/amd64/locore.S
cvs rdiff -u -r1.175.2.8 -r1.175.2.8.2.1 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.69.2.1.6.1 -r1.69.2.1.6.2 src/sys/arch/amd64/amd64/trap.c
cvs rdiff -u -r1.95.10.3 -r1.95.10.3.2.1 src/sys/arch/i386/i386/locore.S
cvs rdiff -u -r1.717.2.7 -r1.717.2.7.6.1 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.262.14.1 -r1.262.14.2 src/sys/arch/i386/i386/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/locore.S
diff -u src/sys/arch/amd64/amd64/locore.S:1.66.2.1 src/sys/arch/amd64/amd64/locore.S:1.66.2.1.6.1
--- src/sys/arch/amd64/amd64/locore.S:1.66.2.1	Fri Apr 20 23:32:14 2012
+++ src/sys/arch/amd64/amd64/locore.S	Tue Aug  8 11:59:16 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.66.2.1 2012/04/20 23:32:14 riz Exp $	*/
+/*	$NetBSD: locore.S,v 1.66.2.1.6.1 2017/08/08 11:59:16 martin Exp $	*/
 
 /*
  * Copyright-o-rama!
@@ -1209,26 +1209,6 @@ NENTRY(child_trampoline)
 	.globl  _C_LABEL(osyscall_return)
 
 /*
- * oosyscall()
- *
- * Old call gate entry for syscall. only needed if we're
- * going to support running old i386 NetBSD 1.0 or ibcs2 binaries, etc,
- * on NetBSD/amd64.
- * The 64bit call gate can't request that arguments be copied from the
- * user stack (which the i386 code uses to get a gap for the flags).
- * push/pop are :: cycles.
- */
-IDTVEC(oosyscall)
-	/* Set rflags in trap frame. */
-	pushq	(%rsp)		# move user's %eip
-	pushq	16(%rsp)	# and %cs
-	popq	8(%rsp)
-	pushfq
-	popq	16(%rsp)
-	pushq	$7		# size of instruction for restart
-	jmp	osyscall1
-
-/*
  * osyscall()
  *
  * Trap gate entry for int $80 syscall, also used by sigreturn.
@@ -1240,7 +1220,6 @@ IDTVEC(osyscall)
 	addq $0x10,%rsp
 #endif
 	pushq	$2		# size of instruction for restart
-osyscall1:
 	pushq	$T_ASTFLT	# trap # for doing ASTs
 	INTRENTRY
 	STI(si)

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.8 src/sys/arch/amd64/amd64/machdep.c:1.175.2.8.2.1
--- src/sys/arch/amd64/amd64/machdep.c:1.175.2.8	Sat Apr 20 09:59:39 2013
+++ src/sys/arch/amd64/amd64/machdep.c	Tue Aug  8 11:59:16 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.175.2.8 2013/04/20 09:59:39 bouyer Exp $	*/
+/*	$NetBSD: machdep.c,v 1.175.2.8.2.1 2017/08/08 11:59:16 martin Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8 2013/04/20 09:59:39 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8.2.1 2017/08/08 11:59:16 martin Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -1575,7 +1575,6 @@ typedef void (vector)(void);
 extern vector IDTVEC(syscall);
 extern vector IDTVEC(syscall32);
 extern vector IDTVEC(osyscall);
-extern vector IDTVEC(oosyscall);
 extern vector *IDTVEC(exceptions)[];
 
 static void
@@ -1838,10 +1837,7 @@ init_x86_64(paddr_t first_avail)
 	set_mem_segment(GDT_ADDR_MEM(gdtstore, GUDATA_SEL), 0,
 	x86_btop(VM_MAXUSER_ADDRESS) - 1, SDT_MEMRWA, SEL_UPL, 1, 0, 1);
 
-	/* make ldt gates and memory segments */
-	setgate((struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL),
-	(oosyscall), 0, SDT_SYS386CGT, SEL_UPL,
-	GSEL(GCODE_SEL, SEL_KPL));
+	/* make ldt memory segments */
 	*(struct mem_segment_descriptor *)(ldtstore + LUCODE_SEL) =
 	*GDT_ADDR_MEM(gdtstore, GUCODE_SEL);
 	*(struct mem_segment_descriptor *)(ldtstore + LUDATA_SEL) =
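Review bot: With the setgate call removed, the LDT slot at LSYS5CALLS_SEL is no longer written anywhere in this hunk; the safe outcome is a not-present descriptor, which holds only if ldtstore is zero-filled before this point, and that allocation is outside the hunk. A short comment would record the intent: `/* LSYS5CALLS_SEL is left not-present; the old call gate is emulated in trap() */`. The rest of init_x86_64 lies outside the hunk.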
@@ -1873,16 +1869,6 @@ init_x86_64(paddr_t first_avail)
 	set_mem_segment(ldt_segp, 0, x86_btop(VM_MAXUSER_ADDRESS32) - 1,
 	SDT_MEMRWA, SEL_UPL, 1, 1, 0);
 
-	/*
-	 * Other entries.
-	 */
-	memcpy((struct gate_descriptor *)(ldtstore + LSOL26CALLS_SEL),
-	(struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL),
-	sizeof (struct gate_descriptor));
-	memcpy((struct gate_descriptor 

CVS commit: [netbsd-6-1] src/sys/dev

2017-07-20 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Jul 21 04:02:34 UTC 2017

Modified Files:
src/sys/dev [netbsd-6-1]: cgd.c

Log Message:
Apply patch (requested by chs in ticket #1455):
Avoid crashes by checking if a cgd device has been configured before
processing most ioctls, and failing with ENXIO if the device is not
configured.


To generate a diff of this commit:
cvs rdiff -u -r1.76 -r1.76.12.1 src/sys/dev/cgd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/cgd.c
diff -u src/sys/dev/cgd.c:1.76 src/sys/dev/cgd.c:1.76.12.1
--- src/sys/dev/cgd.c:1.76	Sun Nov 13 23:03:24 2011
+++ src/sys/dev/cgd.c	Fri Jul 21 04:02:34 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: cgd.c,v 1.76 2011/11/13 23:03:24 christos Exp $ */
+/* $NetBSD: cgd.c,v 1.76.12.1 2017/07/21 04:02:34 snj Exp $ */
 
 /*-
  * Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.76 2011/11/13 23:03:24 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.76.12.1 2017/07/21 04:02:34 snj Exp $");
 
 #include 
 #include 
@@ -549,12 +549,16 @@ cgdioctl(dev_t dev, u_long cmd, void *da
 		 */
 		if ((flag & FWRITE) == 0)
 			return (EBADF);
+		if ((dksc->sc_flags & DKF_INITED) == 0)
+			return ENXIO;
 
 		/*
 		 * We pass this call down to the underlying disk.
 		 */
 		return VOP_IOCTL(cs->sc_tvn, cmd, data, flag, l->l_cred);
 	default:
+		if ((dksc->sc_flags & DKF_INITED) == 0)
+			return ENXIO;
 		return dk_ioctl(di, dksc, dev, cmd, data, flag, l);
 	}
 }
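Review bot: The DKF_INITED tests added before the VOP_IOCTL pass-through and in the default case read dksc->sc_flags with no lock visible in the hunk; if an unconfigure ioctl can run concurrently and clear the flag, the test can pass just before cs->sc_tvn is torn down, so the check closes the common crash but not that window. Worth confirming what serialises cgdioctl against unconfigure, which is outside the hunk. On style, the new `return ENXIO;` sits next to `return (EBADF);`; pick one form within the function.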



CVS commit: [netbsd-6-1] src/sys/kern

2017-07-06 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul  6 15:19:01 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: subr_xcall.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1419):
sys/kern/subr_xcall.c: revision 1.19
Fix a race condition of low priority xcall
xc_lowpri and xc_thread are racy and xc_wait may return during/before
executing all xcall callbacks, resulting in a kernel panic at worst.
xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall
callbacks are done, xc_wait returns and also xc_lowpri accepts a next job.
The problem is that a counter that counts the number of finished xcall
callbacks is incremented *before* actually executing a xcall callback
(see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before
all xcall callbacks complete and a next job begins to run its xcall callbacks.
Even worse the counter is global and shared between jobs, so if a xcall
callback of the next job completes, the shared counter is incremented,
which confuses xc_wait of the previous job as all xcall callbacks of the
previous job are done and xc_wait of the previous job returns during/before
executing its xcall callbacks.
How to fix: there are actually two counters that count the number of finished
xcall callbacks for low priority xcall for historical reasons (I guess):
xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly
while xc_tailp is incremented wrongly, i.e., before executing a xcall callback.
We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep.
PR kern/51632


To generate a diff of this commit:
cvs rdiff -u -r1.13.10.1 -r1.13.10.1.2.1 src/sys/kern/subr_xcall.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_xcall.c
diff -u src/sys/kern/subr_xcall.c:1.13.10.1 src/sys/kern/subr_xcall.c:1.13.10.1.2.1
--- src/sys/kern/subr_xcall.c:1.13.10.1	Sat Apr 20 10:05:22 2013
+++ src/sys/kern/subr_xcall.c	Thu Jul  6 15:19:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $	*/
+/*	$NetBSD: subr_xcall.c,v 1.13.10.1.2.1 2017/07/06 15:19:01 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007-2010 The NetBSD Foundation, Inc.
@@ -74,7 +74,7 @@
  */
  
 #include 
-__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.1 2013/04/20 10:05:22 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_xcall.c,v 1.13.10.1.2.1 2017/07/06 15:19:01 snj Exp $");
 
 #include 
 #include 
@@ -101,7 +101,6 @@ typedef struct {
 
 /* Low priority xcall structures. */
 static xc_state_t	xc_low_pri	__cacheline_aligned;
-static uint64_t		xc_tailp	__cacheline_aligned;
 
 /* High priority xcall structures. */
 static xc_state_t	xc_high_pri	__cacheline_aligned;
@@ -131,7 +130,6 @@ xc_init(void)
 	memset(xclo, 0, sizeof(xc_state_t));
 	mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_NONE);
 	cv_init(>xc_busy, "xclocv");
-	xc_tailp = 0;
 
 	memset(xchi, 0, sizeof(xc_state_t));
 	mutex_init(>xc_lock, MUTEX_DEFAULT, IPL_SOFTCLOCK);
@@ -253,7 +251,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
 	uint64_t where;
 
 	mutex_enter(>xc_lock);
-	while (xc->xc_headp != xc_tailp) {
+	while (xc->xc_headp != xc->xc_donep) {
 		cv_wait(>xc_busy, >xc_lock);
 	}
 	xc->xc_arg1 = arg1;
@@ -274,7 +272,7 @@ xc_lowpri(xcfunc_t func, void *arg1, voi
 		ci->ci_data.cpu_xcall_pending = true;
 		cv_signal(>ci_data.cpu_xcall);
 	}
-	KASSERT(xc_tailp < xc->xc_headp);
+	KASSERT(xc->xc_donep < xc->xc_headp);
 	where = xc->xc_headp;
 	mutex_exit(>xc_lock);
 
@@ -299,7 +297,7 @@ xc_thread(void *cookie)
 	mutex_enter(>xc_lock);
 	for (;;) {
 		while (!ci->ci_data.cpu_xcall_pending) {
-			if (xc->xc_headp == xc_tailp) {
+			if (xc->xc_headp == xc->xc_donep) {
 cv_broadcast(>xc_busy);
 			}
 			cv_wait(>ci_data.cpu_xcall, >xc_lock);
@@ -309,7 +307,6 @@ xc_thread(void *cookie)
 		func = xc->xc_func;
 		arg1 = xc->xc_arg1;
 		arg2 = xc->xc_arg2;
-		xc_tailp++;
 		mutex_exit(>xc_lock);
 
 		KASSERT(func != NULL);
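Review bot: Dropping `xc_tailp++` at the top of the hunk makes xc->xc_donep the only completion counter, so the fix is correct only if xc_donep is incremented after func() returns and while xc_lock is held; that increment is below this hunk and not visible. A comment at the removal point would pin the invariant: `/* completion is recorded in xc_donep only after func() returns, under xc_lock */`. The hunks ending at L5823 and L5832 make xc_lowpri wait on and assert against the same counter, so they inherit this assumption. xc_thread's loop body continues beyond the hunk.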



CVS commit: [netbsd-6-1] src/sys

2017-06-15 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jun 15 06:02:58 UTC 2017

Modified Files:
src/sys/arch/ews4800mips/sbd [netbsd-6-1]: fb_sbdio.c
src/sys/arch/pmax/ibus [netbsd-6-1]: pm.c
src/sys/dev/hpc [netbsd-6-1]: bivideo.c
src/sys/dev/ic [netbsd-6-1]: sti.c

Log Message:
Pull up following revision(s) (requested by spz in ticket #1456):
sys/arch/ews4800mips/sbd/fb_sbdio.c: revision 1.16
sys/arch/pmax/ibus/pm.c: revision 1.13
sys/dev/hpc/bivideo.c: revision 1.34
sys/dev/ic/sti.c: revision 1.19
correct size checks so they cannot be circumvented by integer overflows
reported by CTurt, thanks for the notification


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.16.1 src/sys/arch/ews4800mips/sbd/fb_sbdio.c
cvs rdiff -u -r1.11 -r1.11.16.1 src/sys/arch/pmax/ibus/pm.c
cvs rdiff -u -r1.32 -r1.32.22.1 src/sys/dev/hpc/bivideo.c
cvs rdiff -u -r1.16 -r1.16.22.1 src/sys/dev/ic/sti.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/ews4800mips/sbd/fb_sbdio.c
diff -u src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12 src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12.16.1
--- src/sys/arch/ews4800mips/sbd/fb_sbdio.c:1.12	Wed Jan 11 21:17:33 2012
+++ src/sys/arch/ews4800mips/sbd/fb_sbdio.c	Thu Jun 15 06:02:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $	*/
+/*	$NetBSD: fb_sbdio.c,v 1.12.16.1 2017/06/15 06:02:57 snj Exp $	*/
 
 /*-
  * Copyright (c) 2004, 2005 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #define WIRED_FB_TLB
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12 2012/01/11 21:17:33 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fb_sbdio.c,v 1.12.16.1 2017/06/15 06:02:57 snj Exp $");
 
 #include 
 #include 
@@ -304,6 +304,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd,
 		if (ri->ri_flg == RI_FORCEMONO)
 			break;
 		ga_clut_get(ga);
+		if (cmap->index >= 256 || cmap->count > 256 - cmap->index)
+			return (EINVAL);
 		for (i = 0; i < cmap->count; i++) {
 			cmap->red[i] = ga->clut[cmap->index + i][0];
 			cmap->green[i] = ga->clut[cmap->index + i][1];
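Review bot: The new range check at L5910 runs after `ga_clut_get(ga)` has already been called, so a rejected request still pays for the hardware CLUT read; placing the check above `ga_clut_get(ga);` rejects bad input before any device access. The rewritten bound `count > 256 - index` is overflow-free only because cmap->index and cmap->count are unsigned, and 256 mirrors the clut array dimension declared outside the hunk; a comment such as `/* index/count are unsigned; bound without forming index+count */` keeps that from being lost. The PUTCMAP hunk ending at L5923 has the same shape. _fb_ioctl starts before the hunk.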
@@ -314,6 +316,8 @@ _fb_ioctl(void *v, void *vs, u_long cmd,
 	case WSDISPLAYIO_PUTCMAP:
 		if (ri->ri_flg == RI_FORCEMONO)
 			break;
+		if (cmap->index >= 256 || cmap->count > 256 - cmap->index)
+			return (EINVAL);
 		for (i = 0; i < cmap->count; i++) {
 			ga->clut[cmap->index + i][0] = cmap->red[i];
 			ga->clut[cmap->index + i][1] = cmap->green[i];

Index: src/sys/arch/pmax/ibus/pm.c
diff -u src/sys/arch/pmax/ibus/pm.c:1.11 src/sys/arch/pmax/ibus/pm.c:1.11.16.1
--- src/sys/arch/pmax/ibus/pm.c:1.11	Wed Jan 11 21:17:33 2012
+++ src/sys/arch/pmax/ibus/pm.c	Thu Jun 15 06:02:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $	*/
+/*	$NetBSD: pm.c,v 1.11.16.1 2017/06/15 06:02:57 snj Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11 2012/01/11 21:17:33 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pm.c,v 1.11.16.1 2017/06/15 06:02:57 snj Exp $");
 
 #include 
 #include 
@@ -668,7 +668,7 @@ pm_get_cmap(struct pm_softc *sc, struct 
 	index = p->index;
 	count = p->count;
 
-	if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size)
+	if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index)
 		return (EINVAL);
 
 	if ((rv = copyout(>sc_cmap.r[index], p->red, count)) != 0)
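Review bot: The rewritten bound `count > sc->sc_cmap_size - index` is only overflow-safe if index, count and sc_cmap_size are all unsigned; with a signed count a negative value would pass this check. The declarations are outside the hunk, so this is worth confirming, and a comment stating the assumption would help: `/* unsigned: index < sc_cmap_size here, so the subtraction cannot wrap */`. The same applies to the pm_set_cmap hunk ending at L5961 and the bivideo_ioctl hunk ending at L5992.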
@@ -687,7 +687,7 @@ pm_set_cmap(struct pm_softc *sc, struct 
 	index = p->index;
 	count = p->count;
 
-	if (index >= sc->sc_cmap_size || (index + count) > sc->sc_cmap_size)
+	if (index >= sc->sc_cmap_size || count > sc->sc_cmap_size - index)
 		return (EINVAL);
 
 	if ((rv = copyin(p->red, >sc_cmap.r[index], count)) != 0)

Index: src/sys/dev/hpc/bivideo.c
diff -u src/sys/dev/hpc/bivideo.c:1.32 src/sys/dev/hpc/bivideo.c:1.32.22.1
--- src/sys/dev/hpc/bivideo.c:1.32	Sat Nov 13 13:51:58 2010
+++ src/sys/dev/hpc/bivideo.c	Thu Jun 15 06:02:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $	*/
+/*	$NetBSD: bivideo.c,v 1.32.22.1 2017/06/15 06:02:57 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999-2001
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32 2010/11/13 13:51:58 uebayasi Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bivideo.c,v 1.32.22.1 2017/06/15 06:02:57 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_hpcfb.h"
@@ -403,8 +403,8 @@ bivideo_ioctl(void *v, u_long cmd, void 
 
 		if (sc->sc_fbconf.hf_class != HPCFB_CLASS_INDEXCOLOR ||
 		sc->sc_fbconf.hf_pack_width != 8 ||
-		256 <= cmap->index ||
-		256 < (cmap->index + cmap->count))
+		cmap->index >= 256 ||
+		cmap->count > 256 - cmap->index)
 			return (EINVAL);
 
 		error = copyout(_cmap_r[cmap->index], cmap->red,

Index: src/sys/dev/ic/sti.c
diff -u src/sys/dev/ic/sti.c:1.16 

CVS commit: [netbsd-6-1] src/sys/arch/i386/stand/misc

2017-06-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Jun  3 16:48:20 UTC 2017

Modified Files:
src/sys/arch/i386/stand/misc [netbsd-6-1]: rawr32.exe.uue

Log Message:
Pull up following revision(s) (requested by martin in ticket #1454):
sys/arch/i386/stand/misc/rawr32.exe.uue: revision 1.7
Update to rawrite32 1.0.5 (new signatures to avoid scary windows
warnings)


To generate a diff of this commit:
cvs rdiff -u -r1.4.18.1 -r1.4.18.2 \
src/sys/arch/i386/stand/misc/rawr32.exe.uue

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffs are larger than 1MB and have been omitted


CVS commit: [netbsd-6-1] src/sys/arch

2017-03-25 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:19:32 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6-1]: trap.c
src/sys/arch/i386/i386 [netbsd-6-1]: trap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1446):
sys/arch/amd64/amd64/trap.c: revision 1.94
sys/arch/i386/i386/trap.c: revision 1.287
Mmh, allow iret to be handled when an #SS fault (T_STKFLT) happens. Even
if the sdm is far from being clear, it appears that iret can trigger an #SS
fault if %ss points to a writable but non-present segment; in which case
the kernel would panic, thinking the fault was internal to it.
In particular, userland can create a broken segment in the ldt with
USER_LDT, update its %ss with setcontext and trigger the panic. I don't
think amd64 is affected since USER_LDT does not exist there, and the
changes on tf_ss seem correct - but I'm still adding T_STKFLT for safety.


To generate a diff of this commit:
cvs rdiff -u -r1.69.2.1 -r1.69.2.1.6.1 src/sys/arch/amd64/amd64/trap.c
cvs rdiff -u -r1.262 -r1.262.14.1 src/sys/arch/i386/i386/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/trap.c
diff -u src/sys/arch/amd64/amd64/trap.c:1.69.2.1 src/sys/arch/amd64/amd64/trap.c:1.69.2.1.6.1
--- src/sys/arch/amd64/amd64/trap.c:1.69.2.1	Sun Jun  3 21:45:10 2012
+++ src/sys/arch/amd64/amd64/trap.c	Sat Mar 25 17:19:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: trap.c,v 1.69.2.1 2012/06/03 21:45:10 jdc Exp $	*/
+/*	$NetBSD: trap.c,v 1.69.2.1.6.1 2017/03/25 17:19:32 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.69.2.1 2012/06/03 21:45:10 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.69.2.1.6.1 2017/03/25 17:19:32 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -294,6 +294,7 @@ trap(struct trapframe *frame)
 	case T_PROTFLT:
 	case T_SEGNPFLT:
 	case T_ALIGNFLT:
+	case T_STKFLT:
 	case T_TSSFLT:
 		if (p == NULL)
 			goto we_re_toast;
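Review bot: The added `case T_STKFLT:` joins the faults delivered to the process when p != NULL, but nothing in the hunk records why a stack-segment fault can originate from user mode; the reasoning in the log (iret with %ss pointing at a non-present segment, reachable via USER_LDT on i386) belongs next to the case: `case T_STKFLT:	/* iret with non-present %ss, e.g. via USER_LDT */`. The same applies to the i386 hunk ending at L6112. The switch in trap() extends beyond the hunk.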

Index: src/sys/arch/i386/i386/trap.c
diff -u src/sys/arch/i386/i386/trap.c:1.262 src/sys/arch/i386/i386/trap.c:1.262.14.1
--- src/sys/arch/i386/i386/trap.c:1.262	Wed Sep  7 09:24:55 2011
+++ src/sys/arch/i386/i386/trap.c	Sat Mar 25 17:19:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: trap.c,v 1.262 2011/09/07 09:24:55 reinoud Exp $	*/
+/*	$NetBSD: trap.c,v 1.262.14.1 2017/03/25 17:19:32 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2005, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.262 2011/09/07 09:24:55 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.262.14.1 2017/03/25 17:19:32 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -405,6 +405,7 @@ trap(struct trapframe *frame)
 #endif
 	case T_SEGNPFLT:
 	case T_ALIGNFLT:
+	case T_STKFLT:
 	case T_TSSFLT:
 		if (p == NULL)
 			goto we_re_toast;



CVS commit: [netbsd-6-1] src/sys/arch/x86

2017-03-06 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Mar  6 08:18:14 UTC 2017

Modified Files:
src/sys/arch/x86/include [netbsd-6-1]: pmap.h
src/sys/arch/x86/x86 [netbsd-6-1]: pmap.c

Log Message:
Pull up following revision(s) (requested by bouyer in ticket #1441):
sys/arch/x86/x86/pmap.c: revision 1.241 via patch
sys/arch/x86/include/pmap.h: revision 1.63 via patch
Should be PG_k, doesn't change anything.
--
Remove PG_u from the kernel pages on Xen. Otherwise there is no privilege
separation between the kernel and userland.
On Xen-amd64, the kernel runs in ring3 just like userland, and the
separation is guaranteed by the hypervisor - each syscall/trap is
intercepted by Xen and sent manually to the kernel. Before that, the
hypervisor modifies the page tables so that the kernel becomes accessible.
Later, when returning to userland, the hypervisor removes the kernel pages
and flushes the TLB.
However, TLB flushes are costly, and in order to reduce the number of pages
flushed Xen marks the userland pages as global, while keeping the kernel
ones as local. This way, when returning to userland, only the kernel pages
get flushed - which makes sense since they are the only ones that got
removed from the mapping.
Xen differentiates the userland pages by looking at their PG_u bit in the
PTE; if a page has this bit then Xen tags it as global, otherwise Xen
manually adds the bit but keeps the page as local. The thing is, since we
set PG_u in the kernel pages, Xen believes our kernel pages are in fact
userland pages, so it marks them as global. Therefore, when returning to
userland, the kernel pages indeed get removed from the page tree, but are
not flushed from the TLB. Which means that they are still accessible.
With this - and depending on the DTLB size - userland has a small window
where it can read/write to the last kernel pages accessed, which is enough
to completely escalate privileges: the sysent structure systematically gets
read when performing a syscall, and chances are that it will still be
cached in the TLB. Userland can then use this to patch a chosen syscall,
make it point to a userland function, retrieve %gs and compute the address
of its credentials, and finally grant itself root privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.49.2.2 -r1.49.2.2.6.1 src/sys/arch/x86/include/pmap.h
cvs rdiff -u -r1.164.2.4.6.1 -r1.164.2.4.6.2 src/sys/arch/x86/x86/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/include/pmap.h
diff -u src/sys/arch/x86/include/pmap.h:1.49.2.2 src/sys/arch/x86/include/pmap.h:1.49.2.2.6.1
--- src/sys/arch/x86/include/pmap.h:1.49.2.2	Wed May  9 03:22:52 2012
+++ src/sys/arch/x86/include/pmap.h	Mon Mar  6 08:18:14 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.h,v 1.49.2.2 2012/05/09 03:22:52 riz Exp $	*/
+/*	$NetBSD: pmap.h,v 1.49.2.2.6.1 2017/03/06 08:18:14 snj Exp $	*/
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -182,15 +182,7 @@ struct pmap {
 	((pmap)->pm_pdirpa[0] + (index) * sizeof(pd_entry_t))
 #endif
 
-/* 
- * flag to be used for kernel mappings: PG_u on Xen/amd64, 
- * 0 otherwise.
- */
-#if defined(XEN) && defined(__x86_64__)
-#define PG_k PG_u
-#else
 #define PG_k 0
-#endif
 
 /*
  * MD flags that we use for pmap_enter and pmap_kenter_pa:
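Review bot: The surviving `#define PG_k 0` is now the only definition, and it carries no explanation of why kernel mappings must not use PG_u on Xen/amd64, which was the whole point of deleting the block above it. A one-line comment would stop the next maintainer from re-adding the PG_u variant: `/* Kernel mappings must never carry PG_u: Xen treats PG_u PTEs as global and skips them on the return-to-userland TLB flush. */`. Since PG_k now expands to 0 on every configuration, the `| PG_k` uses in pmap.c are no-ops that only document intent, which is worth saying here too.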

Index: src/sys/arch/x86/x86/pmap.c
diff -u src/sys/arch/x86/x86/pmap.c:1.164.2.4.6.1 src/sys/arch/x86/x86/pmap.c:1.164.2.4.6.2
--- src/sys/arch/x86/x86/pmap.c:1.164.2.4.6.1	Thu Jul 14 07:10:22 2016
+++ src/sys/arch/x86/x86/pmap.c	Mon Mar  6 08:18:14 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.164.2.4.6.1 2016/07/14 07:10:22 snj Exp $	*/
+/*	$NetBSD: pmap.c,v 1.164.2.4.6.2 2017/03/06 08:18:14 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2010 The NetBSD Foundation, Inc.
@@ -171,7 +171,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.4.6.1 2016/07/14 07:10:22 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.4.6.2 2017/03/06 08:18:14 snj Exp $");
 
 #include "opt_user_ldt.h"
 #include "opt_lockdebug.h"
@@ -1467,7 +1467,7 @@ pmap_bootstrap(vaddr_t kva_start)
 	memset((void *) (xen_dummy_user_pgd + KERNBASE), 0, PAGE_SIZE);
 	/* Mark read-only */
 	HYPERVISOR_update_va_mapping(xen_dummy_user_pgd + KERNBASE,
-	pmap_pa2pte(xen_dummy_user_pgd) | PG_u | PG_V, UVMF_INVLPG);
+	pmap_pa2pte(xen_dummy_user_pgd) | PG_k | PG_V, UVMF_INVLPG);
 	/* Pin as L4 */
 	xpq_queue_pin_l4_table(xpmap_ptom_masked(xen_dummy_user_pgd));
 #endif /* __x86_64__ */
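Review bot: The `/* Mark read-only */` comment above the HYPERVISOR_update_va_mapping call no longer describes the change: the PTE is now `PG_k | PG_V`, and with PG_k defined as 0 elsewhere in this commit that means the dummy user L4 is mapped without PG_u, i.e. supervisor-only, yet nothing at the call says why PG_u was wrong. I would extend the comment to `/* Mark read-only and supervisor-only: PG_u would make Xen treat the mapping as global and leave it in the TLB on return to userland. */`. pmap_bootstrap starts and ends outside this hunk.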
@@ -2064,7 +2064,7 @@ pmap_pdp_ctor(void *arg, void *v, int fl
 	 * this pdir will NEVER be active in kernel mode
 	 * so mark recursive entry invalid
 	 */
-	pdir[PDIR_SLOT_PTE] = pmap_pa2pte(pdirpa) | PG_u;
+	pdir[PDIR_SLOT_PTE] = pmap_pa2pte(pdirpa) | PG_k;
 	/*
 	 * PDP constructed this way won't be for kernel,
 	 * hence we don't put kernel mappings on Xen.



CVS commit: [netbsd-6-1] src/sys/compat/linux/arch/amd64

2017-02-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Feb 14 16:58:44 UTC 2017

Modified Files:
src/sys/compat/linux/arch/amd64 [netbsd-6-1]: linux_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1433):
sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51
Don't let userland choose %rip. This is the Intel Sysret vulnerability
again.
--
Make sure %rip is in userland. This is harmless, since the return to
userland is made with iret instead of sysret in this path. While here, use
size_t.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.12.1 \
src/sys/compat/linux/arch/amd64/linux_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/arch/amd64/linux_machdep.c
diff -u src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39.12.1
--- src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39	Fri Nov 18 04:07:43 2011
+++ src/sys/compat/linux/arch/amd64/linux_machdep.c	Tue Feb 14 16:58:44 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $ */
+/*	$NetBSD: linux_machdep.c,v 1.39.12.1 2017/02/14 16:58:44 snj Exp $ */
 
 /*-
  * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39.12.1 2017/02/14 16:58:44 snj Exp $");
 
 #include 
 #include 
@@ -254,7 +254,12 @@ linux_sendsig(const ksiginfo_t *ksi, con
 	if (error != 0) {
 		sigexit(l, SIGILL);
 		return;
-	}	
+	}
+
+	if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) {
+		sigexit(l, SIGILL);
+		return;
+	}
 
 	linux_buildcontext(l, catcher, sp);
 	tf->tf_rdi = sigframe.info.lsi_signo;
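Review bot: The new `catcher` range check runs only after the `error != 0` test, which is presumably the result of copying the signal frame out to the user stack, so a bad handler address still costs a user-memory write before the process is killed. Hoisting `if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) { sigexit(l, SIGILL); return; }` to where `catcher` is obtained keeps the validation next to its source and avoids the wasted copyout. The start of linux_sendsig, where `catcher` is fetched, is outside this hunk, so the ordering is inferred from the visible error path.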
@@ -485,7 +490,7 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 {
 	struct trapframe *tf = arg;
 	uint64_t retaddr;
-	int vsyscallnr;
+	size_t vsyscallnr;
 
 	/*
 	 * Check for a vsyscall. %rip must be the fault address,
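Review bot: Changing `vsyscallnr` to `size_t` only closes the negative-index case; the table lookup `linux_vsyscall_to_syscall[vsyscallnr]` at the end of the function still needs an upper-bound comparison against the table size, and that check together with the derivation of `vsyscallnr` from the fault address lies between this hunk and the next, so I cannot confirm it compares against the array length. A comment on the declaration would record why the type matters: `/* unsigned on purpose: used as an index into linux_vsyscall_to_syscall[] */`.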
@@ -515,6 +520,8 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 	 */
 	if (copyin((void *)tf->tf_rsp, , sizeof retaddr) != 0)
 		return 0;
+	if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS)
+		return 0;
 	tf->tf_rip = retaddr;
 	tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr];
 	tf->tf_rsp += 8;	/* "pop" the return address */
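Review bot: The added `retaddr` check returns 0 without a comment, so a reader cannot tell it exists to stop a user-supplied stack value from becoming a kernel-range %rip. I would annotate it: `/* Never load %rip from a user-controlled value outside the user range (sysret bug). */`. Returning 0 takes the same path as the `copyin` failure just above, which the visible code treats as "not a vsyscall"; whether the original fault is then delivered as a signal depends on the caller, which is outside this hunk.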



CVS commit: [netbsd-6-1] src/sys/netinet

2017-02-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb  5 06:07:15 UTC 2017

Modified Files:
src/sys/netinet [netbsd-6-1]: if_arp.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1432):
sys/netinet/if_arp.c: 1.238, 1.239 via patch
Make sure the protocol address length equals that of IPv4. Also, make sure
the hardware address length equals that of the interface we received the
packet on. Otherwise a packet could easily set them both to zero and make
the kernel read beyond the allocated mbuf, which is terrible.
Note: for the latter we drop the packet instead of replying, since it is
malformed.
Note: I also added an ugly hack in CARP, since it apparently expects at
least six bytes.
--
Add some checks, mostly same as in_arpinput.


To generate a diff of this commit:
cvs rdiff -u -r1.154.16.1 -r1.154.16.2 src/sys/netinet/if_arp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/if_arp.c
diff -u src/sys/netinet/if_arp.c:1.154.16.1 src/sys/netinet/if_arp.c:1.154.16.2
--- src/sys/netinet/if_arp.c:1.154.16.1	Wed Jun 18 09:34:27 2014
+++ src/sys/netinet/if_arp.c	Sun Feb  5 06:07:15 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_arp.c,v 1.154.16.1 2014/06/18 09:34:27 msaitoh Exp $	*/
+/*	$NetBSD: if_arp.c,v 1.154.16.2 2017/02/05 06:07:15 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.16.1 2014/06/18 09:34:27 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.16.2 2017/02/05 06:07:15 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_inet.h"
@@ -974,6 +974,9 @@ in_arpinput(struct mbuf *m)
 		break;
 	}
 
+	if (ah->ar_pln != sizeof(struct in_addr))
+		goto out;
+
 	memcpy(, ar_spa(ah), sizeof (isaddr));
 	memcpy(, ar_tpa(ah), sizeof (itaddr));
 
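Review bot: The `ar_pln` check is placed just before `ar_spa(ah)`/`ar_tpa(ah)` are read, but those offsets also depend on `ar_hln`, which this function does not validate until the `ar_hln != ifp->if_addrlen` test much further down. Reading at `ar_hln`-dependent offsets here is only safe if the caller already pulled up `2 * (ar_hln + ar_pln)` header bytes; that happens outside this hunk, so I cannot confirm it, and a comment stating the assumption, `/* caller has pulled up the full ar_hln/ar_pln-sized header */`, would make it checkable. Unlike the `ar_hln` rejection, this path drops silently without `ARP_STATINC(ARP_STAT_RCVBADLEN)`, so malformed packets of this kind do not show up in the statistics. in_arpinput starts outside this hunk.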
@@ -1004,7 +1007,10 @@ in_arpinput(struct mbuf *m)
 		((ia->ia_ifp->if_flags & (IFF_UP|IFF_RUNNING)) ==
 		(IFF_UP|IFF_RUNNING))) {
 			index++;
+
+			/* XXX: ar_hln? */
 			if (ia->ia_ifp == m->m_pkthdr.rcvif &&
+			(ah->ar_hln >= 6) &&
 			carp_iamatch(ia, ar_sha(ah),
 			, index)) {
 break;
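Review bot: The bare constant in `(ah->ar_hln >= 6) &&` should be the named Ethernet address length, presumably because carp_iamatch() reads a 6-byte hardware address from `ar_sha(ah)`; the callee is not visible here. Writing `(ah->ar_hln >= ETHER_ADDR_LEN) &&` states the requirement and lets the `/* XXX: ar_hln? */` marker be replaced by something that explains itself: `/* carp_iamatch() copies an Ethernet address from ar_sha(); refuse shorter ones. */`. `>=` rather than `==` also lets a longer address through, which is deliberate only if CARP truly ignores the trailing bytes.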
@@ -1036,6 +1042,14 @@ in_arpinput(struct mbuf *m)
 	}
 #endif
 
+	if (ah->ar_hln != ifp->if_addrlen) {
+		ARP_STATINC(ARP_STAT_RCVBADLEN);
+		log(LOG_WARNING,
+		"arp from %s: addr len: new %d, i/f %d (ignored)\n",
+		in_fmtaddr(isaddr), ah->ar_hln, ifp->if_addrlen);
+		goto out;
+	}
+
 	if (ia == NULL) {
 		INADDR_TO_IA(isaddr, ia);
 		while ((ia != NULL) && ia->ia_ifp != m->m_pkthdr.rcvif)
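Review bot: The `log(LOG_WARNING, ...)` on the relocated `ar_hln` mismatch path fires once per packet and is reachable from any host on the segment, so a stream of malformed requests becomes a kernel log flood even though the packet is now dropped instead of answered. Since `ARP_STATINC(ARP_STAT_RCVBADLEN)` already records the event, the message could be rate-limited or moved to debug level. in_arpinput starts outside this hunk.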
@@ -1130,14 +1144,7 @@ in_arpinput(struct mbuf *m)
 			"arp from %s: new addr len %d, was %d\n",
 			in_fmtaddr(isaddr), ah->ar_hln, sdl->sdl_alen);
 		}
-		if (ifp->if_addrlen != ah->ar_hln) {
-			ARP_STATINC(ARP_STAT_RCVBADLEN);
-			log(LOG_WARNING,
-			"arp from %s: addr len: new %d, i/f %d (ignored)\n",
-			in_fmtaddr(isaddr), ah->ar_hln,
-			ifp->if_addrlen);
-			goto reply;
-		}
+
 #if NTOKEN > 0
 		/*
 		 * XXX uses m_data and assumes the complete answer including
@@ -1433,6 +1440,10 @@ in_revarpinput(struct mbuf *m)
 	tha = ar_tha(ah);
 	if (tha == NULL)
 		goto out;
+	if (ah->ar_pln != sizeof(struct in_addr))
+		goto out;
+	if (ah->ar_hln != ifp->if_sadl->sdl_alen)
+		goto out;
 	if (memcmp(tha, CLLADDR(ifp->if_sadl), ifp->if_sadl->sdl_alen))
 		goto out;
 	memcpy(_ip, ar_spa(ah), sizeof(srv_ip));
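Review bot: The two new length checks in in_revarpinput are evaluated after `tha = ar_tha(ah)`, whose result is computed from `ar_hln`/`ar_pln`-dependent offsets, so the pointer is derived from the unvalidated fields before they are rejected. Moving `if (ah->ar_pln != sizeof(struct in_addr)) goto out;` and `if (ah->ar_hln != ifp->if_sadl->sdl_alen) goto out;` above the `ar_tha()` call keeps validation ahead of any use. The check compares against `ifp->if_sadl->sdl_alen` whereas in_arpinput uses `ifp->if_addrlen`; these are presumably equal, but using one name in both places would make the consistency explicit. in_revarpinput starts outside this hunk.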



CVS commit: [netbsd-6-1] src/sys/arch/amd64/amd64

2017-02-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb  5 05:59:59 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6-1]: copy.S

Log Message:
Apply patch (requested by maxv in ticket #1431):
suword: Don't allow 4 bytes to overflow beyond the userland space.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.28.1 src/sys/arch/amd64/amd64/copy.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/copy.S
diff -u src/sys/arch/amd64/amd64/copy.S:1.18 src/sys/arch/amd64/amd64/copy.S:1.18.28.1
--- src/sys/arch/amd64/amd64/copy.S:1.18	Wed Jul  7 01:13:29 2010
+++ src/sys/arch/amd64/amd64/copy.S	Sun Feb  5 05:59:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: copy.S,v 1.18 2010/07/07 01:13:29 chs Exp $	*/
+/*	$NetBSD: copy.S,v 1.18.28.1 2017/02/05 05:59:59 snj Exp $	*/
 
 /*
  * Copyright (c) 2001 Wasabi Systems, Inc.
@@ -413,7 +413,7 @@ ENTRY(fubyte)
 
 ENTRY(suword)
 	DEFERRED_SWITCH_CHECK
-	movq	$VM_MAXUSER_ADDRESS-4,%r11
+	movq	$VM_MAXUSER_ADDRESS-8,%r11
 	cmpq	%r11,%rdi
 	ja	_C_LABEL(fusuaddrfault)
 
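Review bot: The bound constant changes from `-4` to `-8` without a comment, and nothing in the visible lines says why; suword presumably stores a full 8-byte long, so the last writable user address is `VM_MAXUSER_ADDRESS-8` and the old `-4` let a store straddle the end of the user range. A comment such as `# suword stores 8 bytes; last valid address is VM_MAXUSER_ADDRESS-8` would make the bound self-explaining. Whether the sibling fuword/fusword/subyte routines use correctly sized bounds is not visible in this hunk and is worth checking in the same pass.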



CVS commit: [netbsd-6-1] src/sys/net

2017-02-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb  5 05:47:28 UTC 2017

Modified Files:
src/sys/net [netbsd-6-1]: if_arcsubr.c if_ecosubr.c if_ethersubr.c
if_fddisubr.c if_tokensubr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1429):
sys/net/if_arcsubr.c: revision 1.76 via patch
sys/net/if_ecosubr.c: revision 1.50 via patch
sys/net/if_ethersubr.c: revision 1.236 via patch
sys/net/if_fddisubr.c: revision 1.104 via patch
sys/net/if_tokensubr.c: revision 1.80 via patch
Don't forget to free the mbuf when we decide not to reply to an ARP
request. This obviously is a terrible bug, since it allows a remote sender
to DoS the system with specially-crafted requests sent in a loop.


To generate a diff of this commit:
cvs rdiff -u -r1.63.14.1 -r1.63.14.1.2.1 src/sys/net/if_arcsubr.c
cvs rdiff -u -r1.36 -r1.36.18.1 src/sys/net/if_ecosubr.c
cvs rdiff -u -r1.188.8.3.2.1 -r1.188.8.3.2.2 src/sys/net/if_ethersubr.c
cvs rdiff -u -r1.81.14.1 -r1.81.14.1.2.1 src/sys/net/if_fddisubr.c
cvs rdiff -u -r1.61 -r1.61.18.1 src/sys/net/if_tokensubr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_arcsubr.c
diff -u src/sys/net/if_arcsubr.c:1.63.14.1 src/sys/net/if_arcsubr.c:1.63.14.1.2.1
--- src/sys/net/if_arcsubr.c:1.63.14.1	Tue Oct 23 16:19:47 2012
+++ src/sys/net/if_arcsubr.c	Sun Feb  5 05:47:28 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_arcsubr.c,v 1.63.14.1 2012/10/23 16:19:47 riz Exp $	*/
+/*	$NetBSD: if_arcsubr.c,v 1.63.14.1.2.1 2017/02/05 05:47:28 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Ignatios Souvatzis
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.63.14.1 2012/10/23 16:19:47 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.63.14.1.2.1 2017/02/05 05:47:28 snj Exp $");
 
 #include "opt_inet.h"
 
@@ -196,8 +196,10 @@ arc_output(struct ifnet *ifp, struct mbu
 			adst = arcbroadcastaddr;
 		else {
 			uint8_t *tha = ar_tha(arph);
-			if (tha == NULL)
+			if (tha == NULL) {
+m_freem(m);
 return 0;
+			}
 			adst = *tha;
 		}
 
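Review bot: The new `m_freem(m); return 0;` discards an ARP packet with no target hardware address and reports success, so the caller cannot tell that nothing was transmitted; that matches the neighbouring drivers in this commit but deserves a comment at the site: `/* no target address to send to: drop, but report success so the caller does not retry */`. If this file counts output errors elsewhere, bumping that counter here would make such drops visible. arc_output starts and ends outside this hunk.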

Index: src/sys/net/if_ecosubr.c
diff -u src/sys/net/if_ecosubr.c:1.36 src/sys/net/if_ecosubr.c:1.36.18.1
--- src/sys/net/if_ecosubr.c:1.36	Sun Nov 20 12:15:38 2011
+++ src/sys/net/if_ecosubr.c	Sun Feb  5 05:47:28 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ecosubr.c,v 1.36 2011/11/20 12:15:38 kiyohara Exp $	*/
+/*	$NetBSD: if_ecosubr.c,v 1.36.18.1 2017/02/05 05:47:28 snj Exp $	*/
 
 /*-
  * Copyright (c) 2001 Ben Harris
@@ -58,7 +58,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.36 2011/11/20 12:15:38 kiyohara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.36.18.1 2017/02/05 05:47:28 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_pfil_hooks.h"
@@ -242,8 +242,10 @@ eco_output(struct ifnet *ifp, struct mbu
 	case AF_ARP:
 		ah = mtod(m, struct arphdr *);
 
-		if (ntohs(ah->ar_pro) != ETHERTYPE_IP)
-			return EAFNOSUPPORT;
+		if (ntohs(ah->ar_pro) != ETHERTYPE_IP) {
+			error = EAFNOSUPPORT;
+			goto bad;
+		}
 		ehdr.eco_port = ECO_PORT_IP;
 		switch (ntohs(ah->ar_op)) {
 		case ARPOP_REQUEST:
@@ -253,7 +255,8 @@ eco_output(struct ifnet *ifp, struct mbu
 			ehdr.eco_control = ECO_CTL_ARP_REPLY;
 			break;
 		default:
-			return EOPNOTSUPP;
+			error = EOPNOTSUPP;
+			goto bad;
 		}
 
 		if (m->m_flags & M_BCAST)
@@ -261,8 +264,10 @@ eco_output(struct ifnet *ifp, struct mbu
 			ECO_ADDR_LEN);
 		else {
 			tha = ar_tha(ah);
-			if (tha == NULL)
+			if (tha == NULL) {
+m_freem(m);
 return 0;
+			}
 			memcpy(ehdr.eco_dhost, tha, ECO_ADDR_LEN);
 		}
 
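Review bot: The `tha == NULL` case frees the mbuf inline and returns 0, while the two malformed-ARP cases a few lines above in the same switch arm now use `error = ...; goto bad;`; two different drop idioms in one function invite the leak this commit fixes to come back. Unless returning success here is deliberate, `error = EOPNOTSUPP; goto bad;` would route every malformed-ARP drop through one exit, assuming `bad:` frees `m` (the label is outside this hunk). If returning 0 is intentional, a comment saying so would prevent the next reader from "fixing" it.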

Index: src/sys/net/if_ethersubr.c
diff -u src/sys/net/if_ethersubr.c:1.188.8.3.2.1 src/sys/net/if_ethersubr.c:1.188.8.3.2.2
--- src/sys/net/if_ethersubr.c:1.188.8.3.2.1	Wed Jun 18 09:34:27 2014
+++ src/sys/net/if_ethersubr.c	Sun Feb  5 05:47:28 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ethersubr.c,v 1.188.8.3.2.1 2014/06/18 09:34:27 msaitoh Exp $	*/
+/*	$NetBSD: if_ethersubr.c,v 1.188.8.3.2.2 2017/02/05 05:47:28 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.188.8.3.2.1 2014/06/18 09:34:27 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.188.8.3.2.2 2017/02/05 05:47:28 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_atalk.h"
@@ -307,6 +307,7 @@ ether_output(struct ifnet * const ifp0, 
 
 			if (tha == NULL) {
 /* fake with ARPHDR_IEEE1394 */
+m_freem(m);
 return 0;
 			}
 			memcpy(edst, tha, sizeof(edst));
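Review bot: The comment `/* fake with ARPHDR_IEEE1394 */` does not explain why the packet is dropped and success returned, and with the free now added the block's intent is "no target hardware address, nothing to send to". I would replace it with `/* No target hardware address (e.g. ARPHDR_IEEE1394 ARP): drop the packet but report success. */`. ether_output starts and ends outside this hunk.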

Index: src/sys/net/if_fddisubr.c
diff -u src/sys/net/if_fddisubr.c:1.81.14.1 src/sys/net/if_fddisubr.c:1.81.14.1.2.1
--- src/sys/net/if_fddisubr.c:1.81.14.1	Wed Oct 31 16:07:46 2012
+++ src/sys/net/if_fddisubr.c	Sun Feb  5 05:47:28 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_fddisubr.c,v 1.81.14.1 2012/10/31 16:07:46 riz Exp 

CVS commit: [netbsd-6-1] src/sys/kern

2016-11-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Nov 11 07:07:08 UTC 2016

Modified Files:
src/sys/kern [netbsd-6-1]: uipc_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1415):
sys/kern/uipc_usrreq.c: revision 1.181
Memory leak, found by Mootja. It is easily triggerable from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.136.8.3 -r1.136.8.3.2.1 src/sys/kern/uipc_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_usrreq.c
diff -u src/sys/kern/uipc_usrreq.c:1.136.8.3 src/sys/kern/uipc_usrreq.c:1.136.8.3.2.1
--- src/sys/kern/uipc_usrreq.c:1.136.8.3	Mon Feb 18 22:00:49 2013
+++ src/sys/kern/uipc_usrreq.c	Fri Nov 11 07:07:08 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $	*/
+/*	$NetBSD: uipc_usrreq.c,v 1.136.8.3.2.1 2016/11/11 07:07:08 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2004, 2008, 2009 The NetBSD Foundation, Inc.
@@ -96,7 +96,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.3 2013/02/18 22:00:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.136.8.3.2.1 2016/11/11 07:07:08 snj Exp $");
 
 #include 
 #include 
@@ -1014,11 +1014,11 @@ unp_connect(struct socket *so, struct mb
 		goto bad2;
 	}
 	vp = nd.ni_vp;
+	pathbuf_destroy(pb);
 	if (vp->v_type != VSOCK) {
 		error = ENOTSOCK;
 		goto bad;
 	}
-	pathbuf_destroy(pb);
 	if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0)
 		goto bad;
 	/* Acquire v_interlock to protect against unp_detach(). */
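Review bot: Moving `pathbuf_destroy(pb)` ahead of the VSOCK test fixes the leak on the ENOTSOCK path, but nothing now marks that `pb` is dead from this point on, so a later edit that uses it (for instance in an error message) would become a use-after-free. A comment at the call, `/* done with the path: namei() has resolved nd.ni_vp */`, records the lifetime. The original leak implies that `bad:` does not destroy `pb`, so no double-destroy is introduced, but that label is outside this hunk and should be confirmed.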



CVS commit: [netbsd-6-1] src/sys/arch/sparc64/sparc64

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:19:08 UTC 2016

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6-1]: locore.s

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1408):
sys/arch/sparc64/sparc64/locore.s: revision 1.401
Fix RAS for 32-bit kernels.  trapframe is always 64-bit.


To generate a diff of this commit:
cvs rdiff -u -r1.338.8.4.2.2 -r1.338.8.4.2.3 \
src/sys/arch/sparc64/sparc64/locore.s

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/locore.s
diff -u src/sys/arch/sparc64/sparc64/locore.s:1.338.8.4.2.2 src/sys/arch/sparc64/sparc64/locore.s:1.338.8.4.2.3
--- src/sys/arch/sparc64/sparc64/locore.s:1.338.8.4.2.2	Sun Nov 15 21:02:22 2015
+++ src/sys/arch/sparc64/sparc64/locore.s	Sat Sep 24 13:19:08 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.s,v 1.338.8.4.2.2 2015/11/15 21:02:22 bouyer Exp $	*/
+/*	$NetBSD: locore.s,v 1.338.8.4.2.3 2016/09/24 13:19:08 bouyer Exp $	*/
 
 /*
  * Copyright (c) 2006-2010 Matthew R. Green
@@ -5206,12 +5206,12 @@ ENTRY(cpu_switchto)
 	brz,pt	%o1, Lsw_noras		! no, skip RAS check
 	 LDPTR	[%i1 + L_TF], %l3	! pointer to trap frame
 	call	_C_LABEL(ras_lookup)
-	 LDPTR	[%l3 + TF_PC], %o1
+	 ldx	[%l3 + TF_PC], %o1
 	cmp	%o0, -1
-	be,pt	%xcc, Lsw_noras
+	be,pt	CCCR, Lsw_noras
 	 add	%o0, 4, %o1
-	STPTR	%o0, [%l3 + TF_PC]	! store rewound %pc
-	STPTR	%o1, [%l3 + TF_NPC]	! and %npc
+	stx	%o0, [%l3 + TF_PC]	! store rewound %pc
+	stx	%o1, [%l3 + TF_NPC]	! and %npc
 
 Lsw_noras:
 
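Review bot: The switch from LDPTR/STPTR to ldx/stx is correct only because the trap frame layout is fixed at 64 bits even for 32-bit kernels, and that invariant is stated only in the commit message, not at the code. A comment on the load, `! tf is always 64-bit, even on 32-bit kernels: use ldx/stx, not LDPTR/STPTR`, would stop the next cleanup from re-introducing the pointer-sized macros. cpu_switchto starts and ends outside this hunk.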



CVS commit: [netbsd-6-1] src/sys/lib/libsa

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:10:55 UTC 2016

Modified Files:
src/sys/lib/libsa [netbsd-6-1]: checkpasswd.c

Log Message:
Pull up following revision(s) (requested by dholland in ticket #1406):
sys/lib/libsa/checkpasswd.c: revision 1.10
Check bounds on input. From Michael Plass.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.28.1 src/sys/lib/libsa/checkpasswd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/lib/libsa/checkpasswd.c
diff -u src/sys/lib/libsa/checkpasswd.c:1.9 src/sys/lib/libsa/checkpasswd.c:1.9.28.1
--- src/sys/lib/libsa/checkpasswd.c:1.9	Thu Jan  6 02:45:13 2011
+++ src/sys/lib/libsa/checkpasswd.c	Sat Sep 24 13:10:55 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: checkpasswd.c,v 1.9 2011/01/06 02:45:13 jakllsch Exp $	*/
+/*	$NetBSD: checkpasswd.c,v 1.9.28.1 2016/09/24 13:10:55 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1993
@@ -84,8 +84,10 @@ getpass(const char *prompt)
 			putchar('\n');
 			break;
 		default:
-			*lp++ = c;
-			putchar('*');
+			if ((size_t)(lp - buf) < sizeof(buf) - 1) {
+*lp++ = c;
+putchar('*');
+			}
 			break;
 		}
 	}
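Review bot: When the buffer is full the new branch drops the character and also suppresses the `*` echo, so the user gets no indication that input beyond `sizeof(buf) - 1` characters was discarded; that is an acceptable policy but should be stated, e.g. `/* buffer full: drop silently, keep room for the NUL */`. The check relies on `buf` being an array rather than a pointer for `sizeof(buf)` to be the capacity; its declaration is outside this hunk, so that should be verified. getpass starts and ends outside this hunk.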



CVS commit: [netbsd-6-1] src/sys/arch/sparc64/sparc64

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:06:45 UTC 2016

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6-1]: kobj_machdep.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1405):
sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.5
sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.6
Follow rev. 1.54, 1.55 of libexec/ld.elf_so/arch/sparc64/mdreloc.c.
The target of the OLO10 relocation is the simd13 field of the instruction,
so use a 13 bit target mask.
Fixes PR kern/51436 (I broke this myself in rev 1.4)


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.28.1 src/sys/arch/sparc64/sparc64/kobj_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/kobj_machdep.c
diff -u src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4 src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4.28.1
--- src/sys/arch/sparc64/sparc64/kobj_machdep.c:1.4	Sun May  2 11:43:30 2010
+++ src/sys/arch/sparc64/sparc64/kobj_machdep.c	Sat Sep 24 13:06:45 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kobj_machdep.c,v 1.4 2010/05/02 11:43:30 martin Exp $	*/
+/*	$NetBSD: kobj_machdep.c,v 1.4.28.1 2016/09/24 13:06:45 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2001 Jake Burkholder.
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kobj_machdep.c,v 1.4 2010/05/02 11:43:30 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kobj_machdep.c,v 1.4.28.1 2016/09/24 13:06:45 bouyer Exp $");
 
 #define	ELFSIZE		ARCH_ELFSIZE
 
@@ -164,15 +164,15 @@ static const long reloc_target_bitmask[]
 	_BM(22), _BM(10),		/* _HIPLT22, LOPLT10 */
 	_BM(32), _BM(22), _BM(10),	/* _PCPLT32, _PCPLT22, _PCPLT10 */
 	_BM(10), _BM(11), -1,		/* _10, _11, _64 */
-	_BM(10), _BM(22),		/* _OLO10, _HH22 */
+	_BM(13), _BM(22),		/* _OLO10, _HH22 */
 	_BM(10), _BM(22),		/* _HM10, _LM22 */
 	_BM(22), _BM(10), _BM(22),	/* _PC_HH22, _PC_HM10, _PC_LM22 */
 	_BM(16), _BM(19),		/* _WDISP16, _WDISP19 */
 	-1,/* GLOB_JMP */
-	_BM(7), _BM(5), _BM(6)		/* _7, _5, _6 */
+	_BM(7), _BM(5), _BM(6),		/* _7, _5, _6 */
 	-1, -1,/* DISP64, PLT64 */
 	_BM(22), _BM(13),		/* HIX22, LOX10 */
-	_BM(22), _BM(10), _BM(13),	/* H44, M44, L44 */
+	_BM(22), _BM(10), _BM(12),	/* H44, M44, L44 */
 	-1, -1, _BM(16),		/* REGISTER, UA64, UA16 */
 #undef _BM
 };
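Review bot: The missing comma after `_BM(6)` in the old table was not a syntax error: `_BM(6) -1` parsed as `_BM(6) - 1`, so the initializer was one entry short and every mask from DISP64 onward was silently shifted to the wrong relocation type. Because the compiler cannot catch a shortened initializer list, I would add a compile-time check that the table has exactly one entry per relocation type, e.g. `CTASSERT(__arraycount(reloc_target_bitmask) == <number of R_SPARC_* types>)`, so a repeat cannot go unnoticed in code that applies relocations from loaded modules. The L44 mask change from `_BM(13)` to `_BM(12)` is not mentioned in the commit message and would benefit from a comment citing the matching mdreloc.c change.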



CVS commit: [netbsd-6-1] src/sys/arch/i386/stand/misc

2016-08-28 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Aug 28 10:44:11 UTC 2016

Modified Files:
src/sys/arch/i386/stand/misc [netbsd-6-1]: rawr32.exe.uue

Log Message:
Pull up following revision(s) (requested by martin in ticket #1385):
sys/arch/i386/stand/misc/rawr32.exe.uue: sync to revision 1.6
New Rawrite32 release


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.18.1 src/sys/arch/i386/stand/misc/rawr32.exe.uue

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffs are larger than 1MB and have been omitted


CVS commit: [netbsd-6-1] src/sys/compat/common

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:52:25 UTC 2016

Modified Files:
src/sys/compat/common [netbsd-6-1]: vfs_syscalls_43.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1400):
sys/compat/common/vfs_syscalls_43.c: revision 1.58
fill in the tv_nsec parts of the converted timespec in cvtstat().


To generate a diff of this commit:
cvs rdiff -u -r1.54.14.1 -r1.54.14.1.2.1 \
src/sys/compat/common/vfs_syscalls_43.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1 src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1.2.1
--- src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1	Thu Mar 14 16:33:09 2013
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 27 14:52:25 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.1 2013/03/14 16:33:09 riz Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.1 2016/08/27 14:52:25 bouyer Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1 2013/03/14 16:33:09 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.1 2016/08/27 14:52:25 bouyer Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -74,15 +74,42 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls
 #include 
 #include 
 
+static void cvttimespec(struct timespec *, struct timespec50 *);
 static void cvtstat(struct stat *, struct stat43 *);
 
 /*
+ * Convert from an old to a new timespec structure.
+ */
+static void
+cvttimespec(struct timespec *ts, struct timespec50 *ots)
+{
+
+	if (ts->tv_sec > INT_MAX) {
+#if defined(DEBUG) || 1
+		static bool first = true;
+
+		if (first) {
+			first = false;
+			printf("%s[%s:%d]: time_t does not fit\n",
+			__func__, curlwp->l_proc->p_comm,
+			curlwp->l_lid);
+		}
+#endif
+		ots->tv_sec = INT_MAX;
+	} else
+		ots->tv_sec = ts->tv_sec;
+	ots->tv_nsec = ts->tv_nsec;
+}
+
+/*
  * Convert from an old to a new stat structure.
  */
 static void
 cvtstat(struct stat *st, struct stat43 *ost)
 {
 
+	/* Handle any padding. */
+	memset(ost, 0, sizeof *ost);
 	ost->st_dev = st->st_dev;
 	ost->st_ino = st->st_ino;
 	ost->st_mode = st->st_mode & 0x;
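Review bot: `#if defined(DEBUG) || 1` is always true, so the "time_t does not fit" printf is compiled in unconditionally; either the `|| 1` debugging leftover should go or the `#if` should be dropped so the intent is clear. The new function's comment, `Convert from an old to a new timespec structure`, has the direction backwards: cvttimespec turns a current `struct timespec` into the legacy `struct timespec50`, and the same wording on cvtstat predates this change. The clamp handles `tv_sec > INT_MAX` but not `tv_sec < INT_MIN`, so large negative times would still be truncated by the plain assignment. The added `memset(ost, 0, sizeof *ost)` is the right fix for structure padding that is presumably copied out to userland, and a comment saying `/* zero padding so no kernel stack bytes reach userland */` would make that purpose explicit.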
@@ -94,9 +121,9 @@ cvtstat(struct stat *st, struct stat43 *
 		ost->st_size = st->st_size;
 	else
 		ost->st_size = -2;
-	ost->st_atime = st->st_atime;
-	ost->st_mtime = st->st_mtime;
-	ost->st_ctime = st->st_ctime;
+	cvttimespec(>st_atimespec, >st_atimespec);
+	cvttimespec(>st_mtimespec, >st_mtimespec);
+	cvttimespec(>st_ctimespec, >st_ctimespec);
 	ost->st_blksize = st->st_blksize;
 	ost->st_blocks = st->st_blocks;
 	ost->st_flags = st->st_flags;



CVS commit: [netbsd-6-1] src/sys/dev

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:48:50 UTC 2016

Modified Files:
src/sys/dev [netbsd-6-1]: fss.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1399):
sys/dev/fss.c: revision 1.95
Disestablish COW handler on error.  No need to do further copies after
the snapshot device failed.
Should fix PR kern/51377: fss(4) panic if snapshot mounted read/write


To generate a diff of this commit:
cvs rdiff -u -r1.81.4.3 -r1.81.4.3.2.1 src/sys/dev/fss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/fss.c
diff -u src/sys/dev/fss.c:1.81.4.3 src/sys/dev/fss.c:1.81.4.3.2.1
--- src/sys/dev/fss.c:1.81.4.3	Mon Feb 11 20:39:28 2013
+++ src/sys/dev/fss.c	Sat Aug 27 14:48:50 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: fss.c,v 1.81.4.3 2013/02/11 20:39:28 riz Exp $	*/
+/*	$NetBSD: fss.c,v 1.81.4.3.2.1 2016/08/27 14:48:50 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2003 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.3 2013/02/11 20:39:28 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.3.2.1 2016/08/27 14:48:50 bouyer Exp $");
 
 #include 
 #include 
@@ -430,17 +430,20 @@ fss_dump(dev_t dev, daddr_t blkno, void 
 
 /*
  * An error occurred reading or writing the snapshot or backing store.
- * If it is the first error log to console.
+ * If it is the first error log to console and disestablish cow handler.
  * The caller holds the mutex.
  */
 static inline void
 fss_error(struct fss_softc *sc, const char *msg)
 {
 
-	if ((sc->sc_flags & (FSS_ACTIVE|FSS_ERROR)) == FSS_ACTIVE)
-		aprint_error_dev(sc->sc_dev, "snapshot invalid: %s\n", msg);
-	if ((sc->sc_flags & FSS_ACTIVE) == FSS_ACTIVE)
-		sc->sc_flags |= FSS_ERROR;
+	if ((sc->sc_flags & (FSS_ACTIVE | FSS_ERROR)) != FSS_ACTIVE)
+		return;
+
+	aprint_error_dev(sc->sc_dev, "snapshot invalid: %s\n", msg);
+	if ((sc->sc_flags & FSS_PERSISTENT) == 0)
+		fscow_disestablish(sc->sc_mount, fss_copy_on_write, sc);
+	sc->sc_flags |= FSS_ERROR;
 }
 
 /*
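Review bot: fss_error() is documented as running with the caller holding the mutex (`The caller holds the mutex.`), and it now calls `fscow_disestablish()` under that lock; the unmount hook later in this diff calls it with both `sc_slock` and the device lock held. Whether `fscow_disestablish()` may block or take locks that order before `sc_slock` is not visible here and should be confirmed. If it is safe, a comment on the call, `/* safe under sc_slock: fscow_disestablish() does not sleep */`, documents the lock order; if not, the disestablish should be deferred until after `mutex_exit`.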
@@ -560,9 +563,8 @@ fss_unmount_hook(struct mount *mp)
 		if ((sc = device_lookup_private(_cd, i)) == NULL)
 			continue;
 		mutex_enter(>sc_slock);
-		if ((sc->sc_flags & FSS_ACTIVE) != 0 &&
-		sc->sc_mount == mp)
-			fss_error(sc, "forced unmount");
+		if ((sc->sc_flags & FSS_ACTIVE) != 0 && sc->sc_mount == mp)
+			fss_error(sc, "forced by unmount");
 		mutex_exit(>sc_slock);
 	}
 	mutex_exit(_device_lock);
@@ -888,7 +890,7 @@ static int
 fss_delete_snapshot(struct fss_softc *sc, struct lwp *l)
 {
 
-	if ((sc->sc_flags & FSS_PERSISTENT) == 0)
+	if ((sc->sc_flags & (FSS_PERSISTENT | FSS_ERROR)) == 0)
 		fscow_disestablish(sc->sc_mount, fss_copy_on_write, sc);
 
 	mutex_enter(>sc_slock);
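Review bot: The new `FSS_ERROR` test skips `fscow_disestablish()` because fss_error() already removed the handler, but nothing at this site says so, and a reader may take it for a bug that errored snapshots are never disestablished. A comment would carry the invariant: `/* On FSS_ERROR the COW handler was already disestablished by fss_error(). */`. This relies on every setter of FSS_ERROR going through fss_error(); if the flag is set anywhere else, the handler would leak, and the rest of the file is outside this hunk.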



CVS commit: [netbsd-6-1] src/sys/arch/x86/x86

2016-07-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul 14 07:10:22 UTC 2016

Modified Files:
src/sys/arch/x86/x86 [netbsd-6-1]: pmap.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1365):
sys/arch/x86/x86/pmap.c: revision 1.190
Operation pmap_pp_clear_attrs() may remove the "used" attribute from a page
that is still cached in the TLB of other CPUs.
Call pmap_tlb_shootnow() here before enabling preemption to clear the
TLB entries on other CPUs.
Should prevent tmpfs data corruption under load.
Ok: Chuck Silvers


To generate a diff of this commit:
cvs rdiff -u -r1.164.2.4 -r1.164.2.4.6.1 src/sys/arch/x86/x86/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/pmap.c
diff -u src/sys/arch/x86/x86/pmap.c:1.164.2.4 src/sys/arch/x86/x86/pmap.c:1.164.2.4.6.1
--- src/sys/arch/x86/x86/pmap.c:1.164.2.4	Wed May  9 03:22:53 2012
+++ src/sys/arch/x86/x86/pmap.c	Thu Jul 14 07:10:22 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.164.2.4 2012/05/09 03:22:53 riz Exp $	*/
+/*	$NetBSD: pmap.c,v 1.164.2.4.6.1 2016/07/14 07:10:22 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2010 The NetBSD Foundation, Inc.
@@ -171,7 +171,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.4 2012/05/09 03:22:53 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.164.2.4.6.1 2016/07/14 07:10:22 snj Exp $");
 
 #include "opt_user_ldt.h"
 #include "opt_lockdebug.h"
@@ -3717,6 +3717,7 @@ startover:
 	}
 	result = pp->pp_attrs & clearbits;
 	pp->pp_attrs &= ~clearbits;
+	pmap_tlb_shootnow();
 	kpreempt_enable();
 
 	return result != 0;
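Review bot: The added `pmap_tlb_shootnow()` has no comment, and its placement just before `kpreempt_enable()` is the point: the shootdown must complete while preemption is still disabled so the cleared attribute cannot be observed stale through another CPU's TLB entry. A comment would preserve that reasoning: `/* Flush remote TLBs before re-enabling preemption: other CPUs may still hold the translation with the cleared attribute. */`. The function starts outside this hunk, so the matching kpreempt_disable() is not visible here.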



CVS commit: [netbsd-6-1] src/sys/nfs

2016-07-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul 14 06:55:08 UTC 2016

Modified Files:
src/sys/nfs [netbsd-6-1]: nfs_vnops.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1363):
sys/nfs/nfs_vnops.c: revision 1.309
Return an error if NFSPROC_LOOKUP returns the file handle of the current
directory.  Treating it as DOT lookup would put garbage into the name
cache and could panic on future lookups.
Seen with ZFS file system exported from OmniOS, an OpenSolaris derivative.
Fixes PR kern/50664 "cd .." over NFS/ZFS can panic kernel


To generate a diff of this commit:
cvs rdiff -u -r1.293.4.1 -r1.293.4.1.6.1 src/sys/nfs/nfs_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/nfs/nfs_vnops.c
diff -u src/sys/nfs/nfs_vnops.c:1.293.4.1 src/sys/nfs/nfs_vnops.c:1.293.4.1.6.1
--- src/sys/nfs/nfs_vnops.c:1.293.4.1	Sun Aug 12 12:59:48 2012
+++ src/sys/nfs/nfs_vnops.c	Thu Jul 14 06:55:08 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: nfs_vnops.c,v 1.293.4.1 2012/08/12 12:59:48 martin Exp $	*/
+/*	$NetBSD: nfs_vnops.c,v 1.293.4.1.6.1 2016/07/14 06:55:08 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nfs_vnops.c,v 1.293.4.1 2012/08/12 12:59:48 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nfs_vnops.c,v 1.293.4.1.6.1 2016/07/14 06:55:08 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_nfs.h"
@@ -949,18 +949,11 @@ dorpc:
 
 	if (NFS_CMPFH(np, fhp, fhsize)) {
 		/*
-		 * as we handle "." lookup locally, this should be
+		 * As we handle "." lookup locally, this is
 		 * a broken server.
 		 */
-		vref(dvp);
-		newvp = dvp;
-#ifndef NFS_V2_ONLY
-		if (v3) {
-			nfsm_postop_attr(newvp, attrflag, 0);
-			nfsm_postop_attr(dvp, attrflag, 0);
-		} else
-#endif
-			nfsm_loadattr(newvp, (struct vattr *)0, 0);
+		m_freem(mrep);
+		return EBADRPC;
 	} else if (flags & ISDOTDOT) {
 		/*
 		 * ".." lookup



CVS commit: [netbsd-6-1] src/sys/arch/x86

2016-07-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul 14 06:48:53 UTC 2016

Modified Files:
src/sys/arch/x86/include [netbsd-6-1]: cpufunc.h
src/sys/arch/x86/x86 [netbsd-6-1]: errata.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1361):
sys/arch/x86/include/cpufunc.h: revision 1.19
sys/arch/x86/x86/errata.c: revision 1.23
Adapt prototypes and usage of rdmsr_locked() and wrmsr_locked() to
their implementation.  Both functions don't take the passcode as
argument.
As wrmsr_locked() no longer writes the passcode to the msr the
erratum 721 on my Opteron 2356 really gets patched and cc1 no longer
crashes with SIGSEGV.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.13.22.1 src/sys/arch/x86/include/cpufunc.h
cvs rdiff -u -r1.19.14.1 -r1.19.14.1.6.1 src/sys/arch/x86/x86/errata.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/include/cpufunc.h
diff -u src/sys/arch/x86/include/cpufunc.h:1.13 src/sys/arch/x86/include/cpufunc.h:1.13.22.1
--- src/sys/arch/x86/include/cpufunc.h:1.13	Sat Sep 24 10:32:52 2011
+++ src/sys/arch/x86/include/cpufunc.h	Thu Jul 14 06:48:53 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: cpufunc.h,v 1.13 2011/09/24 10:32:52 jym Exp $	*/
+/*	$NetBSD: cpufunc.h,v 1.13.22.1 2016/07/14 06:48:53 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2007 The NetBSD Foundation, Inc.
@@ -117,12 +117,12 @@ void	x86_reset(void);
 #define	OPTERON_MSR_PASSCODE	0x9c5a203aU
 
 uint64_t	rdmsr(u_int);
-uint64_t	rdmsr_locked(u_int, u_int);
+uint64_t	rdmsr_locked(u_int);
 int		rdmsr_safe(u_int, uint64_t *);
 uint64_t	rdtsc(void);
 uint64_t	rdpmc(u_int);
 void		wrmsr(u_int, uint64_t);
-void		wrmsr_locked(u_int, u_int, uint64_t);
+void		wrmsr_locked(u_int, uint64_t);
 void		setfs(int);
 void		setusergs(int);
 
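Review bot: The header still exports `OPTERON_MSR_PASSCODE` at L7272 while neither prototype (L7276, L7282) takes it any more, so the link between the constant and the two `_locked` functions is no longer visible to a reader of the header. A one-line comment above the prototypes, e.g. `/* rdmsr_locked()/wrmsr_locked() apply OPTERON_MSR_PASSCODE internally; callers must not pass it. */`, would keep the next caller from reintroducing the extra argument. That the implementation applies the passcode itself is inferred from the commit message, not from this hunk.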

Index: src/sys/arch/x86/x86/errata.c
diff -u src/sys/arch/x86/x86/errata.c:1.19.14.1 src/sys/arch/x86/x86/errata.c:1.19.14.1.6.1
--- src/sys/arch/x86/x86/errata.c:1.19.14.1	Mon Apr  9 18:02:25 2012
+++ src/sys/arch/x86/x86/errata.c	Thu Jul 14 06:48:53 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: errata.c,v 1.19.14.1 2012/04/09 18:02:25 riz Exp $	*/
+/*	$NetBSD: errata.c,v 1.19.14.1.6.1 2016/07/14 06:48:53 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: errata.c,v 1.19.14.1 2012/04/09 18:02:25 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: errata.c,v 1.19.14.1.6.1 2016/07/14 06:48:53 snj Exp $");
 
 #include 
 #include 
@@ -294,7 +294,7 @@ x86_errata_testmsr(struct cpu_info *ci, 
 
 	(void)ci;
 
-	val = rdmsr_locked(e->e_data1, OPTERON_MSR_PASSCODE);
+	val = rdmsr_locked(e->e_data1);
 	if ((val & e->e_data2) != 0)
 		return FALSE;
 
@@ -309,10 +309,10 @@ x86_errata_setmsr(struct cpu_info *ci, e
 
 	(void)ci;
 
-	val = rdmsr_locked(e->e_data1, OPTERON_MSR_PASSCODE);
+	val = rdmsr_locked(e->e_data1);
 	if ((val & e->e_data2) != 0)
 		return FALSE;
-	wrmsr_locked(e->e_data1, OPTERON_MSR_PASSCODE, val | e->e_data2);
+	wrmsr_locked(e->e_data1, val | e->e_data2);
 	aprint_debug_dev(ci->ci_dev, "erratum %d patched\n",
 	e->e_num);
 
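Review bot: `(void)ci;` at L7317 is now misleading, because `ci` is dereferenced at L7325 for `aprint_debug_dev()`; the cast is only warranted in `x86_errata_testmsr()` (L7306–L7314), where `ci` is otherwise unused, and dropping it here keeps the two functions consistent. Separately, the MSR write at L7324 is never read back, so if the write is silently ignored (which is what the ticket describes happening with the old passcode argument) the "patched" message still prints; a read-back comparison before the aprint would make the log trustworthy. The function body starts outside the hunk.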



CVS commit: [netbsd-6-1] src/sys/kern

2016-07-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul 14 06:44:50 UTC 2016

Modified Files:
src/sys/kern [netbsd-6-1]: kern_softint.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1356):
sys/kern/kern_softint.c: revision 1.42
fix the following softint parallel operation problem.
(0) softint handler "handler A" is established
(1) CPU#X does softint_schedule() for "handler A"
- the softhand_t is set SOFTINT_PENDING flag
- the softhand_t is NOT set SOFTINT_ACTIVE flag yet
(2) CPU#X begins other H/W interrupt processing
(3) CPU#Y does softint_disestablish() for "handler A"
- waits until softhand_t's SOFTINT_ACTIVE of all CPUs is clear
- the softhand_t has SOFTINT_PENDING set but not SOFTINT_ACTIVE,
  so CPU#Y does not wait
- unset the function of "handler A"
(4) CPU#X does softint_execute()
- the function of "handler A" is already clear, so panic


To generate a diff of this commit:
cvs rdiff -u -r1.38.8.1 -r1.38.8.1.2.1 src/sys/kern/kern_softint.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_softint.c
diff -u src/sys/kern/kern_softint.c:1.38.8.1 src/sys/kern/kern_softint.c:1.38.8.1.2.1
--- src/sys/kern/kern_softint.c:1.38.8.1	Fri Feb  8 19:32:07 2013
+++ src/sys/kern/kern_softint.c	Thu Jul 14 06:44:50 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_softint.c,v 1.38.8.1 2013/02/08 19:32:07 riz Exp $	*/
+/*	$NetBSD: kern_softint.c,v 1.38.8.1.2.1 2016/07/14 06:44:50 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007, 2008 The NetBSD Foundation, Inc.
@@ -176,7 +176,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.8.1 2013/02/08 19:32:07 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_softint.c,v 1.38.8.1.2.1 2016/07/14 06:44:50 snj Exp $");
 
 #include 
 #include 
@@ -424,8 +424,8 @@ softint_disestablish(void *arg)
 			KASSERT(sh->sh_func != NULL);
 			flags |= sh->sh_flags;
 		}
-		/* Inactive on all CPUs? */
-		if ((flags & SOFTINT_ACTIVE) == 0) {
+		/* Neither pending nor active on all CPUs? */
+		if ((flags & (SOFTINT_PENDING | SOFTINT_ACTIVE)) == 0) {
 			break;
 		}
 		/* Oops, still active.  Wait for it to clear. */
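Review bot: The comment at L7396, `/* Oops, still active.  Wait for it to clear. */`, is now stale: the test at L7393 breaks out only when neither SOFTINT_PENDING nor SOFTINT_ACTIVE is set, so the wait may also be for a handler that is scheduled but has not run yet. Suggest `/* Oops, still pending or active.  Wait for it to clear. */`. The surrounding loop starts and ends outside the hunk, so whether the wait gives a pending handler a chance to run on its CPU cannot be confirmed from here.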



CVS commit: [netbsd-6-1] src/sys/miscfs/specfs

2016-05-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue May 10 23:14:45 UTC 2016

Modified Files:
src/sys/miscfs/specfs [netbsd-6-1]: spec_vnops.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1376):
sys/miscfs/specfs/spec_vnops.c: revisions 1.161, 1.162 via patch
When spec_strategy() extracts v_rdev, take care to avoid a
race with spec_revoke.
Fixes PR kern/50467 Panic from disconnecting phone while reading its contents
--
Avoid a race with spec_revoke for the assertion too.
Final fix for PR kern/50467 Panic from disconnecting phone while reading
its contents


To generate a diff of this commit:
cvs rdiff -u -r1.134.8.1 -r1.134.8.1.6.1 src/sys/miscfs/specfs/spec_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/miscfs/specfs/spec_vnops.c
diff -u src/sys/miscfs/specfs/spec_vnops.c:1.134.8.1 src/sys/miscfs/specfs/spec_vnops.c:1.134.8.1.6.1
--- src/sys/miscfs/specfs/spec_vnops.c:1.134.8.1	Mon May  7 03:01:14 2012
+++ src/sys/miscfs/specfs/spec_vnops.c	Tue May 10 23:14:45 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: spec_vnops.c,v 1.134.8.1 2012/05/07 03:01:14 riz Exp $	*/
+/*	$NetBSD: spec_vnops.c,v 1.134.8.1.6.1 2016/05/10 23:14:45 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -58,7 +58,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.134.8.1 2012/05/07 03:01:14 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.134.8.1.6.1 2016/05/10 23:14:45 snj Exp $");
 
 #include 
 #include 
@@ -886,25 +886,44 @@ spec_strategy(void *v)
 	} */ *ap = v;
 	struct vnode *vp = ap->a_vp;
 	struct buf *bp = ap->a_bp;
+	dev_t dev;
 	int error;
 
-	KASSERT(vp == vp->v_specnode->sn_dev->sd_bdevvp);
+	dev = NODEV;
 
-	error = 0;
-	bp->b_dev = vp->v_rdev;
+	/*
+	 * Extract all the info we need from the vnode, taking care to
+	 * avoid a race with VOP_REVOKE().
+	 */
 
-	if (!(bp->b_flags & B_READ))
-		error = fscow_run(bp, false);
+	mutex_enter(vp->v_interlock);
+	if ((vp->v_iflag & VI_XLOCK) == 0 && vp->v_specnode != NULL) {
+		KASSERT(vp == vp->v_specnode->sn_dev->sd_bdevvp);
+		dev = vp->v_rdev;
+	}
+	mutex_exit(vp->v_interlock);
 
-	if (error) {
-		bp->b_error = error;
-		biodone(bp);
-		return (error);
+	if (dev == NODEV) {
+		error = ENXIO;
+		goto out;
 	}
+	bp->b_dev = dev;
 
+	if (!(bp->b_flags & B_READ)) {
+		error = fscow_run(bp, false);
+		if (error)
+			goto out;
+	}
 	bdev_strategy(bp);
 
-	return (0);
+	return 0;
+
+out:
+	bp->b_error = error;
+	bp->b_resid = bp->b_bcount;
+	biodone(bp);
+
+	return error;
 }
 
 int
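Review bot: `dev_t dev;` at L7453 and `dev = NODEV;` at L7457 can be merged into `dev_t dev = NODEV;`, matching how `vp` and `bp` are initialised at declaration two lines above and removing an assignment a reader might take for a later state change. The rest of the rewrite reads correctly from the hunk: the `VI_XLOCK`/`v_specnode` test and the `KASSERT` both run under `v_interlock`, and the `out:` path sets `b_resid` before `biodone()`, which the old code did not. spec_strategy's signature and parameter block are outside the hunk.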



CVS commit: [netbsd-6-1] src/sys/compat/netbsd32

2016-04-21 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr 21 15:23:59 UTC 2016

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-1]: netbsd32_socket.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1378):
sys/compat/netbsd32/netbsd32_socket.c: revision 1.42
Memory leak, triggerable from an unprivileged user.


To generate a diff of this commit:
cvs rdiff -u -r1.39.2.2 -r1.39.2.2.6.1 \
src/sys/compat/netbsd32/netbsd32_socket.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_socket.c
diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2 src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2.6.1
--- src/sys/compat/netbsd32/netbsd32_socket.c:1.39.2.2	Sat Aug 18 22:01:40 2012
+++ src/sys/compat/netbsd32/netbsd32_socket.c	Thu Apr 21 15:23:59 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_socket.c,v 1.39.2.2 2012/08/18 22:01:40 riz Exp $	*/
+/*	$NetBSD: netbsd32_socket.c,v 1.39.2.2.6.1 2016/04/21 15:23:59 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.39.2.2 2012/08/18 22:01:40 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.39.2.2.6.1 2016/04/21 15:23:59 martin Exp $");
 
 #include 
 #include 
@@ -331,7 +331,7 @@ netbsd32_sendmsg(struct lwp *l, const st
 	} */
 	struct msghdr msg;
 	struct netbsd32_msghdr msg32;
-	struct iovec aiov[UIO_SMALLIOV], *iov;
+	struct iovec aiov[UIO_SMALLIOV], *iov = aiov;
 	struct netbsd32_iovec *iov32;
 	size_t iovsz;
 	int error;
@@ -346,6 +346,7 @@ netbsd32_sendmsg(struct lwp *l, const st
 		error = copyin32_msg_control(l, );
 		if (error)
 			return (error);
+		/* From here on, msg.msg_control is allocated */
 	} else {
 		msg.msg_control = NULL;
 		msg.msg_controllen = 0;
@@ -353,23 +354,32 @@ netbsd32_sendmsg(struct lwp *l, const st
 
 	iovsz = msg.msg_iovlen * sizeof(struct iovec);
 	if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) {
-		if ((u_int)msg.msg_iovlen > IOV_MAX)
-			return (EMSGSIZE);
+		if ((u_int)msg.msg_iovlen > IOV_MAX) {
+			error = EMSGSIZE;
+			goto out;
+		}
 		iov = kmem_alloc(iovsz, KM_SLEEP);
-	} else
-		iov = aiov;
+	}
 
 	iov32 = NETBSD32PTR64(msg32.msg_iov);
 	error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen);
 	if (error)
-		goto done;
+		goto out;
 	msg.msg_iov = iov;
 
 	error = do_sys_sendmsg(l, SCARG(uap, s), , SCARG(uap, flags), retval);
-done:
+	/* msg.msg_control freed by do_sys_sendmsg() */
+
 	if (iov != aiov)
 		kmem_free(iov, iovsz);
 	return (error);
+
+out:
+	if (iov != aiov)
+		kmem_free(iov, iovsz);
+	if (msg.msg_control)
+		m_free(msg.msg_control);
+	return error;
 }
 
 int
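Review bot: `m_free(msg.msg_control)` at L7602 releases a single mbuf; if `copyin32_msg_control()` (called at L7561, in the previous hunk) can hand back a chain, the remainder still leaks on this error path and `m_freem(msg.msg_control)` is the safer call — that helper is not visible here, so this needs confirming against it. `iovsz` at L7570 is computed from `msg_iovlen` before the IOV_MAX bound at L7574 is checked; it is only consumed after the check, so the order is harmless, but moving the multiplication below the check would make the bound obvious. The `iov = aiov` initialiser added at L7556 is what makes the `iov != aiov` test at L7599 safe when `out:` is reached from L7576, and a comment on that line saying so would help.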



CVS commit: [netbsd-6-1] src/sys/arch/xen

2016-01-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Jan  8 21:25:28 UTC 2016

Modified Files:
src/sys/arch/xen/include/xen-public/io [netbsd-6-1]: ring.h
src/sys/arch/xen/xen [netbsd-6-1]: pciback.c xbdback_xenbus.c
xennetback_xenbus.c

Log Message:
Pull up following revision(s) (requested by bouyer in ticket #1358):
sys/arch/xen/include/xen-public/io/ring.h: revision 1.3 via patch
sys/arch/xen/xen/pciback.c: revision 1.10 via patch
sys/arch/xen/xen/xbdback_xenbus.c: revision 1.62 via patch
sys/arch/xen/xen/xennetback_xenbus.c: revision 1.54 via patch
Apply patch from xsa155: make sure that the backend won't read parts of the
request again (possibly because of compiler optimisations), by using
copies and barrier.
>From XSA155:
The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.18.1 src/sys/arch/xen/include/xen-public/io/ring.h
cvs rdiff -u -r1.7 -r1.7.16.1 src/sys/arch/xen/xen/pciback.c
cvs rdiff -u -r1.55.2.1.6.2 -r1.55.2.1.6.3 \
src/sys/arch/xen/xen/xbdback_xenbus.c
cvs rdiff -u -r1.47 -r1.47.14.1 src/sys/arch/xen/xen/xennetback_xenbus.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/xen/include/xen-public/io/ring.h
diff -u src/sys/arch/xen/include/xen-public/io/ring.h:1.2 src/sys/arch/xen/include/xen-public/io/ring.h:1.2.18.1
--- src/sys/arch/xen/include/xen-public/io/ring.h:1.2	Wed Dec  7 15:40:15 2011
+++ src/sys/arch/xen/include/xen-public/io/ring.h	Fri Jan  8 21:25:28 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: ring.h,v 1.2 2011/12/07 15:40:15 cegger Exp $ */
+/* $NetBSD: ring.h,v 1.2.18.1 2016/01/08 21:25:28 snj Exp $ */
 /**
  * ring.h
  * 
@@ -236,6 +236,20 @@ typedef struct __name##_back_ring __name
 #define RING_GET_REQUEST(_r, _idx)  \
 (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
 
+/*
+ * Get a local copy of a request.
+ *
+ * Use this in preference to RING_GET_REQUEST() so all processing is
+ * done on a local copy that cannot be modified by the other end.
+ *
+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
+ * to be ineffective where _req is a struct which consists of only bitfields.
+ */
+#define RING_COPY_REQUEST(_r, _idx, _req) do {\
+	/* Use volatile to force the copy into _req. */			\
+	*(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx);	\
+} while (0)
+
 #define RING_GET_RESPONSE(_r, _idx) \
 (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
 
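Review bot: In the macro at L7676, `typeof(_req)` is a pointer type, so `volatile typeof(_req)` reads as a volatile-qualified pointer (`T * volatile`) rather than a pointer to volatile `T`; if the compiler resolves it that way, the dereferenced struct read itself is not volatile and the copy does not force the single fetch the comment promises. This is worth confirming against the compiler actually used, since the XSA-155 mitigation rests on it; a cast whose `volatile` is applied to the pointee type (spelled via the request type rather than `typeof` of the pointer) would remove the doubt. The macro also relies on the caller never touching the shared ring slot again after the copy; a sentence saying so in the comment block at L7665–L7673 would make that contract explicit.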

Index: src/sys/arch/xen/xen/pciback.c
diff -u src/sys/arch/xen/xen/pciback.c:1.7 src/sys/arch/xen/xen/pciback.c:1.7.16.1
--- src/sys/arch/xen/xen/pciback.c:1.7	Thu Feb  2 19:43:01 2012
+++ src/sys/arch/xen/xen/pciback.c	Fri Jan  8 21:25:28 2016
@@ -1,4 +1,4 @@
-/*  $NetBSD: pciback.c,v 1.7 2012/02/02 19:43:01 tls Exp $  */
+/*  $NetBSD: pciback.c,v 1.7.16.1 2016/01/08 21:25:28 snj Exp $  */
 
 /*
  * Copyright (c) 2009 Manuel Bouyer.
@@ -26,7 +26,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pciback.c,v 1.7 2012/02/02 19:43:01 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pciback.c,v 1.7.16.1 2016/01/08 21:25:28 snj Exp $");
 
 #include "opt_xen.h"
 
@@ -188,6 +188,7 @@ struct pb_xenbus_instance {
 	/* communication with the domU */
 unsigned int pbx_evtchn; /* our even channel */
 struct xen_pci_sharedinfo *pbx_sh_info;
+struct xen_pci_op op;
 grant_handle_t pbx_shinfo_handle; /* to unmap shared page */
 };
 
@@ -712,13 +713,16 @@ pciback_xenbus_evthandler(void * arg)
 {
 	struct pb_xenbus_instance *pbxi = arg;
 	struct pciback_pci_dev *pbd;
-	struct xen_pci_op *op = >pbx_sh_info->op;
+	struct xen_pci_op *op = >op;
 	u_int bus, dev, func;
 
 	hypervisor_clear_event(pbxi->pbx_evtchn);
 	if (xen_atomic_test_bit(>pbx_sh_info->flags,
 	_XEN_PCIF_active) == 0)
 		return 0;
+
+	memcpy(op, >pbx_sh_info->op, sizeof (struct xen_pci_op));
+	__insn_barrier();
 	if (op->domain != 0) {
 		aprint_error("pciback: domain %d != 0", op->domain);
 		op->err = XEN_PCI_ERR_dev_not_found;
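Review bot: The per-instance field added at L7706 is named `op` while every sibling in `struct pb_xenbus_instance` carries the `pbx_` prefix (`pbx_evtchn`, `pbx_sh_info`, `pbx_shinfo_handle`); `pbx_op` would keep the struct's convention and make the pointer taken at L7715 read like the rest of the file. The `memcpy` at L7723 would be tighter as `memcpy(op, &pbxi->pbx_sh_info->op, sizeof *op);`, tying the size to the destination instead of repeating the type. A short comment above the copy stating that every later check deliberately operates on the private copy so the frontend cannot change the request underneath them (the XSA-155 point from the log) would help the next reader keep it that way.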
@@ -785,6 +789,8 @@ pciback_xenbus_evthandler(void * arg)
 		aprint_error("pciback: unknown cmd %d\n", op->cmd);
 		op->err = XEN_PCI_ERR_not_implemented;
 	}
+	pbxi->pbx_sh_info->op.value = op->value;
+	pbxi->pbx_sh_info->op.err = op->err;
 end:
 	xen_atomic_clear_bit(>pbx_sh_info->flags, _XEN_PCIF_active);
 	hypervisor_notify_via_evtchn(pbxi->pbx_evtchn);
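Review bot: The write-back of `value` and `err` at L7732–L7733 sits above the `end:` label, so any path between the two hunks that sets `op->err` on the private copy and then jumps to `end:` (the `domain != 0` branch at L7725–L7727 looks like a candidate) reports its error only into `pbxi->op` and never to the frontend — a regression from the old code, where `op` aliased the shared page. Moving the two assignments to just below `end:` would cover every exit. The code between the two hunks is not visible here, so whether such a jump exists needs checking.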

Index: src/sys/arch/xen/xen/xbdback_xenbus.c
diff -u 

CVS commit: [netbsd-6-1] src/sys/net

2015-11-17 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed Nov 18 07:41:17 UTC 2015

Modified Files:
src/sys/net [netbsd-6-1]: if_gif.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1345):
sys/net/if_gif.c: revision 1.91
sys/net/if_gif.c: revision 1.92
fix panic after "ifconfig gifX tunnel src dst" fails because of address
pair duplication.
e.g.

# ifconfig gif0 create
# ifconfig gif0 tunnel 192.168.0.1 192.168.0.2
# ifconfig gif0 inet 172.16.0.1/24 172.16.0.2
# route add 10.1.0.0/24 172.16.0.1
# ifconfig gif1 create
# ifconfig gif1 tunnel 192.168.0.1 192.168.0.3
# ifconfig gif0 tunnel 192.168.0.1 192.168.0.3
ifconfig: SIOCSLIFPHYADDR: Can't assign requested address # expected
# ping 10.1.0.1
(panic)

fix CID 980463


To generate a diff of this commit:
cvs rdiff -u -r1.80.8.1.2.1 -r1.80.8.1.2.2 src/sys/net/if_gif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_gif.c
diff -u src/sys/net/if_gif.c:1.80.8.1.2.1 src/sys/net/if_gif.c:1.80.8.1.2.2
--- src/sys/net/if_gif.c:1.80.8.1.2.1	Wed Nov 18 07:34:41 2015
+++ src/sys/net/if_gif.c	Wed Nov 18 07:41:17 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_gif.c,v 1.80.8.1.2.1 2015/11/18 07:34:41 msaitoh Exp $	*/
+/*	$NetBSD: if_gif.c,v 1.80.8.1.2.2 2015/11/18 07:41:17 msaitoh Exp $	*/
 /*	$KAME: if_gif.c,v 1.76 2001/08/20 02:01:02 kjc Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.80.8.1.2.1 2015/11/18 07:34:41 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.80.8.1.2.2 2015/11/18 07:41:17 msaitoh Exp $");
 
 #include "opt_inet.h"
 #include "opt_iso.h"
@@ -717,7 +717,8 @@ gif_set_tunnel(struct ifnet *ifp, struct
 		if (sockaddr_cmp(sc2->gif_pdst, dst) == 0 &&
 		sockaddr_cmp(sc2->gif_psrc, src) == 0) {
 			error = EADDRNOTAVAIL;
-			goto bad;
+			/* continue to use the old configureation. */
+			goto out;
 		}
 
 		/* XXX both end must be valid? (I mean, not 0.0.0.0) */
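Review bot: The new comment at L7805 misspells the word: `/* continue to use the old configuration. */`. It would also help to say why `out:` is the right target here (no new state has been committed at this point, as far as the hunk shows), e.g. `/* Nothing changed yet; keep the old configuration. */` — the allocations that `rollback:` undoes lie between this check and that label, outside the hunk.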
@@ -785,10 +786,8 @@ gif_set_tunnel(struct ifnet *ifp, struct
 	if (odst)
 		sockaddr_free(odst);
 
-	ifp->if_flags |= IFF_RUNNING;
-	splx(s);
-
-	return 0;
+	error = 0;
+	goto out;
 
 rollback:
 	if (sc->gif_psrc != NULL)
@@ -797,18 +796,19 @@ rollback:
 		sockaddr_free(sc->gif_pdst);
 	sc->gif_psrc = osrc;
 	sc->gif_pdst = odst;
-bad:
+
 	if (sc->gif_si) {
 		softint_disestablish(sc->gif_si);
 		sc->gif_si = NULL;
 	}
 
+out:
 	if (sc->gif_psrc && sc->gif_pdst)
 		ifp->if_flags |= IFF_RUNNING;
 	else
 		ifp->if_flags &= ~IFF_RUNNING;
-	splx(s);
 
+	splx(s);
 	return error;
 }
 



CVS commit: [netbsd-6-1] src/sys/net

2015-11-17 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed Nov 18 07:34:41 UTC 2015

Modified Files:
src/sys/net [netbsd-6-1]: if_gif.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1344):
sys/net/if_gif.c: revision 1.89
sys/net/if_gif.c: revision 1.90
CID 980463: Provide common error path for rollback. Remove extra check for
success.


To generate a diff of this commit:
cvs rdiff -u -r1.80.8.1 -r1.80.8.1.2.1 src/sys/net/if_gif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_gif.c
diff -u src/sys/net/if_gif.c:1.80.8.1 src/sys/net/if_gif.c:1.80.8.1.2.1
--- src/sys/net/if_gif.c:1.80.8.1	Fri Feb  8 20:42:51 2013
+++ src/sys/net/if_gif.c	Wed Nov 18 07:34:41 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_gif.c,v 1.80.8.1 2013/02/08 20:42:51 riz Exp $	*/
+/*	$NetBSD: if_gif.c,v 1.80.8.1.2.1 2015/11/18 07:34:41 msaitoh Exp $	*/
 /*	$KAME: if_gif.c,v 1.76 2001/08/20 02:01:02 kjc Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.80.8.1 2013/02/08 20:42:51 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.80.8.1.2.1 2015/11/18 07:34:41 msaitoh Exp $");
 
 #include "opt_inet.h"
 #include "opt_iso.h"
@@ -743,17 +743,24 @@ gif_set_tunnel(struct ifnet *ifp, struct
 #endif
 		}
 
+	osrc = sc->gif_psrc;
+	odst = sc->gif_pdst;
+	sc->gif_psrc = sc->gif_pdst = NULL;
 	sc->gif_si = softint_establish(SOFTINT_NET, gifintr, sc);
 	if (sc->gif_si == NULL) {
 		error = ENOMEM;
-		goto bad;
+		goto rollback;
 	}
 
-	osrc = sc->gif_psrc;
-	sc->gif_psrc = sockaddr_dup(src, M_WAITOK);
+	if ((sc->gif_psrc = sockaddr_dup(src, M_WAITOK)) == NULL) {
+		error = ENOMEM;
+		goto rollback;
+	}
 
-	odst = sc->gif_pdst;
-	sc->gif_pdst = sockaddr_dup(dst, M_WAITOK);
+	if ((sc->gif_pdst = sockaddr_dup(dst, M_WAITOK)) == NULL) {
+		error = ENOMEM;
+		goto rollback;
+	}
 
 	switch (sc->gif_psrc->sa_family) {
 #ifdef INET
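Review bot: `sc->gif_psrc = sc->gif_pdst = NULL;` at L7899 is what lets `rollback:` free only the pointers this call allocated, but nothing says so; a comment such as `/* Detach the old addresses so rollback: frees only what we allocate below. */` would keep a later edit from "simplifying" it away. The NULL checks after `sockaddr_dup(..., M_WAITOK)` at L7909 and L7916 look unreachable if M_WAITOK means the allocation sleeps rather than fails; harmless, but if so they are dead branches rather than error handling.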
@@ -770,33 +777,32 @@ gif_set_tunnel(struct ifnet *ifp, struct
 		error = EINVAL;
 		break;
 	}
-	if (error) {
-		/* rollback */
-		sockaddr_free(sc->gif_psrc);
-		sockaddr_free(sc->gif_pdst);
-		sc->gif_psrc = osrc;
-		sc->gif_pdst = odst;
-		goto bad;
-	}
+	if (error)
+		goto rollback;
 
 	if (osrc)
 		sockaddr_free(osrc);
 	if (odst)
 		sockaddr_free(odst);
 
-	if (sc->gif_psrc && sc->gif_pdst)
-		ifp->if_flags |= IFF_RUNNING;
-	else
-		ifp->if_flags &= ~IFF_RUNNING;
+	ifp->if_flags |= IFF_RUNNING;
 	splx(s);
 
 	return 0;
 
- bad:
+rollback:
+	if (sc->gif_psrc != NULL)
+		sockaddr_free(sc->gif_psrc);
+	if (sc->gif_pdst != NULL)
+		sockaddr_free(sc->gif_pdst);
+	sc->gif_psrc = osrc;
+	sc->gif_pdst = odst;
+bad:
 	if (sc->gif_si) {
 		softint_disestablish(sc->gif_si);
 		sc->gif_si = NULL;
 	}
+
 	if (sc->gif_psrc && sc->gif_pdst)
 		ifp->if_flags |= IFF_RUNNING;
 	else
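Review bot: On the `rollback:` path, L7958–L7959 restore `osrc`/`odst`, L7961–L7963 then disestablish and clear `sc->gif_si`, and L7966–L7967 set IFF_RUNNING whenever both old addresses are non-NULL. Unless the previous softint is re-established somewhere outside the hunk, an interface that already had a tunnel ends a failed reconfiguration marked running with `gif_si == NULL`; the later ticket on this file in the digest (L7781–L7843) reworks these exits, which suggests this combination was reached in practice. The function continues past the hunk, so the final `splx()`/return cannot be checked here.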



CVS commit: [netbsd-6-1] src/sys/dev/mii

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 17:45:59 UTC 2015

Modified Files:
src/sys/dev/mii [netbsd-6-1]: atphy.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1325):
sys/dev/mii/atphy.c: revision 1.17
  Fix incorrect argument of mii_anar(). Fixes PR#50206.
XXX pullup -[567]


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.14.1 src/sys/dev/mii/atphy.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/mii/atphy.c
diff -u src/sys/dev/mii/atphy.c:1.11 src/sys/dev/mii/atphy.c:1.11.14.1
--- src/sys/dev/mii/atphy.c:1.11	Sun Oct  2 21:42:19 2011
+++ src/sys/dev/mii/atphy.c	Sun Nov 15 17:45:59 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: atphy.c,v 1.11 2011/10/02 21:42:19 jmcneill Exp $ */
+/*	$NetBSD: atphy.c,v 1.11.14.1 2015/11/15 17:45:59 bouyer Exp $ */
 /*	$OpenBSD: atphy.c,v 1.1 2008/09/25 20:47:16 brad Exp $	*/
 
 /*-
@@ -33,7 +33,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: atphy.c,v 1.11 2011/10/02 21:42:19 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: atphy.c,v 1.11.14.1 2015/11/15 17:45:59 bouyer Exp $");
 
 #include 
 #include 
@@ -226,7 +226,7 @@ atphy_service(struct mii_softc *sc, stru
 			return EINVAL;
 		}
 
-		anar = mii_anar(ife->ifm_media);
+		anar = mii_anar(IFM_SUBTYPE(ife->ifm_media));
 		if (((ife->ifm_media & IFM_GMASK) & IFM_FDX) != 0) {
 			bmcr |= BMCR_FDX;
 			/* Enable pause. */



CVS commit: [netbsd-6-1] src/sys/kern

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:38:18 UTC 2015

Modified Files:
src/sys/kern [netbsd-6-1]: kern_exec.c kern_exit.c kern_synch.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1333):
sys/kern/kern_exec.c: revision 1.420
sys/kern/kern_synch.c: revision 1.309
sys/kern/kern_exit.c: revision 1.246
sys/kern/kern_exit.c: revision 1.247
sys/kern/kern_exec.c: revision 1.419
In execve_runproc(), update the p_waited entry for the process being
moved to SSTOP state, not for its parent.  (It is correct to update
the parent's p_nstopchild count.)  If the value is not already zero,
it could prevent its parent from waiting for the process.
Fixes PR kern/50298
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
When clearing out the scheduler queues during system shutdown, we move
all processes to the SSTOP state.  Make sure we update each process's
p_waited and the parents' p_nstopchild counters to maintain consistent
values.  Should not make any real difference this late in the shutdown
process, but we should still be consistent just in case.
Fixes PR kern/50318
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
Currently, if a process is exiting and its parent has indicated no intent
of reaping the process (nor any other children), the process will get
reparented to init.  Since the state of the exiting process at this point
is SDEAD, proc_reparent() will not update either the old or new parent's
p_nstopchild counters.
This change causes both old and new parents to be properly updated.
Fixes PR kern/50300
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
For processes marked with PS_STOPEXIT, update the process's p_waited
value, and update its parent's p_nstopchild value when marking the
process's p_stat to SSTOP.  The process needed to be SACTIVE to get
here, so this transition represents an additional process for which
the parent needs to wait.
Fixes PR kern/50308
Pullups will be requested for:
NetBSD-7, -6, -6-0, -6-1, -5, -5-0, -5-1, and -5-2
In spawn_return() we temporarily move the process state to SSTOP, but
without updating its p_waited value or its parent's p_nstopchild
counter.  Later, we restore the original state, again without any
adjustment of the related values.  This leaves a relatively short
window when the values are inconsistent and could interfere with the
proper operation of sys_wait() for the parent (if it manages to be
scheduled;  it's not totally clear what, if anything, prevents
scheduling/execution of the parent).
If during this window, any of the checks being made result in an
error, we call exit1() which will eventually migrate the process's
state to SDEAD (with an intermediate transition to SDYING).  At
this point the other variables get updated, and we finally restore
a consistent state.
This change updates the p_waited and parent's p_nstopchild at each
step to eliminate any windows during which the values could lead to
incorrect decisions.
Fixes PR kern/50330
Pullups will be requested for NetBSD-7, -6, -6-0, and -6-1


To generate a diff of this commit:
cvs rdiff -u -r1.339.2.6.2.2 -r1.339.2.6.2.3 src/sys/kern/kern_exec.c
cvs rdiff -u -r1.236.2.2 -r1.236.2.2.4.1 src/sys/kern/kern_exit.c
cvs rdiff -u -r1.297.2.1 -r1.297.2.1.6.1 src/sys/kern/kern_synch.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.339.2.6.2.2 src/sys/kern/kern_exec.c:1.339.2.6.2.3
--- src/sys/kern/kern_exec.c:1.339.2.6.2.2	Mon Apr 21 10:00:33 2014
+++ src/sys/kern/kern_exec.c	Sun Nov 15 20:38:17 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exec.c,v 1.339.2.6.2.2 2014/04/21 10:00:33 bouyer Exp $	*/
+/*	$NetBSD: kern_exec.c,v 1.339.2.6.2.3 2015/11/15 20:38:17 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.6.2.2 2014/04/21 10:00:33 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.339.2.6.2.3 2015/11/15 20:38:17 bouyer Exp $");
 
 #include "opt_exec.h"
 #include "opt_ktrace.h"
@@ -1408,7 +1408,7 @@ execve_runproc(struct lwp *l, struct exe
 	if (p->p_sflag & PS_STOPEXEC) {
 		KERNEL_UNLOCK_ALL(l, >l_biglocks);
 		p->p_pptr->p_nstopchild++;
-		p->p_pptr->p_waited = 0;
+		p->p_waited = 0;
 		mutex_enter(p->p_lock);
 		ksiginfo_queue_init();
 		sigclearall(p, , );
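Review bot: `p->p_pptr->p_nstopchild++` at L8129 and the corrected `p->p_waited = 0` at L8131 run before `mutex_enter(p->p_lock)` at L8132; the other tickets in this digest (#1334, #1335) describe `p_waited` and `p_nstopchild` as `proc_lock`-protected, so it is worth confirming that `proc_lock` is held across L8129–L8131 — the enclosing block and execve_runproc's signature start outside the hunk, so it cannot be verified here. A brief comment naming the lock that covers these two updates would spare the next reader the same check.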
@@ -1845,6 +1845,7 @@ spawn_return(void *arg)
 	struct spawn_exec_data *spawn_data = arg;
 	struct lwp *l = curlwp;
 	int error, newfd;
+	int ostat;
 	size_t i;
 	const struct posix_spawn_file_actions_entry *fae;
 	pid_t ppid;
@@ -1917,7 +1918,6 @@ spawn_return(void *arg)
 
 	/* handle posix_spawnattr */
 	if (spawn_data->sed_attrs != NULL) {
-		int ostat;
 		

CVS commit: [netbsd-6-1] src/sys/kern

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:40:31 UTC 2015

Modified Files:
src/sys/kern [netbsd-6-1]: kern_sig.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1334):
sys/kern/kern_sig.c: revision 1.321
When delivering a signal, it's possible that the process's state in
p_stat is SACTIVE yet p_sflag is PS_STOPPING (while waiting for other
lwp's to stop).  In that case, we don't want to adjust the parent's
p_nstopchild count.
Found by Robert Elz.
XXX Pullups to: NetBSD-7, -6{,-0,-1}, and -5{,-0,-1,-2}


To generate a diff of this commit:
cvs rdiff -u -r1.316 -r1.316.14.1 src/sys/kern/kern_sig.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_sig.c
diff -u src/sys/kern/kern_sig.c:1.316 src/sys/kern/kern_sig.c:1.316.14.1
--- src/sys/kern/kern_sig.c:1.316	Fri Sep 16 22:07:17 2011
+++ src/sys/kern/kern_sig.c	Sun Nov 15 20:40:31 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $	*/
+/*	$NetBSD: kern_sig.c,v 1.316.14.1 2015/11/15 20:40:31 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316 2011/09/16 22:07:17 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.316.14.1 2015/11/15 20:40:31 bouyer Exp $");
 
 #include "opt_ptrace.h"
 #include "opt_compat_sunos.h"
@@ -1461,14 +1461,13 @@ kpsignal2(struct proc *p, ksiginfo_t *ks
 		}
 		if ((prop & SA_CONT) != 0 || signo == SIGKILL) {
 			/*
-			 * Re-adjust p_nstopchild if the process wasn't
-			 * collected by its parent.
+			 * Re-adjust p_nstopchild if the process was
+			 * stopped but not yet collected by its parent.
 			 */
+			if (p->p_stat == SSTOP && !p->p_waited)
+p->p_pptr->p_nstopchild--;
 			p->p_stat = SACTIVE;
 			p->p_sflag &= ~PS_STOPPING;
-			if (!p->p_waited) {
-p->p_pptr->p_nstopchild--;
-			}
 			if (p->p_slflag & PSL_TRACED) {
 KASSERT(signo == SIGKILL);
 goto deliver;



CVS commit: [netbsd-6-1] src/sys/compat/linux/arch

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:42:39 UTC 2015

Modified Files:
src/sys/compat/linux/arch/arm [netbsd-6-1]: linux_ptrace.c
src/sys/compat/linux/arch/i386 [netbsd-6-1]: linux_ptrace.c
src/sys/compat/linux/arch/powerpc [netbsd-6-1]: linux_ptrace.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1335):
sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.31
sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.19
sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.29
Don't release proc_lock until we're done looking at things that are
protected by the lock, particularly p_stat and p_waited.  Found by
Robert Elz.
XXX Pullup to NetBSD-7, -6, -6-0, and -6-1


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.20.1 src/sys/compat/linux/arch/arm/linux_ptrace.c
cvs rdiff -u -r1.26 -r1.26.28.1 src/sys/compat/linux/arch/i386/linux_ptrace.c
cvs rdiff -u -r1.23 -r1.23.28.1 \
src/sys/compat/linux/arch/powerpc/linux_ptrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/arch/arm/linux_ptrace.c
diff -u src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16 src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16.20.1
--- src/sys/compat/linux/arch/arm/linux_ptrace.c:1.16	Wed Jul  7 01:30:33 2010
+++ src/sys/compat/linux/arch/arm/linux_ptrace.c	Sun Nov 15 20:42:39 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ptrace.c,v 1.16 2010/07/07 01:30:33 chs Exp $	*/
+/*	$NetBSD: linux_ptrace.c,v 1.16.20.1 2015/11/15 20:42:39 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
 
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.16 2010/07/07 01:30:33 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.16.20.1 2015/11/15 20:42:39 bouyer Exp $");
 
 #include 
 #include 
@@ -140,7 +140,6 @@ linux_sys_ptrace_arch(struct lwp *l, con
 		goto out;
 	}
 	mutex_enter(t->p_lock);
-	mutex_exit(proc_lock);
 
 	/*
 	 * You cannot do what you want to the process if:
@@ -148,6 +147,7 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	 */
 	if (!ISSET(t->p_slflag, PSL_TRACED)) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EPERM;
 		goto out;
 	}
@@ -160,9 +160,11 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	if (ISSET(t->p_slflag, PSL_FSTRACE) || t->p_pptr != p ||
 	t->p_stat != SSTOP || !t->p_waited) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EBUSY;
 		goto out;
 	}
+	mutex_exit(proc_lock);
 	/* XXX: ptrace needs revamp for multi-threading support. */
 	if (t->p_nlwps > 1) {
 		mutex_exit(t->p_lock);
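Review bot: The early exits now each repeat `mutex_exit(t->p_lock); mutex_exit(proc_lock);` (L8284–L8285 in the previous hunk, L8292–L8293 here) while the success path releases `proc_lock` alone at L8297 and keeps `t->p_lock`; a single error label that drops both locks in that order would remove the duplication and make it harder for a future check to forget one of the two. The same pattern appears in the i386 copy at L8321–L8348, and the powerpc diff is cut off before its body. The unlock order (`t->p_lock` before `proc_lock`) is consistent across the exits visible here.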

Index: src/sys/compat/linux/arch/i386/linux_ptrace.c
diff -u src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26 src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26.28.1
--- src/sys/compat/linux/arch/i386/linux_ptrace.c:1.26	Wed Jul  7 01:30:34 2010
+++ src/sys/compat/linux/arch/i386/linux_ptrace.c	Sun Nov 15 20:42:39 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ptrace.c,v 1.26 2010/07/07 01:30:34 chs Exp $	*/
+/*	$NetBSD: linux_ptrace.c,v 1.26.28.1 2015/11/15 20:42:39 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.26 2010/07/07 01:30:34 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.26.28.1 2015/11/15 20:42:39 bouyer Exp $");
 
 #include 
 #include 
@@ -184,7 +184,6 @@ linux_sys_ptrace_arch(struct lwp *l, con
 		return ESRCH;
 	}
 	mutex_enter(t->p_lock);
-	mutex_exit(proc_lock);
 
 	/*
 	 * You cannot do what you want to the process if:
@@ -192,6 +191,7 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	 */
 	if (!ISSET(t->p_slflag, PSL_TRACED)) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EPERM;
 		goto out;
 	}
@@ -204,9 +204,11 @@ linux_sys_ptrace_arch(struct lwp *l, con
 	if (ISSET(t->p_slflag, PSL_FSTRACE) || t->p_pptr != p ||
 	t->p_stat != SSTOP || !t->p_waited) {
 		mutex_exit(t->p_lock);
+		mutex_exit(proc_lock);
 		error = EBUSY;
 		goto out;
 	}
+	mutex_exit(proc_lock);
 	/* XXX: ptrace needs revamp for multi-threading support. */
 	if (t->p_nlwps > 1) {
 		mutex_exit(t->p_lock);
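Review bot: After this change two error paths each release t->p_lock and then proc_lock by hand, while the multi-LWP path that follows releases only p_lock because proc_lock was already dropped just above it; this mix of lock states at successive exits is exactly what produced the missing unlock the pull-up fixes. Routing the two-lock exits through one label — `mutex_exit(t->p_lock); mutex_exit(proc_lock); goto out;` becoming a single `goto out_unlock;` — would make the lock state at each exit obvious, and would keep the i386 and arm copies of this function in step. linux_sys_ptrace_arch starts and ends outside the hunk.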

Index: src/sys/compat/linux/arch/powerpc/linux_ptrace.c
diff -u src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23 src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23.28.1
--- src/sys/compat/linux/arch/powerpc/linux_ptrace.c:1.23	Thu Jul  1 02:38:28 2010
+++ src/sys/compat/linux/arch/powerpc/linux_ptrace.c	Sun Nov 15 20:42:39 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ptrace.c,v 1.23 2010/07/01 02:38:28 rmind Exp $ */
+/*	$NetBSD: linux_ptrace.c,v 1.23.28.1 2015/11/15 20:42:39 bouyer Exp $ */
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_ptrace.c,v 1.23 2010/07/01 02:38:28 rmind Exp $");
+__KERNEL_RCSID(0, 

CVS commit: [netbsd-6-1] src/sys/kern

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:44:13 UTC 2015

Modified Files:
src/sys/kern [netbsd-6-1]: kern_exit.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1336):
sys/kern/kern_exit.c: revision 1.248
Update value of p_stat before we release the proc_lock.  Thanks to
Robert Elz.
XXX Pull-ups for -7, -6{,-0,-1} and -5{,-0,-1,-2}


To generate a diff of this commit:
cvs rdiff -u -r1.236.2.2.4.1 -r1.236.2.2.4.2 src/sys/kern/kern_exit.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_exit.c
diff -u src/sys/kern/kern_exit.c:1.236.2.2.4.1 src/sys/kern/kern_exit.c:1.236.2.2.4.2
--- src/sys/kern/kern_exit.c:1.236.2.2.4.1	Sun Nov 15 20:38:18 2015
+++ src/sys/kern/kern_exit.c	Sun Nov 15 20:44:13 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exit.c,v 1.236.2.2.4.1 2015/11/15 20:38:18 bouyer Exp $	*/
+/*	$NetBSD: kern_exit.c,v 1.236.2.2.4.2 2015/11/15 20:44:13 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1998, 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.4.1 2015/11/15 20:38:18 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.236.2.2.4.2 2015/11/15 20:44:13 bouyer Exp $");
 
 #include "opt_ktrace.h"
 #include "opt_perfctrs.h"
@@ -248,8 +248,8 @@ exit1(struct lwp *l, int rv)
 		}
 		p->p_waited = 0;
 		p->p_pptr->p_nstopchild++;
-		mutex_exit(proc_lock);
 		p->p_stat = SSTOP;
+		mutex_exit(proc_lock);
 		lwp_lock(l);
 		p->p_nrlwps--;
 		l->l_stat = LSSTOP;
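Review bot: The motivation for writing `p->p_stat = SSTOP` before `mutex_exit(proc_lock)` lives only in the commit message, and nothing in the code stops it from being reordered again; a one-line comment would, e.g. `/* p_stat must change under proc_lock: tracers inspect t->p_stat with proc_lock held. */`. That the tracer side reads p_stat under proc_lock is suggested by the linux_ptrace pull-up in this batch but is not visible in this hunk, so verify before committing to that wording. exit1() starts and ends outside the hunk.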



CVS commit: [netbsd-6-1] src/sys/compat/osf1

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:48:45 UTC 2015

Modified Files:
src/sys/compat/osf1 [netbsd-6-1]: osf1_socket.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1338):
sys/compat/osf1/osf1_socket.c: revision 1.21
easy kmem_alloc(0)
ok shm@


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.28.1 src/sys/compat/osf1/osf1_socket.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/osf1/osf1_socket.c
diff -u src/sys/compat/osf1/osf1_socket.c:1.20 src/sys/compat/osf1/osf1_socket.c:1.20.28.1
--- src/sys/compat/osf1/osf1_socket.c:1.20	Fri Apr 23 15:19:21 2010
+++ src/sys/compat/osf1/osf1_socket.c	Sun Nov 15 20:48:45 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: osf1_socket.c,v 1.20 2010/04/23 15:19:21 rmind Exp $ */
+/* $NetBSD: osf1_socket.c,v 1.20.28.1 2015/11/15 20:48:45 bouyer Exp $ */
 
 /*
  * Copyright (c) 1999 Christopher G. Demetriou.  All rights reserved.
@@ -58,7 +58,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: osf1_socket.c,v 1.20 2010/04/23 15:19:21 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: osf1_socket.c,v 1.20.28.1 2015/11/15 20:48:45 bouyer Exp $");
 
 #include 
 #include 
@@ -116,7 +116,7 @@ osf1_sys_sendmsg_xopen(struct lwp *l, co
 		return (EINVAL);
 
 	iov_len = bsd_msghdr.msg_iovlen;
-	if (iov_len > IOV_MAX)
+	if ((iov_len > IOV_MAX) || (iov_len == 0))
 		return EMSGSIZE;
 	bsd_iovec = kmem_alloc(iov_len * sizeof(struct iovec), KM_SLEEP);
 	bsd_msghdr.msg_iov = bsd_iovec;
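Review bot: The added `iov_len == 0` test closes the kmem_alloc(0) case, but if `iov_len` (assigned from `bsd_msghdr.msg_iovlen`, whose declaration is outside the hunk) is a signed integer, a negative value still passes both comparisons and `iov_len * sizeof(struct iovec)` becomes an enormous size_t handed to kmem_alloc with KM_SLEEP. If the type is signed, `if (iov_len <= 0 || iov_len > IOV_MAX)` covers all three cases in one place; if it is unsigned, the check as committed is complete. osf1_sys_sendmsg_xopen continues outside the hunk.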



CVS commit: [netbsd-6-1] src/sys/arch/x86/x86

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:52:15 UTC 2015

Modified Files:
src/sys/arch/x86/x86 [netbsd-6-1]: bus_dma.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1339):
sys/arch/x86/x86/bus_dma.c: revision 1.72
sys/arch/x86/x86/bus_dma.c: revision 1.73
sys/arch/x86/x86/bus_dma.c: revision 1.74
- If we succeeded allocating a buffer that did not need bouncing before, but
  the buffer in the previous mapping did, clear the bounce bit. Fixes the
  ld_virtio.c bug with machines 8GB and dd if=/dev/zero of=crash bs=1g count=4.
- Allocate with M_ZERO instead of doing memset
- The panic string can take a format, use it.
- When checking for the bounce buffer boundary check addr + len < limit, not
  addr < limit.
make sure we have a cookie before we try to clear it.
fix operator precedence.


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.68.16.1 src/sys/arch/x86/x86/bus_dma.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/bus_dma.c
diff -u src/sys/arch/x86/x86/bus_dma.c:1.68 src/sys/arch/x86/x86/bus_dma.c:1.68.16.1
--- src/sys/arch/x86/x86/bus_dma.c:1.68	Fri Oct 14 18:28:04 2011
+++ src/sys/arch/x86/x86/bus_dma.c	Sun Nov 15 20:52:15 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: bus_dma.c,v 1.68 2011/10/14 18:28:04 bouyer Exp $	*/
+/*	$NetBSD: bus_dma.c,v 1.68.16.1 2015/11/15 20:52:15 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2007 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bus_dma.c,v 1.68 2011/10/14 18:28:04 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bus_dma.c,v 1.68.16.1 2015/11/15 20:52:15 bouyer Exp $");
 
 /*
  * The following is included because _bus_dma_uiomove is derived from
@@ -283,11 +283,10 @@ _bus_dmamap_create(bus_dma_tag_t t, bus_
 	error = 0;
 	mapsize = sizeof(struct x86_bus_dmamap) +
 	(sizeof(bus_dma_segment_t) * (nsegments - 1));
-	if ((mapstore = malloc(mapsize, M_DMAMAP,
-	(flags & BUS_DMA_NOWAIT) ? M_NOWAIT : M_WAITOK)) == NULL)
+	if ((mapstore = malloc(mapsize, M_DMAMAP, M_ZERO |
+	((flags & BUS_DMA_NOWAIT) ? M_NOWAIT : M_WAITOK))) == NULL)
 		return (ENOMEM);
 
-	memset(mapstore, 0, mapsize);
 	map = (struct x86_bus_dmamap *)mapstore;
 	map->_dm_size = size;
 	map->_dm_segcnt = nsegments;
@@ -323,12 +322,11 @@ _bus_dmamap_create(bus_dma_tag_t t, bus_
 	/*
 	 * Allocate our cookie.
 	 */
-	if ((cookiestore = malloc(cookiesize, M_DMAMAP,
-	(flags & BUS_DMA_NOWAIT) ? M_NOWAIT : M_WAITOK)) == NULL) {
+	if ((cookiestore = malloc(cookiesize, M_DMAMAP, M_ZERO |
+	((flags & BUS_DMA_NOWAIT) ? M_NOWAIT : M_WAITOK))) == NULL) {
 		error = ENOMEM;
 		goto out;
 	}
-	memset(cookiestore, 0, cookiesize);
 	cookie = (struct x86_bus_dma_cookie *)cookiestore;
 	cookie->id_flags = cookieflags;
 	map->_dm_cookie = cookie;
@@ -391,6 +389,8 @@ _bus_dmamap_load(bus_dma_tag_t t, bus_dm
 	}
 	error = _bus_dmamap_load_buffer(t, map, buf, buflen, vm, flags);
 	if (error == 0) {
+		if (cookie != NULL)
+			cookie->id_flags &= ~X86_DMA_IS_BOUNCING;
 		map->dm_mapsize = buflen;
 		return 0;
 	}
@@ -789,7 +789,7 @@ _bus_dmamap_sync(bus_dma_tag_t t, bus_dm
 	 */
 	if ((ops & (BUS_DMASYNC_PREREAD|BUS_DMASYNC_PREWRITE)) != 0 &&
 	(ops & (BUS_DMASYNC_POSTREAD|BUS_DMASYNC_POSTWRITE)) != 0)
-		panic("_bus_dmamap_sync: mix PRE and POST");
+		panic("%s: mix PRE and POST", __func__);
 
 #ifdef DIAGNOSTIC
 	if ((ops & (BUS_DMASYNC_PREWRITE|BUS_DMASYNC_POSTREAD)) != 0) {
@@ -916,16 +916,17 @@ _bus_dmamap_sync(bus_dma_tag_t t, bus_dm
 	}
 
 	case X86_DMA_BUFTYPE_RAW:
-		panic("_bus_dmamap_sync: X86_DMA_BUFTYPE_RAW");
+		panic("%s: X86_DMA_BUFTYPE_RAW", __func__);
 		break;
 
 	case X86_DMA_BUFTYPE_INVALID:
-		panic("_bus_dmamap_sync: X86_DMA_BUFTYPE_INVALID");
+		panic("%s: X86_DMA_BUFTYPE_INVALID", __func__);
 		break;
 
 	default:
-		printf("unknown buffer type %d\n", cookie->id_buftype);
-		panic("_bus_dmamap_sync");
+		panic("%s: unknown buffer type %d", __func__,
+		cookie->id_buftype);
+		break;
 	}
 end:
 	if (ops & (BUS_DMASYNC_PREWRITE|BUS_DMASYNC_POSTWRITE)) {
@@ -1233,19 +1234,20 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t,
 		curaddr = _BUS_VIRT_TO_BUS(pmap, vaddr);
 
 		/*
+		 * Compute the segment size, and adjust counts.
+		 */
+		sgsize = PAGE_SIZE - ((u_long)vaddr & PGOFSET);
+		if (buflen < sgsize)
+			sgsize = buflen;
+
+		/*
 		 * If we're beyond the bounce threshold, notify
 		 * the caller.
 		 */
 		if (map->_dm_bounce_thresh != 0 &&
-		curaddr >= map->_dm_bounce_thresh)
+		curaddr + sgsize >= map->_dm_bounce_thresh)
 			return (EINVAL);
 
-		/*
-		 * Compute the segment size, and adjust counts.
-		 */
-		sgsize = PAGE_SIZE - ((u_long)vaddr & PGOFSET);
-		if (buflen < sgsize)
-			sgsize = buflen;
 
 		error = _bus_dmamap_load_busaddr(t, map, curaddr, sgsize);
 		if (error)
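Review bot: The new bounce test `curaddr + sgsize >= map->_dm_bounce_thresh` rejects a segment whose last byte sits at `_dm_bounce_thresh - 1`, i.e. one that lies entirely below the threshold: a segment occupies [curaddr, curaddr + sgsize), so the exact-fit case `curaddr + sgsize == _dm_bounce_thresh` is bounced for nothing. With page-sized segments this is the last page below the threshold on every load, so `curaddr + sgsize > map->_dm_bounce_thresh` is the check that matches the intent stated in the log. If bus_addr_t can be narrower than the physical address space on some configuration, the sum can also wrap, which `curaddr >= thresh || sgsize > thresh - curaddr` avoids; whether that is possible depends on types declared outside the hunk. _bus_dmamap_load_buffer starts and ends outside the hunk.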



CVS commit: [netbsd-6-1] src/sys/arch/x86/x86

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 20:57:11 UTC 2015

Modified Files:
src/sys/arch/x86/x86 [netbsd-6-1]: sys_machdep.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1341):
sys/arch/x86/x86/sys_machdep.c: revision 1.29
fix broken error handling; error was used uninitialized. Changing the
compilation flags broke all threaded programs for me.
XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.16.1 src/sys/arch/x86/x86/sys_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/sys_machdep.c
diff -u src/sys/arch/x86/x86/sys_machdep.c:1.25 src/sys/arch/x86/x86/sys_machdep.c:1.25.16.1
--- src/sys/arch/x86/x86/sys_machdep.c:1.25	Mon Oct 10 15:15:28 2011
+++ src/sys/arch/x86/x86/sys_machdep.c	Sun Nov 15 20:57:11 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_machdep.c,v 1.25 2011/10/10 15:15:28 jakllsch Exp $	*/
+/*	$NetBSD: sys_machdep.c,v 1.25.16.1 2015/11/15 20:57:11 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2007, 2009 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.25 2011/10/10 15:15:28 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.25.16.1 2015/11/15 20:57:11 bouyer Exp $");
 
 #include "opt_mtrr.h"
 #include "opt_perfctrs.h"
@@ -657,7 +657,6 @@ x86_set_sdbase(void *arg, char which, lw
 #else
 	struct pcb *pcb;
 	vaddr_t base;
-	int error;
 
 	if (l->l_proc->p_flag & PK_32) {
 		return x86_set_sdbase32(arg, which, l, direct);
@@ -666,7 +665,7 @@ x86_set_sdbase(void *arg, char which, lw
 	if (direct) {
 		base = (vaddr_t)arg;
 	} else {
-		error = copyin(arg, , sizeof(base));
+		int error = copyin(arg, , sizeof(base));
 		if (error != 0)
 			return error;
 	}
@@ -674,10 +673,6 @@ x86_set_sdbase(void *arg, char which, lw
 	if (base >= VM_MAXUSER_ADDRESS)
 		return EINVAL;
 
-	if (error) {
-		return error;
-	}
-
 	pcb = lwp_getpcb(l);
 
 	kpreempt_disable();
@@ -697,7 +692,7 @@ x86_set_sdbase(void *arg, char which, lw
 	}
 	kpreempt_enable();
 
-	return error;
+	return 0;
 #endif
 }
 



CVS commit: [netbsd-6-1] src/sys/arch/sparc64/sparc64

2015-11-15 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 15 21:02:22 UTC 2015

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6-1]: locore.s netbsd32_machdep.c
vm_machdep.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1343):
sys/arch/sparc64/sparc64/locore.s: revision 1.386
sys/arch/sparc64/sparc64/vm_machdep.c: revision 1.101
sys/arch/sparc64/sparc64/netbsd32_machdep.c: revision 1.105
sys/arch/sparc64/sparc64/netbsd32_machdep.c: revision 1.106
Basically revert r1.246 of locore.s and r1.73 of vm_machdep.c:
Remove special case handling for userland lwps from cpu_lwp_fork,
instead do it in lwp_trampoline when we first return to userland.
which was a stupid idea - since we did now set all fork child's %tstate
(and thus %pstate when back in userland) to the current kernel's userland
default. This meant we lost the address mask bit for 32bit processes and
all memory model details for 64bit ones.
Move it back to cpu_lwp_fork and fix the condition to only do it once when
forking init.
Fix kmem_free() size mismatch
Convert siginfo to 32bit version before copying it out to 32bit userland.


To generate a diff of this commit:
cvs rdiff -u -r1.338.8.4.2.1 -r1.338.8.4.2.2 \
src/sys/arch/sparc64/sparc64/locore.s
cvs rdiff -u -r1.96.2.1 -r1.96.2.1.6.1 \
src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
cvs rdiff -u -r1.98 -r1.98.14.1 src/sys/arch/sparc64/sparc64/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/locore.s
diff -u src/sys/arch/sparc64/sparc64/locore.s:1.338.8.4.2.1 src/sys/arch/sparc64/sparc64/locore.s:1.338.8.4.2.2
--- src/sys/arch/sparc64/sparc64/locore.s:1.338.8.4.2.1	Sat Dec 14 19:33:54 2013
+++ src/sys/arch/sparc64/sparc64/locore.s	Sun Nov 15 21:02:22 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.s,v 1.338.8.4.2.1 2013/12/14 19:33:54 bouyer Exp $	*/
+/*	$NetBSD: locore.s,v 1.338.8.4.2.2 2015/11/15 21:02:22 bouyer Exp $	*/
 
 /*
  * Copyright (c) 2006-2010 Matthew R. Green
@@ -5372,12 +5372,6 @@ ENTRY(lwp_trampoline)
 	 mov	%l1, %o0
 
 	/*
-	 * Going to userland - set proper tstate in trap frame
-	 */
-	set	(ASI_PRIMARY_NO_FAULT<ksi_signo;
 	ucontext32_t uc;
 	struct sparc32_sigframe_siginfo *fp;
+	siginfo32_t si32;	
 	netbsd32_intptr_t catcher;
 	struct trapframe64 *tf = l->l_md.md_tf;
 	struct rwindow32 *oldsp, *newsp;
@@ -342,15 +343,16 @@ netbsd32_sendsig_siginfo(const ksiginfo_
 	else
 		fp = (struct sparc32_sigframe_siginfo *)oldsp;
 	fp = (struct sparc32_sigframe_siginfo*)((u_long)(fp - 1) & ~7);
+
 	/*
 	 * Build the signal context to be used by sigreturn.
 	 */
+	memset(, 0, sizeof uc);
 	uc.uc_flags = _UC_SIGMASK |
 		((l->l_sigstk.ss_flags & SS_ONSTACK)
 			? _UC_SETSTACK : _UC_CLRSTACK);
 	uc.uc_sigmask = *mask;
 	uc.uc_link = (uint32_t)(uintptr_t)l->l_ctxlink;
-	memset(_stack, 0, sizeof(uc.uc_stack));
 
 	sendsig_reset(l, sig);
 
@@ -365,9 +367,10 @@ netbsd32_sendsig_siginfo(const ksiginfo_
 	 */
 	mutex_exit(p->p_lock);
 	cpu_getmcontext32(l, _mcontext, _flags);
+	netbsd32_si_to_si32(, (const siginfo_t *)>ksi_info);
 	ucsz = (int)(intptr_t)__uc_pad - (int)(intptr_t)
 	newsp = (struct rwindow32*)((intptr_t)fp - sizeof(struct frame32));
-	error = (copyout(>ksi_info, >sf_si, sizeof ksi->ksi_info) ||
+	error = (copyout(, >sf_si, sizeof si32) ||
 	copyout(, >sf_uc, ucsz) ||
 	suword(>rw_in[6], (intptr_t)oldsp));
 	mutex_enter(p->p_lock);
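Review bot: `si32` is a stack-allocated `siginfo32_t` (declared in the earlier hunk) that is filled by the netbsd32_si_to_si32() call and then copied out in full with `sizeof si32`; unless that helper zeroes its destination before filling the members relevant to the particular signal — it is not visible here — the union padding and unused members reach userland as uninitialized kernel stack. The same commit zeroes `uc` in full for exactly this reason, so the symmetric `memset(&si32, 0, sizeof si32);` before the conversion is cheap insurance either way. netbsd32_sendsig_siginfo starts and ends outside the hunk.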
@@ -1367,7 +1370,8 @@ startlwp32(void *arg)
 	error = cpu_setmcontext32(l, >uc_mcontext, uc->uc_flags);
 	KASSERT(error == 0);
 
-	kmem_free(uc, sizeof(ucontext32_t));
+	/* Note: we are freeing ucontext_t, not ucontext32_t. */
+	kmem_free(arg, sizeof(ucontext_t));
 	userret(l, 0, 0);
 }
 


CVS commit: [netbsd-6-1] src/sys/arch/xen/xen

2015-11-15 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Mon Nov 16 07:52:12 UTC 2015

Modified Files:
src/sys/arch/xen/xen [netbsd-6-1]: xbdback_xenbus.c

Log Message:
Pull up following revision(s) (requested by bouyer in ticket #1347):
sys/arch/xen/xen/xbdback_xenbus.c: revision 1.61
Fix typo which caused the kernel thread to be created with a 0 priority.
This would cause the thread to be almost never scheduled when a userland
process could use all CPU.
Should fix the problem reported by Torbjörn Granlund on port-xen@


To generate a diff of this commit:
cvs rdiff -u -r1.55.2.1.6.1 -r1.55.2.1.6.2 \
src/sys/arch/xen/xen/xbdback_xenbus.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/xen/xen/xbdback_xenbus.c
diff -u src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1.6.1 src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1.6.2
--- src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1.6.1	Thu Nov  7 20:19:40 2013
+++ src/sys/arch/xen/xen/xbdback_xenbus.c	Mon Nov 16 07:52:12 2015
@@ -1,4 +1,4 @@
-/*  $NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.1 2013/11/07 20:19:40 snj Exp $  */
+/*  $NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.2 2015/11/16 07:52:12 msaitoh Exp $  */
 
 /*
  * Copyright (c) 2006 Manuel Bouyer.
@@ -26,7 +26,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.1 2013/11/07 20:19:40 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.2 2015/11/16 07:52:12 msaitoh Exp $");
 
 #include 
 #include 
@@ -648,7 +648,7 @@ xbdback_connect(struct xbdback_instance 
 	hypervisor_enable_event(xbdi->xbdi_evtchn);
 	hypervisor_notify_via_evtchn(xbdi->xbdi_evtchn);
 
-	if (kthread_create(IPL_NONE, KTHREAD_MPSAFE, NULL,
+	if (kthread_create(PRI_NONE, KTHREAD_MPSAFE, NULL,
 	xbdback_thread, xbdi, NULL, "%s", xbdi->xbdi_name) == 0)
 		return 0;
 



CVS commit: [netbsd-6-1] src/sys/compat/netbsd32

2015-08-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Aug  2 12:53:00 UTC 2015

Modified Files:
src/sys/compat/netbsd32 [netbsd-6-1]: netbsd32_ioctl.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1318):
sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82
Wrong logic. Here, userland can control the size and the data copied, which
basically means it can overflow kernel memory.
ok martin@ christos@


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.64.14.1 src/sys/compat/netbsd32/netbsd32_ioctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_ioctl.c
diff -u src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64 src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.14.1
--- src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64	Thu Oct  6 03:19:32 2011
+++ src/sys/compat/netbsd32/netbsd32_ioctl.c	Sun Aug  2 12:52:59 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_ioctl.c,v 1.64 2011/10/06 03:19:32 macallan Exp $	*/
+/*	$NetBSD: netbsd32_ioctl.c,v 1.64.14.1 2015/08/02 12:52:59 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -31,7 +31,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: netbsd32_ioctl.c,v 1.64 2011/10/06 03:19:32 macallan Exp $);
+__KERNEL_RCSID(0, $NetBSD: netbsd32_ioctl.c,v 1.64.14.1 2015/08/02 12:52:59 martin Exp $);
 
 #include sys/param.h
 #include sys/systm.h
@@ -192,7 +192,7 @@ netbsd32_to_if_addrprefreq(const struct 
 	strlcpy(ifap-ifap_name, ifap32-ifap_name, sizeof(ifap-ifap_name));
 	ifap-ifap_preference = ifap32-ifap_preference;
 	memcpy(ifap-ifap_addr, ifap32-ifap_addr,
-	max(ifap32-ifap_addr.ss_len, _SS_MAXSIZE));
+	min(ifap32-ifap_addr.ss_len, _SS_MAXSIZE));
 }
 
 static inline void
@@ -425,7 +425,7 @@ netbsd32_from_if_addrprefreq(const struc
 	strlcpy(ifap32-ifap_name, ifap-ifap_name, sizeof(ifap32-ifap_name));
 	ifap32-ifap_preference = ifap-ifap_preference;
 	memcpy(ifap32-ifap_addr, ifap-ifap_addr,
-	max(ifap-ifap_addr.ss_len, _SS_MAXSIZE));
+	min(ifap-ifap_addr.ss_len, _SS_MAXSIZE));
 }
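Review bot: With `min(ss_len, _SS_MAXSIZE)` the copy can no longer overrun, but for an `ss_len` below `_SS_MAXSIZE` the tail of `ifap32->ifap_addr` is left untouched; `ifap32` is the structure later copied out to the 32-bit process, so if the caller (outside the hunk) does not zero it first those bytes are uninitialized kernel memory handed to userland. If `ifap32->ifap_addr` and `ifap->ifap_addr` are both a full `struct sockaddr_storage`, copying `sizeof(ifap32->ifap_addr)` bytes unconditionally is simpler and leaves nothing stale; otherwise a `memset(&ifap32->ifap_addr, 0, sizeof(ifap32->ifap_addr));` before the memcpy does the job. netbsd32_from_if_addrprefreq starts outside the hunk.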
 
 static inline void



CVS commit: [netbsd-6-1] src/sys/netinet

2015-07-24 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Jul 24 07:36:05 UTC 2015

Modified Files:
src/sys/netinet [netbsd-6-1]: tcp_input.c tcp_output.c

Log Message:
Pull up following revision(s) (requested by matt in ticket #1315):
sys/netinet/tcp_output.c: revision 1.184
sys/netinet/tcp_input.c: revision 1.343

If we are sending a window probe and there's unacked data in the
socket, make sure at least the persist timer is running.
Make sure that snd_win doesn't go negative.


To generate a diff of this commit:
cvs rdiff -u -r1.321 -r1.321.8.1 src/sys/netinet/tcp_input.c
cvs rdiff -u -r1.173.8.1 -r1.173.8.2 src/sys/netinet/tcp_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.321 src/sys/netinet/tcp_input.c:1.321.8.1
--- src/sys/netinet/tcp_input.c:1.321	Wed Jan 11 14:39:08 2012
+++ src/sys/netinet/tcp_input.c	Fri Jul 24 07:36:05 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.321 2012/01/11 14:39:08 drochner Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.321.8.1 2015/07/24 07:36:05 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_input.c,v 1.321 2012/01/11 14:39:08 drochner Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_input.c,v 1.321.8.1 2015/07/24 07:36:05 martin Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -2719,7 +2719,10 @@ after_listen:
 tp-t_lastm = NULL;
 			sbdrop(so-so_snd, acked);
 			tp-t_lastoff -= acked;
-			tp-snd_wnd -= acked;
+			if (tp-snd_wnd  acked)
+tp-snd_wnd -= acked;
+			else
+tp-snd_wnd = 0;
 			ourfinisacked = 0;
 		}
 		sowwakeup(so);

Index: src/sys/netinet/tcp_output.c
diff -u src/sys/netinet/tcp_output.c:1.173.8.1 src/sys/netinet/tcp_output.c:1.173.8.2
--- src/sys/netinet/tcp_output.c:1.173.8.1	Mon Nov  3 23:05:59 2014
+++ src/sys/netinet/tcp_output.c	Fri Jul 24 07:36:05 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_output.c,v 1.173.8.1 2014/11/03 23:05:59 msaitoh Exp $	*/
+/*	$NetBSD: tcp_output.c,v 1.173.8.2 2015/07/24 07:36:05 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.173.8.1 2014/11/03 23:05:59 msaitoh Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.173.8.2 2015/07/24 07:36:05 martin Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -1527,14 +1527,24 @@ send:
 		 * of retransmit time.
 		 */
 timer:
-		if (TCP_TIMER_ISARMED(tp, TCPT_REXMT) == 0 
-			((sack_rxmit  tp-snd_nxt != tp-snd_max) ||
-		tp-snd_nxt != tp-snd_una)) {
-			if (TCP_TIMER_ISARMED(tp, TCPT_PERSIST)) {
-TCP_TIMER_DISARM(tp, TCPT_PERSIST);
+		if (TCP_TIMER_ISARMED(tp, TCPT_REXMT) == 0) {
+			if ((sack_rxmit  tp-snd_nxt != tp-snd_max)
+			|| tp-snd_nxt != tp-snd_una) {
+if (TCP_TIMER_ISARMED(tp, TCPT_PERSIST)) {
+	TCP_TIMER_DISARM(tp, TCPT_PERSIST);
+	tp-t_rxtshift = 0;
+}
+TCP_TIMER_ARM(tp, TCPT_REXMT, tp-t_rxtcur);
+			} else if (len == 0  so-so_snd.sb_cc  0
+			 TCP_TIMER_ISARMED(tp, TCPT_PERSIST) == 0) {
+/*
+ * If we are sending a window probe and there's
+ * unacked data in the socket, make sure at
+ * least the persist timer is running.
+ */
 tp-t_rxtshift = 0;
+tcp_setpersist(tp);
 			}
-			TCP_TIMER_ARM(tp, TCPT_REXMT, tp-t_rxtcur);
 		}
 	} else
 		if (SEQ_GT(tp-snd_nxt + len, tp-snd_max))



CVS commit: [netbsd-6-1] src/sys/arch/xen/xen

2015-05-26 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed May 27 05:56:42 UTC 2015

Modified Files:
src/sys/arch/xen/xen [netbsd-6-1]: xenevt.c

Log Message:
Pull up following revision(s) (requested by bouyer in ticket #1299):
sys/arch/xen/xen/xenevt.c: revision 1.42
Fix off by one error, pointed out by Wei Liu in port-xen/49919


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.18.1 src/sys/arch/xen/xen/xenevt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/xen/xen/xenevt.c
diff -u src/sys/arch/xen/xen/xenevt.c:1.39 src/sys/arch/xen/xen/xenevt.c:1.39.18.1
--- src/sys/arch/xen/xen/xenevt.c:1.39	Sat Dec  3 22:41:40 2011
+++ src/sys/arch/xen/xen/xenevt.c	Wed May 27 05:56:42 2015
@@ -1,4 +1,4 @@
-/*  $NetBSD: xenevt.c,v 1.39 2011/12/03 22:41:40 bouyer Exp $  */
+/*  $NetBSD: xenevt.c,v 1.39.18.1 2015/05/27 05:56:42 msaitoh Exp $  */
 
 /*
  * Copyright (c) 2005 Manuel Bouyer.
@@ -26,7 +26,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: xenevt.c,v 1.39 2011/12/03 22:41:40 bouyer Exp $);
+__KERNEL_RCSID(0, $NetBSD: xenevt.c,v 1.39.18.1 2015/05/27 05:56:42 msaitoh Exp $);
 
 #include opt_xen.h
 #include sys/param.h
@@ -479,7 +479,7 @@ xenevt_fwrite(struct file *fp, off_t *of
 	if (uio-uio_resid == 0)
 		return (0);
 	nentries = uio-uio_resid / sizeof(uint16_t);
-	if (nentries  NR_EVENT_CHANNELS)
+	if (nentries = NR_EVENT_CHANNELS)
 		return EMSGSIZE;
 	chans = kmem_alloc(nentries * sizeof(uint16_t), KM_SLEEP);
 	if (chans == NULL)
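Review bot: The `uio_resid == 0` guard does not cover a write of a single byte: `nentries = uio->uio_resid / sizeof(uint16_t)` is then 0, it passes the new upper-bound test, and `kmem_alloc(0, KM_SLEEP)` is called — the same class of problem another pull-up in this batch fixes in osf1_socket.c. Rejecting it together with the upper bound, `if (nentries == 0 || nentries >= NR_EVENT_CHANNELS) return EMSGSIZE;`, closes it; the odd trailing byte is already discarded by the division. The `chans == NULL` test after a KM_SLEEP allocation can never fire and could go. xenevt_fwrite continues outside the hunk.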
@@ -572,7 +572,7 @@ xenevt_fioctl(struct file *fp, u_long cm
 	{
 		struct ioctl_evtchn_unbind *unbind = addr;
 		
-		if (unbind-port  NR_EVENT_CHANNELS)
+		if (unbind-port = NR_EVENT_CHANNELS)
 			return EINVAL;
 		mutex_enter(devevent_lock);
 		if (devevent[unbind-port] != d) {
@@ -593,7 +593,7 @@ xenevt_fioctl(struct file *fp, u_long cm
 	{
 		struct ioctl_evtchn_notify *notify = addr;
 		
-		if (notify-port  NR_EVENT_CHANNELS)
+		if (notify-port = NR_EVENT_CHANNELS)
 			return EINVAL;
 		mutex_enter(devevent_lock);
 		if (devevent[notify-port] != d) {



CVS commit: [netbsd-6-1] src/sys/arch/sparc/stand/ofwboot

2015-04-16 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Thu Apr 16 09:18:46 UTC 2015

Modified Files:
src/sys/arch/sparc/stand/ofwboot [netbsd-6-1]: Locore.c

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1285):
sys/arch/sparc/stand/ofwboot/Locore.c: revision 1.14
Fix kernel loading failures from partitions that start beyond the first
4GB of the disk on sparc64.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.24.1 src/sys/arch/sparc/stand/ofwboot/Locore.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/stand/ofwboot/Locore.c
diff -u src/sys/arch/sparc/stand/ofwboot/Locore.c:1.12 src/sys/arch/sparc/stand/ofwboot/Locore.c:1.12.24.1
--- src/sys/arch/sparc/stand/ofwboot/Locore.c:1.12	Sat May 21 15:50:42 2011
+++ src/sys/arch/sparc/stand/ofwboot/Locore.c	Thu Apr 16 09:18:46 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: Locore.c,v 1.12 2011/05/21 15:50:42 tsutsui Exp $	*/
+/*	$NetBSD: Locore.c,v 1.12.24.1 2015/04/16 09:18:46 msaitoh Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996 Wolfgang Solfrank.
@@ -302,8 +302,8 @@ OF_seek(int handle, u_quad_t pos)
 	args.nargs = 3;
 	args.nreturns = 1;
 	args.handle = HDL2CELL(handle);
-	args.poshi = HDL2CELL(pos  32);
-	args.poslo = HDL2CELL(pos);
+	args.poshi = HDQ2CELL_HI(pos);
+	args.poslo = HDQ2CELL_LO(pos);
 	if (openfirmware(args) == -1) {
 		return -1;
 	}



CVS commit: [netbsd-6-1] src/sys/dev/ic

2015-03-05 Thread Jeff Rizzo
Module Name:src
Committed By:   riz
Date:   Thu Mar  5 22:22:53 UTC 2015

Modified Files:
src/sys/dev/ic [netbsd-6-1]: tulip.c

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1262):
sys/dev/ic/tulip.c: revision 1.185
Stop the interface before detaching to avoid the race between
tlp_detach() and tlp_intr().
While there, add missing callout_destroy()s.


To generate a diff of this commit:
cvs rdiff -u -r1.180 -r1.180.8.1 src/sys/dev/ic/tulip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/tulip.c
diff -u src/sys/dev/ic/tulip.c:1.180 src/sys/dev/ic/tulip.c:1.180.8.1
--- src/sys/dev/ic/tulip.c:1.180	Thu Feb  2 19:43:03 2012
+++ src/sys/dev/ic/tulip.c	Thu Mar  5 22:22:53 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: tulip.c,v 1.180 2012/02/02 19:43:03 tls Exp $	*/
+/*	$NetBSD: tulip.c,v 1.180.8.1 2015/03/05 22:22:53 riz Exp $	*/
 
 /*-
  * Copyright (c) 1998, 1999, 2000, 2002 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tulip.c,v 1.180 2012/02/02 19:43:03 tls Exp $);
+__KERNEL_RCSID(0, $NetBSD: tulip.c,v 1.180.8.1 2015/03/05 22:22:53 riz Exp $);
 
 
 #include sys/param.h
@@ -595,7 +595,7 @@ tlp_detach(struct tulip_softc *sc)
 	struct tulip_rxsoft *rxs;
 	struct tulip_txsoft *txs;
 	device_t self = sc-sc_dev;
-	int i;
+	int i, s;
 
 	/*
 	 * Succeed now if there isn't any work to do.
@@ -603,9 +603,14 @@ tlp_detach(struct tulip_softc *sc)
 	if ((sc-sc_flags  TULIPF_ATTACHED) == 0)
 		return (0);
 
-	/* Unhook our tick handler. */
-	if (sc-sc_tick)
-		callout_stop(sc-sc_tick_callout);
+	s = splnet();
+	/* Stop the interface. Callouts are stopped in it. */
+	tlp_stop(ifp, 1);
+	splx(s);
+
+	/* Destroy our callouts. */
+	callout_destroy(sc-sc_nway_callout);
+	callout_destroy(sc-sc_tick_callout);
 
 	if (sc-sc_flags  TULIPF_HAS_MII) {
 		/* Detach all PHYs */
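Review bot: `callout_destroy()` requires that the callout is neither pending nor still running, and `tlp_stop()` (outside the hunk) presumably uses `callout_stop()`, which on a multiprocessor kernel does not wait for a handler currently executing on another CPU. Adding `callout_halt(&sc->sc_tick_callout, NULL); callout_halt(&sc->sc_nway_callout, NULL);` before the two `callout_destroy()` calls gives that guarantee; if tlp_stop already halts rather than stops, this is moot. Note also that `ifp` must be initialised before this point — its declaration is not in the hunk. tlp_detach continues outside the hunk.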


