CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 19 04:29:12 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-6-1]: ciss.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1486):
sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.
To generate a diff of this commit:
cvs rdiff -u -r1.27.8.1 -r1.27.8.1.2.1 src/sys/dev/ic/ciss.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.27.8.1 src/sys/dev/ic/ciss.c:1.27.8.1.2.1
--- src/sys/dev/ic/ciss.c:1.27.8.1 Thu Nov 22 17:24:52 2012
+++ src/sys/dev/ic/ciss.c Sat Aug 19 04:29:12 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $ */
+/* $NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $ */
/* $OpenBSD: ciss.c,v 1.14 2006/03/13 16:02:23 mickey Exp $ */
/*
@@ -19,7 +19,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $");
#include "bio.h"
@@ -1198,12 +1198,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi
/* FALLTHROUGH */
case BIOCDISK:
bd = (struct bioc_disk *)addr;
- if (bd->bd_volid > sc->maxunits) {
+ if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
error = EINVAL;
break;
}
ldp = sc->sc_lds[0];
- if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+ if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
error = EINVAL;
break;
}
@@ -1304,7 +1304,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st
int error = 0;
u_int blks;
- if (bv->bv_volid > sc->maxunits) {
+ if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
return EINVAL;
}
ldp = sc->sc_lds[bv->bv_volid];
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 19 04:27:37 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-6-1]: isp_netbsd.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1485):
sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.85.2.1 -r1.85.2.1.4.1 src/sys/dev/ic/isp_netbsd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/isp_netbsd.c
diff -u src/sys/dev/ic/isp_netbsd.c:1.85.2.1 src/sys/dev/ic/isp_netbsd.c:1.85.2.1.4.1
--- src/sys/dev/ic/isp_netbsd.c:1.85.2.1 Mon Sep 3 18:38:34 2012
+++ src/sys/dev/ic/isp_netbsd.c Sat Aug 19 04:27:37 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $ */
/*
* Platform (NetBSD) dependent common attachment code for Qlogic adapters.
*/
@@ -33,7 +33,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $");
#include
#include
@@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_
}
lim = local.count;
channel = local.channel;
+ if (channel >= isp->isp_nchan) {
+ retval = EINVAL;
+ break;
+ }
ua = *(isp_dlist_t **)addr;
uptr = >wwns[0];
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Sat Aug 19 03:15:55 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-6-1]: bwi.c
Log Message:
`cat ~/releng/r-commit`
To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.14.1 src/sys/dev/ic/bwi.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/bwi.c
diff -u src/sys/dev/ic/bwi.c:1.18 src/sys/dev/ic/bwi.c:1.18.14.1
--- src/sys/dev/ic/bwi.c:1.18 Mon Oct 10 11:15:24 2011
+++ src/sys/dev/ic/bwi.c Sat Aug 19 03:15:55 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $ */
+/* $NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $ */
/* $OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $ */
/*
@@ -48,7 +48,7 @@
#include
-__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $");
#include
#include
@@ -8315,7 +8315,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf
if (m == NULL)
return (ENOBUFS);
MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
- if (m == NULL) {
+ if ((m->m_flags & M_EXT) == 0) {
error = ENOBUFS;
/*
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Fri Aug 18 15:08:02 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-6-1]: dm9000.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1477):
sys/dev/ic/dm9000.c: revision 1.12
Check for MCLGET failure in dme_alloc_receive_buffer.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.16.1 src/sys/dev/ic/dm9000.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/dm9000.c
diff -u src/sys/dev/ic/dm9000.c:1.4 src/sys/dev/ic/dm9000.c:1.4.16.1
--- src/sys/dev/ic/dm9000.c:1.4 Sat Jan 28 08:29:55 2012
+++ src/sys/dev/ic/dm9000.c Fri Aug 18 15:08:02 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: dm9000.c,v 1.4 2012/01/28 08:29:55 nisimura Exp $ */
+/* $NetBSD: dm9000.c,v 1.4.16.1 2017/08/18 15:08:02 snj Exp $ */
/*
* Copyright (c) 2009 Paul Fleischer
@@ -1123,8 +1123,13 @@ dme_alloc_receive_buffer(struct ifnet *i
sizeof(struct ether_header);
/* All our frames have the CRC attached */
m->m_flags |= M_HASFCS;
- if (m->m_pkthdr.len + pad > MHLEN )
+ if (m->m_pkthdr.len + pad > MHLEN) {
MCLGET(m, M_DONTWAIT);
+ if ((m->m_flags & M_EXT) == 0) {
+ m_freem(m);
+ return NULL;
+ }
+ }
m->m_data += pad;
m->m_len = frame_length + (frame_length % sc->sc_data_width);
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Fri Aug 18 15:05:29 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-6-1]: dp83932.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1476):
sys/dev/ic/dp83932.c: revision 1.41
Plug mbuf leak on MCLGET failure in sonic_rxintr.
>From Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.28.1 src/sys/dev/ic/dp83932.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/dp83932.c
diff -u src/sys/dev/ic/dp83932.c:1.35 src/sys/dev/ic/dp83932.c:1.35.28.1
--- src/sys/dev/ic/dp83932.c:1.35 Sat Nov 13 13:52:00 2010
+++ src/sys/dev/ic/dp83932.c Fri Aug 18 15:05:29 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $ */
+/* $NetBSD: dp83932.c,v 1.35.28.1 2017/08/18 15:05:29 snj Exp $ */
/*-
* Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35.28.1 2017/08/18 15:05:29 snj Exp $");
#include
@@ -785,8 +785,10 @@ sonic_rxintr(struct sonic_softc *sc)
goto dropit;
if (len > (MHLEN - 2)) {
MCLGET(m, M_DONTWAIT);
-if ((m->m_flags & M_EXT) == 0)
+if ((m->m_flags & M_EXT) == 0) {
+ m_freem(m);
goto dropit;
+}
}
m->m_data += 2;
/*
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src
Committed By: snj
Date: Fri Aug 18 15:03:04 UTC 2017
Modified Files:
src/sys/dev/ic [netbsd-6-1]: i82596.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1475):
sys/dev/ic/i82596.c: revision 1.37
Null out sc_rx_mbuf[i] after m_freem to avoid double-free later.
>From Ilja Van Sprundel.
Also null out sc_tx_mbuf[i] after m_freem, out of paranoia.
XXX Not entirely clear to how tx mbufs are freed, but no way to test
this since it's ews4800mips- and hp700-only, so not keen to make any
more elaborate changes...
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.28.1 src/sys/dev/ic/i82596.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/i82596.c
diff -u src/sys/dev/ic/i82596.c:1.29 src/sys/dev/ic/i82596.c:1.29.28.1
--- src/sys/dev/ic/i82596.c:1.29 Mon Apr 5 07:19:35 2010
+++ src/sys/dev/ic/i82596.c Fri Aug 18 15:03:03 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $ */
+/* $NetBSD: i82596.c,v 1.29.28.1 2017/08/18 15:03:03 snj Exp $ */
/*
* Copyright (c) 2003 Jochen Kunz.
@@ -43,7 +43,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29.28.1 2017/08/18 15:03:03 snj Exp $");
/* autoconfig and device stuff */
#include
@@ -754,6 +754,7 @@ iee_start(struct ifnet *ifp)
printf("%s: iee_start: can't allocate mbuf\n",
device_xname(sc->sc_dev));
m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
t--;
continue;
}
@@ -763,6 +764,7 @@ iee_start(struct ifnet *ifp)
printf("%s: iee_start: can't allocate mbuf "
"cluster\n", device_xname(sc->sc_dev));
m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
m_freem(m);
t--;
continue;
@@ -778,6 +780,7 @@ iee_start(struct ifnet *ifp)
printf("%s: iee_start: can't load TX DMA map\n",
device_xname(sc->sc_dev));
m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
t--;
continue;
}
@@ -927,6 +930,7 @@ iee_init(struct ifnet *ifp)
printf("%s: iee_init: can't allocate mbuf"
" cluster\n", device_xname(sc->sc_dev));
m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
err = 1;
break;
}
@@ -940,6 +944,7 @@ iee_init(struct ifnet *ifp)
printf("%s: iee_init: can't create RX "
"DMA map\n", device_xname(sc->sc_dev));
m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
err = 1;
break;
}
@@ -949,6 +954,7 @@ iee_init(struct ifnet *ifp)
device_xname(sc->sc_dev));
bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]);
m_freem(sc->sc_rx_mbuf[r]);
+ sc->sc_rx_mbuf[r] = NULL;
err = 1;
break;
}
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src
Committed By: riz
Date: Thu Mar 5 22:22:53 UTC 2015
Modified Files:
src/sys/dev/ic [netbsd-6-1]: tulip.c
Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1262):
sys/dev/ic/tulip.c: revision 1.185
Stop the interface before detaching to avoid the race between
tlp_detach() and tlp_intr().
While there, add missing callout_destroy()s.
To generate a diff of this commit:
cvs rdiff -u -r1.180 -r1.180.8.1 src/sys/dev/ic/tulip.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ic/tulip.c
diff -u src/sys/dev/ic/tulip.c:1.180 src/sys/dev/ic/tulip.c:1.180.8.1
--- src/sys/dev/ic/tulip.c:1.180 Thu Feb 2 19:43:03 2012
+++ src/sys/dev/ic/tulip.c Thu Mar 5 22:22:53 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: tulip.c,v 1.180 2012/02/02 19:43:03 tls Exp $ */
+/* $NetBSD: tulip.c,v 1.180.8.1 2015/03/05 22:22:53 riz Exp $ */
/*-
* Copyright (c) 1998, 1999, 2000, 2002 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tulip.c,v 1.180 2012/02/02 19:43:03 tls Exp $);
+__KERNEL_RCSID(0, $NetBSD: tulip.c,v 1.180.8.1 2015/03/05 22:22:53 riz Exp $);
#include sys/param.h
@@ -595,7 +595,7 @@ tlp_detach(struct tulip_softc *sc)
struct tulip_rxsoft *rxs;
struct tulip_txsoft *txs;
device_t self = sc-sc_dev;
- int i;
+ int i, s;
/*
* Succeed now if there isn't any work to do.
@@ -603,9 +603,14 @@ tlp_detach(struct tulip_softc *sc)
if ((sc-sc_flags TULIPF_ATTACHED) == 0)
return (0);
- /* Unhook our tick handler. */
- if (sc-sc_tick)
- callout_stop(sc-sc_tick_callout);
+ s = splnet();
+ /* Stop the interface. Callouts are stopped in it. */
+ tlp_stop(ifp, 1);
+ splx(s);
+
+ /* Destroy our callouts. */
+ callout_destroy(sc-sc_nway_callout);
+ callout_destroy(sc-sc_tick_callout);
if (sc-sc_flags TULIPF_HAS_MII) {
/* Detach all PHYs */
