CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src Committed By: snj Date: Sat Aug 19 04:29:12 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6-1]: ciss.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1486): sys/dev/ic/ciss.c: revision 1.37 Reject negative indices from userland. To generate a diff of this commit: cvs rdiff -u -r1.27.8.1 -r1.27.8.1.2.1 src/sys/dev/ic/ciss.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/ciss.c diff -u src/sys/dev/ic/ciss.c:1.27.8.1 src/sys/dev/ic/ciss.c:1.27.8.1.2.1 --- src/sys/dev/ic/ciss.c:1.27.8.1 Thu Nov 22 17:24:52 2012 +++ src/sys/dev/ic/ciss.c Sat Aug 19 04:29:12 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $ */ +/* $NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $ */ /* $OpenBSD: ciss.c,v 1.14 2006/03/13 16:02:23 mickey Exp $ */ /* @@ -19,7 +19,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $"); #include "bio.h" @@ -1198,12 +1198,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi /* FALLTHROUGH */ case BIOCDISK: bd = (struct bioc_disk *)addr; - if (bd->bd_volid > sc->maxunits) { + if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) { error = EINVAL; break; } ldp = sc->sc_lds[0]; - if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) { + if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) { error = EINVAL; break; } @@ -1304,7 +1304,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st int error = 0; u_int blks; - if (bv->bv_volid > sc->maxunits) { + if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) { return EINVAL; } ldp = sc->sc_lds[bv->bv_volid];
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src Committed By: snj Date: Sat Aug 19 04:27:37 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6-1]: isp_netbsd.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1485): sys/dev/ic/isp_netbsd.c: revision 1.89 Reject out-of-bounds channel index. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.85.2.1 -r1.85.2.1.4.1 src/sys/dev/ic/isp_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/isp_netbsd.c diff -u src/sys/dev/ic/isp_netbsd.c:1.85.2.1 src/sys/dev/ic/isp_netbsd.c:1.85.2.1.4.1 --- src/sys/dev/ic/isp_netbsd.c:1.85.2.1 Mon Sep 3 18:38:34 2012 +++ src/sys/dev/ic/isp_netbsd.c Sat Aug 19 04:27:37 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $ */ +/* $NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $ */ /* * Platform (NetBSD) dependent common attachment code for Qlogic adapters. */ @@ -33,7 +33,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $"); #include #include @@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_ } lim = local.count; channel = local.channel; + if (channel >= isp->isp_nchan) { + retval = EINVAL; + break; + } ua = *(isp_dlist_t **)addr; uptr = >wwns[0];
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src Committed By: snj Date: Sat Aug 19 03:15:55 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6-1]: bwi.c Log Message: `cat ~/releng/r-commit` To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.18.14.1 src/sys/dev/ic/bwi.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/bwi.c diff -u src/sys/dev/ic/bwi.c:1.18 src/sys/dev/ic/bwi.c:1.18.14.1 --- src/sys/dev/ic/bwi.c:1.18 Mon Oct 10 11:15:24 2011 +++ src/sys/dev/ic/bwi.c Sat Aug 19 03:15:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $ */ +/* $NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $ */ /* $OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $ */ /* @@ -48,7 +48,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $"); #include #include @@ -8315,7 +8315,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf if (m == NULL) return (ENOBUFS); MCLGET(m, init ? M_WAITOK : M_DONTWAIT); - if (m == NULL) { + if ((m->m_flags & M_EXT) == 0) { error = ENOBUFS; /*
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src Committed By: snj Date: Fri Aug 18 15:08:02 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6-1]: dm9000.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1477): sys/dev/ic/dm9000.c: revision 1.12 Check for MCLGET failure in dme_alloc_receive_buffer. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.4.16.1 src/sys/dev/ic/dm9000.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/dm9000.c diff -u src/sys/dev/ic/dm9000.c:1.4 src/sys/dev/ic/dm9000.c:1.4.16.1 --- src/sys/dev/ic/dm9000.c:1.4 Sat Jan 28 08:29:55 2012 +++ src/sys/dev/ic/dm9000.c Fri Aug 18 15:08:02 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: dm9000.c,v 1.4 2012/01/28 08:29:55 nisimura Exp $ */ +/* $NetBSD: dm9000.c,v 1.4.16.1 2017/08/18 15:08:02 snj Exp $ */ /* * Copyright (c) 2009 Paul Fleischer @@ -1123,8 +1123,13 @@ dme_alloc_receive_buffer(struct ifnet *i sizeof(struct ether_header); /* All our frames have the CRC attached */ m->m_flags |= M_HASFCS; - if (m->m_pkthdr.len + pad > MHLEN ) + if (m->m_pkthdr.len + pad > MHLEN) { MCLGET(m, M_DONTWAIT); + if ((m->m_flags & M_EXT) == 0) { + m_freem(m); + return NULL; + } + } m->m_data += pad; m->m_len = frame_length + (frame_length % sc->sc_data_width);
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src Committed By: snj Date: Fri Aug 18 15:05:29 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6-1]: dp83932.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1476): sys/dev/ic/dp83932.c: revision 1.41 Plug mbuf leak on MCLGET failure in sonic_rxintr. >From Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.28.1 src/sys/dev/ic/dp83932.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/dp83932.c diff -u src/sys/dev/ic/dp83932.c:1.35 src/sys/dev/ic/dp83932.c:1.35.28.1 --- src/sys/dev/ic/dp83932.c:1.35 Sat Nov 13 13:52:00 2010 +++ src/sys/dev/ic/dp83932.c Fri Aug 18 15:05:29 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $ */ +/* $NetBSD: dp83932.c,v 1.35.28.1 2017/08/18 15:05:29 snj Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35 2010/11/13 13:52:00 uebayasi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.35.28.1 2017/08/18 15:05:29 snj Exp $"); #include @@ -785,8 +785,10 @@ sonic_rxintr(struct sonic_softc *sc) goto dropit; if (len > (MHLEN - 2)) { MCLGET(m, M_DONTWAIT); -if ((m->m_flags & M_EXT) == 0) +if ((m->m_flags & M_EXT) == 0) { + m_freem(m); goto dropit; +} } m->m_data += 2; /*
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src Committed By: snj Date: Fri Aug 18 15:03:04 UTC 2017 Modified Files: src/sys/dev/ic [netbsd-6-1]: i82596.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1475): sys/dev/ic/i82596.c: revision 1.37 Null out sc_rx_mbuf[i] after m_freem to avoid double-free later. >From Ilja Van Sprundel. Also null out sc_tx_mbuf[i] after m_freem, out of paranoia. XXX Not entirely clear to how tx mbufs are freed, but no way to test this since it's ews4800mips- and hp700-only, so not keen to make any more elaborate changes... To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.28.1 src/sys/dev/ic/i82596.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/i82596.c diff -u src/sys/dev/ic/i82596.c:1.29 src/sys/dev/ic/i82596.c:1.29.28.1 --- src/sys/dev/ic/i82596.c:1.29 Mon Apr 5 07:19:35 2010 +++ src/sys/dev/ic/i82596.c Fri Aug 18 15:03:03 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $ */ +/* $NetBSD: i82596.c,v 1.29.28.1 2017/08/18 15:03:03 snj Exp $ */ /* * Copyright (c) 2003 Jochen Kunz. @@ -43,7 +43,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29 2010/04/05 07:19:35 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.29.28.1 2017/08/18 15:03:03 snj Exp $"); /* autoconfig and device stuff */ #include @@ -754,6 +754,7 @@ iee_start(struct ifnet *ifp) printf("%s: iee_start: can't allocate mbuf\n", device_xname(sc->sc_dev)); m_freem(sc->sc_tx_mbuf[t]); +sc->sc_tx_mbuf[t] = NULL; t--; continue; } @@ -763,6 +764,7 @@ iee_start(struct ifnet *ifp) printf("%s: iee_start: can't allocate mbuf " "cluster\n", device_xname(sc->sc_dev)); m_freem(sc->sc_tx_mbuf[t]); +sc->sc_tx_mbuf[t] = NULL; m_freem(m); t--; continue; @@ -778,6 +780,7 @@ iee_start(struct ifnet *ifp) printf("%s: iee_start: can't load TX DMA map\n", device_xname(sc->sc_dev)); m_freem(sc->sc_tx_mbuf[t]); +sc->sc_tx_mbuf[t] = NULL; t--; continue; } @@ -927,6 +930,7 @@ iee_init(struct ifnet *ifp) printf("%s: iee_init: can't allocate mbuf" " cluster\n", device_xname(sc->sc_dev)); m_freem(sc->sc_rx_mbuf[r]); +sc->sc_rx_mbuf[r] = NULL; err = 1; break; } @@ -940,6 +944,7 @@ iee_init(struct ifnet *ifp) printf("%s: iee_init: can't create RX " "DMA map\n", device_xname(sc->sc_dev)); m_freem(sc->sc_rx_mbuf[r]); +sc->sc_rx_mbuf[r] = NULL; err = 1; break; } @@ -949,6 +954,7 @@ iee_init(struct ifnet *ifp) device_xname(sc->sc_dev)); bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]); m_freem(sc->sc_rx_mbuf[r]); + sc->sc_rx_mbuf[r] = NULL; err = 1; break; }
CVS commit: [netbsd-6-1] src/sys/dev/ic
Module Name:src Committed By: riz Date: Thu Mar 5 22:22:53 UTC 2015 Modified Files: src/sys/dev/ic [netbsd-6-1]: tulip.c Log Message: Pull up following revision(s) (requested by nakayama in ticket #1262): sys/dev/ic/tulip.c: revision 1.185 Stop the interface before detaching to avoid the race between tlp_detach() and tlp_intr(). While there, add missing callout_destroy()s. To generate a diff of this commit: cvs rdiff -u -r1.180 -r1.180.8.1 src/sys/dev/ic/tulip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/tulip.c diff -u src/sys/dev/ic/tulip.c:1.180 src/sys/dev/ic/tulip.c:1.180.8.1 --- src/sys/dev/ic/tulip.c:1.180 Thu Feb 2 19:43:03 2012 +++ src/sys/dev/ic/tulip.c Thu Mar 5 22:22:53 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: tulip.c,v 1.180 2012/02/02 19:43:03 tls Exp $ */ +/* $NetBSD: tulip.c,v 1.180.8.1 2015/03/05 22:22:53 riz Exp $ */ /*- * Copyright (c) 1998, 1999, 2000, 2002 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: tulip.c,v 1.180 2012/02/02 19:43:03 tls Exp $); +__KERNEL_RCSID(0, $NetBSD: tulip.c,v 1.180.8.1 2015/03/05 22:22:53 riz Exp $); #include sys/param.h @@ -595,7 +595,7 @@ tlp_detach(struct tulip_softc *sc) struct tulip_rxsoft *rxs; struct tulip_txsoft *txs; device_t self = sc-sc_dev; - int i; + int i, s; /* * Succeed now if there isn't any work to do. @@ -603,9 +603,14 @@ tlp_detach(struct tulip_softc *sc) if ((sc-sc_flags TULIPF_ATTACHED) == 0) return (0); - /* Unhook our tick handler. */ - if (sc-sc_tick) - callout_stop(sc-sc_tick_callout); + s = splnet(); + /* Stop the interface. Callouts are stopped in it. */ + tlp_stop(ifp, 1); + splx(s); + + /* Destroy our callouts. */ + callout_destroy(sc-sc_nway_callout); + callout_destroy(sc-sc_tick_callout); if (sc-sc_flags TULIPF_HAS_MII) { /* Detach all PHYs */