CVS commit: [netbsd-6] src/sys/arch/sparc64/conf

2018-06-07 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Jun  7 18:01:51 UTC 2018

Modified Files:
src/sys/arch/sparc64/conf [netbsd-6]: GENERIC32 NONPLUS

Log Message:
Fix fallout from ticket #1500: COMPAT_SVR4* has been disabled, do not
disable it here again.


To generate a diff of this commit:
cvs rdiff -u -r1.140 -r1.140.102.1 src/sys/arch/sparc64/conf/GENERIC32
cvs rdiff -u -r1.58 -r1.58.102.1 src/sys/arch/sparc64/conf/NONPLUS

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys

2018-05-22 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Tue May 22 14:38:20 UTC 2018

Modified Files:
src/sys/arch/amiga/conf [netbsd-6]: DRACO GENERIC GENERIC.in
src/sys/arch/hp300/conf [netbsd-6]: GENERIC
src/sys/arch/i386/conf [netbsd-6]: GENERIC XEN3_DOM0 XEN3_DOMU
src/sys/arch/sparc/conf [netbsd-6]: BILL-THE-CAT GENERIC KRUPS MRCOFFEE
TADPOLE3GX
src/sys/arch/sparc64/conf [netbsd-6]: GENERIC NONPLUS64
src/sys/kern [netbsd-6]: kern_exec.c

Log Message:
Apply patch requested by maxv in ticket #1500:

 * disable compat_svr4 and compat_svr4_32 everywhere
 * disable compat_ibcs2 everywhere but on Vax
 * remove the svr4/svr4_32/ibcs2/freebsd entries from the autoload list


To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.154.2.1 src/sys/arch/amiga/conf/DRACO
cvs rdiff -u -r1.284 -r1.284.2.1 src/sys/arch/amiga/conf/GENERIC
cvs rdiff -u -r1.96 -r1.96.2.1 src/sys/arch/amiga/conf/GENERIC.in
cvs rdiff -u -r1.169.2.1 -r1.169.2.2 src/sys/arch/hp300/conf/GENERIC
cvs rdiff -u -r1.1066.2.8 -r1.1066.2.9 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r1.60.2.7 -r1.60.2.8 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.41.2.2 -r1.41.2.3 src/sys/arch/i386/conf/XEN3_DOMU
cvs rdiff -u -r1.51 -r1.51.4.1 src/sys/arch/sparc/conf/BILL-THE-CAT
cvs rdiff -u -r1.230 -r1.230.2.1 src/sys/arch/sparc/conf/GENERIC
cvs rdiff -u -r1.56.4.1 -r1.56.4.2 src/sys/arch/sparc/conf/KRUPS
cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc/conf/MRCOFFEE
cvs rdiff -u -r1.54.4.1 -r1.54.4.2 src/sys/arch/sparc/conf/TADPOLE3GX
cvs rdiff -u -r1.148.2.2 -r1.148.2.3 src/sys/arch/sparc64/conf/GENERIC
cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc64/conf/NONPLUS64
cvs rdiff -u -r1.339.2.10 -r1.339.2.11 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/net/npf

2018-05-17 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May 17 13:45:15 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.


To generate a diff of this commit:
cvs rdiff -u -r1.8.4.7 -r1.8.4.8 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.10.4.10 -r1.10.4.11 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ic

2018-05-14 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Mon May 14 16:07:06 UTC 2018

Modified Files:
src/sys/dev/ic [netbsd-6]: hme.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1548):

sys/dev/ic/hme.c: revision 1.97

Fix mis-placed right paren.  kern/53271


To generate a diff of this commit:
cvs rdiff -u -r1.87.2.1 -r1.87.2.2 src/sys/dev/ic/hme.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/kern

2018-05-03 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May  3 15:00:38 UTC 2018

Modified Files:
src/sys/kern [netbsd-6]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1547):

sys/kern/uipc_mbuf.c: revision 1.211 (via patch)

Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.

We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.

This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).

Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.

It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.


To generate a diff of this commit:
cvs rdiff -u -r1.145.2.1 -r1.145.2.2 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-05-03 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May  3 14:33:30 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1546):

sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.2.1 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-04-18 Thread SAITOH Masanobu
Module Name:    src
Committed By:   msaitoh
Date:   Wed Apr 18 06:59:10 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1545):
sys/netipsec/ipsec_mbuf.c: revision 1.23
sys/netipsec/ipsec_mbuf.c: revision 1.24
Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.

The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().

Fix a pretty bad mistake, that has always been there.

    m_adj(m1, -(m1->m_len - roff));
    if (m1 != m)
        m->m_pkthdr.len -= (m1->m_len - roff);

This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.

Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.10.1 src/sys/netipsec/ipsec_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
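
The length-accounting mistake described in the ipsec_mbuf.c message above, reproduced on a toy mbuf chain. This is an added example, not NetBSD code: struct tmbuf, toy_m_adj() and the two strip functions are simplified stand-ins, and toy_m_adj() only models the tail trim of the single mbuf it is given.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy mbuf (hypothetical): only the fields the accounting depends on. */
struct tmbuf {
	struct tmbuf *m_next;
	int m_len;		/* bytes held by this mbuf */
	int pkthdr_len;		/* total packet length; first mbuf only */
};

/* Stand-in for m_adj() with a negative length: trim the tail of mp. */
static void
toy_m_adj(struct tmbuf *mp, int req_len)
{
	int n = -req_len;

	if (req_len >= 0)
		return;
	if (n > mp->m_len)
		n = mp->m_len;
	mp->m_len -= n;
}

/* Sum of m_len over the chain: the data that is really there. */
static int
chain_len(const struct tmbuf *m)
{
	int total = 0;

	for (; m != NULL; m = m->m_next)
		total += m->m_len;
	return total;
}

/* The pattern quoted in the message: m1->m_len is read after it changed. */
static void
strip_tail_before(struct tmbuf *m, struct tmbuf *m1, int roff)
{
	toy_m_adj(m1, -(m1->m_len - roff));
	if (m1 != m)
		m->pkthdr_len -= (m1->m_len - roff);	/* now subtracts 0 */
}

/* One way to correct it: compute the amount once, before trimming. */
static void
strip_tail_after(struct tmbuf *m, struct tmbuf *m1, int roff)
{
	int adjlen = m1->m_len - roff;

	toy_m_adj(m1, -adjlen);
	if (m1 != m)
		m->pkthdr_len -= adjlen;
}

/*
 * Constructed chain: a 40-byte first mbuf followed by a 100-byte mbuf whose
 * last 40 bytes (from roff = 60) are stripped. Returns how many bytes the
 * packet header claims beyond what the chain holds afterwards.
 */
static int
overreport(int use_fixed)
{
	struct tmbuf m1 = { NULL, 100, 0 };
	struct tmbuf m = { &m1, 40, 140 };

	if (use_fixed)
		strip_tail_after(&m, &m1, 60);
	else
		strip_tail_before(&m, &m1, 60);
	return m.pkthdr_len - chain_len(&m);
}

int
main(void)
{
	printf("before fix: header over-reports by %d bytes\n", overreport(0));
	printf("after fix:  header over-reports by %d bytes\n", overreport(1));
	return 0;
}
```

A packet-header length larger than the data in the chain is the inconsistent state here: code that trusts the header length will try to process bytes the chain does not hold.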



CVS commit: [netbsd-6] src/sys/arch/amiga/amiga

2018-04-10 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Tue Apr 10 11:27:55 UTC 2018

Modified Files:
src/sys/arch/amiga/amiga [netbsd-6]: cc.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1544):

sys/arch/amiga/amiga/cc.c: revision 1.27 (patch)

spl leak, found by mootja


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.14.1 src/sys/arch/amiga/amiga/cc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Apr  5 11:34:17 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
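
The offset arithmetic from the NPF message above, worked through on a constructed buffer. This is an added example, not NPF code: it assumes the walker reads each extension header at the right place and only the accumulated header length is narrow, which is what the offsets in the message imply. The function names, the sample buffer and the two port numbers (the message leaves its ports blank) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 next-header values (IANA protocol numbers). */
enum { NH_HOPOPTS = 0, NH_UDP = 17, NH_ROUTING = 43, NH_DSTOPTS = 60 };

#define IP6_HDRLEN   40u
#define SAMPLE_LEN   312u	/* 304 + 8-byte UDP header */
#define PORT_BLOCKED 2000	/* constructed: the port the rule blocks */
#define PORT_OTHER   3000	/* constructed: a port the rule allows */

static uint8_t sample[SAMPLE_LEN];	/* constructed sample, see build_sample() */

/*
 * Walk the extension headers with a correct cursor, accumulating the total
 * header length twice: in a uint8_t (width of npc_hlen before the fix) and
 * in a uint32_t (width after it). Returns 0, or -1 if a header would run
 * past the end of the buffer.
 */
static int
l4_offsets(const uint8_t *pkt, size_t len, uint8_t *narrow, uint32_t *wide)
{
	size_t off = IP6_HDRLEN;
	uint8_t proto, hlen8 = IP6_HDRLEN;
	uint32_t hlen32 = IP6_HDRLEN;

	if (len < IP6_HDRLEN)
		return -1;
	proto = pkt[6];				/* ip6_nxt */
	while (proto == NH_HOPOPTS || proto == NH_ROUTING ||
	    proto == NH_DSTOPTS) {
		uint32_t extlen;

		if (len - off < 2)
			return -1;
		extlen = ((uint32_t)pkt[off + 1] + 1) << 3; /* (len + 1) * 8 */
		if (extlen > len - off)
			return -1;		/* header exceeds the buffer */
		proto = pkt[off];		/* next header */
		off += extlen;
		hlen8 = (uint8_t)(hlen8 + extlen);	/* wraps modulo 256 */
		hlen32 += extlen;
	}
	*narrow = hlen8;
	*wide = hlen32;
	return 0;
}

/* UDP destination port at l4off, or -1 if no full UDP header fits there. */
static int
udp_dport(const uint8_t *pkt, size_t len, size_t l4off)
{
	if (l4off > len || len - l4off < 8)
		return -1;
	return (pkt[l4off + 2] << 8) | pkt[l4off + 3];
}

/* Fill the sample with the layout given in the log message. */
static void
build_sample(void)
{
	memset(sample, 0, SAMPLE_LEN);
	sample[0] = 0x60;			/* IPv6 version */
	sample[6] = NH_ROUTING;
	sample[40] = NH_DSTOPTS;		/* routing header at +40 */
	sample[41] = 31;			/* (31 + 1) * 8 = 256 bytes */
	sample[48 + 2] = PORT_OTHER >> 8;	/* bytes at +48 read as UDP */
	sample[48 + 3] = PORT_OTHER & 0xff;
	sample[296] = NH_UDP;			/* dest options header at +296 */
	sample[297] = 0;			/* (0 + 1) * 8 = 8 bytes */
	sample[304 + 2] = PORT_BLOCKED >> 8;	/* real UDP header at +304 */
	sample[304 + 3] = PORT_BLOCKED & 0xff;
}

/* L4 offset for the first len bytes of the sample, or -1 if malformed. */
static long
sample_l4off(size_t len, int use_narrow)
{
	uint8_t narrow;
	uint32_t wide;

	build_sample();
	if (l4_offsets(sample, len, &narrow, &wide) != 0)
		return -1;
	return use_narrow ? (long)narrow : (long)wide;
}

int
main(void)
{
	long n = sample_l4off(SAMPLE_LEN, 1), w = sample_l4off(SAMPLE_LEN, 0);

	printf("uint8_t  offset %3ld -> dport %d\n", n,
	    udp_dport(sample, SAMPLE_LEN, (size_t)n));
	printf("uint32_t offset %3ld -> dport %d\n", w,
	    udp_dport(sample, SAMPLE_LEN, (size_t)w));
	/* A truncated copy is rejected instead of yielding an offset. */
	printf("truncated to 100 bytes: %ld\n", sample_l4off(100, 0));
	return 0;
}
```

With the 8-bit accumulator the filter inspects the bytes at offset 48 and sees the allowed port; with the 32-bit one it inspects offset 304, the header the IPv6 stack will act on. The length check on each extension header covers the separate overrun the message mentions at its end.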



CVS commit: [netbsd-6] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Sun Apr  1 09:22:37 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1541):

sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.


To generate a diff of this commit:
cvs rdiff -u -r1.109.2.1 -r1.109.2.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Sun Apr  1 09:18:54 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1540):

sys/netinet6/ip6_forward.c: revision 1.91 (via patch)

Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed,
and a 'goto out' is missing after ipsec6_process_packet.


To generate a diff of this commit:
cvs rdiff -u -r1.69.2.1 -r1.69.2.2 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ppbus

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 17:48:21 UTC 2018

Modified Files:
src/sys/dev/ppbus [netbsd-6]: if_plip.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1537):
sys/dev/ppbus/if_plip.c: 1.28
spl leak, found by Mootja


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.24.14.1 src/sys/dev/ppbus/if_plip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 17:47:14 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1536):
sys/netipsec/ipsec_input.c: 1.57-1.58
Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.
--
Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.2.1 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 17:42:41 UTC 2018

Modified Files:
src/sys/net [netbsd-6]: if_mpls.c
src/sys/netmpls [netbsd-6]: mpls_ttl.c

Log Message:
Pull up following revision(s) (requested by uwe in ticket #1534):
sys/net/if_mpls.c: 1.31-1.33 via patch
sys/netmpls/mpls_ttl.c: 1.9 via patch
Style, and fix several bugs:
 - ip4_check(), mpls_unlabel_inet() and mpls_unlabel_inet6() perform
   pullups, so we need to pass the updated pointers back
 - in mpls_lse() the route is not always freed
Looks a little better now.
--
Kick MPLS packets earlier.
--
Several changes:
 * In mpls_unlabel_inet, copy the label locally. It's not incorrect to
   keep a pointer on the mbuf, but it's bug-friendly.
 * In mpls_label_inetX, fix the length check. Meanwhile add an XXX: we
   just want to make sure that m_copydata won't fail, but if we were
   guaranteed that m has M_PKTHDR set, we could simply check the length
   against m->m_pkthdr.len.


To generate a diff of this commit:
cvs rdiff -u -r1.8.8.1 -r1.8.8.2 src/sys/net/if_mpls.c
cvs rdiff -u -r1.3 -r1.3.18.1 src/sys/netmpls/mpls_ttl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/sbus

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 17:20:25 UTC 2018

Modified Files:
src/sys/dev/sbus [netbsd-6]: be.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1533):
sys/dev/sbus/be.c: 1.86
spl leak, found by Mootja a long time ago


To generate a diff of this commit:
cvs rdiff -u -r1.78 -r1.78.2.1 src/sys/dev/sbus/be.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 17:18:16 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c xform_esp.c xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1532):
sys/netipsec/xform_ah.c: 1.77 via patch
sys/netipsec/xform_esp.c: 1.73 via patch
sys/netipsec/xform_ipip.c: 1.56-1.57 via patch
Reinforce and clarify.
--
Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.
--
Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:
    218 ipo = mtod(m, struct ip *);
    281 m = m_pullup(m, hlen);
    232 ipo->ip_src.s_addr
Found by Mootja.
Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.
--
As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.3 -r1.37.2.4 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.40 -r1.40.2.1 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.28.8.1 -r1.28.8.2 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/macppc/dev

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 17:09:15 UTC 2018

Modified Files:
src/sys/arch/macppc/dev [netbsd-6]: snapper.c

Log Message:
Pull up following revision(s) (requested by sevan in ticket #1522):
sys/arch/macppc/dev/snapper.c: 1.42
Fix issue with audio being downpitched, thanks to 
"it seems that snapper_init should be called before audio_attach_mi, as
snapper init is setting the rate to 44100 after the hardware format has
been configured by audio_attach_mi.
audio_attach_mi should be the last thing called during an attach of an
audio device so the audio device is ready to be configured when
audio_attach_mi is called."
Resolves PR port-macppc/52949


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.4.1 src/sys/arch/macppc/dev/snapper.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/sparc/sparc

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 16:48:05 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-6]: timer.c timer_sun4m.c timerreg.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1519):
sys/arch/sparc/sparc/timer_sun4m.c: 1.33 1.34 1.31
sys/arch/sparc/sparc/timer.c: 1.33
sys/arch/sparc/sparc/timer.c: 1.33 1.34
sys/arch/sparc/sparc/timerreg.h: 1.33 1.34 1.31 1.10
fix time goes backwards problems on sparc.
there are a few things here:
- there's a race between reading the limit register (which clears
  the interrupt and the limit bit) and increasing the latest offset.
  this can happen easily if an interrupt comes between the read and
  the call to tickle_tc() that increases the offset (i observed this
  actually happening.)
- in early boot, sometimes the counter can cycle twice before the
  tickle happens.
to handle these issues, add two workarounds:
- if the limit bit isn't set, but the counter value is less than
  the previous value, and the offset hasn't changed, use the same
  fixup as if the limit bit was set.  this handles the first case
  above.
- add a hard-workaround for never allowing returning a smaller
  value (except during 32 bit overflow): if the result is less than
  the last result, add fixups until it does (or until it would
  overflow.)
the first workaround fixes general run-time issues, and the second
fixes issues only seen during boot.
also expand some comments in timer_sun4m.c and re-enable the sun4m
sub-microsecond tmr_ustolim4m() support (but it's always called with
at least 'tick' microseconds, so the end result is the same.)
fix hang at 4B microseconds (1h12 or so), and simplify part of the previous


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.8.1 src/sys/arch/sparc/sparc/timer.c
cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/arch/sparc/sparc/timer_sun4m.c
cvs rdiff -u -r1.9 -r1.9.118.1 src/sys/arch/sparc/sparc/timerreg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet6

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 16:43:06 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1518):
sys/netinet6/ip6_forward.c: 1.89-1.90 via patch
Fix use-after-free of mbuf by ip6flow_create
This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd.
--
Fix use-after-free of mbuf by ip6flow_create (one more)


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev

2018-03-13 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Tue Mar 13 16:38:28 UTC 2018

Modified Files:
src/sys/dev [netbsd-6]: fss.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1516):
sys/dev/fss.c: 1.101-1.103
Bounds check against media size for non-persistent snapshots.
--
Treat partial read from backing store as I/O error.
--
Pass residual back to b_resid for persistent snapshots.


To generate a diff of this commit:
cvs rdiff -u -r1.81.4.4 -r1.81.4.5 src/sys/dev/fss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/sparc/sparc

2018-03-03 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Sat Mar  3 20:47:24 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-6]: locore.s

Log Message:
Pull up following revision(s) (requested by maya in ticket #1513):
sys/arch/sparc/sparc/locore.s: 1.269
Avoid an instruction requiring a higher alignment than we are guaranteed
Fixes PR port-sparc/52721: ddb errors on ps command
Thanks to mlelstv.


To generate a diff of this commit:
cvs rdiff -u -r1.265 -r1.265.8.1 src/sys/arch/sparc/sparc/locore.s

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys

2018-03-03 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Sat Mar  3 20:44:39 UTC 2018

Modified Files:
src/sys/dev [netbsd-6]: rndpseudo.c
src/sys/kern [netbsd-6]: subr_cprng.c
src/sys/sys [netbsd-6]: cprng.h

Log Message:
Apply patch (requested by riastradh in ticket #1512):
Fix panic when waiting with kqueue/kevent for a read from
/dev/random.


To generate a diff of this commit:
cvs rdiff -u -r1.6.2.3 -r1.6.2.4 src/sys/dev/rndpseudo.c
cvs rdiff -u -r1.5.2.8 -r1.5.2.9 src/sys/kern/subr_cprng.c
cvs rdiff -u -r1.4.2.1 -r1.4.2.2 src/sys/sys/cprng.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch

2018-02-19 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Mon Feb 19 20:54:38 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: machdep.c
src/sys/arch/amd64/include [netbsd-6]: segments.h
src/sys/arch/i386/i386 [netbsd-6]: machdep.c
src/sys/arch/i386/include [netbsd-6]: segments.h
src/sys/arch/x86/x86 [netbsd-6]: vm_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1517):
sys/arch/amd64/amd64/machdep.c: 1.280 via patch
sys/arch/amd64/include/segments.h: 1.34 via patch
sys/arch/i386/i386/machdep.c: 1.800
sys/arch/i386/include/segments.h: 1.64
sys/arch/x86/x86/vm_machdep.c: 1.30
Fix a huge privilege separation vulnerability in Xen-amd64.
On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL
equals SEL_UPL. While Xen can make a distinction between usermode and
kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL
in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes
to read and write to the CPU ports.
It is easy, then, to completely escalate privileges; by reprogramming the
PIC, by reading the ATA disks, by intercepting the keyboard interrupts
(keylogger), etc.
Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use
the ports but not userland. I didn't test this change on i386, but it
seems fine enough.


To generate a diff of this commit:
cvs rdiff -u -r1.175.2.9 -r1.175.2.10 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.22 -r1.22.10.1 src/sys/arch/amd64/include/segments.h
cvs rdiff -u -r1.717.2.8 -r1.717.2.9 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.54 -r1.54.10.1 src/sys/arch/i386/include/segments.h
cvs rdiff -u -r1.14 -r1.14.2.1 src/sys/arch/x86/x86/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-02-16 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Fri Feb 16 18:10:09 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: ipsec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1531):

sys/netipsec/ipsec.c: revision 1.130

Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.8.1 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Feb 15 16:49:05 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c

Log Message:
Fix previous (Ticket #1530)


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.2 -r1.37.2.3 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Feb 15 14:49:00 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1529):
sys/netipsec/xform_ipip.c: revision 1.44 via patch

PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Feb 15 08:08:19 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1530):
sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.1 -r1.37.2.2 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dist/pf/net

2018-02-09 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Sat Feb 10 04:25:38 UTC 2018

Modified Files:
src/sys/dist/pf/net [netbsd-6]: pf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1527):
sys/dist/pf/net/pf.c: revision 1.78 via patch
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.
It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.
This bug was reported 8 years ago by Lucio Albornoz in PR/44059.


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.68.2.1 src/sys/dist/pf/net/pf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet

2018-02-09 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Fri Feb  9 14:09:35 UTC 2018

Modified Files:
src/sys/netinet [netbsd-6]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1526):
sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
    source = 0.0.0.0
    destination = public address of the server
    LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.298 -r1.298.2.1 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Fri Feb  2 13:10:00 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: nd6_nbr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1525):
sys/netinet6/nd6_nbr.c: revision 1.145 (patch)

Fix memory leak. Contrary to what the XXX indicates, this place is 100%
reachable remotely.


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.95.2.1 src/sys/netinet6/nd6_nbr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Fri Feb  2 11:07:12 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ip6_mroute.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1524):
sys/netinet6/ip6_mroute.c: revision 1.120
Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE,
not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain
on an mbuf that was already freed.


To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.103.2.1 src/sys/netinet6/ip6_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Tue Jan 30 22:10:20 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.8.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:44:22 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.3 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.2.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
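
Added example (not NetBSD code and not part of the commit above): the ip6_get_prevhdr log message says first-mbuf pointer arithmetic is wrong when the byte lives in a later mbuf, and that the fix returns an offset in the chain instead. The sketch below shows that with a hypothetical `struct seg` standing in for an mbuf and constructed packet bytes; all function names are invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for an mbuf: one segment of a chain. */
struct seg {
	struct seg *next;
	uint8_t    *data;
	size_t      len;
};

/* Constructed sample: the 40-byte IPv6 header fills the first segment,
 * a hop-by-hop header and a fragment header sit in the second one. */
static uint8_t seg_a[40] = { [0] = 0x60, [6] = 0 /* next header: hop-by-hop */ };
static uint8_t seg_b[16] = {
	44, 0, 0x01, 0x04, 0, 0, 0, 0,	/* hop-by-hop: next = fragment, PadN */
	59, 0, 0, 0, 0, 0, 0, 1		/* fragment: next = no next header */
};
static struct seg chain_b = { NULL, seg_b, sizeof(seg_b) };
static struct seg chain_a = { &chain_b, seg_a, sizeof(seg_a) };

/* Pointer to the byte at chain offset 'off', or NULL if the chain is shorter. */
uint8_t *
chain_byte(struct seg *s, size_t off)
{
	for (; s != NULL; s = s->next) {
		if (off < s->len)
			return s->data + off;
		off -= s->len;
	}
	return NULL;
}

/* True only if 'first->data + off' would stay inside the first segment. */
int
first_seg_covers(const struct seg *first, size_t off)
{
	return first != NULL && off < first->len;
}

/*
 * Chain offset of the Next Header byte of the header that ends exactly at
 * 'target'. Every read goes through chain_byte(), so headers may live in
 * any segment. Returns -1 if 'target' is not a header boundary or the
 * chain is too short.
 */
long
prevhdr_offset(struct seg *chain, size_t target)
{
	size_t off = 0, nxt_off = 6, hlen = 40;	/* fixed IPv6 header first */
	uint8_t *nxt, *lenp;

	for (;;) {
		if (off + hlen == target)
			return (long)nxt_off;
		if (off + hlen > target)
			return -1;
		if ((nxt = chain_byte(chain, nxt_off)) == NULL)
			return -1;
		off += hlen;
		switch (*nxt) {
		case 0: case 43: case 60:	/* hop-by-hop, routing, dest opts */
			if ((lenp = chain_byte(chain, off + 1)) == NULL)
				return -1;
			hlen = ((size_t)*lenp + 1) * 8;
			break;
		case 44:			/* fragment header, fixed size */
			hlen = 8;
			break;
		default:			/* not an extension header */
			return -1;
		}
		nxt_off = off;
	}
}

/* Bounds-checked single-byte write at a chain offset. */
int
chain_set_byte(struct seg *chain, size_t off, uint8_t val)
{
	uint8_t *p = chain_byte(chain, off);

	if (p == NULL)
		return -1;
	*p = val;
	return 0;
}

int
main(void)
{
	long off = prevhdr_offset(&chain_a, 48);	/* fragment header at 48 */

	printf("next-header byte of previous header: chain offset %ld\n", off);
	printf("inside first segment: %s\n",
	    first_seg_covers(&chain_a, (size_t)off) ? "yes" : "no");
	printf("rewrite via chain walk: %d\n",
	    chain_set_byte(&chain_a, (size_t)off, 59));
	return 0;
}
```
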



CVS commit: [netbsd-6] src/sys/netipsec

2018-01-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Jan 29 19:25:51 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1521):
sys/netipsec/xform_ah.c: revision 1.76
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2', this place will be reinforced in separate commits.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.2.1 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
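
Added example (not the xform_ah.c code and not part of the commit above): a bounds-checked walk over IPv6 TLV options that zeroes the data of mutable options, with the stride made a parameter so the effect of the missing '+2' described in the log message can be observed safely. The option bytes are constructed, the names are invented here, and the walker reports a zero stride instead of looping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD1    0x00	/* one-byte padding, has no length field */
#define OPT_MUTABLE 0x20	/* "may change en route" bit of the option type */
#define OPT_HDRLEN  2		/* type byte + length byte */

enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_STUCK = -2 };

/* Constructed sample: a mutable option with 2 data bytes, then PadN with
 * a length of zero. Both are well-formed. */
static const uint8_t sample_opts[6] = { 0x3e, 0x02, 0xaa, 0xbb, 0x01, 0x00 };

/*
 * Walk opts[0..optlen) and zero the data of every mutable option.
 * 'hdr' is added to the length byte to form the stride: 2 is correct,
 * because the length byte does not count the two header bytes; 0 models
 * the missing '+2'. '*visited' counts the TLV options seen (Pad1 excluded).
 */
int
walk_options(uint8_t *opts, size_t optlen, size_t hdr, size_t *visited)
{
	size_t count = 0, len;

	*visited = 0;
	while (count < optlen) {
		if (opts[count] == OPT_PAD1) {
			count++;
			continue;
		}
		/* The length byte itself must be inside the buffer. */
		if (optlen - count < OPT_HDRLEN)
			return WALK_TRUNCATED;
		len = opts[count + 1];
		/* The option data must be inside the buffer before any write. */
		if (len > optlen - count - OPT_HDRLEN)
			return WALK_TRUNCATED;
		if (opts[count] & OPT_MUTABLE)
			memset(opts + count + OPT_HDRLEN, 0, len);
		(*visited)++;
		/* A stride of zero would never advance 'count'. */
		if (len + hdr == 0)
			return WALK_STUCK;
		count += len + hdr;
	}
	return WALK_OK;
}

/* Run the walker over a fresh copy of the constructed sample. */
int
run_sample(size_t hdr, uint8_t out[6], size_t *visited)
{
	memcpy(out, sample_opts, sizeof(sample_opts));
	return walk_options(out, sizeof(sample_opts), hdr, visited);
}

int
main(void)
{
	uint8_t buf[sizeof(sample_opts)];
	size_t n;

	printf("stride len+2: %d\n", run_sample(2, buf, &n));
	printf("stride len:   %d\n", run_sample(0, buf, &n));
	return 0;
}
```

With the stride `len`, the walker first lands inside the option data it just zeroed, then stalls on the zero-length PadN; with `len + 2` it visits both options and stops at the end of the buffer.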



CVS commit: [netbsd-6] src/sys/fs/msdosfs

2017-10-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Oct 17 15:43:09 UTC 2017

Modified Files:
src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c

Log Message:
Apply patch from mlelstv to fix the build after pullup #1506


To generate a diff of this commit:
cvs rdiff -u -r1.93.6.4 -r1.93.6.5 src/sys/fs/msdosfs/msdosfs_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/fs/msdosfs

2017-10-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Oct 13 08:05:30 UTC 2017

Modified Files:
src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1506):
sys/fs/msdosfs/msdosfs_vfsops.c: revision 1.128
Add more sanity checks for BPB parameters. Handle FAT12 format for media
with sectors >= 32kByte.
Does fix PR 52485.


To generate a diff of this commit:
cvs rdiff -u -r1.93.6.3 -r1.93.6.4 src/sys/fs/msdosfs/msdosfs_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/i386/i386

2017-10-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Oct 13 08:03:04 UTC 2017

Modified Files:
src/sys/arch/i386/i386 [netbsd-6]: vector.S

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1505):
sys/arch/i386/i386/i386_trap.S: revision 1.12 via patch
Pfff, use %ss and not %ds. The latter is controlled by userland, the former
contains the kernel value (flat); FreeBSD fixed this too a few weeks ago.
As I said earlier, this dtrace code is complete bullshit.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/arch/i386/i386/vector.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat/linux32/arch/amd64

2017-09-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Sep  9 16:53:36 UTC 2017

Modified Files:
src/sys/compat/linux32/arch/amd64 [netbsd-6]: linux32_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.10.1 \
src/sys/compat/linux32/arch/amd64/linux32_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64

2017-09-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Sep  4 16:05:13 UTC 2017

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6]: compat_13_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1501):
sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24
Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get
kernel privileges on the hardware.
ok martin


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.18.1 \
src/sys/arch/sparc64/sparc64/compat_13_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch

2017-08-31 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Aug 31 15:18:12 UTC 2017

Modified Files:
src/sys/arch/evbmips/conf [netbsd-6]: MALTA MALTA32 MALTA64
src/sys/arch/mips/mips [netbsd-6]: bds_emul.S

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1499):
sys/arch/evbmips/conf/MALTA64: revision 1.8
sys/arch/evbmips/conf/MALTA32: revision 1.4
sys/arch/mips/mips/bds_emul.S: revision 1.9
sys/arch/evbmips/conf/MALTA: revision 1.88
Re-enable the NOFPU and (renamed) FPEMUL options.  None of the Malta
CPU daughter cards currently supported by NetBSD have an FPU.
Detected on real hardware.  gxemul wrongly supports an FPU on the
4Kc and 5Kc CPUs.
Remove the NOFPU option.  The main MALTA config file has this now.
mips_emul_daddi and mips_emul_daddiu don't exist, but there are
bcemul_daddi and bcemul_daddiu here that should be used.  however,
bcemul_daddi needed to be changed to use dadd not daddui.
fixes FPEMUL and N64 kernels.  ok simonb.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.1 -r1.65.2.2 src/sys/arch/evbmips/conf/MALTA
cvs rdiff -u -r1.3 -r1.3.2.1 src/sys/arch/evbmips/conf/MALTA32
cvs rdiff -u -r1.5.2.1 -r1.5.2.2 src/sys/arch/evbmips/conf/MALTA64
cvs rdiff -u -r1.6 -r1.6.2.1 src/sys/arch/mips/mips/bds_emul.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/i386/conf

2017-08-26 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 26 16:26:46 UTC 2017

Modified Files:
src/sys/arch/i386/conf [netbsd-6]: GENERIC

Log Message:
Apply patch (requested by maxv in ticket #1466):
Disable vm86 by default. The use case is limited, and the potential
for damage is too high.


To generate a diff of this commit:
cvs rdiff -u -r1.1066.2.7 -r1.1066.2.8 src/sys/arch/i386/conf/GENERIC

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/lib/libkern

2017-08-23 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Aug 23 19:38:02 UTC 2017

Modified Files:
src/sys/lib/libkern [netbsd-6]: Makefile.libkern

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/lib/libkern/Makefile.libkern: revision 1.19
Add strnlen.c to SRCS (which will automatically use the .S version if it
exists).


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.17.2.1 src/sys/lib/libkern/Makefile.libkern

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/altq

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:37:06 UTC 2017

Modified Files:
src/sys/altq [netbsd-6]: altq_cbq.c altq_hfsc.c altq_jobs.c altq_priq.c
altq_wfq.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1488):
sys/altq/altq_cbq.c: revision 1.31
sys/altq/altq_hfsc.c: revision 1.27
sys/altq/altq_jobs.c: revision 1.11
sys/altq/altq_priq.c: revision 1.24
sys/altq/altq_wfq.c: revision 1.22
Zero buffers copied to userland to avoid stack disclosure.
From Ilja Van Sprundel.
--
Reject negative indices.
(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought.  Also one of
them is a u_long, because why not?)
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.18.1 src/sys/altq/altq_cbq.c
cvs rdiff -u -r1.24 -r1.24.36.1 src/sys/altq/altq_hfsc.c
cvs rdiff -u -r1.6.14.1 -r1.6.14.2 src/sys/altq/altq_jobs.c
cvs rdiff -u -r1.21 -r1.21.18.1 src/sys/altq/altq_priq.c
cvs rdiff -u -r1.19 -r1.19.34.1 src/sys/altq/altq_wfq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat/linux/common

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:04:00 UTC 2017

Modified Files:
src/sys/compat/linux/common [netbsd-6]: linux_time.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1489):
sys/compat/linux/common/linux_time.c: 1.38-1.39 via patch
Only let the superuser set the compat_linux timezone.
Not really keen to invent a new kauth cookie for this useless purpose.
From Ilja Van Sprundel.
--
Put suser check in the right function: settimeofday, not gettimeofday.
While here, remove wrong comment.
Noted by kre@.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.6.1 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netsmb

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:44:56 UTC 2017

Modified Files:
src/sys/netsmb [netbsd-6]: smb_dev.c smb_subr.c smb_subr.h smb_usr.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1487):
sys/netsmb/smb_dev.c: 1.50
sys/netsmb/smb_subr.c: 1.38
sys/netsmb/smb_subr.h: 1.22
sys/netsmb/smb_usr.c: 1.17-1.19
Reject allocations for too-small buffers from userland.
From Ilja Van Sprundel.
--
Plug another overflow: refuse bogus sa_len from user.
--
Reject negative ioc_setupcnt.
--
Reject negative offset/count for smb read/write.
Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault.  But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.14.1 src/sys/netsmb/smb_dev.c
cvs rdiff -u -r1.36 -r1.36.8.1 src/sys/netsmb/smb_subr.c
cvs rdiff -u -r1.20 -r1.20.14.1 src/sys/netsmb/smb_subr.h
cvs rdiff -u -r1.16 -r1.16.18.1 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:29:14 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: ciss.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1486):
sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.27.8.1 -r1.27.8.2 src/sys/dev/ic/ciss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:27:39 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: isp_netbsd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1485):
sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.85.2.1 -r1.85.2.2 src/sys/dev/ic/isp_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:24:24 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: kern_ktrace.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1484):
sys/kern/kern_ktrace.c: revision 1.171 via patch
Clamp the length we use, not the length we don't.
Avoids uninitialized memory disclosure to userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.160.2.1 -r1.160.2.2 src/sys/kern/kern_ktrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:20:02 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2 [netbsd-6]: ibcs2_misc.c
src/sys/compat/linux/common [netbsd-6]: linux_file64.c linux_misc.c
src/sys/compat/linux32/common [netbsd-6]: linux32_dirent.c
src/sys/compat/osf1 [netbsd-6]: osf1_file.c
src/sys/compat/sunos [netbsd-6]: sunos_misc.c
src/sys/compat/sunos32 [netbsd-6]: sunos32_misc.c
src/sys/compat/svr4 [netbsd-6]: svr4_misc.c
src/sys/compat/svr4_32 [netbsd-6]: svr4_32_misc.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1483):
sys/compat/common/vfs_syscalls_12.c: revision 1.34
sys/compat/svr4_32/svr4_32_misc.c: revision 1.78
sys/compat/sunos32/sunos32_misc.c: revision 1.78
sys/compat/linux/common/linux_misc.c: revision 1.239
sys/compat/osf1/osf1_file.c: revision 1.44
sys/compat/common/vfs_syscalls_43.c: revision 1.60
sys/compat/svr4/svr4_misc.c: revision 1.158
sys/compat/ibcs2/ibcs2_misc.c: revision 1.114
sys/compat/linux/common/linux_file64.c: revision 1.59
sys/compat/linux32/common/linux32_dirent.c: revision 1.18
sys/compat/sunos/sunos_misc.c: revision 1.171
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.29.12.1 -r1.29.12.2 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.14.3 -r1.54.14.4 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.111 -r1.111.14.1 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.53 -r1.53.8.1 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.219.8.1 -r1.219.8.2 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.13 -r1.13.8.1 src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.41.8.1 -r1.41.8.2 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.168 -r1.168.14.1 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.74 -r1.74.2.1 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.74 -r1.74.8.1 src/sys/compat/svr4_32/svr4_32_misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:17:11 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: vfs_getcwd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/kern/vfs_getcwd.c: revision 1.52
Don't walk off the end of the dirent buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.14.1 src/sys/kern/vfs_getcwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat/ibcs2

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:13:52 UTC 2017

Modified Files:
src/sys/compat/ibcs2 [netbsd-6]: ibcs2_exec_coff.c ibcs2_ioctl.c
ibcs2_stat.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/compat/ibcs2/ibcs2_exec_coff.c: 1.27-1.29
sys/compat/ibcs2/ibcs2_ioctl.c: 1.46
sys/compat/ibcs2/ibcs2_stat.c: 1.49-1.50
Check for NUL termination within the buffer we have.
From Ilja Van Sprundel.
--
Make sure we have enough space in the buffer before reading it.
From Ilja Van Sprundel.
--
Make sure we move forward over the buffer.
From Ilja Van Sprundel.
--
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
From Ilja Van Sprundel.
--
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.
Nothing else guarantees the mount will stick around.
From Ilja Van Sprundel.
--
Little happy on the commit trigger.  Actually use the out label.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.14.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c
cvs rdiff -u -r1.45 -r1.45.36.1 src/sys/compat/ibcs2/ibcs2_ioctl.c
cvs rdiff -u -r1.47 -r1.47.18.1 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat/svr4_32

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:02:49 UTC 2017

Modified Files:
src/sys/compat/svr4_32 [netbsd-6]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1481):
sys/compat/svr4_32/svr4_32_signal.c: 1.30
make it compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.26.40.1 -r1.26.40.2 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:50:01 UTC 2017

Modified Files:
src/sys/dev [netbsd-6]: vnd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1480):
sys/dev/vnd.c: 1.260, 1.262 via patch
Put in a litany of judicious bounds checks around vnd headers.
Thought I was done with this crap after I rewrote vndcompress(1)!
From Ilja Van Sprundel.
--
Appease toxic bullshit warning from gcc.
If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.


To generate a diff of this commit:
cvs rdiff -u -r1.219.8.3 -r1.219.8.4 src/sys/dev/vnd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:40:50 UTC 2017

Modified Files:
src/sys/compat/svr4 [netbsd-6]: svr4_lwp.c svr4_signal.c svr4_stream.c
src/sys/compat/svr4_32 [netbsd-6]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1479):
sys/compat/svr4/svr4_lwp.c: 1.20
sys/compat/svr4/svr4_signal.c: 1.67
sys/compat/svr4/svr4_stream.c: 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
From Ilja Van Sprundel.
--
Zero stack data before copyout.
From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.18.1 src/sys/compat/svr4/svr4_lwp.c
cvs rdiff -u -r1.65 -r1.65.10.1 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.79 -r1.79.8.1 src/sys/compat/svr4/svr4_stream.c
cvs rdiff -u -r1.26 -r1.26.40.1 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:15:57 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: bwi.c

Log Message:
`cat ~/releng/r-commit`


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.8.1 src/sys/dev/ic/bwi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:08:21 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: dm9000.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1477):
sys/dev/ic/dm9000.c: revision 1.12
Check for MCLGET failure in dme_alloc_receive_buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.2.1 src/sys/dev/ic/dm9000.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:04:58 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: dp83932.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1476):
sys/dev/ic/dp83932.c: revision 1.41
Plug mbuf leak on MCLGET failure in sonic_rxintr.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.14.1 src/sys/dev/ic/dp83932.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:03:22 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6]: i82596.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1475):
sys/dev/ic/i82596.c: revision 1.37
Null out sc_rx_mbuf[i] after m_freem to avoid double-free later.
From Ilja Van Sprundel.
Also null out sc_tx_mbuf[i] after m_freem, out of paranoia.
XXX Not entirely clear to how tx mbufs are freed, but no way to test
this since it's ews4800mips- and hp700-only, so not keen to make any
more elaborate changes...


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.14.1 src/sys/dev/ic/i82596.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/pci

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:00:53 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6]: if_et.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1474):
sys/dev/pci/if_et.c: revision 1.15
Check for MCLGET failure in et_newbuf.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.3.2.1 -r1.3.2.2 src/sys/dev/pci/if_et.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.




CVS commit: [netbsd-6] src/sys/dev/pci

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 14:58:15 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6]: if_ipw.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1473):
sys/dev/pci/if_ipw.c: revision 1.65 via patch
Null out sbuf->m on failure to avoid double-free later.
From Ilja Van Sprundel.
Also null out sbuf->map out of paranoia.


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.53.2.1 src/sys/dev/pci/if_ipw.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 14:53:10 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: kern_malloc.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1465):
sys/kern/kern_malloc.c: revision 1.146
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.138.2.1 src/sys/kern/kern_malloc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/mac68k/nubus

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:35:11 UTC 2017

Modified Files:
src/sys/arch/mac68k/nubus [netbsd-6]: if_netdock_nubus.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1472):
sys/arch/mac68k/nubus/if_netdock_nubus.c: revision 1.26
Avoid memory leak in netdock_get.
If top is null, this is the first time through and nothing else will
free m.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.14.1 src/sys/arch/mac68k/nubus/if_netdock_nubus.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/newsmips/apbus

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:30:05 UTC 2017

Modified Files:
src/sys/arch/newsmips/apbus [netbsd-6]: if_sn.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1471):
sys/arch/newsmips/apbus/if_sn.c: revision 1.39
Avoid memory leak in sonic_get.
If this is the first time around, top is null and nothing else will
free m.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.33.14.1 src/sys/arch/newsmips/apbus/if_sn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/usb

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:26:31 UTC 2017

Modified Files:
src/sys/dev/usb [netbsd-6]: if_ural.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1470):
sys/dev/usb/if_ural.c: revision 1.52
Free the RX list if ural_alloc_rx_list fails part way through.
Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.2.1 src/sys/dev/usb/if_ural.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat

2017-08-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 16:23:29 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/sys [netbsd-6]: dirent.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1469):
sys/compat/common/vfs_syscalls_12.c: revision 1.30
sys/compat/common/vfs_syscalls_43.c: revision 1.56
sys/compat/sys/dirent.h: revision 1.3
It is wishful thinking that vn_readdir will return dirent12 structures.
--
Fix the compat-4.3 getdirentries call (pre d_type). This is used in NetBSD-0.9.
--
add a struct for the 4.3BSD struct direct


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.12.1 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.14.2 -r1.54.14.3 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.2 -r1.2.118.1 src/sys/compat/sys/dirent.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch

2017-08-08 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Aug  8 12:00:35 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: locore.S machdep.c trap.c
src/sys/arch/i386/i386 [netbsd-6]: locore.S machdep.c trap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1464):

sys/arch/i386/i386/trap.c: revision 1.288   (patch)
sys/arch/i386/i386/machdep.c:  revision 1.783   (patch)
sys/arch/i386/i386/locore.S:   revision 1.146   (patch)
sys/arch/amd64/amd64/locore.S: revision 1.122,1.124 (patch)
sys/arch/amd64/amd64/machdep.c: revision 1.254   (patch)
sys/arch/amd64/amd64/trap.c:   revision 1.95-1.96   (patch)

Remove the osyscall call gate and emulate it. There is a
one-instruction race in it that could panic the kernel.

Restore the ability to run netbsd 1.0 32-bit executables by checking
for the relevant lcall instruction in the trap handler and treating it
as a syscall.


To generate a diff of this commit:
cvs rdiff -u -r1.66.2.1 -r1.66.2.2 src/sys/arch/amd64/amd64/locore.S
cvs rdiff -u -r1.175.2.8 -r1.175.2.9 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.69.2.2 -r1.69.2.3 src/sys/arch/amd64/amd64/trap.c
cvs rdiff -u -r1.95.10.3 -r1.95.10.4 src/sys/arch/i386/i386/locore.S
cvs rdiff -u -r1.717.2.7 -r1.717.2.8 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.262.8.1 -r1.262.8.2 src/sys/arch/i386/i386/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/pci

2017-07-23 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Jul 23 14:27:24 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-6]: aceride.c pciide_acer_reg.h

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1463):
sys/dev/pci/aceride.c: revision 1.37
sys/dev/pci/pciide_acer_reg.h: revision 1.13
Apply workaround from FreeBSD to fix read data corruption observed
on Fire V100 and mSATA-SSD with mSATA to IDE adapter.
The patch is from port-sparc64@.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/dev/pci/aceride.c
cvs rdiff -u -r1.12 -r1.12.18.1 src/sys/dev/pci/pciide_acer_reg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev

2017-07-20 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Jul 21 04:06:50 UTC 2017

Modified Files:
src/sys/dev [netbsd-6]: audio.c

Log Message:
Apply patch (requested by nat in ticket #1457):
Fix occasional stuttering that can be caused by ringbuffer overflow.


To generate a diff of this commit:
cvs rdiff -u -r1.257.2.4 -r1.257.2.5 src/sys/dev/audio.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev

2017-07-20 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Jul 21 04:02:12 UTC 2017

Modified Files:
src/sys/dev [netbsd-6]: cgd.c

Log Message:
Apply patch (requested by chs in ticket #1455):
Avoid crashes by checking if a cgd device has been configured before
processing most ioctls, and failing with ENXIO if the device is not
configured.


To generate a diff of this commit:
cvs rdiff -u -r1.76.6.1 -r1.76.6.2 src/sys/dev/cgd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/kern

2017-07-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Jul 14 06:18:25 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: exec_elf.c

Log Message:
Pull up following revision(s) (requested by uwe in ticket #1438):
sys/kern/exec_elf.c: revision 1.88 via patch
netbsd_elf_signature - look at note segments (phdrs) not note
sections.  They point to the same data in the file, but sections are
for linkers and are not necessarily present in an executable.
The original switch from phdrs to shdrs seems to be just a cop-out to
avoid parsing multiple notes per segment, which doesn't really avoid
the problem b/c sections also can contain multiple notes.


To generate a diff of this commit:
cvs rdiff -u -r1.37.2.2 -r1.37.2.3 src/sys/kern/exec_elf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/miscfs/procfs

2017-07-06 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul  6 15:28:21 UTC 2017

Modified Files:
src/sys/miscfs/procfs [netbsd-6]: procfs_map.c

Log Message:
Pull up following revision(s) (requested by tsutsui in ticket #1434):
sys/miscfs/procfs/procfs_map.c: revision 1.45
Maps don't change that frequently between reads, so don't give up and
do what linux does (support reading from an offset).


To generate a diff of this commit:
cvs rdiff -u -r1.41.8.1 -r1.41.8.2 src/sys/miscfs/procfs/procfs_map.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/kern

2017-07-06 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jul  6 15:20:00 UTC 2017

Modified Files:
src/sys/kern [netbsd-6]: subr_xcall.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1419):
sys/kern/subr_xcall.c: revision 1.19
Fix a race condition of low priority xcall
xc_lowpri and xc_thread are racy and xc_wait may return during/before
executing all xcall callbacks, resulting in a kernel panic at worst.
xc_lowpri serializes multiple jobs by a mutex and a cv. If all xcall
callbacks are done, xc_wait returns and also xc_lowpri accepts a next job.
The problem is that a counter that counts the number of finished xcall
callbacks is incremented *before* actually executing a xcall callback
(see xc_tailp++ in xc_thread). So xc_lowpri accepts a next job before
all xcall callbacks complete and a next job begins to run its xcall callbacks.
Even worse the counter is global and shared between jobs, so if a xcall
callback of the next job completes, the shared counter is incremented,
which confuses xc_wait of the previous job as all xcall callbacks of the
previous job are done and xc_wait of the previous job returns during/before
executing its xcall callbacks.
How to fix: there are actually two counters that count the number of finished
xcall callbacks for low priority xcall for historical reasons (I guess):
xc_tailp and xc_low_pri.xc_donep. xc_low_pri.xc_donep is incremented correctly
while xc_tailp is incremented wrongly, i.e., before executing a xcall callback.
We can fix the issue by dropping xc_tailp and using only xc_low_pri.xc_donep.
PR kern/51632


To generate a diff of this commit:
cvs rdiff -u -r1.13.10.1 -r1.13.10.2 src/sys/kern/subr_xcall.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys

2017-06-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Jun 15 06:04:01 UTC 2017

Modified Files:
src/sys/arch/ews4800mips/sbd [netbsd-6]: fb_sbdio.c
src/sys/arch/pmax/ibus [netbsd-6]: pm.c
src/sys/dev/hpc [netbsd-6]: bivideo.c
src/sys/dev/ic [netbsd-6]: sti.c

Log Message:
Pull up following revision(s) (requested by spz in ticket #1456):
sys/arch/ews4800mips/sbd/fb_sbdio.c: revision 1.16
sys/arch/pmax/ibus/pm.c: revision 1.13
sys/dev/hpc/bivideo.c: revision 1.34
sys/dev/ic/sti.c: revision 1.19
correct size checks so they cannot be circumvented by integer overflows
reported by CTurt, thanks for the notification


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.2.1 src/sys/arch/ews4800mips/sbd/fb_sbdio.c
cvs rdiff -u -r1.11 -r1.11.2.1 src/sys/arch/pmax/ibus/pm.c
cvs rdiff -u -r1.32 -r1.32.14.1 src/sys/dev/hpc/bivideo.c
cvs rdiff -u -r1.16.8.1 -r1.16.8.2 src/sys/dev/ic/sti.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/i386/stand/misc

2017-06-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Jun  3 16:49:29 UTC 2017

Modified Files:
src/sys/arch/i386/stand/misc [netbsd-6]: rawr32.exe.uue

Log Message:
Pull up following revision(s) (requested by martin in ticket #1454):
sys/arch/i386/stand/misc/rawr32.exe.uue: revision 1.7
Update to rawrite32 1.0.5 (new signatures to avoid scary windows
warnings)


To generate a diff of this commit:
cvs rdiff -u -r1.4.4.1 -r1.4.4.2 src/sys/arch/i386/stand/misc/rawr32.exe.uue

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/pci/ixgbe

2017-03-25 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:35:56 UTC 2017

Modified Files:
src/sys/dev/pci/ixgbe [netbsd-6]: ixgbe.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1439):
sys/dev/pci/ixgbe/ixgbe.c: revision 1.60 via patch
Use 64bit DMA tag. If not, a lot of bounce buffer is allocated.
Fixes PR#49968 reported by Hauke.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.4.1 src/sys/dev/pci/ixgbe/ixgbe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/usb

2017-03-25 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:30:18 UTC 2017

Modified Files:
src/sys/dev/usb [netbsd-6]: uplcom.c

Log Message:
Pull up following revision(s) (requested by bad in ticket #1445):
sys/dev/usb/uplcom.c: revision 1.75
Null suspend/resume handler for uplcom(4).


To generate a diff of this commit:
cvs rdiff -u -r1.73.2.1 -r1.73.2.2 src/sys/dev/usb/uplcom.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/usb

2017-03-25 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:26:53 UTC 2017

Modified Files:
src/sys/dev/usb [netbsd-6]: uplcom.c

Log Message:
Pull up following revision(s) (requested by bad in ticket #1444):
sys/dev/usb/uplcom.c: revision 1.76
Don't pretend to do zero length IN control transfers as dwctwo(4)
(correctly according to usb 2.0 specification 8.5.3) uses IN status stage
when no (zero length) data stage.  Instead read into a 1 byte array.
My uplcom(4) now works on RPI.


To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.73.2.1 src/sys/dev/usb/uplcom.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch

2017-03-25 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar 25 17:18:25 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: trap.c
src/sys/arch/i386/i386 [netbsd-6]: trap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1446):
sys/arch/amd64/amd64/trap.c: revision 1.94
sys/arch/i386/i386/trap.c: revision 1.287
Mmh, allow iret to be handled when an #SS fault (T_STKFLT) happens. Even
if the sdm is far from being clear, it appears that iret can trigger an #SS
fault if %ss points to a writable but non-present segment; in which case
the kernel would panic, thinking the fault was internal to it.
In particular, userland can create a broken segment in the ldt with
USER_LDT, update its %ss with setcontext and trigger the panic. I don't
think amd64 is affected since USER_LDT does not exist there, and the
changes on tf_ss seem correct - but I'm still adding T_STKFLT for safety.


To generate a diff of this commit:
cvs rdiff -u -r1.69.2.1 -r1.69.2.2 src/sys/arch/amd64/amd64/trap.c
cvs rdiff -u -r1.262 -r1.262.8.1 src/sys/arch/i386/i386/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/x86

2017-03-06 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Mar  6 08:18:44 UTC 2017

Modified Files:
src/sys/arch/x86/include [netbsd-6]: pmap.h
src/sys/arch/x86/x86 [netbsd-6]: pmap.c

Log Message:
Pull up following revision(s) (requested by bouyer in ticket #1441):
sys/arch/x86/x86/pmap.c: revision 1.241 via patch
sys/arch/x86/include/pmap.h: revision 1.63 via patch
Should be PG_k, doesn't change anything.
--
Remove PG_u from the kernel pages on Xen. Otherwise there is no privilege
separation between the kernel and userland.
On Xen-amd64, the kernel runs in ring3 just like userland, and the
separation is guaranteed by the hypervisor - each syscall/trap is
intercepted by Xen and sent manually to the kernel. Before that, the
hypervisor modifies the page tables so that the kernel becomes accessible.
Later, when returning to userland, the hypervisor removes the kernel pages
and flushes the TLB.
However, TLB flushes are costly, and in order to reduce the number of pages
flushed Xen marks the userland pages as global, while keeping the kernel
ones as local. This way, when returning to userland, only the kernel pages
get flushed - which makes sense since they are the only ones that got
removed from the mapping.
Xen differentiates the userland pages by looking at their PG_u bit in the
PTE; if a page has this bit then Xen tags it as global, otherwise Xen
manually adds the bit but keeps the page as local. The thing is, since we
set PG_u in the kernel pages, Xen believes our kernel pages are in fact
userland pages, so it marks them as global. Therefore, when returning to
userland, the kernel pages indeed get removed from the page tree, but are
not flushed from the TLB. Which means that they are still accessible.
With this - and depending on the DTLB size - userland has a small window
where it can read/write to the last kernel pages accessed, which is enough
to completely escalate privileges: the sysent structure systematically gets
read when performing a syscall, and chances are that it will still be
cached in the TLB. Userland can then use this to patch a chosen syscall,
make it point to a userland function, retrieve %gs and compute the address
of its credentials, and finally grant itself root privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/x86/include/pmap.h
cvs rdiff -u -r1.164.2.5 -r1.164.2.6 src/sys/arch/x86/x86/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat/linux/arch/amd64

2017-02-14 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Feb 14 16:59:31 UTC 2017

Modified Files:
src/sys/compat/linux/arch/amd64 [netbsd-6]: linux_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1433):
sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51
Don't let userland choose %rip. This is the Intel Sysret vulnerability
again.
--
Make sure %rip is in userland. This is harmless, since the return to
userland is made with iret instead of sysret in this path. While here, use
size_t.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.6.1 \
src/sys/compat/linux/arch/amd64/linux_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet

2017-02-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb  5 06:07:36 UTC 2017

Modified Files:
src/sys/netinet [netbsd-6]: if_arp.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1432):
sys/netinet/if_arp.c: 1.238, 1.239 via patch
Make sure the protocol address length equals that of IPv4. Also, make sure
the hardware address length equals that of the interface we received the
packet on. Otherwise a packet could easily set them both to zero and make
the kernel read beyond the allocated mbuf, which is terrible.
Note: for the latter we drop the packet instead of replying, since it is
malformed.
Note: I also added an ugly hack in CARP, since it apparently expects at
least six bytes.
--
Add some checks, mostly same as in_arpinput.


To generate a diff of this commit:
cvs rdiff -u -r1.154.2.2 -r1.154.2.3 src/sys/netinet/if_arp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
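
The two length checks described in the if_arp.c log message above, as an added user-space example (not NetBSD's code and not part of the original commit mail). The function, struct and sample-packet names are hypothetical, and the packets are constructed for illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARP_FIXED_LEN 8   /* ar_hrd(2) ar_pro(2) ar_hln(1) ar_pln(1) ar_op(2) */
#define IPV4_ALEN     4
#define ETHER_ALEN    6

enum arp_verdict {
    ARP_ACCEPT,
    ARP_DROP_TRUNCATED,   /* buffer shorter than the header claims */
    ARP_DROP_BAD_PLN,     /* protocol address length is not IPv4's */
    ARP_DROP_BAD_HLN      /* hardware address length differs from the interface's */
};

struct arp_fields {
    uint16_t op;
    const uint8_t *sha, *spa, *tha, *tpa;
};

/*
 * Validate an ARP packet before any address field is dereferenced.
 * if_addrlen is the link-layer address length of the receiving interface.
 * Later code copies fixed-size addresses, so a self-consistent header that
 * declares zero-length addresses must be rejected, not just a short buffer.
 */
enum arp_verdict
arp_check(const uint8_t *pkt, size_t len, uint8_t if_addrlen,
    struct arp_fields *out)
{
    uint8_t hln, pln;
    size_t need;

    if (len < ARP_FIXED_LEN)
        return ARP_DROP_TRUNCATED;
    hln = pkt[4];
    pln = pkt[5];
    if (pln != IPV4_ALEN)
        return ARP_DROP_BAD_PLN;
    if (hln != if_addrlen)
        return ARP_DROP_BAD_HLN;   /* malformed: drop, do not reply */

    /* Both lengths are now known constants; confirm the data is present. */
    need = ARP_FIXED_LEN + 2 * (size_t)hln + 2 * (size_t)pln;
    if (len < need)
        return ARP_DROP_TRUNCATED;

    out->op = (uint16_t)((pkt[6] << 8) | pkt[7]);
    out->sha = pkt + ARP_FIXED_LEN;
    out->spa = out->sha + hln;
    out->tha = out->spa + pln;
    out->tpa = out->tha + hln;
    return ARP_ACCEPT;
}

/* Constructed sample: well-formed Ethernet/IPv4 ARP request (28 bytes). */
static const uint8_t sample_valid[] = {
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  192, 0, 2, 1,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  192, 0, 2, 2
};

/* Constructed sample: both lengths zero, so the 8-byte packet is
 * self-consistent and a plain length check alone would pass it. */
static const uint8_t sample_zero_both[] = {
    0x00, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01
};

/* Constructed sample: correct pln, zero hln, only the IPv4 addresses present. */
static const uint8_t sample_zero_hln[] = {
    0x00, 0x01, 0x08, 0x00, 0x00, 0x04, 0x00, 0x01,
    192, 0, 2, 1,  192, 0, 2, 2
};

int
main(void)
{
    struct arp_fields f;

    printf("valid:      %d\n",
        arp_check(sample_valid, sizeof(sample_valid), ETHER_ALEN, &f));
    printf("zero both:  %d\n",
        arp_check(sample_zero_both, sizeof(sample_zero_both), ETHER_ALEN, &f));
    printf("zero hln:   %d\n",
        arp_check(sample_zero_hln, sizeof(sample_zero_hln), ETHER_ALEN, &f));
    printf("truncated:  %d\n",
        arp_check(sample_valid, 20, ETHER_ALEN, &f));
    return 0;
}
```
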



CVS commit: [netbsd-6] src/sys/arch/amd64/amd64

2017-02-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb  5 06:01:05 UTC 2017

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6]: copy.S

Log Message:
Apply patch (requested by maxv in ticket #1431):
suword: Don't allow 4 bytes to overflow beyond the userland space.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.14.1 src/sys/arch/amd64/amd64/copy.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/net

2017-02-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb  5 05:48:00 UTC 2017

Modified Files:
src/sys/net [netbsd-6]: if_arcsubr.c if_ecosubr.c if_ethersubr.c
if_fddisubr.c if_tokensubr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1429):
sys/net/if_arcsubr.c: revision 1.76 via patch
sys/net/if_ecosubr.c: revision 1.50 via patch
sys/net/if_ethersubr.c: revision 1.236 via patch
sys/net/if_fddisubr.c: revision 1.104 via patch
sys/net/if_tokensubr.c: revision 1.80 via patch
Don't forget to free the mbuf when we decide not to reply to an ARP
request. This obviously is a terrible bug, since it allows a remote sender
to DoS the system with specially-crafted requests sent in a loop.


To generate a diff of this commit:
cvs rdiff -u -r1.63.14.1 -r1.63.14.2 src/sys/net/if_arcsubr.c
cvs rdiff -u -r1.36.4.1 -r1.36.4.2 src/sys/net/if_ecosubr.c
cvs rdiff -u -r1.188.8.4 -r1.188.8.5 src/sys/net/if_ethersubr.c
cvs rdiff -u -r1.81.14.1 -r1.81.14.2 src/sys/net/if_fddisubr.c
cvs rdiff -u -r1.61 -r1.61.8.1 src/sys/net/if_tokensubr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/alpha

2016-11-16 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Nov 16 18:04:39 UTC 2016

Modified Files:
src/sys/arch/alpha/alpha [netbsd-6]: machdep.c prom.c
src/sys/arch/alpha/stand/common [netbsd-6]: booted_dev.c prom.c

Log Message:
Pull up following revision(s) (requested by flxd in ticket #1416):
sys/arch/alpha/alpha/machdep.c: revision 1.347
sys/arch/alpha/alpha/prom.c: revision 1.49
sys/arch/alpha/stand/common/booted_dev.c: revision 1.4
sys/arch/alpha/stand/common/prom.c: revision 1.15
Match the two prom_getenv() and fix buffer overflow causing wrong host
controller SCSI ID for DEC 3000.
OK skrll@


To generate a diff of this commit:
cvs rdiff -u -r1.337.2.1 -r1.337.2.2 src/sys/arch/alpha/alpha/machdep.c
cvs rdiff -u -r1.48 -r1.48.2.1 src/sys/arch/alpha/alpha/prom.c
cvs rdiff -u -r1.3 -r1.3.174.1 src/sys/arch/alpha/stand/common/booted_dev.c
cvs rdiff -u -r1.14 -r1.14.18.1 src/sys/arch/alpha/stand/common/prom.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/kern

2016-11-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Nov 11 07:08:05 UTC 2016

Modified Files:
src/sys/kern [netbsd-6]: uipc_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1415):
sys/kern/uipc_usrreq.c: revision 1.181
Memory leak, found by Mootja. It is easily triggerable from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.136.8.3 -r1.136.8.4 src/sys/kern/uipc_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:18:43 UTC 2016

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6]: locore.s

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1408):
sys/arch/sparc64/sparc64/locore.s: revision 1.401
Fix RAS for 32-bit kernels.  trapframe is always 64-bit.


To generate a diff of this commit:
cvs rdiff -u -r1.338.8.7 -r1.338.8.8 src/sys/arch/sparc64/sparc64/locore.s

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/pci

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:14:57 UTC 2016

Modified Files:
src/sys/dev/pci [netbsd-6]: if_wm.c

Log Message:
Apply patch, requested by martin in ticket #1407:
sys/dev/pci/if_wm.c patch
fix evbppc build, where the older gcc wrongly warns about uninitialized
variable.


To generate a diff of this commit:
cvs rdiff -u -r1.227.2.19 -r1.227.2.20 src/sys/dev/pci/if_wm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/lib/libsa

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:10:52 UTC 2016

Modified Files:
src/sys/lib/libsa [netbsd-6]: checkpasswd.c

Log Message:
Pull up following revision(s) (requested by dholland in ticket #1406):
sys/lib/libsa/checkpasswd.c: revision 1.10
Check bounds on input. From Michael Plass.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.14.1 src/sys/lib/libsa/checkpasswd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 13:06:41 UTC 2016

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6]: kobj_machdep.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1405):
sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.5
sys/arch/sparc64/sparc64/kobj_machdep.c: revision 1.6
Follow rev. 1.54, 1.55 of libexec/ld.elf_so/arch/sparc64/mdreloc.c.
The target of the OLO10 relocation is the simm13 field of the instruction,
so use a 13 bit target mask.
Fixes PR kern/51436 (I broke this myself in rev 1.4)


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.14.1 src/sys/arch/sparc64/sparc64/kobj_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev/pci

2016-09-24 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep 24 12:56:16 UTC 2016

Modified Files:
src/sys/dev/pci [netbsd-6]: if_vioif.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1401):
sys/dev/pci/if_vioif.c: revision 1.25
Fix initializing wrong queues
Pointed out by Mike Larkin.
PR kern/51448


To generate a diff of this commit:
cvs rdiff -u -r1.2.8.2 -r1.2.8.3 src/sys/dev/pci/if_vioif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/miscfs/kernfs

2016-09-03 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Sep  3 11:36:03 UTC 2016

Modified Files:
src/sys/miscfs/kernfs [netbsd-6]: kernfs_vnops.c

Log Message:
Revert ticket 1367, it causes a kernel panic in test lib/libc/gen/t_getcwd
as seen in e.g.
http://www-soc.lip6.fr/~bouyer/NetBSD-tests/xen/netbsd-6/i386/201608291710Z_anita.txt

lib/libc/gen/t_getcwd (206/500): 2 test cases
getcwd_err: [0.006614s] Passed.
getcwd_fts: uvm_fault(0xc0e221b0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c023ba9f cs 9 eflags 10246 cr2 1c ilevel 0
panic: trap
cpu1: Begin traceback...
panic(c04616d0,cdcfb938,cdcfb938,c023ba9f,9,10246,1c,0,1c,0) at 
netbsd:panic+0x18
trap() at netbsd:trap+0xb51
--- trap (number 6) ---
kernfs_readdir(cdcfbc0c,1,c11ce0b4,c0439f60,c11ce0b4,cdcfbc58,c0cc0cc0,cdcfbc7c,0,0)
 at netbsd:kernfs_readdir+0x98f
VOP_READDIR(c11ce0b4,cdcfbc58,c0cc0cc0,cdcfbc7c,0,0,c19287e0,1,cdcfbc58,cdcfbc74)
 at netbsd:VOP_READDIR+0x68
vn_readdir(c14c3000,bb512000,0,1000,cdcfbcbc,c19287e0,0,0,c14c3000,0) at 
netbsd:vn_readdir+0xbd
sys___getdents30(c19287e0,cdcfbd00,cdcfbd28,186,bb516000,0,cdcfbd00,c1199bf4,2,bb7a4fe7)
 at netbsd:sys___getdents30+0x8c
syscall(cdcfbd48,bb6b00b3,ab,bf7f001f,bb6b001f,0,bb5010d0,bf7fe764,bb7c4be0,0) 
at netbsd:syscall+0xaa
cpu1: End traceback...


To generate a diff of this commit:
cvs rdiff -u -r1.144.2.1 -r1.144.2.2 src/sys/miscfs/kernfs/kernfs_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/net80211

2016-08-31 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Aug 31 15:15:57 UTC 2016

Modified Files:
src/sys/net80211 [netbsd-6]: ieee80211_input.c

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1382):
sys/net80211/ieee80211_input.c: revision 1.83
sys/net80211/ieee80211_input.c: revision 1.84
Don't check sequence number on multicast packets in station mode.
Handle overflow of 12bit sequence number.
In station mode filter packets that are not for us in case the
interface is in promiscuous mode or doesn't filter packets itself.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/net80211/ieee80211_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet

2016-08-28 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Aug 28 10:49:45 UTC 2016

Modified Files:
src/sys/netinet [netbsd-6]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1393):
sys/netinet/ip_carp.c: revision 1.75
Workaround for PR 47013 by bouyer@. Only works for mixed IPv4/IPv6
environments, not for pure-IPv6 yet. A real fix is still needed.


To generate a diff of this commit:
cvs rdiff -u -r1.47.4.4 -r1.47.4.5 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/i386/stand/misc

2016-08-28 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Aug 28 10:38:29 UTC 2016

Modified Files:
src/sys/arch/i386/stand/misc [netbsd-6]: rawr32.exe.uue

Log Message:
Pull up following revision(s) (requested by martin in ticket #1385):
sys/arch/i386/stand/misc/rawr32.exe.uue: sync to revision 1.6
New Rawrite32 release


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.4.1 src/sys/arch/i386/stand/misc/rawr32.exe.uue

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/compat/common

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:51:29 UTC 2016

Modified Files:
src/sys/compat/common [netbsd-6]: vfs_syscalls_43.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1400):
sys/compat/common/vfs_syscalls_43.c: revision 1.58
fill in the tv_nsec parts of the converted timespec in cvtstat().


To generate a diff of this commit:
cvs rdiff -u -r1.54.14.1 -r1.54.14.2 src/sys/compat/common/vfs_syscalls_43.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/dev

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:47:48 UTC 2016

Modified Files:
src/sys/dev [netbsd-6]: fss.c

Log Message:
Pull up following revision(s) (requested by hannken in ticket #1399):
sys/dev/fss.c: revision 1.95
Disestablish COW handler on error.  No need to do further copies after
the snapshot device failed.
Should fix PR kern/51377: fss(4) panic if snapshot mounted read/write


To generate a diff of this commit:
cvs rdiff -u -r1.81.4.3 -r1.81.4.4 src/sys/dev/fss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/evbppc/conf

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:44:11 UTC 2016

Modified Files:
src/sys/arch/evbppc/conf [netbsd-6]: Makefile.ev64260.inc
Makefile.obs405.inc Makefile.walnut.inc

Log Message:
Pull up following revision(s) (requested by maya in ticket #1396):
sys/arch/evbppc/conf/Makefile.walnut.inc: revision 1.9
sys/arch/evbppc/conf/Makefile.obs405.inc: revision 1.13
sys/arch/evbppc/conf/Makefile.ev64260.inc: revision 1.8
Fix typo in Makefile which resulted in kernel image not being generated
From Rin Okuyama in PR/51369


To generate a diff of this commit:
cvs rdiff -u -r1.5.14.1 -r1.5.14.2 \
src/sys/arch/evbppc/conf/Makefile.ev64260.inc
cvs rdiff -u -r1.6.14.1 -r1.6.14.2 \
src/sys/arch/evbppc/conf/Makefile.obs405.inc
cvs rdiff -u -r1.6.2.1 -r1.6.2.2 src/sys/arch/evbppc/conf/Makefile.walnut.inc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/netinet

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:39:10 UTC 2016

Modified Files:
src/sys/netinet [netbsd-6]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1394):
sys/netinet/ip_carp.c: revision 1.76
Print the IPv6 or IPv4 source addresses of packets with wrong hash, to
help debugging.


To generate a diff of this commit:
cvs rdiff -u -r1.47.4.3 -r1.47.4.4 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/arch/mips/mips

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:34:55 UTC 2016

Modified Files:
src/sys/arch/mips/mips [netbsd-6]: pmap.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1390):
sys/arch/mips/mips/pmap.c: revision 1.221
sys/arch/mips/mips/pmap.c: revision 1.222
sys/arch/mips/mips/pmap.c: revision 1.223
Fix a bug introduced by me in 1.214 where unmanaged mappings would be
affected by calls to pmap_page_protect which is wrong.  Now PV_KENTER
mappings are left intact.
Thanks to chuq for spotting my mistake and reviewing this diff.
Thanks to everyone who tested it as well.
Fix PR/51288 reproducible panic on evbmips64-eb (erlite)
pmap_page_remove from the previous change neglected to terminate the pv
list correctly when it started with an initial unmanaged mapping and
subsequent managed mappings.  Fix this.
Fix MIPS3_NO_PV_UNCACHED alias handling by looping through the pv_list
looking for bad aliases and removing the bad entries.  That is, revert
to the code before the matt-mips64 merge.
Additionally, fix the pmap_update call to not use the (recently
  removed/freed) pv for the pmap_t.
Fixes the following two PRs
PR/49903: Panic during installation on WorkPad Z50 (hpcmips) whilst 
uncompressing base.tgz
PR/51226: Install bug for hpcmips NetBSD V7 using FTP Full installation


To generate a diff of this commit:
cvs rdiff -u -r1.207.2.3 -r1.207.2.4 src/sys/arch/mips/mips/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/ufs/lfs

2016-08-27 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sat Aug 27 14:13:18 UTC 2016

Modified Files:
src/sys/ufs/lfs [netbsd-6]: lfs_vnops.c

Log Message:
Pull up following revision(s) (requested by dholland in ticket #1389):
sys/ufs/lfs/lfs_vnops.c: revision 1.304
Fix a deadlock
ok dholland@


To generate a diff of this commit:
cvs rdiff -u -r1.239.2.1 -r1.239.2.2 src/sys/ufs/lfs/lfs_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


