remove global variable in_vm86call, set vm86 calling flag in PCB flags.
2.Fix vm86 BIOS calling preempted problem by changing vm86_lock mutex type
from MTX_DEF to MTX_SPIN. vm86pcb is not remembered in thread struct,
when the thread calling vm86 BIOS is preempted by interrupt thread,
and later switching back to the thread would cause incorrect context be
loaded into CPU registers, this leads to kernel crash.
argument is an expression you can end up casting part of it to void *.
This resulted in bogus warnings about pointer arith using void *'s for
the ep(4) driver.
from being MI in any fashion. It currently "assumes" that it can get
a kernel virtual address for a phyiscal address by adding KERNBASE to the
physical address. It also tries to read values out of a the PC BIOS on
all archs. It also uses "manual" inb() and outb()'s to talk to the mcclock
device which just happens to be at that location on both i386 and alpha.
This driver should likely be i386-only.
not look like the prerequisites to fill it in properly will be in the tree
for the upcoming release, but it's mostly done, so there is no need for these
to stay around to remind us.
manipulated directly (rather than using sballoc()/sbfree()); update them
to tweak the new sb_ctl field too.
Sponsored by: NTT Multimedia Communications Labs
(1) Permit userland applications to request a change of label atomic
with an execve() via mac_execve(). This is required for the
SEBSD port of SELinux/FLASK. Attempts to invoke this without
MAC compiled in result in ENOSYS, as with all other MAC system
calls. Complexity, if desired, is present in policy modules,
rather than the framework.
(2) Permit policies to have access to both the label of the vnode
being executed as well as the interpreter if it's a shell
script or related UNIX nonsense. Because we can't hold both
vnode locks at the same time, cache the interpreter label.
SEBSD relies on this because it supports secure transitioning
via shell script executables. Other policies might want to
take both labels into account during an integrity or
confidentiality decision at execve()-time.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Allow transitioning to be twiddled off using the process and fs enforcement
flags, although at some point this should probably be its own flag.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
entrypoints, #ifdef MAC. The supporting logic already existed in
kern_mac.c, so no change there. This permits MAC policies to cause
a process label change as the result of executing a binary --
typically, as a result of executing a specially labeled binary.
For example, the SEBSD port of SELinux/FLASK uses this functionality
to implement TE type transitions on processes using transitioning
binaries, in a manner similar to setuid. Policies not implementing
a notion of transition (all the ones in the tree right now) require
no changes, since the old label data is copied to the new label
via mac_create_cred() even if a transition does occur.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
with them in non-C cases, outside of the kernel.
Include <sys/cdefs.h> for __BEGIN_DECLS/__END_DECLS as other headers seem
to do in this area.
Requested by: Patrick Hartling <patrick@137.org>
describes an image activation instance. Instead, make use of the
existing fname structure entry, and introduce two new entries,
userspace_argv, and userspace_envv. With the addition of
mac_execve(), this divorces the image structure from the specifics
of the execve() system call, removes a redundant pointer, etc.
No semantic change from current behavior, but it means that the
structure doesn't depend on syscalls.master-generated includes.
There seems to be some redundant initialization of imgact entries,
which I have maintained, but which could probably use some cleaning
up at some point.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
require Biba privilege to configure either, and require that accounting
files be high integrity. Note that this does allow implicit information
flow from low to high integrity, but it also protects the integrity
of accounting data.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
system accounting configuration and for nfsd server thread attach.
Policies might use this to protect the integrity or confidentiality
of accounting data, limit the ability to turn on or off accounting,
as well as to prevent inappropriately labeled threads from becoming nfs
server threads.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Replace ARC4 with SHA2-512.
Change lock-structure encoding to use random ordering rather for obscurity.
Encrypt lock-structure with AES/256 instead of AES/128.
Change kkey derivation to be MD5 hash based.
Watch for malloc(M_NOWAIT) failures and ditch our cache when they happen.
Remove clause 3 of the license with NAI Labs consent.
Many thanks to "Lucky Green" <shamrock@cypherpunks.to> and "David
Wagner" <daw@cs.berkeley.edu>, for code reading, inputs and
suggestions.
This code has still not been stared at for 10 years by a gang of
hard-core cryptographers. Discretion advised.
NB: These changes result in the on-disk format changing: dump/restore needed.
Sponsored by: DARPA & NAI Labs.
is a compiler tool and needs to be compiled by the host compiler. I've
tested this in i386->sparc cross-build, 4.7->current upgrade, normal
buildkernel target, and normal /sys/i386/compile/GENERIC configurations.
Submitted by: ru
because it's no longer used. (See revision 1.215.)
- Fix a harmless bug: the number of vm_page structures allocated wasn't
properly adjusted when uma_bootstrap() was introduced. Consequently,
we were allocating 30 unused vm_page structures.
- Wrap a long line.
acpi_cmbat_init_battery() and acpi_cmbat_init_acline() respectively.
Call acpi_cmbat_init_battery() from acpi_cmbat_resume() too just in
case.
This is a workaround for embedded controller operations which is
unstable for about a minute (typically 30 or 40 sec.) at boot time.
the partition once a partition has been set. This is required for correct
operation of sendmail between partitions.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
o Always release the resources on device detach.
o Attach resources the same with driver added as we do we do in the insert
case (maybe this should be a routine).
o signal the wakeup of the thread on resume instead of trying to force an
interrupt.
o Minor debug hacks.
o use 0xffffffff instead of -1 for uint32_t items.
o Don't complain when we're asked to detach no cards. This is normal.
o Eliminate the now worthless second parameter to card_detach_card.
o minor style(9)isms
Some of these patches may be from: iwasaki-san, jhb, iadowse
o It turns out that we always need to try to route the interrupts for
the case where the $PIR tells us there can be only one. Some machines
require this, while others fail when we try to do this (bogusly, imho).
Since we have no apriori way of knowing which is which, we always try to
do the routing and hope for the best if things fail.
o Add some additional comments that state the obvious, but amplify it in
non-obvious ways (judging from the questions I've gotten).
This should un-break older laptops that still have to use PCIBIOS to route
interrupts.
Tested by: sam
Use exact width types, since this is a MD file and won't be used elsewhere.
Fix a couple of resulting printf breakages
Bug found by: phk using Flexlint
checking for "path == NULL" (like ffs) rather than MNT_ROOT. Otherwise
when you try and do an update or mountd does an NFS export, the remount
fails because the code tries to mount a fresh rootfs and gets an EBUSY.
The same bug is in 4.x (which is where I found it).
Sanity check by: mux
function takes an int * parameter, not a size_t * parameter.
Arguably, it should rather take a size_t *, but that would
require changing the uio_resid field of struct uio to be a size_t
instead of an int, which I don't want to do that close to
5.0-RELEASE.
Reviewed by: rwatson
skip those. This handles the Protective MBR (PMBR) which consists
of a single partition of type 0xEE that covers the whole disk and
as such protects the GPT partitioning. We allow other partitions to
be present besides partitions of type 0xEE and as such interpret
partition type 0xEE as a "hands-off" partition only.
While here, fix g_mbrext_dumpconf to test if indent is NULL and
dump the data in a form that libdisk can grok. Change the logic
in g_mbr_dumpconf to match that of g_mbrext_dumpconf. This does
not change the output, but prevents a NULL-pointer dereference
when indent == NULL && pp == NULL.
expected under -current. This is a problem for GEOM because the up/down
threads cannot sleep waiting for memory to become free. The reason they
cannot sleep is that paging things out to disk may be the only way we can
clear up some RAM. Nice catch-22 there.
Implement a rudimentary ENOMEM recovery strategy: If an I/O request
fails with an error code of ENOMEM, schedule it for a retry, and
tell the down-thread to sleep hz/10 to get other parts of the system
a chance to free up some memory, in particular the up-path in GEOM.
All caches should probably start to monitor malloc(9) failures using the new
malloc_last_fail() function, and release when it indicates congestion.
Sponsored by: DARPA & NAI Labs.
TAILQ_FIRST(&ifp->if_addrhead) to find the link layer ifaddr.
(it's always first I believe)
Allows this to compile on -current.
.. need testers with FEC capable switches..
the data value returned by kevent()'s EVFILT_READ filter on non-TCP
sockets accurately reflects the amount of data that can be read from the
sockets by applications.
PR: 30634
Reviewed by: -net, -arch
Sponsored by: NTT Multimedia Communications Labs
MFC after: 2 weeks
permitting MAC policies to limit access to the kernel environment.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
malloc(9) failed last time. This is intended to help code adjust
memory usage to the current circumstances.
A typical use could be:
if (malloc_last_fail() < 60)
reduce_cache_by_one();
has a valid b_iocmd. Valid is any one of BIO_{READ,WRITE,DELETE}.
I have seen at least one case where the bio_cmd field was zero once the
request made it into GEOM. Putting the KASSERT here allows us to spot
the culprit in the backtrace.
vm_page_alloc not to insert this page into an object. The pindex is
still used for colorization.
- Rework vm_page_select_* to accept a color instead of an object and
pindex to work with VM_PAGE_NOOBJ.
- Document other VM_ALLOC_ flags.
Reviewed by: peter, jake
prediction code. Previously, 2GB worth of header predicted data
could leave these variables too far out of sequence which would cause
problems after receiving a packet that did not match the header
prediction.
Submitted by: Bill Baumann <bbaumann@isilon.com>
Sponsored by: Isilon Systems, Inc.
Reviewed by: hsu, pete@isilon.com, neal@isilon.com, aaronp@isilon.com
This is NOT YET CONVERTED TO -current.
This node is a source for preprogrammed packets at a known rate for testing.
I will convert it to -current "in place" but will MFC teh original
pre-conversion variant as that is what is originally submitted.
Man page my me, info from Dave's README.
Submitted by: Dave Chapeskie <dchapeskie@SANDVINE.com>
Obtained from: Sandvine inc.
MFC after: 1 week
nfsm_srvpathsiz. This macro plucks a length out of an rpc request and
verifies that its size does not exceed NFS_MAXPATHLEN. If it does
it generates an ENAMETOOLONG response.
- Use this macro, and the existing nfsm_srvnamsiz macro in two places
where we deal with paths passed in by the client.
This fixes a linux interoperability bug. Linux was sending oversized path
components which would cause us to ignore the request all together. This
causes linux to hang indefinitly while it waits for a response. This
could still happen in other cases where we error out with EBADRPC.
Sponsored by: Isilon Systems, Inc.
Reviewed by: alfred, fabbri@isilon.com, neal@isilon.com
state. Instead, use ACPI_STA_PRESENT and ACPI_STA_FUNCTIONAL for it.
In some ACPI BIOS implementations, boot disabled devices don't have
ACPI_STA_ENABLE bit in _STA object.
Also it is not fatal if getting current IRQ of boot disabled devices
is failed in initial state.
And minor fixes.
amr_cam.c,
amrreg.h,
amrvar.h:
- added support for 12/16 byte cdb's, effecting CAM branch only ( non-disk support )
amrreg.h:
- increased number of scatter gather elements from 16 to 26.
amr_pci.c:
- amr_pci_free(), incorrect bus tag meant for 'amr_mailbox_dmat' was being freed
all:
- copyright change requested by scottl
Reviewed by: ps,scottl
MFC after: 1 week
across system suspends on the Intel 82371AB PCI-ISA bridge. On a
Sony Vaio C1XD that I have, these registers are not set correctly
after an ACPI resume. The result is that after resuming, a shared
IRQ is left in edge-triggered mode so the interrupt can later become
jammed in a state where the line remains asserted, but the handler
is never called.
Reviewed by: jhb
behaviour of the hardware: a possibly reserved bit of the receive
descriptor (RFA) `status' field is borrowed to record no-resource
(RNR) events, and the same status field is read and written to at
a time that may clash with the hardware updating this field.
There is no hardware documentation available to determine if these
things are safe to do; the second issue almost certainly isn't, and
the first is only safe if there is documentation saying that this
bit is free to be used by the driver. The PR referenced below
provides extremely convincing evidence that the changes cause random
crashes on some (unusual) hardware.
Since these features are only required by the DEVICE_POLLING case,
this commit makes their use conditional on that option. It does not
change the DEVICE_POLLING case, but at least people with the rare
hardware on which this code causes problems can now avoid the crashes
by not enabling DEVICE_POLLING.
PR: kern/42260
Reviewed by: luigi
Problem revision found by: Pawel Malachowski <pawmal@unia.3lo.lublin.pl>
Tested by: Pawel Malachowski <pawmal@unia.3lo.lublin.pl>
MFC after: 1 week
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
MAC access() and open() checks, the argument actually has an int type
where it becomes available. Switch to using 'int' for the mode argument
throughout the MAC Framework and policy modules.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
a true scratch register. This change and future re-allocations will
eventually result in code that we can unwind to to get the preserved
registers of the process. This of course means that we cannot trash
them while saving the process context.
While re-allocating, remove the register aliases. Abstraction is in
this case disadvanteous.
have f16-f31 as part of the context. The PCB has been reorganized to
better match how we save and restore the (preserved) registers. This
commit also moves the context restoriation to its own function (named
pcb_restore), as we did with pcb_save.
Only minimal effort has been put in writing optimal assembly. The
expectation is that there will be more rounds of changes.
This provides a 30% reduction in system time and a 6% reduction in wallclock time
for a make buildworld on my xp1000 (one 21264).
FWIW, I've been running this for nearly 2 months without problems.
Portions submitted by: ticso, jhb
Tested by: jhb (ds20 dual 21264)
We've been talking about this for years, but nobody has done it.
(and I don't think anybody has used this for debugging since Doug
and I were doing the initial bootstrapping..)
pipe callback function, and just return if these cases are detected.
Without these checks, the ulpt driver may cause an infinite loop
of failing USB transfers that can hang the whole machine. This makes
printing work for me on a HP DJ950C printer.
and mac_check_system_sysctl(), providing additional integrity
protections relating to swap target device selection and system
management via sysctl(). Require Biba privilege for both; also
require that the target of swap operations be a high integrity
object, since swap data is high integrity.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Asssociates Laboratories
These are really only partly netgraph nodes as they do not use the
netgraph interfaces for many of the functions for which they could
be used, however they represent important functionality.
Submitted by: wpaul
MFC after: 2 days
This allows socket() to return an error when the kernel is not built
with IPDIVERT, and doesn't prevent future applications from using the
"borrowed" IP protocol number. The sysctl net.inet.raw.olddiverterror
controls whether opening a socket with the "borrowed" IP protocol
fails with an accompanying kernel printf; this code should last only a
couple of releases.
Approved by: re
terminating zero (it was treated as length missmatch). The mtools create
such slots if the name len is the product of 13 (max number of unicode
chars fitting in directory slot).
MFC after: 1 week
WARNING: This is not a published interface, it is a stopgap measure for
WARNING: libdisk so we can get 5.0-R out of the door.
Sponsored by: DARPA & NAI Labs
with the new VFS/EA semantics in the MAC framework. Move the per-policy
structures out to per-policy include files, removing all policy-specific
defines and structures out of the base framework includes and
implementation, making mac_biba and mac_mls entirely self-contained.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Print a warning if a requested interface name is longer than
IFNAMSIZ.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
WARNING: You need to backup and restore the _unencrypted_ contents
WARNING: of your GBDE disks when you take this update!
Sponsored by: DARPA & NAI Labs.
from all low-level bus space support functions. There's no need
to actually force the read/write to be accepted by the platform
before we can do anything else. We still have the mf instruction
there, which forces ordering. This too is not required given the
semantices of the bus space I/O functions, but it's not at all
clear to me if there are any poorly written device drivers that
depend on the strict ordering by the processor. The motto here is
to take small steps...
o Properly set the pointer to the counter for each interrupt and
update the intrnames table.
o Remove Alpha cruft from intrcnt.h.
o Create INTRNAME_LEN as the single entity that defines the width
of the names in the intrnames table (incl. terminatinf '\0').
missed. This bug has been present since the vn_start_write() and
vn_finished_write() calls were first added in revision 1.159. When
the case is triggered, any attempts to create snapshots on the
filesystem will deadlock and also prevent further write activity
on that filesystem.
This guarantees that loads and stores emitted before the fence are
made visible before the IPI becomes pended.
Remove the mf.a instruction after initiating the IPI. There's no
guarantee that the IPI becomes pended prior to subsequent reads or
writes. Even if there was a guarantee, it would mostly be without
any benefit.
to conform to 1003.1-2001. Make it possible for applications to actually
tell whether or not asynchronous I/O is supported.
Since FreeBSD's aio implementation works on all descriptor types, don't
call down into file or vnode ops when [f]pathconf() is asked about
_PC_ASYNC_IO; this avoids the need for every file and vnode op to know about
it.
Implement new sysconf keys. Change the implenentation of
_SC_ASYNCHRONOUS_IO in preparation for the next set of changes.
Move some limits which had been in <sys/syslimits.h> to <limits.h> where
they belong. They had only ever been in syslimits.h to provide for the
kernel implementation of the CTL_USER MIB branch, which went away with
newsysctl years ago. (There is a #error in <sys/syslimits.h> which I
will downgrade in the next commit.)
for sparc64 from trap #9 to trap #65. This is one of the ABI "blessed"
system call vectors and is different from any other system that we might
want to emulate, making the emulation easier by reducing the number of
code paths that need to be shared. Compatibility with old applications
is provided with COMPAT_FREEBSD4.
Add defines for a few special traps that we may need to implement for
compatibility with 32bit applications, and add comments on which vectors
are used for what in other systems, and which are available.
Pass magic flags to trap() for deprecated or unimplemented system call
vectors so they will deliver SIGSYS instead of SIGILL.
This piggy backs nicely with the recent sigaction(2) system call number
change, and provided the rules are followed for upgrading past it, this
change should not be noticed.
mac_enforce_system toggle, rather than several separate toggles.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
permit MAC policies to augment the security protections on sysctl()
operations. This is not really a wonderful entry point, as we
only have access to the MIB of the target sysctl entry, rather than
the more useful entry name, but this is sufficient for policies
like Biba that wish to use their notions of privilege or integrity
to prevent inappropriate sysctl modification. Affects MAC kernels
only. Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c,
we can't assert the SYSCTL subsystem lockin the MAC Framework.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
permits MAC modules to augment system security decisions regarding
the reboot() system call, if MAC is compiled into the kernel.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
mac_check_system_swapon(), to reflect the fact that the primary
object of this change is the running kernel as a whole, rather
than just the vnode. We'll drop additional checks of this
class into the same check namespace, including reboot(),
sysctl(), et al.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
This is not quite the set of information I would want, but the tree where
I have the "correct" version is messed up with conflicts.
Sponsored by: DARPA & NAI Labs.
- Make DDB use %y instead of %z.
- Teach GCC about %y.
- Implement support for the C99 %z format modifier.
Approved by: re@
Reviewed by: peter
Tested on: i386, sparc64
handling clean and functional as 5.x evolves. This allows some of the
nasty bandaids in the 5.x codepaths to be unwound.
Encapsulate 4.x signal handling under COMPAT_FREEBSD4 (there is an
anti-foot-shooting measure in place, 5.x folks need this for a while) and
finish encapsulating the older stuff under COMPAT_43. Since the ancient
stuff is required on alpha (longjmp(3) passes a 'struct osigcontext *'
to the current sigreturn(2), instead of the 'ucontext_t *' that sigreturn
is supposed to take), add a compile time check to prevent foot shooting
there too. Add uniform COMPAT_43 stubs for ia64/sparc64/powerpc.
Tested on: i386, alpha, ia64. Compiled on sparc64 (a few days ago).
Approved by: re
Try INT 15H/E820H first, then fall back to the old compatibility
method (INT 12H).
This is a workaround for newer machines which have broken INT 12H BIOS
service implementation.
Reviewed by: -current ML
MFC after: 3 days
seem to have all the prerequisites already.
Call g_waitidle() as the first thing in vfs_mountroot() so that we have
it out of the way before we even decide if we should call .._ask() or
.._try().
Call the g_dev_print() function to provide better guidance for the
root-mount prompt.
streaming cache. This bug could have the potential to cause data
corruption on systems with Psycho U2P bridges (Sabre bridges have no
streaming cache).
However, due to the usual driver architecture, it is believed that
corruption did occur only in rare cases (if at all).
trap types and signals to send. Rearrange KASSERTs to better handle faults
early before curthread is setup, or in the case that it gets corrupted or
set to 0.
does not require Giant.
This means that we may miss panics on a class of mutex programming bugs,
but only if running with a Chernobyl setting of debug-flags.
Spotted by: Pete Carah <pete@ns.altadena.net>
long doubles at the moment (printf truncates them to doubles).
However, long doubles to appear to work to the ranges listed in this
commit on both -stable (4.5) and -current. There may be some slight
rounding issues with long doubles, but that's an orthogonal issue to
these constants.
I've had this in my local tree for 3 months, and in my company's local
tree for 15 months with no ill effects.
Obtained from: NetBSD
Not likely to like it: bde
check for and/or report I/O errors. The result is that a VFS_SYNC
or VOP_FSYNC called with MNT_WAIT could loop infinitely on ufs in
the presence of a hard error writing a disk sector or in a filesystem
full condition. This patch ensures that I/O errors will always be
checked and returned. This patch also ensures that every call to
VFS_SYNC or VOP_FSYNC with MNT_WAIT set checks for and takes
appropriate action when an error is returned.
Sponsored by: DARPA & NAI Labs.
so that there is ony one copy of it. Fix that one copy
so that KSEs with no mailbox in a KSE program are not a cause
of page faults (this can legitmatly happen).
Submitted by: (parts) davidxu