Without this change a local attacker could trigger a panic by
tricking the kernel into accessing undefined kernel memory.
We would like to acknowledge Francisco Falcon from CORE Security
Technologies who discovered the issue and reported to the
FreeBSD Security Team.
More information can be found at CORE Security's advisory at:
http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities
This is an errata candidate for releng/10.1 and releng/9.3. Earlier
releases are not affected.
Reported by: Francisco Falcon from CORE Security Technologies
Security: CVE-2014-0998
Reviewed by: dumbbell
MFC after: 3 days
Also, split power_suspend into power_suspend and power_suspend_early.
power_suspend_early is called before the userland is frozen.
power_suspend is called after the userland is frozen.
Currently only VT switching is hooked to power_suspend_early.
This is needed because switching away from X server requires its
cooperation, so obviously X server must not be frozen when that happens.
Freezing userland during ACPI suspend is useful because not all drivers
correctly handle suspension concurrent with other activity. This is
especially applicable to drivers ported from other operating systems
that suspend all software activity between placing drivers and hardware
into suspended state.
In particular drm2/radeon (radeonkms) depends on the described
procedure. The driver does not have any internal synchronization
between suspension activities and processing of userland requests.
Many thanks to kib for the code that allows to freeze and thaw all
userland threads.
Note that ideally we also need to park / inhibit (non-special) kernel
threads as well to ensure that they do not call into drivers.
MFC after: 17 days
suspend/resume
The goal is to avoid that the vt(4) resume happens before the video
display is resumed. The original patch was provided by Andriy Gapon.
This new patch registers the handlers in vt_upgrade(). This is done
once, thanks to the VDF_ASYNC flag. I abused this flag because it was
already abused by the keyboard allocation. The event handlers then call
the backend if it provides callbacks for suspend/resume.
Differential Revision: https://reviews.freebsd.org/D1004
On behalf of: dumbbell
MFC after: 2 weeks
which prevents us from doing a "callout_drain()" call. The callout in
question has a lock associated with it and we are not freeing the
callout. That means we can use the "callout_stop()" function to
atomically stop the callback iff the "callout_stop()" function is
called locked. This patch applies proper locking to "callout_stop()"
and replaces a "callout_drain()" with a "callout_stop()".
MFC after: 1 week
Revert the EFI part of r276064 until I can test it properly on a real EFI
system. This was causing problems to people booting using UEFI and vt.
Reported by: O. Hartmann <ohartman@zedat.fu-berlin.de>
Current VT drivers don't register the memory regions they use with the
nexus. This patch makes vt_vga and vt_efifb register the memory regions they
use.
This is needed (at least) for Xen support, since the FreeBSD kernel will try
to use the holes in the memory map to map memory from other domains and
setup it's grant table.
Sponsored by: Citrix Systems R&D
Reported by: sbruno
Tested by: emaste
Reviewed by: ray
PR: 195537
Differential Revision: https://reviews.freebsd.org/D1291
Therefore, to set histry size to 2000 lines, add the following line to
your kernel configuration file:
options SC_HISTORY_SIZE=2000
The default history remains at 500 lines.
MFC after: 1 week
The problem was that only the kbdmux keyboard index was saved in
vd->vd_keyboard. This index is -1 when kbdmux isn't used. In this
case, the keyboard was correctly allocated, but the returned index was
discarded.
PR: 194718
MFC after: 1 week
A new terminal_set_cursor() is added: it wraps the existing
teken_set_cursor() function.
In vtbuf_grow(), the cursor position is adjusted at the end of the
function. In vt_change_font(), we call terminal_set_cursor() just after
terminal_set_winsize_blank(), while the terminal is mute.
This fixes a bug where, after loading a kernel video driver which
increases the terminal window size, the cursor remains at its old
position, in other words, in the middle of the display content.
PR: 194421
MFC after: 1 week
To restore the default font using vidcontrol(1), use the "-f" flag
without an argument:
vidcontrol -f < /dev/ttyv0
PR: 193910
Differential Revision: https://reviews.freebsd.org/D971
Submitted by: Marcin Cieslak <saper@saper.info>
Reviewed by: ray@, emaste@
Approved by: ray@
MFC after: 1 week
Before, the font was loaded and the window size recalculated, giving an
unusable terminal, even if the actual font didn't change.
Reported by: beeessdee@ruggedinbox.com
MFC after: 3 days
Previously, if no drivers attached at boot we would panic with
"vtbuf_fill_locked begin.tp_row 0 must be < screen height 0".
PR: 192248
Reviewed by: ray
MFC after: 3 days
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D954
When the screen size is unknown, it's set to 0x0. We can't use that as
the buffer size, otherwise, functions such as vtbuf_fill() will fail.
This fixes a panic on RaspberryPi, where there's no vt(4) backend
configured early in boot.
PR: 193981
Tested by: danilo@
MFC after: 3 days
Add new functions to manipulate these mode & state, instead of calling
kbdd_ioctl() everyhere.
This fixes at least two bugs:
1. The state of the Scroll Lock LED and the state of scroll mode
could be out-of-sync. For instance, if one enables scroll mode on
window #1 and switches to window #2, the LED would remain on, but
the window wouldn't be in scroll mode.
Similarily, when switching between a console and an X.Org
session, the LED states could be inconsistent with the real
state.
2. When exiting from an X.Org session, the user could be unable to
type anything. The workaround was to switch to another console
window and come back.
Differential Revision: https://reviews.freebsd.org/D821
Reviewed by: ray@
Approved by: ray@
Tested by: kwm@
MFC after: 3 days
It's now possible to scroll up the 500 hard-coded lines of history, not
just a fraction of them. For instance, one can reach the top of the boot
process.
Sometimes, when scrolling or when changing the screen size (by changing
the font or loading a KMS driver for instance), one could see the
history cycling (old content appeared below latest lines). This is
fixed.
Now, when the resolution changes are more lines can be shown, the
displayed area is adjusted so that, if the screen was filled with
content before, it's filled with content after as well: more history
is visible, instead of having blank lines below the previously visible
content.
MFC after: 3 days
reboot/halt/debug.
o Add support for most key combinations supported by syscons(4).
Reviewed by: dumbbell, emaste (prev revision of D747)
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
This fixes a bug where scroll lock would not work for tty #0 when using
vt_vga's textmode. The reason was that this window is created with a
static 256x100 buffer, larger than the real size of 80x25.
Now, in vt_change_font() and vt_compute_drawable_area(), we still
perform operations even of the window has no font loaded (this is the
case in textmode here vw->vw_font == NULL). One of these operation
resizes the buffer accordingly.
In vt_compute_drawable_area(), we take the terminal size as is (ie.
80x25) for the drawable area.
The font argument to vt_set_border() is removed (it was never used) and
the code now uses the computed drawable area instead of re-doing its own
calculation.
Reported by: Harald Schmalzbauer <h.schmalzbauer_omnilan.de>
Tested by: Harald Schmalzbauer <h.schmalzbauer_omnilan.de>
MFC after: 3 days
There were two issues:
1. The area given to vt_is_cursor_in_area() was adding the drawable
area offset, something already handled by this function.
2. The cursor was shifted on the screen by the offset of this area
and thus was misplaced or not erased. Furthermore, when reaching
the bottom or right borders, the cursor was either totally
removed or not erased correctly.
MFC after: 1 week
The timer is restarted whenever a window buffer is marked as dirty or
the mouse cursor moves.
There's still room for improvement. For instance, we should not mark a
window buffer as dirty when this window isn't displayed.
Review: https://reviews.freebsd.org/D683
Reviewed by: ray@
Approved by: ray@
MFC after: 1 week
They are used when a panic occurs or when entering a DDB session for
instance.
cngrab() forces a vt-switch to the console window, no matter if the
original window is another terminal or an X session. However, cnungrab()
doesn't vt-switch back to the original window currently.
MFC after: 1 week
With the current implementation, this allows an X11 server to tell
the console it switches a particular window in "graphics mode". This
information is used by the mouse handling code to ignore sysmouse events
in the window taken by the X server: only him should receive those
events.
Reported by: flo@, glebius@, kan@
Tested by: flo@
Reviewed by: kan@
MFC after: 1 week
... not just the visible part.
This fixes a bug where, when switching from eg. vt_vga to vt_fb (ie. the
resolution goes up), the originally hidden, uninitialized area of the
buffer is displayed on the screen. This leads to a missing text cursor
when it's over an unitialized area.
This was also visible when selecting text: the uninitialized area was
not highlighted.
Internally, this area was zeroed: characters were all 0x00000000,
meaning the foreground and background color was black. Now, everything
is filled with a space with a gray foreground color, like the visible
area.
While here, remove the check for the mute flag and always use
TERMINAL_NORM_ATTR as the character attribute (ie. gray foreground,
black background).
MFC after: 1 week
This allows backends to verify they do not draw outside of this area.
This fixes a bug in vt_vga where the text was happily drawn over the
right and bottom margins, when using the Gallant font.
MFC after: 1 week