Currently each call to telldir() requires a malloc and adds an entry to a
linked list which must be traversed on future telldir(), seekdir(),
closedir(), and readdir() calls. Applications that call telldir() for every
directory entry incur O(n^2) behavior in readdir() and O(n) in telldir() and
closedir().
This optimization eliminates the malloc() and linked list in most cases by
packing the relevant information into a single long. On 64-bit architectures
msdosfs, NFS, tmpfs, UFS, and ZFS can all use the packed representation. On
32-bit architectures msdosfs, NFS, and UFS can use the packed
representation, but ZFS and tmpfs can only use it for about the first 128
files per directory. Memory savings is about 50 bytes per telldir(3) call.
Speedup for telldir()-heavy directory traversals is about 20-30x for one
million files per directory.
Reviewed by: kib, mav, mckusick
MFC after: 3 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D13385
matching failure.
According to the Open Group documentation for fwscanf:
"Upon successful completion, these functions shall return the number of
successfully matched and assigned input items; this number can be zero in
the event of an early matching failure."
Without this change, fwscanf would return EOF in the case of an early
matching failure, instead of the proper return value of 0.
This change aligns fwscanf(3) with the implementation in fscanf(3).
PR: 202240
Submitted by: rajendra.sy@gmail.com
Reviewed by: jhb, cem
Approved by: sjg (mentor)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D13288
Using
.symver foo,foo@@VER
causes foo and foo@@VER to be output to the .o file. This requires foo
to be weak since the linker handles foo@@VER as foo.
Using
.symver foo,foo@@@VER
causes just foo@@ver to be output and avoid the need for making foo
weak. It also reduces the constraint on how exactly a linker has to
handle foo and foo@@VER being present.
Submitted by: Rafael Espíndola
Reviewed by: dim, kib
Differential Revision: https://reviews.freebsd.org/D11653
system calls. Man pages are missing for v2 and v5, so any entries for
those versions were inferred by new implementations of these functions
in libc.
Obtained from: http://www.tuhs.org/cgi-bin/utree.pl
It would previously return negative zero for -0.0 since -0.0 does not
compare less than 0. The issue was discovered when running the libc++
test suite on softfloat MIPS64.
I have verified that both clang and GCC generate sensible code for the
builtin. For soft float they clear the sign bit using integer operations
and in hard float mode they use abs.d.
Reviewed by: #mips, jhb, brooks, imp, emaste
Approved by: jhb (mentor)
Differential Revision: https://reviews.freebsd.org/D13135
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
Mainly focus on files that use BSD 3-Clause license.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
Initially, only tag files that use BSD 4-Clause "Original" license.
RelNotes: yes
Differential Revision: https://reviews.freebsd.org/D13133
Do not use macros in the -width of a .Bl, since mandoc does not support them.
Fix issues reported by igor and mandoc -Tlint.
Use a .Bl for list of clock IDs instead of a comma list.
MFC after: 3 days
Sponsored by: Dell EMC
Add notes to each of these that specifically state that results are
undefined if the strings overlap. In the case of memcpy, we document
the overlapping behavior on FreeBSD (pre-existing). For str*, it is
left unspecified, however, since the default (and x86) implementations
do not handle overlapping strings properly.
PR: 223653
Sponsored by: Netflix
As of r325320 posix_fallocate returns EINVAL on ZFS to indicate that
the underlying filesystem does not support this operation, per
POSIX.1-2008. Document this case in the man page.
MFC after: 20 days
MFC with: r325320
Sponsored by: The FreeBSD Foundation
For statically linked binaries, where all relocation are solved by static
linker, the linker expect that offset to TLS section is aligned. Additionaly,
to maintain absolute alignment, TLS TCB should by also aligned.
Obtained from: CheriBSD (initial version)
MFC after: 1 month
Reviewed by: brooks (previous version), kib
Differential Revision: https://reviews.freebsd.org/D12907
{}'s around the if (c == EOF) block to prevent potential 'trailing else'
issues from being introduced when refactoring. As my gets_s() code
is based on this, it makes sense to fix the same issue here first
here and now, then do an svn copy again to capture this history).
Suggested by: ed@ in D12785
The bug is an out-of-bounds read detected with address sanitizer that
happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's
equal to "GS\x00". In that case len will be equal to 4, and the
strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the
cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.
Checking the length using strlen() instead eliminates the issue.
The bug was found in LLVM with oss-fuzz:
https://reviews.llvm.org/D39380
MFC after: 1 week
Obtained from: Vlad Tsyrklevich through posting on openbsd-tech
RB_POWERCYCLE instructs the platform to power off and then power back
on a short time later, if that's possible. Otherwise, degrade to the
RB_POWEROFF behavior.
Sponsored by: Netflix
In r322258 I made p1003_1b.aio_listio_max a tunable. However, further
investigation shows that there was never any good reason for that limit to
exist in the first place. It's used in two completely different ways:
* To size a UMA zone, which globally limits the number of concurrent
aio_suspend calls.
* To artifically limit the number of operations in a single lio_listio call.
There doesn't seem to be any memory allocation associated with this limit.
This change does two things:
* Properly names aio_suspend's UMA zone, and sizes it based on a new constant.
* Eliminates the artifical restriction on lio_listio. Instead, lio_listio
calls will now be limited by the more generous max_aio_queue_per_proc. The
old p1003_1b.aio_listio_max is now an alias for
vfs.aio.max_aio_queue_per_proc, so sysconf(3) will still work with
_SC_AIO_LISTIO_MAX.
Reported by: bde
Reviewed by: jhb
MFC after: 3 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D12120
one call to sysctl(2) from jemalloc startup code. (That also requires
changes to jemalloc, but I plan to push those to upstream first.)
Reviewed by: kib
MFC after: 2 weeks
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D12745
- Teach elf aux vector functions about newly added AT_HWCAP and AT_HWCAP2
vectors.
- Export _elf_aux_info() as new public libc function elf_aux_info(3)
The elf_aux_info(3) should be considered as FreeBSD counterpart of glibc
getauxval() with more robust interface.
Note:
We cannot name this new function as getauxval(), with glibc compatible
interface. Some ports autodetect its existence and then expects that all
Linux specific AT_<*> vectors are defined and implemented.
MFC after: 1 month
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D12743
In FreeBSD 11 and later debug.iosize_max_clamp defaults to 0, and the
maximum nbytes count for write(2) is SSIZE_MAX. Update the man page to
document this, and mention the sysctl that can be set to obtain the
previous behaviour.
PR: 196666
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
posix_fallocate is logically equivalent to writing zero blocks to the
desired file size and there is no reason to prevent calling it in
capability mode. posix_fallocate already checked for the CAP_WRITE
right, so we merely need to list it in capabilities.conf.
Reviewed by: allanjude
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D12640
Make armv7 as a new MACHINE_ARCH.
Copy all the places we do armv6 and add armv7 as basically an
alias. clang appears to generate code for armv7 by default. armv7 hard
float isn't supported by the the in-tree gcc, so it hasn't been
updated to have a new default.
Support armv7 as a new valid MACHINE_ARCH (and by extension
TARGET_ARCH).
Add armv7 to the universe build.
Differential Revision: https://reviews.freebsd.org/D12010
On Variant I TLS architectures (aarch64, arm, mips, powerpc, and riscv)
the __libc_allocate_tls function allocates thread local storage memory
with calloc(). It then copies initialization data over the portions with
non-zero initial values. Before this change it would then pointlessly
zero the already zeroed remainder of the storage. Unfortunately the
calculation was wrong and it would zero TLS_TCB_SIZE (2*sizeof(void *))
additional bytes.
In practice, this overflow only matters if the TLS segment is sized such
that calloc() allocates a less than TLS_TCB_SIZE extra memory. Even
then, the likely result will be zeroing part of the next bucket. This
coupled with the impact being confined to Tier II platforms means there
will be no security advisory for this issue.
Reviewed by: kib, dfr
Discussed with: security-officer (delphij)
MFC after: 1 week
Found by: CHERI
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D12547
Also fix the style of the asprintf(3) call in __collate_load_tables_l().
Both of these lines were modified away from snprintf(3) during the
import from DragonFly/Illumos.
Reviewed by: jilles (briefly over shoulder)
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
After r308212 Capsicum permits .. lookups in capability mode, as long as
path component traversal does not escape the directory corresponding to
the provided file descriptor.
We should add a description of the vfs.lookup_cap_dotdot and
vfs.lookup_cap_dotdot_nonlocal sysctls, perhaps as a cross-reference to
capsicum(4). I intend to look at that soon.
Reviewed by: bjk, cem, kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D12343
Illumos and Schillix is adopting some of the locale code and our style(9)
sometimes matches the Solaris cstyle, so the changes are also useful as a
way to reduce diffs.
No functional change.
Discussed with: Joerg Schilling
MFC after: 1 week
getmntinfo(3) is designed around a relatively static or slow growing set of
current mounts. It tried to detect a race with somewhat concurrent mount
and re-call getfsstat(2) in that case, looping indefinitely. It also
allocated space for a single extra mount as slop.
In the case where the user has a large number of mounts and is adding them
at a rapid pace, it fell over.
This patch makes two functional changes:
1. Allocate even more slop. Double whatever the last getfsstat(2) returned.
2. Abort and return some known results after looping a few times
(arbitrarily, 3). If the list is constantly changing, we can't guarantee
we return a full result to the user at any point anyways.
While here, add very basic functional tests for getmntinfo(3) to the libc
suite.
PR: 221743
Submitted by: Peter Eriksson <peter AT ifm.liu.se> (earlier version)
Sponsored by: Dell EMC Isilon
These builtins were listed in the mips-specific Symbol.map for libc but
were not implemented. Compiling mips with recent clang requires these
symbols.
Sponsored by: DARPA / AFRL
instructions, if supported both by CPU and kernel.
Reviewed by: jhb (previous version)
Tested by: pho (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 3 weeks
Differential revision: https://reviews.freebsd.org/D12023
lld can successfully link most of a working i386 userland and kernel,
but produces a broken libc. For now if we're otherwise using lld, and
ld.bfd is available, explicitly use it for libc.
Sponsored by: The FreeBSD Foundation
Non-tests/... changes:
- Add HAS_TESTS= to Makefiles with libraries and programs to enable iteration
and propagate the appropriate environment down to *.test.mk.
tests/... changes:
- Add appropriate support Makefile.inc's to set HAS_TESTS in a minimal manner,
since tests/... is a special subdirectory tree compared to the others.
MFC after: 2 months
MFC with: r322511
Reviewed by: arch (silence), testing (silence)
Differential Revision: D12014
On i386 with CPUID but without SSE2, set lfence_works to LMB_NONE
instead of looping.
Reported and tested by: Andre Albsmeier <andre@fbsd.e4m.org>
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
S_IRUSR is defined in sys/stat.h
PR: 209229
Submitted by: <mt AT markoturk DOT info>
Approved by: bcr (mentor)
MFC after: 5 days
Differential Revision: https://reviews.freebsd.org/D12007
abort_handler_s() currently simply calls abort(), though the standard
specifies more: "Writes an implementation-defined message to stderr
which must include the string pointed to by msg and calls abort()."
memset_s() is missing error condition "n > smax", and does not invoke
the constraint handler after filling the buffer: "following errors are
detected at runtime and call the currently installed constraint
handler function after storing ch in every location of the destination
range [dest, dest+destsz) if dest and destsz are themselves valid",
one of the errors is "n > smax" itself.
Submitted by: Yuri Pankov <yuripv@gmx.com>
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D11991
In a recent interpretation[1], "\\" shall return a non-zero value
(indicating either no match or an error).
The fix involves a change over r254091 and now the behavior matches the
Sun/IBM/HP closed source implementations and also likely musl libc.
Submitted by: Joerg Schilling <joerg at schily.net>
MFC after: 1 week
[1] http://austingroupbugs.net/view.php?id=806
New version is not compatible on supervisor mode with v1.9.1
(previous version).
Highlights:
o BBL (Berkeley Boot Loader) provides no initial page tables
anymore allowing us to choose VM, to build page tables manually
and enable MMU in S-mode.
o SBI interface changed.
o GENERIC kernel.
FDT is now chosen standard for RISC-V hardware description.
DTB is now provided by Spike (golden model simulator). This
allows us to introduce GENERIC kernel. However, description
for console and timer devices is not provided in DTB, so move
these devices temporary to nexus bus.
o Supervisor can't access userspace by default. Solution is to
set SUM (permit Supervisor User Memory access) bit in sstatus
register.
o Compressed extension is now turned on by default.
o External GCC 7.1 compiler used.
o _gp renamed to __global_pointer$
o Compiler -march= string is now in use allowing us to choose
required extensions (compressed, FPU, atomic, etc).
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D11800
Apply the changes from upstream jemalloc 048c6679. This is actually not
quite a cherry pick due to makefile difference and because FreeBSD does
not carry the msvc project files which were also modified in that
commit.
Approved by: jasone (maintainer), markj (mentor)
Sponsored by: Dell EMC Isilon
Adding features for matching is fairly straightforward, but this requires
some duplication because of this fast/slow setup. They can be fairly
trivially combined into a single walk(), so do it to make future additions
less error prone.
Reviewed by: cem (earlier version), emaste, pfg
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D11233
Currently, regex(3) exhibits the following wrong behavior as demonstrated
with sed:
- echo "a{1,2,3}b" | sed -r "s/{/_/" (1)
- echo "a{1,2,3}b" | sed "s/\}/_/" (2)
- echo "a{1,2,3}b" | sed -r "s/{}/_/" (3)
Cases (1) and (3) should throw errors but they actually succeed, and (2)
throws an error when it should match the literal '}'. The correct behavior
was decided by comparing to the behavior with the equivalent BRE (1)(3) or
ERE (2) and consulting POSIX, along with some reasonable evaluation.
Tests were also adjusted/added accordingly.
PR: 166861
Reviewed by: emaste, ngie, pfg
Approved by: emaste (mentor)
MFC after: never
Differential Revision: https://reviews.freebsd.org/D10315
o Replace __riscv64 with (__riscv && __riscv_xlen == 64)
This is required to support new GCC 7.1 compiler.
This is compatible with current GCC 6.1 compiler.
RISC-V is extensible ISA and the idea here is to have built-in define
per each extension, so together with __riscv we will have some subset
of these as well (depending on -march string passed to compiler):
__riscv_compressed
__riscv_atomic
__riscv_mul
__riscv_div
__riscv_muldiv
__riscv_fdiv
__riscv_fsqrt
__riscv_float_abi_soft
__riscv_float_abi_single
__riscv_float_abi_double
__riscv_cmodel_medlow
__riscv_cmodel_medany
__riscv_cmodel_pic
__riscv_xlen
Reviewed by: ngie
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D11901
directories to SUBDIR.${MK_TESTS} idiom
This is being done to pave the way for future work (and homogenity) in
^/projects/make-check-sandbox .
No functional change intended.
MFC after: 1 weeks
Kernel already used the stronger barrier instruction for AMDs, correct
the userspace fast gettimeofday() implementation as well.
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D11728
Private functions like __aio_read and _aio_read were exposed in
FBSDprivate_1.0 by r169090, even though they've never been used outside of
librt. Also, remove some weak references from r156136 that have never
resolved.
Reviewed by: kib
MFC after: 3 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D11649
As hinted in the commit log message for r259042, this is unnecessary.
Moreover, as a result of that change we may invoke a DSO's atexit handler
after it has been unmapped.
Reviewed by: bdrewery, cem
MFC after: 1 week
Sponsored by: Dell EMC Isilon
Create libdl.so.1 as a filter for libc.so.7 which exports public dl*
functions. The functions are resolved from the rtld instead, the goal
of creating library is to avoid errors from the static linker due to
missed libdl. For static binaries, an empty .o is compiled into
libdl.a so that static binaries still get dl stubs from libc.a.
Right now lld cannot create filter objects, disable libdl on arm64
when binutils are not used.
Reviewed by: bdrewery, dim (previos version); emaste
Exp run: PR 220525, done by antoine
Sponsored by: The FreeBSD Foundation
MFC after: 1 month
Differential revision: https://reviews.freebsd.org/D11504
An oversight in r320742 caused BREs to become sensitive to the branching operator prematurely, which caused
breakage in some limited situations -- namely, those that tried to use branching in a BRE. Most of these scenarios
had already been corrected beforehand to properly use gsed or grep for GNU extensions, so the damage is
slightly mitigated.
Reported by: antoine
Reported by: antoine
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D11522
p_branch_empty was declared but never used due to an oversight. Use it as
designed, further comment on its return value.
Reported by: Jenkins (head-sparc64)
Reviewed by: emaste
Approved by: emaste (mentor)
MFC with: r320742
Differential Revision: https://reviews.freebsd.org/D11506
EREs closer together. Prepare for this and reduce the diff of libregex changes by
refactoring and combining the top-level parsers for EREs/BREs ahead of time.
Branching functionality has been split out to make it easier to follow the combined
version of the top-level parser. It may also be enabled in the parsing context to make
it easier when libregex enables branching for BREs.
A branching context was also added for the various branching functions and so that
BREs, for instance, can determine if they're the first expression in a chain of expressions
within the current branch and treat '*' as ordinary if so.
This should have no functional impact and negligible performance impact.
Reviewed by: cem, emaste, pfg
Approved by: emaste (mentor)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D10920
ATF cleanup routines run in separate processes from the tests themselves, so
they can't share global variables.
Also, setdomainname_test needs to be is_exclusive because the test cases
access a global resource.
PR: 219967
Reviewed by: ngie
MFC after: 3 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D11188
Most important, use a correct signature for the
__pthread_cleanup_push_imp() stub, which was incorrectly generated
with two-args variant. The pthread_cleanup_info pointer was corrupted
in the forwarded call to the real libthr implementation, visible on
PowerPC and possibly ARM. [1]
Found and tested by: Mark Millard <markmi@dsl-only.net> [1]
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
__pthread_cleanup_push/pop_imp instead of symbols also exported from
libthr.
This prevents calls into libthr if libthr is not yet initialized. The
situation occurs e.g. when an LD_PRELOADed object is not linked
against libthr, but the main binary is.
Reported and tested by: jbeich
PR: 220381
Discussed with: vangyzen
Sponsored by: The FreeBSD Foundation
MFC after: 13 days
reported by cppcheck.
dup_ncp() tries to allocate a buffer of MAXNETCONFIGLINE
as tmp, which is then assigned to p->nc_netid via strcpy,
so the free(p->nc_netid) would have correctly released
the memory in case nc_lookups() fails, therefore, the
allerged leak never existed.
MFC after: 3 days
If used with fopen(3)/fdopen(3)-ed FILEs, stdio accurately uses
non-cancellable internal versions of the functions, i.e. it seems to
be fine with regard to cancellation. But if the funopen(3) and
f{r,w}open(3) functions were used to open the FILE, and corresponding
user functions create cancellation points (they typically have no
other choice), then stdio code at least leaks FILE' lock.
The change installs cleanup handler which unlocks FILE. Some minimal
restructuring of the code was required to make it use common return
place to satisfy hand-rolled pthread_cleanup_pop() requirements.
Noted by: eugen
Reviewed by: eugen, vangyzen
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D11246
ARMv4 or ARMv5, and only support it when it's present on ARMv6 and later.
As such always store the VFP register in setjmp and restore them in
longjmp when building for armv6.
Reviewed by: mmel
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D11393
Guard, requested by the MAP_GUARD mmap(2) flag, prevents the reuse of
the allocated address space, but does not allow instantiation of the
pages in the range. It is useful for more explicit support for usual
two-stage reserve then commit allocators, since it prevents accidental
instantiation of the mapping, e.g. by mprotect(2).
Use guards to reimplement stack grow code. Explicitely track stack
grow area with the guard, including the stack guard page. On stack
grow, trivial shift of the guard map entry and stack map entry limits
makes the stack expansion. Move the code to detect stack grow and
call vm_map_growstack(), from vm_fault() into vm_map_lookup().
As result, it is impossible to get random mapping to occur in the
stack grow area, or to overlap the stack guard page.
Enable stack guard page by default.
Reviewed by: alc, markj
Man page update reviewed by: alc, bjk, emaste, markj, pho
Tested by: pho, Qualys
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D11306 (man pages)
The flag is not implemented, all FreeBSD architectures correctly
handle locks on normal cacheable mappings. On the other hand, the
flag was specified by some software, so it is kept in the header as
nop. Removal from the man page should discourage its use.
Reviewed by: alc, bjk, emaste, markj, pho
MFC after: 3 days
X-Differential revision: https://reviews.freebsd.org/D11306
Add forward compatibility so that new binaries can run on old
kernels. If the new system call from ino64 isn't available on your
system, then the old one will be used and the results translated. The
stat and statfs families of functions are fully emulated. While not
required by policy, in this case it is helpful to our users to provide
this compatibility. In this case, it allows rollback of the kernel
after installing a new userland should a problem be discovered. It
also prevents foot-shooting if a user does an install before rebooting
with the new kernel. Finally, it allows the use case where one needs
to run new binaries on an old kernel as part of an upgrade process.
The getdirentries family uses tricks that may not work on remote
filesystems. Specifically, it uses a buffer 1/4 the size requested to
get the data from he old syscall.
The code carefully uses direct syscalls for old system calls to avoid
referencing freebsd11_* symbols, which contaminate ld-elf.so.1's
export table due to its use of stat functions, which causes errno to
be incorrect in client programs due to the wrong *stat* function being
resolved in some cases.
This code should removed sometime after 12 is branched.
Tested on: 12-current binaries on a 10.3-beta kernel run and return
consistent results. 12-current kernel and userland with
packages from before ino64 was committed also work.
Differential Revision: https://reviews.freebsd.org/D11185
Reviewed by: kib@, emaste@
In r300388, endnetconfig() was called on nc_handle which would release
the associated netconfig structure, which means tmpnconf->nc_netid
would be a use-after-free.
Solve this by doing endnetconfig() in return paths instead.
Reported by: jemalloc via kevlo
Reviewed by: cem, ngie (earlier version)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D11288
Replace conditional branches with trampolines to unconditional branches when
jumping to labels within other compilation units. This increases the offset
range from +-1 MiB to +-128 MiB.
This syscall has never existed and is not at risk of existing any time soon.
Remove documentation referencing it, which has been wrong since FreeBSD 9.
Reported by: allanjude@
Make syslog(3) resilent to cancellation occuring in supported deferred
mode. Code must unlock syslog_mutex on cancel, install the cleanup
handler.
Diagnosed and tested by: eugen
Discussed with: dchagin
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
This change implements NOTE_ABSTIME flag for EVFILT_TIMER, which
specifies that the data field contains absolute time to fire the
event.
To make this useful, data member of the struct kevent must be extended
to 64bit. Using the opportunity, I also added ext members. This
changes struct kevent almost to Apple struct kevent64, except I did
not changed type of ident and udata, the later would cause serious API
incompatibilities.
The type of ident was kept uintptr_t since EVFILT_AIO returns a
pointer in this field, and e.g. CHERI is sensitive to the type
(discussed with brooks, jhb).
Unlike Apple kevent64, symbol versioning allows us to claim ABI
compatibility and still name the new syscall kevent(2). Compat shims
are provided for both host native and compat32.
Requested by: bapt
Reviewed by: bapt, brooks, ngie (previous version)
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D11025
gets output via warnx(3)
This helps set expectations for how one might deal with those messages, i.e.,
mute output from /dev/stderr today, since that's where vwarn(3) outputs messages
to today.
MFC after: 1 month
The futimens() and utimensat() compat stubs allowed using these functions on
kernels that did not have the system calls yet (10.2, old 11-current).
Also remove the documentation of the [ENOTSUP] error that could occur with
an old kernel.
A -DNO_CLEAN build may fail because the depend files refer to the deleted
files.
The documentation moved to section 3 several years ago, but
'man cap_rights_get' pulls up cap_rights_limit(2) (which is
MLINKed to cap_rights_get.2) instead of cap_rights_get(3).
MFC after: 1 week
const char *.
This fixes a bogus set of errors from gcc about strdup not being allowed a NULL
argument.
MFC after: 1 week
Sponsored by: Dell EMC Isilon
- Fix -Wmissing-declaration warning by staticizing run_tests.
- Fix -Wsign-compare warnings by casting size_t types to int
for comparisons.
Reindent some of the code in sdump_hostent(..) to accomodate the
overall changes.
MFC after: 3 days
Sponsored by: Dell EMC Isilon
The pattern used prior to this commit was `calloc(1, n * sizeof(type))`;
the pattern that should be used however is `calloc(n, sizeof(type))`.
MFC after: 3 days
Sponsored by: Dell EMC Isilon
Move an unneeded initialization, introduced in r54770 to quiet down GCC,
to a place nearer to its first use. This has no practical effect, it just
keeps the garbage better sorted.
Hinted by: OpenBSD (CVS rev. 1.56, without obfuscations)
bhyve was recently sandboxed with capsicum, and needs to be able to
control the CPU sets of its vcpu threads
Reviewed by: emaste, oshogbo, rwatson
MFC after: 2 weeks
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D10170
Fix warnings about:
- redundant declarations
- a local variable shadowing a global function (dlinfo)
- an old-style function definition (with an empty parameter list)
- a variable that is possibly used uninitialized
"make tinderbox" passes this time, except for a few unrelated
kernel failures.
Reviewed by: kib
MFC after: 3 days
Sponsored by: Dell EMC
Differential Revision: https://reviews.freebsd.org/D10870
Extend the ino_t, dev_t, nlink_t types to 64-bit ints. Modify
struct dirent layout to add d_off, increase the size of d_fileno
to 64-bits, increase the size of d_namlen to 16-bits, and change
the required alignment. Increase struct statfs f_mntfromname[] and
f_mntonname[] array length MNAMELEN to 1024.
ABI breakage is mitigated by providing compatibility using versioned
symbols, ingenious use of the existing padding in structures, and
by employing other tricks. Unfortunately, not everything can be
fixed, especially outside the base system. For instance, third-party
APIs which pass struct stat around are broken in backward and
forward incompatible ways.
Kinfo sysctl MIBs ABI is changed in backward-compatible way, but
there is no general mechanism to handle other sysctl MIBS which
return structures where the layout has changed. It was considered
that the breakage is either in the management interfaces, where we
usually allow ABI slip, or is not important.
Struct xvnode changed layout, no compat shims are provided.
For struct xtty, dev_t tty device member was reduced to uint32_t.
It was decided that keeping ABI compat in this case is more useful
than reporting 64-bit dev_t, for the sake of pstat.
Update note: strictly follow the instructions in UPDATING. Build
and install the new kernel with COMPAT_FREEBSD11 option enabled,
then reboot, and only then install new world.
Credits: The 64-bit inode project, also known as ino64, started life
many years ago as a project by Gleb Kurtsou (gleb). Kirk McKusick
(mckusick) then picked up and updated the patch, and acted as a
flag-waver. Feedback, suggestions, and discussions were carried
by Ed Maste (emaste), John Baldwin (jhb), Jilles Tjoelker (jilles),
and Rick Macklem (rmacklem). Kris Moore (kris) performed an initial
ports investigation followed by an exp-run by Antoine Brodin (antoine).
Essential and all-embracing testing was done by Peter Holm (pho).
The heavy lifting of coordinating all these efforts and bringing the
project to completion were done by Konstantin Belousov (kib).
Sponsored by: The FreeBSD Foundation (emaste, kib)
Differential revision: https://reviews.freebsd.org/D10439
- Sort .Xr entries in SEE ALSO section.
- Sort SEE ALSO and STANDARDS sections properly, in terms of the
entire document.
Reported by: make manlint
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
This no longer seems useful. Remove it.
This was prompted by a "cast discards volatile qualifier" warning
in libthr when WARNS=6.
Reviewed by: kib
MFC after: 3 days
Sponsored by: Dell EMC
Differential Revision: https://reviews.freebsd.org/D10832
always perform recursion on the left partition, then use a tail call to
handle the right partition. In the worst case this could require O(N)
levels of recursions.
Reduce the possible recursion level to log2(N) by always recursing on the
smaller partition instead.
Obtained from: PostgreSQL 9d6077abf9d6efd992a59f05ef5aba981ea32096
The first test triggers the out of bounds read of the 'left' array. It
only fails when realpath.c is compiled with '-fsanitize=address'.
The other test checks for ENOENT when running into an empty
symlink. This matches NetBSD's realpath(3) semantics. Previously,
empty symlinks were treated like ".".
Submitted by: Jan Kokemц╪ller <jan.kokemueller@gmail.com>
PR: 219154
MFC after: 2 weeks
_local_initshells did not reset cp to the beginning of the line buffer
for every iteration that it called fgets(3), leading to writing past the
end of line with fairly long /etc/shells or excessively long line
lengths. Correct this by properly resetting cp.
PR: 192528
Submitted by: Kyle Evans <kevans91@ksu.edu>
Reviewed by: cem, jilles
Differential Revision: https://reviews.freebsd.org/D10690
If realpath() allocated memory for result and failed, the memory is
freed in each place where return is performed. More, the function
needs to track the allocation status, to not free user-supplied
buffer.
Consolidate the memory handling in the wrapper, freeing the buffer if
the actual worker failed.
Reviewed by: emaste (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D10670
- The statement "left_len -= s - left;" does not take the slash into
account if one was found. This results in the invariant
"left[left_len] == '\0'" being violated (and possible buffer
overflows). The patch replaces the variable "s" with a size_t
"next_token_len" for more clarity.
- "slen" from readlink(2) can be 0 when encountering empty
symlinks. Then, further down, "symlink[slen - 1]" underflows the
buffer. When slen == 0, realpath(3) should probably return ENOENT
(http://austingroupbugs.net/view.php?id=825,
https://lwn.net/Articles/551224/).
Some other minor issues:
- The condition "resolved_len >= PATH_MAX" cannot be true.
- Similarly, "s - left >= sizeof(next_token)" cannot be true, as long
as "sizeof(next_token) >= sizeof(left)".
- Return ENAMETOOLONG when a resolved symlink from readlink(2) is too
long for the symlink buffer (instead of just truncating it).
- "resolved_len > 1" below the call to readlink(2) is always true as
"strlcat(resolved, next_token, PATH_MAX);" always results in a
string of length > 1. Also, "resolved[resolved_len - 1] = '\0';" is
not needed; there can never be a trailing slash here.
- The truncation check for "strlcat(symlink, left, sizeof(symlink));"
should be against "sizeof(symlink)" (the third argument to strlcat)
instead of "sizeof(left)".
Submitted by: Jan Kokemц╪ller <jan.kokemueller@gmail.com>
PR: 219154
MFC after: 2 weeks
The previous misuse of sys_sigqueue() was sending random register or
stack garbage to 64-bit targets. The freebsd32 implementation preserves
the sival_int member of value when signaling a 64-bit process.
Document the mixed ABI implementation of union sigval and the
incompability of sival_ptr with pointer integrity schemes.
Reviewed by: kib, wblock
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D10605
Trivial style(9) fix, no functional change. There are also some 81
characters lines below, but I don't see a good way to shorten them.
Sponsored by: Dell EMC Isilon
Adapt glob's match() routine to use a greedy algorithm that avoids
exponential runtime in byzantine inputs.
While here, add a testcase for the byzantine input.
Prompted by: https://research.swtch.com/glob
Authored by: Yves Orton <demerphq at gmail.com>
Obtained from: Perl (33252c318625f3c6c89b816ee88481940e3e6f95)
Sponsored by: Dell EMC Isilon
When passed the invalid regular expression "a**", the error is
eventually detected and seterr() is called. It sets p->error
appropriatly and p->next and p->end to nuls which is a never used char
nuls[10] which is zeros due to .bss initialization. Unfortunatly,
p_ere_exp() and p_simp_re() both have fall through cases where they set
the error, decrement p->next and access it which means a read from what
ever .bss variable comes before nuls.
Found with regex_test:repet_multi and CHERI bounds checking.
Reviewed by: ngie, pfg, emaste
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D10541
Accomplish this by allocating space for it in __svc_xports and allowing
it to be registered. The failure to allocate space was causing an
out-of-bounds read in svc_getreq_common(). The failure to register
caused PR 211804.
The bug was found with CHERI bounds checking.
PR: 211804
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Reviewed by: ngie
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D10528
The mutex is used in sem_open() and sem_close(), which cannot
recurse. The atfork handlers cannot collide with the open and close
code.
Reviewed by: vangyzen
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D10545
Do not retest for the found semaphore after the loop to look it up.
Instead, handle both cases of last and non-last close simultaneously,
which allows to consolidate the list unlock and successful return.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
The sysctl(HW_PAGESIZE) call cannot fail on FreeBSD kernels at least.
And even if it failed for some improbable reason, PAGE_SIZE is a safe
value to return.
Discussed with: jilles
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
patm(4) devices.
Maintaining an address family and framework has real costs when we make
infrastructure improvements. In the case of NATM we support no devices
manufactured in the last 20 years and some will not even work in modern
motherboards (some newer devices that patm(4) could be updated to
support apparently exist, but we do not currently have support).
With this change, support remains for some netgraph modules that don't
require NATM support code. It is unclear if all these should remain,
though ng_atmllc certainly stands alone.
Note well: FreeBSD 11 supports NATM and will continue to do so until at
least September 30, 2021. Improvements to the code in FreeBSD 11 are
certainly welcome.
Reviewed by: philip
Approved by: harti
The internal array size goes through a loop and is compared with numitems
which at its limits makes can be unreachably higher than arraysz.
Prevent an hypothetical overflow by matching the types.
MFC after: 1 week
Taking some hints from the regex variant in nvi(1) and higher-level
compiler warnings, update some types in our regex(3) implementation.
Joint work with: Kyle Evans
MFC after: 2 weeks
When application reads large directory, calling telldir() for each entry,
like Samba does, it creates exponential performance drop as number of
entries reach tenths to hundreds of thousands. It is caused by full search
through the internal list, that never finds matches in that scenario, but
creates O(n^2) delays. This patch optimizes that search, limiting it to
entries of the same buffer, turning time closer to O(n) in case of linear
directory scan.
PR: 218622
Reviewed by: jhb, jilles
MFC after: 2 weeks
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D10408
of the current usermode implementation of the POSIX semaphores.
For NSEMS_MAX, return -1 without changing errno, which indicates that
the variable has no limit. Before, sysconf(3) returned parameters
queried from the ksem(9) legacy implementation, which apparently has
low defaults for NSEMS_MAX.
Reported and tested by: jbeich
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
The conditional jump can only be performed to targets up to 1MB in
either direction and does not work too well when linker places cerror
further that that from the caller. In that case linker will complain
about relocation overflows.
Reviewed by: emaste, andrew
Differential Revision: https://reviews.freebsd.org/D10305
9899:2011 Appendix K 3.7.4.1.
Other needed supporting types, defines and constraint_handler
infrastructure is added as specified in the C11 spec.
Submitted by: Tom Rix <trix@juniper.net>
Sponsored by: Juniper Networks
Discussed with: ed
MFC after: 3 weeks
Differential revision: https://reviews.freebsd.org/D9903
Differential revision: https://reviews.freebsd.org/D10161
Implement a new init(8) option in /etc/ttys. If this option is present
on the entry in /etc/ttys, the entry will be active if and only if it
exists. If the name starts with a '/', it will be considered an
absolute path. If not, it will be a path relative to /dev.
This allows one to turn off video console getty that aren't present
(while running a getty on them even when they aren't the system
console). Likewise with serial ports.
It differs from onifconsole in only requiring the device exist rather
than it be listed as one of the system consoles.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D10037
If opendir succeeds but malloc fails, numitems was used uninitialized in
error handling under the 'fail' label. If it happened to have a non-zero
value, the NULL 'names' was dereferenced.
Reported by: Coverity
CIDs: 1329566, 1372625
Sponsored by: Dell EMC Isilon
Add the CLOCK_PROCESS_CPUTIME_ID and CLOCK_THREAD_CPUTIME_ID clock_id
values to the clock_gettime(2) man page. Reformat the excessively
long paragraph (sentence!) into a tag list.
Reported by: jilles in https://reviews.freebsd.org/D10020
MFC after: 3 days
Sponsored by: Dell EMC
The failing test requires the zh_TW.Big5 locale, which is no longer
installed as of r315568.
Add a note/pointer just in case someone considers re-adding it.
Reported by: Jenkins
Sponsored by: Dell EMC Isilon
Add a clock_nanosleep() syscall, as specified by POSIX.
Make nanosleep() a wrapper around it.
Attach the clock_nanosleep test from NetBSD. Adjust it for the
FreeBSD behavior of updating rmtp only when interrupted by a signal.
I believe this to be POSIX-compliant, since POSIX mentions the rmtp
parameter only in the paragraph about EINTR. This is also what
Linux does. (NetBSD updates rmtp unconditionally.)
Copy the whole nanosleep.2 man page from NetBSD because it is complete
and closely resembles the POSIX description. Edit, polish, and reword it
a bit, being sure to keep any relevant text from the FreeBSD page.
Reviewed by: kib, ngie, jilles
MFC after: 3 weeks
Relnotes: yes
Sponsored by: Dell EMC
Differential Revision: https://reviews.freebsd.org/D10020
It is O(n) in the length of the haystack (big) string, and has special
cases for short needle (little) strings, of one to four bytes, to avoid
excessive overhead.
There are a small set of nearly trivial cases where the startup overhead
of the musl implementation makes it slightly slower -- for example, a 31
byte needle that matches the beginning of the haystack. It's faster for
non-trivial cases, and significantly so for inputs that trigger worst-
case behaviour of the previous implementation. As an example, in my
tests a 16K needle that matches the end of a 64K haystack is nearly
2000x faster with this implementation.
Reviewed by: bapt (earlier), ed (earlier)
Obtained from: musl (snapshot at commit c718f9fc)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D2601
D8376 extended softfloat/hardfloat support, but used a macro that never
actually gets set except in libc and msun's Makefile.inc. So libc and libm
got built correctly, but any program including fenv.h itself assumed it was
on a hardfloat systen and emitted inline fpu instructions for
fedisableexcept() and friends.
Using __mips_soft_float makes everything work in all cases, since it's a
compiler-internal macro that is always set correctly for the target
PR: 217845
Submitted by: Dan Nelson <dnelson_1901@yahoo.com>
MFC after: 1 week
INHERIT_ZERO is an OpenBSD feature.
When a page is marked as such, it would be zeroed
upon fork().
This would be used in new arc4random(3) functions.
PR: 182610
Reviewed by: kib (earlier version)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D427
reallocarray(3) is a non portable extension that originated in OpenBSD.
Given that it is already in FreeBSD's libc it is useful for the cases
where reallocation involves a multiplication.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D9955
Unsign setlen: it is local and will never be negative. Having one more bit
for growth is beneficial and it avoids a cast when it's going to be used
for allocation.
Reviewed by: ngie
MFC after: 3 days
Rename nitems to numitems: it shares the anme with an existing macro in
sys/params.h. Also initialize the value later which avoids asigning the
value if we exit early.
Reviewed by: ngie
MFC after: 3 days
Dan Krejsa reports a potential memory leak in an fts_build error case,
detected by Coverity. (It doesn't seem to show up in Coverity Scan, so I
don't have a CID to point to.)
I don't know whether it is actually possible to arrive in this case with a
non-empty 'head' list. The cost is low, though. One additional branch in a
terminal error case isn't the end of the world.
PR: 217125
Submitted by: Dan Krejsa <dan.krejsa at gmail.com>
4.0.0 (branches/release_40 296509). The release will follow soon.
Please note that from 3.5.0 onwards, clang, llvm and lldb require C++11
support to build; see UPDATING for more information.
Also note that as of 4.0.0, lld should be able to link the base system
on amd64 and aarch64. See the WITH_LLD_IS_LLD setting in src.conf(5).
Though please be aware that this is work in progress.
Release notes for llvm, clang and lld will be available here:
<http://releases.llvm.org/4.0.0/docs/ReleaseNotes.html>
<http://releases.llvm.org/4.0.0/tools/clang/docs/ReleaseNotes.html>
<http://releases.llvm.org/4.0.0/tools/lld/docs/ReleaseNotes.html>
Thanks to Ed Maste, Jan Beich, Antoine Brodin and Eric Fiselier for
their help.
Relnotes: yes
Exp-run: antoine
PR: 215969, 216008
MFC after: 1 month
MDSRCS it intended to allow assembly versions of funtions with C
implementations listed in MISRCS. The selection of the correct
machdep_ldis?.c for a given architecture does not follow this pattern
and the file should be added to SRCS directly.
Reviewed by: emaste, imp, jhb
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D9841
- Remove .c files which duplicate entries in MISRCS.
- Use the same, less merge conflict prone style in all cases.
- Use MDSRCS for mips (.c and .S files both ended up in SRCS).
- Remove pointless sparc64 Makefile.inc.
- Remove uninformative foreign VCS ID entries.
Reviewed by: emaste, imp, jhb
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D9841
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.
Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96
Also mention <time.h> in sem_timedwait(3), because POSIX does,
and because the user will need it for clockid_t, struct timespec,
and TIMER_ABSTIME.
Reported by: bde
MFC after: 9 days
X-MFC with: r314179
Sponsored by: Dell EMC
fail in the Capability mode. Instead silently fallback to the syscall
method, which is done for example in the gettimeofday(2) function.
Reviewed by: kib
This function allows the caller to specify the reference clock
and choose between absolute and relative mode. In relative mode,
the remaining time can be returned.
The API is similar to clock_nanosleep(3). Thanks to Ed Schouten
for that suggestion.
While I'm here, reduce the sleep time in the semaphore "child"
test to greatly reduce its runtime. Also add a reasonable timeout.
Reviewed by: ed (userland)
MFC after: 2 weeks
Relnotes: yes
Sponsored by: Dell EMC
Differential Revision: https://reviews.freebsd.org/D9656
Although fp[get][set]sticky() functions are obsolete, they are still
required for GNU fortran49 library.
MFC after: 2 months
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D9634
Due to bug[1] in libcompiler_rt, all symbols declared by
DEFINE_AEABI_FUNCTION_ALIAS() are not hidden. All these but two
are explicitly exported from libc and don't causes problems.
Remaining two, __aeabi_uidiv and __aeabi_idiv, infecting all
non-versioned shared libraries. And these symbols are consumed
by many (if not all) packages[2].
As workaround, export these from libc as compatible symbols,
in global namespace. With this, these are still visible for
rtld, but static linker doesn't use then.
[1]
DEFINE_AEABI_FUNCTION_ALIAS() macro uses '.set' directive for
declaration of aliased symbol. Unfortunately, '.set' doesn't
inherit visibility of base symbol, and macro don't explicitly
sets visibility for aliased one.
[2]
Given symbols are exported from non-versioned libraries only if
library itself uses them. So, if world is built for CPU with
HW divide, these function are not used and given symbols are
not exported. By this, contents of these libraries is not stable,
and all packages fails to run.
Note: Due to r313823 I'm forced to commit this too early, without
leave enough time for proper review.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D9632
Now that <sys/event.h> can be included on its own, adjust the manual
page accordingly. Remove both unnecessary #include statements from the
synopsis and the example code.
While there, also add a note to the BUGS section to mention that
previous versions of this header file still depend on <sys/types.h>.
Reviewed by: ngie, vangyzen
Differential Revision: https://reviews.freebsd.org/D9605
NSS modules are loaded when nsswitch.conf is parsed and may register their
own atexit handlers with libc. nss_atexit() unloads any dynamically loaded
NSS modules, so it should run only after the modules' atexit handlers have
been invoked.
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
since it is using type punning of union members, and clang does not yet
support gcc's extensions which allow this (refer to
https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#Type%2dpunning
for more information).
This should fix strtod(3) return values for the lang/julia port, so it
does not fail on an assertion during its build.
PR: 216770
For regular files and posix shared memory, POSIX requires that
[offset, offset + size) range is legitimate. At the maping time,
check that offset is not negative. Allowing negative offsets might
expose the data that filesystem put into vm_object for internal use,
esp. due to OFF_TO_IDX() signess treatment. Fault handler verifies
that the mapped range is valid, assuming that mmap(2) checked that
arithmetic gives no undefined results.
For device mappings, leave the semantic of negative offsets to the
driver. Correct object page index calculation to not erronously
propagate sign.
In either case, disallow overflow of offset + size.
Update mmap(2) man page to explain the requirement of the range
validity, and behaviour when the range becomes invalid after mapping.
Reported and tested by: royger (previous version)
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
