to an integer divide by zero panic in the kernel, if the kernel was
run with hz<1000.
Neither i386, pc98, amd64 nor sparc64 are affected in the currently
supported branches and default configuration.
Submitted by: Miikka Saukko, Ossi Herrala and Jukka Taimisto from
the CROSS project at Codenomicon Ltd. via CERT-FI.
Reviewed by: bz, rwatson
Security: CVE-2008-2464
MFC after: 8 hours
loop pointed out by cognet@ that occurs when calling strtod() with a
string representing a number between DBL_MAX and 2*DBL_MAX, when the
rounding mode is anything other than the default.
contexts as rtld's malloc is not thread safe and is only supposed to be
called with exclusive bind lock already held.
The originating PR submitted a patch on top of different pre-requisite
workaround for unsafe dlopen calls, and the patch was modified slightly to apply
to stock sources for the purpose of this commit. Running rtld malloc from
unlocked contexts is a bug on its own.
PR: 126950
Submitted by: Oleg Dolgov
at least pass muster with the loader on 3.0.3
Note that this doesn't actually make it work as Xen 3.0.3
appears to disallow recursive mappings on the page directory
sizes (and running at different frequencies) so move the cacheinfo
to the PCPU data. While at it, remove some redundant and/or unused
members from struct cacheinfo.
- In sparc64_init don't assume the first CPU node we find in the OFW
device tree is the BSP.
in order to avoid the invasive probes done by identify-routines of
ISA drivers, which may access unassigned addresses or those of
unrelated devices and thus in turn can trigger master/target aborts
as revealed by r182108 and ahc(4). I think that this is also the
cause of the hang previously seen on B100 blades during boot.
Bypassing isa_probe_children(9) also avoids adding ISA hints, which
just can be wrong for sparc64.
Reported by: gavin
After the MPSAFE TTY import we support an additional rlimit, called
RLIMIT_NPTS. This limit allows you to cap the amount of pseudo-terminals
allocated by one user.
We forgot to add support for this limit to limits(1), which means it
crashed. Add the proper bits to make it work like it should.
Unfortunately not all shells actually implement the RLIMIT, so
unfortunately I suspect it to be broken with certain shells.
Submitted by: Yuriy Tsibizov <yuriy tsibizov gfk ru>
processes, clear PCB_32BIT and PCB_GS32BIT bits [1].
- Reread the fs and gs bases from the msr unconditionally, not believing
the values in pcb_fsbase and pcb_gsbase, since usermode may reload
segment registers, invalidating the cache. [2].
Both problems resulted in the wrong fs base, causing the wrong tls pointer
to be dereferenced in usermode.
Reported and tested by: Vyacheslav Bocharov <adeepv at gmail com> [1]
Reported by: Bernd Walter <ticsoat cicely7 cicely de>,
Artem Belevich <fbsdlist at src cx> [2]
Reviewed by: peter
MFC after: 3 days
The ttydisc_getc() routine obtains a read length from ttyoutq_read().
For no valid reason, the current code stores this value in an int, and
returns a size_t. There is no need to perform this useless conversion.
Obtained from: //depot/projects/mpsafetty/...
The D_NEEDMINOR flag was introduced for drivers that do not actually
depend on storing a device unit/minor number, but require the ability to
address the cdevs by this number, which is used by clone_create().
The cpuctl(4) driver sets D_NEEDMINOR, even though it doesn't use the
clone_create() API. Remove the flag, because maybe we want to get rid of
it somewhere in the far future.