The facility_initialized and facility arrays are the same size and were
intended to be indexed the same. I believe this mismatch was just a
typo/braino in r208731.
Reported by: Coverity
CID: 1017430
Sponsored by: EMC / Isilon Storage Division
An mbpool is allocated with a contiguous array of mbpages. Freeing an
individual mbpage has never been valid. Don't do it.
This bug has been present since this code was introduced in r117624 (2003).
Reported by: Coverity
CID: 1009687
Sponsored by: EMC / Isilon Storage Division
- Factor out common part to zynq-7000.dtsi
- Fix problem with Zynq interrupts by using interrupt "triples"
in .dtsi file to differentiate between edge-triggered and
level-triggered interrupts
- cgem driver now recognizes "status" property
Submitted by: Thomas Skibo <thomasskibo@yahoo.com>
Differential Revision: https://reviews.freebsd.org/D6095
The disgusting macro INP_WLOCK_RECHECK may early-return. In
tcp_default_ctloutput() the TCP_CCALGOOPT case allocates memory before invoking
this macro, which may leak memory.
Add a _CLEANUP variant that takes a code argument to perform variable cleanup
in the early return path. Use it to free the 'pbuf' allocated in
tcp_default_ctloutput().
I am not especially happy with this macro, but I reckon it's not any worse than
INP_WLOCK_RECHECK already was.
Reported by: Coverity
CID: 1350286
Sponsored by: EMC / Isilon Storage Division
This value is u32 on disk, but assigned to an int in memory. After we do the
implicit conversion via assignment, check that the result is at least one[1]
(non-negative[2]).
1. The subsequent for-loop iterates from gpt_entries minus one, down, until
reaching zero. A negative or zero initial index results in undefined signed
integer overflow.
2. It is also used to index into arrays later.
In practice, we expected non-malicious disks to contain small positive values.
Reported by: Coverity
CID: 1223202
Sponsored by: EMC / Isilon Storage Division
The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members.
Most of the time it is iterated correctly. This patch fixes the two instances
where the driver iterated off the end of the array.
Reported by: Coverity
CID: 1305492
Sponsored by: EMC / Isilon Storage Division
ism_stop() already destroys and frees 'sp', including a call to ic_destroy().
Don't dereference 'sp' after ism_stop() and don't invoke ic_destroy() on the
freed memory either.
Reported by: Coverity
CIDs: 1006109, 1304861
Sponsored by: EMC / Isilon Storage Division
It seems that the only way to supply dtb to loader on Zynq-based
SoCs is to manually generate dtb and place it to pre-defined location
on SD card or TFTP server where loader can pick it up. More modern
approach is to add modules/dtb/%soc% module and let installworld
target generate dtb and copy them to /boot/dtb/ where they can be
loaded by ubldr
In win2unixfn() we expand Windows 95 style long names. In some cases that
requires moving the data in the nbp->nb_buf buffer backwards to make room. That
code failed to check for overflows, leading to a stack overflow in win2unixfn().
We now check for this event, and mark the entire conversion as failed in that
case. This means we present the 8 character, dos style, name instead.
PR: 204643
Differential Revision: https://reviews.freebsd.org/D6015
It seems rn_dupedkey may be NULL, because of the NULL check inside the loop.
(Also, the rt gets assigned from rn_dupedkey and NULL checked at top of loop.)
However, the for-loop update condition happens before the top-of-loop check and
dereferences 'rt' unconditionally.
Instead, NULL-check before dereferencing.
If rn_dupedkey cannot in fact be NULL, or something else protects this, feel
free to revert this and add an ASSERT of some kind instead.
This was introduced in r191080 (2009) and moved around slightly in r293657.
Reported by: Coverity
CID: 1348482
Sponsored by: EMC / Isilon Storage Division
This is a trivial follow-up to r296308. Annotate the intentional fallthrough
to make it clear for future readers and linters.
Reported by: Coverity
CID: 1352716
Discussed with: jhb
Sponsored by: EMC / Isilon Storage Division
This is a minor follow-up to r297422, prompted by a Coverity warning. (It's
not a real defect, just a code smell.) OSD slot array reservations are an
array of pointers (void **) but were cast to void* and back unnecessarily.
Keep the correct type from reservation to use.
osd.9 is updated to match, along with a few trivial igor fixes.
Reported by: Coverity
CID: 1353811
Sponsored by: EMC / Isilon Storage Division
Remove the semicolon accidentally added after the new conditional that tests
that /dev/zero is opened successfully.
MFC after: 1 week
X-MFC with: r298368
Pointhat to: ngie
Reported by: Coverity
CID: 1354980
Sponsored by: EMC / Isilon Storage Division
Introduced in r298594. There is no path before the 'vap == NULL' check where
vap is not already dereferenced.
Reported by: Coverity
CID: 1354979
Sponsored by: EMC / Isilon Storage Division
Without this the incremental build was broken since .depend.* are not
generated with .MAKE.MODE=meta and .meta files were not created to
track dependencies. Typically meta mode does not create .meta files
when building with curdir==objdir but the kernel build is special.
Reported by: Nikolai Lifanov <lifanov@mail.lifanov.com>
Sponsored by: EMC / Isilon Storage Division
boot issues when booting with FDT. It is planned to re-enable this at a
later date.
Obtained from: ABT Systems Ltd
Sponsored by: The FreeBSD Foundation
Set MMC_CAP_4_BIT_DATA and MMC_CAP_8_BIT_DATA based on the "bus-width"
DT property and reduce maximum bus frequency from 52MHz to 50MHz to match
the capabilities of the clock provider.
Tested on a BananaPi BPI-M3 (A83T).
is invalid. It is used to find the size of allocated memory. As malloc may
allocate memory with mmap it will fail to take this memory into account.
Obtained from: brooks