Commit Graph

211083 Commits

Author SHA1 Message Date
Conrad Meyer
da95a2ae56 posix4_mib: Don't overrun facility_initialized array
The facility_initialized and facility arrays are the same size and were
intended to be indexed the same.  I believe this mismatch was just a
typo/braino in r208731.

Reported by:	Coverity
CID:		1017430
Sponsored by:	EMC / Isilon Storage Division
2016-04-27 00:10:32 +00:00
Conrad Meyer
a286650b08 subr_mbpool: Don't free bogus pointer in error paths
An mbpool is allocated with a contiguous array of mbpages.  Freeing an
individual mbpage has never been valid.  Don't do it.

This bug has been present since this code was introduced in r117624 (2003).

Reported by:	Coverity
CID:		1009687
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:58:55 +00:00
Conrad Meyer
5a8c498f2e netipsec: Don't leak memory when deep copy fails
Reported by:	Coverity
CID:		1331693
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:23:44 +00:00
Conrad Meyer
2769d06203 in_lltable_alloc and in6 copy: Don't leak LLE in error path
Fix a memory leak in error conditions introduced in r292978.

Reported by:	Coverity
CIDs:		1347009, 1347010
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:13:48 +00:00
Oleksandr Tymoshenko
349ef43de4 Refactor DTS files for Zynq-based SoCs
- Factor out common part to zynq-7000.dtsi
- Fix problem with Zynq interrupts by using interrupt "triples"
    in .dtsi file to differentiate between edge-triggered and
    level-triggered interrupts
- cgem driver now recognizes "status" property

Submitted by:	Thomas Skibo <thomasskibo@yahoo.com>
Differential Revision:	https://reviews.freebsd.org/D6095
2016-04-26 23:09:47 +00:00
Conrad Meyer
bac5bedf44 tcp_usrreq: Free allocated buffer in relock case
The disgusting macro INP_WLOCK_RECHECK may early-return.  In
tcp_default_ctloutput() the TCP_CCALGOOPT case allocates memory before invoking
this macro, which may leak memory.

Add a _CLEANUP variant that takes a code argument to perform variable cleanup
in the early return path.  Use it to free the 'pbuf' allocated in
tcp_default_ctloutput().

I am not especially happy with this macro, but I reckon it's not any worse than
INP_WLOCK_RECHECK already was.

Reported by:	Coverity
CID:		1350286
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:02:18 +00:00
Conrad Meyer
4a2776e538 g_part_bsd64: Delete duplicate/dead code
RAW_PART is handled earlier in the loop.

Reported by:	Coverity
CID:		1223201
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 22:32:33 +00:00
Conrad Meyer
5ad33e776f g_part_bsd64: Check for valid on-disk npartitions value
This value is u32 on disk, but assigned to an int in memory.  After we do the
implicit conversion via assignment, check that the result is at least one[1]
(non-negative[2]).

1. The subsequent for-loop iterates from gpt_entries minus one, down, until
   reaching zero.  A negative or zero initial index results in undefined signed
   integer overflow.
2. It is also used to index into arrays later.

In practice, we expected non-malicious disks to contain small positive values.

Reported by:	Coverity
CID:		1223202
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 22:30:54 +00:00
Conrad Meyer
5eae46af9c ciss(4): Fix overrun of array
The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members.
Most of the time it is iterated correctly.  This patch fixes the two instances
where the driver iterated off the end of the array.

Reported by:	Coverity
CID:		1305492
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 22:01:07 +00:00
Conrad Meyer
90b9cca2a8 iscsi_initiator(4): Fix use-after-free, double-free
ism_stop() already destroys and frees 'sp', including a call to ic_destroy().
Don't dereference 'sp' after ism_stop() and don't invoke ic_destroy() on the
freed memory either.

Reported by:	Coverity
CIDs:		1006109, 1304861
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 21:44:08 +00:00
Jamie Gritton
1fb6767d27 Use crcopysafe in jail_attach. 2016-04-26 21:19:12 +00:00
Oleksandr Tymoshenko
b76565c267 Add dtb/zynq to the list of extra modules required by Zedboard 2016-04-26 21:11:52 +00:00
Oleksandr Tymoshenko
cf790dc236 Add dtb/zynq to generate dtb files for Zynq-based boards
It seems that the only way to supply dtb to loader on Zynq-based
SoCs is to manually generate dtb and place it to pre-defined location
on SD card or TFTP server where loader can pick it up.  More modern
approach is to add modules/dtb/%soc% module and let installworld
target generate dtb and copy them to /boot/dtb/ where they can be
loaded by ubldr
2016-04-26 21:11:01 +00:00
Conrad Meyer
0f752e9f7b aacraid(4): Fix some mostly trivial buffer overruns
strcpy(3) emits a trailing nul byte, trampling fields after the intended
destination.  Instead, use strncpy(3), intentionally leaving these fields
not nul-terminated.

Reported by:	Coverity
CIDs:		1031024, 1305463, 1305494, 1305545
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 20:59:21 +00:00
Kristof Provost
66527f742b msdosfs: Prevent buffer overflow when expanding win95 names
In win2unixfn() we expand Windows 95 style long names. In some cases that
requires moving the data in the nbp->nb_buf buffer backwards to make room. That
code failed to check for overflows, leading to a stack overflow in win2unixfn().

We now check for this event, and mark the entire conversion as failed in that
case. This means we present the 8 character, dos style, name instead.

PR: 204643
Differential Revision:	https://reviews.freebsd.org/D6015
2016-04-26 20:36:32 +00:00
Conrad Meyer
dcbee68850 radix_mpath: Don't dereference a NULL pointer in for loop iteration
It seems rn_dupedkey may be NULL, because of the NULL check inside the loop.
(Also, the rt gets assigned from rn_dupedkey and NULL checked at top of loop.)
However, the for-loop update condition happens before the top-of-loop check and
dereferences 'rt' unconditionally.

Instead, NULL-check before dereferencing.

If rn_dupedkey cannot in fact be NULL, or something else protects this, feel
free to revert this and add an ASSERT of some kind instead.

This was introduced in r191080 (2009) and moved around slightly in r293657.

Reported by:	Coverity
CID:		1348482
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 20:27:17 +00:00
Conrad Meyer
517960dc84 PCI Enhanced Allocation: Annotate an intentional switch fallthrough
This is a trivial follow-up to r296308.  Annotate the intentional fallthrough
to make it clear for future readers and linters.

Reported by:	Coverity
CID:		1352716
Discussed with:	jhb
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 20:06:35 +00:00
Conrad Meyer
aa90aec270 osd(9): Change array pointer to array pointer type from void*
This is a minor follow-up to r297422, prompted by a Coverity warning.  (It's
not a real defect, just a code smell.)  OSD slot array reservations are an
array of pointers (void **) but were cast to void* and back unnecessarily.
Keep the correct type from reservation to use.

osd.9 is updated to match, along with a few trivial igor fixes.

Reported by:	Coverity
CID:		1353811
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 19:57:35 +00:00
Enji Cooper
605e9d2105 Fix up r298368
Remove the semicolon accidentally added after the new conditional that tests
that /dev/zero is opened successfully.

MFC after: 1 week
X-MFC with: r298368
Pointhat to: ngie
Reported by: Coverity
CID: 1354980
Sponsored by: EMC / Isilon Storage Division
2016-04-26 19:21:35 +00:00
Conrad Meyer
2cb2bed294 iwm(4): Don't dereference potentially NULL pointer before NULL check
Introduced in r298594.  There is no path before the 'vap == NULL' check where
vap is not already dereferenced.

Reported by:	Coverity
CID:		1354979
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 19:06:28 +00:00
Bjoern Heidotting
7bb0da8d70 Remove redundant word.
Reviewed by:	 bjk, bcr
Differential Revision:	https://reviews.freebsd.org/D6064
2016-04-26 18:54:44 +00:00
Conrad Meyer
7165836188 emu10kx: Don't iterate beyond array bounds
Reported by:	Coverity
CID:		1354978
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 18:20:41 +00:00
Jamie Gritton
5579267b08 Redo the changes to the SYSV IPC sysctl functions from r298585, so they
don't (mis)use sbufs.

PR:		48471
2016-04-26 18:17:44 +00:00
Conrad Meyer
be0edef163 kgssapi: Don't leak memory in error cases
Reported by:	Coverity
CIDs:		1007046, 1007047, 1007048
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 18:11:45 +00:00
Bryan Drewery
561e173f7e WITH_META_MODE: Allow buildkernel to create .meta files with curdir==objdir.
Without this the incremental build was broken since .depend.* are not
generated with .MAKE.MODE=meta and .meta files were not created to
track dependencies.  Typically meta mode does not create .meta files
when building with curdir==objdir but the kernel build is special.

Reported by:	Nikolai Lifanov <lifanov@mail.lifanov.com>
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 18:08:51 +00:00
Adrian Chadd
959f9e0f5d [mips] correctly represent memory region allocations >> 2^^31
Without this, it'd get promoted incorrectly and fail allocation.

Submitted by:	Mori Hiroki <yamori813@yahoo.co.jp>
Reviewed by:	imp
2016-04-26 16:40:04 +00:00
Ruslan Bukin
9ef5c83c17 Fix the parameter type according to method declaration.
This fixes compilation on riscv with GCC 5.2.0
2016-04-26 16:02:13 +00:00
Hans Petter Selasky
cc165fbf19 Build fix. Add howmany() and nitems() macros to bootloader kernel shim. 2016-04-26 15:41:31 +00:00
Pedro F. Giffuni
55e0987aea sys: extend use of the howmany() macro when available.
We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.
2016-04-26 15:38:17 +00:00
Bjoern A. Zeeb
c9087a9303 Mark the unused period argument __unused.
Reviewed by:	andrew
MFC after:	2 weeks
Sponsored by:	DARPA/AFRL
2016-04-26 15:34:00 +00:00
Hans Petter Selasky
b1660d8774 Add function needed for linking USB test application. 2016-04-26 15:33:53 +00:00
Pedro F. Giffuni
057b4402bf sys/dev: extend use of the howmany() macro when available.
We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.
2016-04-26 15:03:15 +00:00
Pedro F. Giffuni
768f89e078 sys/boot: make use of the howmany() macro when available.
We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.
2016-04-26 14:51:58 +00:00
Alan Somers
96edd3f3ee Add GEOM::physpath documentation to devd.conf(5)
Suggested by:	trasz
Reviewed by:	trasz
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D6063
2016-04-26 14:48:58 +00:00
Pedro F. Giffuni
f0e561112f sys/arm: make use of the howmany() macro when available.
We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.
2016-04-26 14:47:52 +00:00
Pedro F. Giffuni
910c079886 sys/powerpc: make use of the howmany() macro when available.
We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.
2016-04-26 14:44:49 +00:00
Ruslan Bukin
9af9422682 Rework the list of all pmaps: embed the list link into pmap. 2016-04-26 14:38:18 +00:00
Pedro F. Giffuni
8123f597e9 ed(1): switch two statements so we check the index before dereferencing.
This is related to r270256 but was missed on that occasion.

MFC after:	3 days
2016-04-26 14:31:48 +00:00
Andrew Turner
ef6b515b69 Disable ACPI on arm64 as it has only had minimal testing and is causing
boot issues when booting with FDT. It is planned to re-enable this at a
later date.

Obtained from:	ABT Systems Ltd
Sponsored by:	The FreeBSD Foundation
2016-04-26 14:21:39 +00:00
Ruslan Bukin
3f8f5599a3 o Add device tree files and kernel configuration files
for RISC-V cpus synthesized on FPGA hardware.
o Include new files to the build.
2016-04-26 13:22:08 +00:00
Andrew Turner
9c42d415a3 Stop including machine/fdt.h from the fdt uart code, it's unneeded.
Sponsored by:	ABT Systems Ltd
2016-04-26 13:16:45 +00:00
Ruslan Bukin
00106e52c2 Add the non-standard "IO interrupt" vector used by lowRISC.
For now they provide UART irq only.

Sponsored by:	DARPA, AFRL
Sponsored by:	HEIF5
2016-04-26 12:56:44 +00:00
Ruslan Bukin
6c0d33bcb3 Add the implementation of basic bus_space_read/write functions.
Sponsored by:	DARPA, AFRL
Sponsored by:	HEIF5
2016-04-26 12:45:01 +00:00
Jared McNeill
39fe39bca9 Fix calculation of LCD CH1 SCLK1 output frequency when SCLK2 /2 is used
as source.

PR:		208680
Reported by:	David Binderman <dcb314@hotmail.com>
2016-04-26 12:36:12 +00:00
Ruslan Bukin
63270b0b65 Add the implementation of OF_decode_addr(). 2016-04-26 12:33:25 +00:00
Ruslan Bukin
5c3a3f25ce Do not include fdt.h on RISC-V. 2016-04-26 12:31:23 +00:00
Ruslan Bukin
3a32292401 Add support for RISC-V. 2016-04-26 12:29:47 +00:00
Jared McNeill
fc0424631d Add support for 8-bit eMMC.
Set MMC_CAP_4_BIT_DATA and MMC_CAP_8_BIT_DATA based on the "bus-width"
DT property and reduce maximum bus frequency from 52MHz to 50MHz to match
the capabilities of the clock provider.

Tested on a BananaPi BPI-M3 (A83T).
2016-04-26 12:02:36 +00:00
Ruslan Bukin
30b72b6871 Move arm's devmap to some generic place, so it can be used
by other architectures.

Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D6091
Sponsored by:	DARPA, AFRL
Sponsored by:	HEIF5
2016-04-26 11:53:37 +00:00
Andrew Turner
6487f78716 Stop using sbrk in csh. This is a legacy interface and its use within csh
is invalid. It is used to find the size of allocated memory. As malloc may
allocate memory with mmap it will fail to take this memory into account.

Obtained from:	brooks
2016-04-26 11:39:32 +00:00