Commit Graph

150246 Commits

Author SHA1 Message Date
Hiroki Sato
df2b25f6ee - Enable an afexists() check only when no AF argument is specified.
- Simplify helper functions.

Discussed with:	ume
2009-10-02 20:19:53 +00:00
Bjoern A. Zeeb
492ffed1e3 Replace the name of the sysctl to security.bsd.map_at_zero and to be
consistent updated the name of the variable as well, after the change
in r197711.
2009-10-02 17:53:48 +00:00
Bjoern A. Zeeb
fc50832731 Back out the functional parts from r197537. After r197711, affecting all
user mappings, mmap no longer needs special treatment.
2009-10-02 17:51:46 +00:00
Bjoern A. Zeeb
878adb8517 Add a mitigation feature that will prevent user mappings at
virtual address 0, limiting the ability to convert a kernel
NULL pointer dereference into a privilege escalation attack.

If the sysctl is set to 0 a newly started process will not be able
to map anything in the address range of the first page (0 to PAGE_SIZE).
This is the default. Already running processes are not affected by this.

You can either change the sysctl or the tunable from loader in case
you need to map at a virtual address of 0, for example when running
any of the extinct species of a set of a.out binaries, vm86 emulation, ..
In that case set security.bsd.map_at_zero="1".

Superseeds:		r197537
In collaboration with:	jhb, kib, alc
2009-10-02 17:48:51 +00:00
Yoshihiro Takahashi
a38f6f86d2 Fix build nfscl and/or nfsd.
MFC after:	3 days
2009-10-02 12:47:01 +00:00
Rui Paulo
f49e371d3b Reserve numbers for XScale.
Reviewed by:	jkoshy
2009-10-02 11:14:12 +00:00
Rui Paulo
f143a35bf1 Remove performance counter headers. This code came from NetBSD, but our
hardware perf. counter support is different, so we don't need these
files.

Reviewed by:	freebsd-arm (no comments)
2009-10-02 11:10:05 +00:00
Hiroki Sato
d7caaef2e5 Enable adding a link-local address even if ND6_IFF_IFDISABLED.
Note that when the interface has ND6_IFF_IFDISABLED, a newly-added
address is always marked as IN6_IFF_TENTATIVE so that the interface
can perform DAD after the ND6_IFF_IFDISABLED is cleared.
2009-10-02 07:00:20 +00:00
Hiroki Sato
b5a70c98b2 The net.inet.tcp.log_in_vain accepts 0, 1 or 2, not Y/N. 2009-10-02 06:51:39 +00:00
Hiroki Sato
ccbc06d893 Revert the previous afexists() change. Knobs configured explicitly by
the user should not be ignored if possible even if the kernel does not
support the prerequisite feature.

Discussed with:	ume
2009-10-02 06:19:34 +00:00
Hiroki Sato
e248dc09a8 - Split routing_*() and option_*() to *_AF() and add afexists() check
for each address family.  Replace AF_static() with static_AF() for
  consistency.

- Display a message only if the user sets a non-default value, and set
  a sysctl explicitly even if it is the default value.
2009-10-02 02:28:59 +00:00
Hiroki Sato
01ce5591ad - Fix logic inversion bug of net.inet.tcp.rfc1323[*].
- Split netoptions_start() to netoptions_AF() and add afexists() check
  for each address family.

- Display a message only if the user sets a non-default value, and set
  a sysctl explicitly even if it is the default value.

Spotted by:	Pegasus Mc Cleaft[*]
2009-10-02 02:27:49 +00:00
Hiroki Sato
b558571de6 - Add AF_IPX and AF_NATM to afexists().
- Add afexists() check to address family specific rc.d scripts.  A
  script for an AF will be silently ignored if the kernel has no
  support for the AF.
2009-10-02 02:24:25 +00:00
Qing Li
b4a22c365c Remove a log message from production code. This log message can be
triggered by a misconfigured host that is sending out gratuious ARPs.
This log message can also be triggered during a network renumbering
event when multiple prefixes co-exist on a single network segment.

MFC after:	immediately
2009-10-02 01:45:11 +00:00
Qing Li
fa3cfd39ff Previously, if an address alias is configured on an interface, and
this address alias has a prefix matching that of another address
configured on the same interface, then the ARP entry for the alias
is not deleted from the ARP table when that address alias is removed.
This patch fixes the aforementioned issue.

PR:		kern/139113
MFC after:	3 days
2009-10-02 01:34:55 +00:00
Kip Macy
46aba52a50 make read_eflags and write_eflags accomplish the same effect on PVM as native,
simplifying interrupt handling
2009-10-01 22:05:38 +00:00
Ed Maste
e380cc73ed In fill_kinfo_thread, copy the thread's name into struct kinfo_proc even
if it is empty.  Otherwise the previous thread's name would remain in the
struct and then be reported for this thread.

Submitted by:	Ryan Stone
MFC after:	1 week
2009-10-01 21:44:30 +00:00
Jilles Tjoelker
47e5ae08a1 sh: Disallow mismatched quotes in backticks (...).
Due to the amount of code removed by this, it seems that allowing unmatched
quotes was a deliberate imitation of System V sh and real ksh. Most other
shells do not allow unmatched quotes (e.g. bash, zsh, pdksh, NetBSD /bin/sh,
dash).

PR:		bin/137657
2009-10-01 21:40:08 +00:00
Jung-uk Kim
165a00d1de Compile ACPI debugger and disassembler for kernel modules unconditionally.
These files will generate almost empty object files without ACPI_DEBUG/DDB
options.  As a result, size of acpi.ko will increase slightly.
2009-10-01 20:56:15 +00:00
Qing Li
e5c610d659 The flow-table associates TCP/UDP flows and IP destinations with
specific routes. When the routing table changes, for example,
when a new route with a more specific prefix is inserted into the
routing table, the flow-table is not updated to reflect that change.
As such existing connections cannot take advantage of the new path.
In some cases the path is broken. This patch will update the affected
flow-table entries when a more specific route is added. The route
entry is properly marked when a route is deleted from the table.
In this case, when the flow-table performs a search, the stale
entry is updated automatically. Therefore this patch is not
necessary for route deletion.

Submitted by:	simon, phk
Reviewed by:	bz, kmacy
MFC after:	3 days
2009-10-01 20:32:29 +00:00
John Baldwin
3538cf0cbe Put square backets ([]) around process names for system processes to patch
the behavior of ps(1).
2009-10-01 19:12:14 +00:00
Xin LI
6f62807611 Return EOPNOTSUPP instead of EINVAL when doing chflags(2) over an old
format ZFS, as defined in the manual page.

Submitted by:	pjd (response of my original patch but bugs are mine)
MFC after:	3 days
2009-10-01 18:58:26 +00:00
Andrew Thompson
c8a14b9124 EHCI Hardware BUG workaround
The EHCI HW can use the qtd_next field instead of qtd_altnext when a short
packet is received. This contradicts what is stated in the EHCI datasheet.
Also the total-bytes field in the status field of the following TD gets
corrupted upon reception of a short packet!  We work this around in software by
not queueing more than one job/TD at a time of up to 16Kbytes! The bug has been
seen on multiple INTEL based EHCI chips.  Other vendors have not been tested
yet.

- Applications using /dev/usb/X.Y.Z, where Z is non-zero are affected, but not
  applications using LibUSB v0.1, v1.2 and v2.0.
- Mass Storage (umass) is affected.

Submitted by:	Hans Petter Selasky
MFC after:	3 days
2009-10-01 18:37:16 +00:00
Joe Marcus Clarke
ad1e5416ab Correct the pthread stub prototype for pthread_mutexattr_settype to allow for
the type argument.  This is known to fix some pthread_mutexattr_settype()
invocations, especially when it comes to pulseaudio.

Approved by:	kib
		deischen (threads)
MFC after:	3 days
2009-10-01 18:23:50 +00:00
Edward Tomasz Napierala
2c29cfa083 Provide default implementation for VOP_ACCESS(9), so that filesystems which
want to provide VOP_ACCESSX(9) don't have to implement both.  Note that
this commit makes implementation of either of these two mandatory.

Reviewed by:	kib
2009-10-01 17:22:03 +00:00
Dag-Erling Smørgrav
7aee6ffee0 Upgrade to OpenSSH 5.3p1. 2009-10-01 17:12:52 +00:00
VANHULLEBUS Yvan
a45bff047c Changed an IPSEC_ASSERT to a simple test, as such invalid packets
may come from outside without being discarded before.

Submitted by:	aurelien.ansel@netasq.com
Reviewed by:	bz (secteam)
Obtained from:	NETASQ
MFC after:	1m
2009-10-01 15:33:53 +00:00
Dag-Erling Smørgrav
e5e752b5a7 Vendor import of OpenSSH 5.3p1 2009-10-01 15:19:37 +00:00
Konstantin Belousov
b02395c64d As a workaround, for Intel CPUs, do not use CLFLUSH in
pmap_invalidate_cache_range() when self-snoop is apparently not reported
in cpu features. We get a reserved trap when clflushing APIC registers
window.

XEN in full system virtualization mode removes self-snoop from CPU
features, making this a problem.

Tested by:	csjp
Reviewed by:	alc
MFC after:	3 days
2009-10-01 12:52:48 +00:00
Konstantin Belousov
75ffdc4049 Do not dereference vp->v_mount without holding vnode lock and checking
that the vnode is not reclaimed.

Noted by:	Igor Sysoev <is rambler-co ru>
MFC after:	1 week
2009-10-01 12:50:26 +00:00
Konstantin Belousov
6fecb26b6b Move the annotation for vm_map_startup() immediately before the function.
MFC after:	3 days
2009-10-01 12:48:35 +00:00
Konstantin Belousov
15b7a831df Fix typo.
MFC after:	3 days
2009-10-01 12:46:58 +00:00
Coleman Kane
00e6b158be Fix a bad use of NULL instead of zero for int comparison. Sorry for the
breakage.

Submitted by:	bz, des, onemda
MFC after:	3 days
2009-10-01 11:52:06 +00:00
Andriy Gapon
7e936cef34 print machine in kernel boot version string
Discussed with:	gavin, kib, jhb
PR:		kern/126926
MFC after:	2 weeks
2009-10-01 10:53:12 +00:00
Yoshihiro Takahashi
eb8d03079d MFi386: revision 197653
Improve 802.11s comment.

MFC after:	1 day
2009-10-01 10:46:22 +00:00
Coleman Kane
ed44e7ec7d style(9) fixes (always compare pointers to NULL)
Also, the previous commit to sys/dev/if_ndis/if_ndis.c also included the
removal of a call to ndis_setstate_80211 that is no longer needed.

Submitted by:	sam
MFC after:	3 days
2009-10-01 02:43:51 +00:00
Rui Paulo
c16c6b65da Improve 802.11s comment.
Spotted by:	dougb
MFC after:	1 day
2009-10-01 02:08:42 +00:00
Edward Tomasz Napierala
5aea82db46 Fix typo in the comment. 2009-09-30 18:50:50 +00:00
John Baldwin
146672474f Do not hold the ACPI A/C adapter lock when changing the power profile.
MFC after:	2 weeks
2009-09-30 17:07:49 +00:00
John Baldwin
0032eb1acb Split the 'video' ACPI lock up into two locks to resolve a LOR with the
sysctl lock.  The 'video' lock now protects the 'bus' of video output
devices attached to a graphics adapter.  It is used when iterating over
the list of outputs, etc.  The 'video_output' lock is used to lock the
output-specific data similar to a driver lock for the individual video
outputs.

MFC after:	2 weeks
2009-09-30 17:05:26 +00:00
Andriy Gapon
beb2c1f3e9 cpufunc.h: unify/correct style of c extension names
i386 and amd64 archs only.
inline => __inline. [1]
__asm__ => __asm. [2]

Reviewed by:	kib, jhb [1]
Suggested by:	kib [2]
MFC after:	1 week
2009-09-30 16:34:50 +00:00
Hajimu UMEMOTO
db4abd60a3 Don't do an IPv6 operation when the kernel doesn't have
an IPv6 support.

Reported by:	Alexander Best <alexbestms__at__math.uni-muenster.de>
Confirmed by:	Paul B. Mahol <onemda__at__gmail.com>,
		Alexander Best <alexbestms__at__math.uni-muenster.de>
2009-09-30 14:58:10 +00:00
Andrew Gallatin
83d54b590f Two more mxge watchdog fixes:
1) Restore the PCI Express control register after a watchdog
   reset.  This is required because the device will come out
   of watchdog reset with the pectl reg at its default state,
   and important BIOS configuration (like max payload size)
   could be lost.

2) Call mxge_start_locked() for every tx queue before dropping
   the lock in the watchdog handler.   This is required, as
   the queue's buf ring may have filled during the reset.
2009-09-30 14:42:06 +00:00
Coleman Kane
d63581ec39 Correct a bug that could lead to a kernel panic if a user attempted to
perform 802.11 operations directly on the ndis0 interface before the
first VAP (wlan0) had been created. This would lead to a NULL-pointer
dereference in the kernel.

Submitted by:	Paul B. Mahol <onemda@gmail.com>
MFC after:	3 days
2009-09-30 14:28:38 +00:00
Attilio Rao
ddce63ca73 When releasing a read/shared lock we need to use a write memory barrier
in order to avoid, on architectures which doesn't have strong ordered
writes, CPU instructions reordering.

Diagnosed by:	fabio
Reviewed by:	jhb
Tested by:	Giovanni Trematerra
		<giovanni dot trematerra at gmail dot com>
2009-09-30 13:26:31 +00:00
Andriy Gapon
78edb09e67 print_caddr_t: drop incorrect __unused attribute from parameter
seems like a purely cosmetic change

Reviewed by:	jhb, kib
MFC after:	1 week
2009-09-30 11:14:13 +00:00
Alexander Motin
2ad05ba238 Fix typo in previous commit.
Add Realtek ALC887 codec ID.
2009-09-30 11:05:12 +00:00
Robert Watson
718dbcfeaa Regenerate system call files following r197636. 2009-09-30 08:48:59 +00:00
Robert Watson
72c35fc69c Reserve system call numbers for Capsicum security framework capabilities,
capability mode, and process descriptors: cap_new, cap_getrights, cap_enter,
cap_getmode, pdfork, pdkill, pdgetpid, and pdwait.

Obtained from:	TrustedBSD Project
Sponsored by:	Google
MFC after:	3 weeks
2009-09-30 08:46:01 +00:00
Pyun YongHyeon
cb2cdeceb5 Fix multicast handling. All Atheros controllers use big-endian form
in computing multicast hash.

PR:	kern/139137
2009-09-29 23:03:16 +00:00