Commit Graph

211210 Commits

Author SHA1 Message Date
Pedro F. Giffuni
167e63e394 cam: unsign some types to match their definitions and avoid overflows.
numpatterns is u_int.

ctl:
CTL_NUM_MODE_PAGES comes from sizeof().
In struct:ctl_scsiio, kern_sg_entries is uint32_t.

MFC after:	2 weeks
2016-04-27 15:35:05 +00:00
Andrey V. Elsukov
9a5be809ab Make create_object callback optional and return EOPNOTSUPP when it isn't
defined. Remove eaction_create_compat() and use designated initializers to
initialize eaction_opcodes structure.

Obtained from:	Yandex LLC
2016-04-27 15:28:25 +00:00
Pedro F. Giffuni
b99bce73e2 geom: unsign some types to match their definitions and avoid overflows.
In struct:gctl_req, nargs is unsigned.

In mirror:
g_mirror_syncreqs is unsigned.

In raid:
in struct:g_raid_volume, v_disks_count is unsigned.

In virstor:
in struct:g_virstor_softc, n_components is unsigned.

MFC after:	2 weeks
2016-04-27 15:10:40 +00:00
Sepherosa Ziehau
9e3db01282 tcp/lro: Fix typo.
MFC after:	1 week
Sponsored by:	Microsoft OSTC
2016-04-27 09:40:55 +00:00
Xin LI
4990d495fc MFV r298691:
ntp 4.2.8p7.

Security:	CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security:	CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security:	CVE-2016-2519
Security:	FreeBSD-SA-16:16.ntp
With hat:	so
2016-04-27 07:46:38 +00:00
Sepherosa Ziehau
0fbe6eaef6 hyperv/hn: Add stat for # of chimney sending tries
MFC after:	1 week
Sponsored by:	Microsoft OSTC
2016-04-27 06:49:16 +00:00
Sepherosa Ziehau
677d0d5076 hyperv/vmbus: Mark sysctls MPSAFE
MFC after:	1 week
Sponsored by:	Microsoft OSTC
2016-04-27 05:45:14 +00:00
Xin LI
c1950318d1 Vendor import of ntp-4.2.8p7. 2016-04-27 05:37:54 +00:00
Sepherosa Ziehau
b649be4068 hyperv/hn: Mark sysctls MPSAFE
MFC after:	1 week
Sponsored by:	Microsoft OSTC
2016-04-27 05:18:04 +00:00
Sepherosa Ziehau
6456e1587b hyperv/hn: Remove unapplied comment.
Chimney sending buffers are shared across channels.

MFC after:	1 week
Sponsored by:	Microsoft OSTC
2016-04-27 05:05:54 +00:00
Sepherosa Ziehau
ff1c886a59 hyperv/hn: Restart sending earlier once we gathered some free TX descs
This greatly reduces the oqdrops under heavy workload.

For TCP send/recv test (10K concurrent connections):
oqdrops is reduced by 17% on sending side, and 57% on receiving side.

For nginx-1.8/wrk-4 1KB object test (10K concurrent connections,
4 requests/connection):
oqdrops is reduced by 44% on nginx side, and 10% on wrk side.

MFC after:	1 week
Sponsored by:	Microsoft OSTC
2016-04-27 04:51:28 +00:00
Marcelo Araujo
1f3d62ab98 For pointers use NULL instead of 0.
Reviewed by:	rpaulo
MFC after:	2 weeks.
Differential Revision:	https://reviews.freebsd.org/D5946
2016-04-27 03:06:53 +00:00
Marcelo Araujo
cd59e2f343 Use MIN() macro from sys/param.h.
MFC after:	2 weeks.
2016-04-27 02:44:10 +00:00
Marcelo Araujo
a9a46bd918 Use MIN() macro from sys/param.h.
MFC after:	2 weeks.
2016-04-27 02:34:25 +00:00
Marcelo Araujo
1e8b591f62 Use macro MIN() from sys/param.h.
MFC after:	2 weeks.
2016-04-27 02:26:31 +00:00
Jamie Gritton
73d9e52d2f Delay revmoing the last jail reference in prison_proc_free, and instead
put it off into the pr_task.  This is similar to prison_free, and in fact
uses the same task even though they do something slightly different.

This resolves a LOR between the process lock and allprison_lock, which
came about in r298565.

PR:		48471
2016-04-27 02:25:21 +00:00
Marcelo Araujo
a301044615 Use MIN() macro from sys/param.h.
MFC after:	2 weeks.
2016-04-27 02:13:57 +00:00
Marcelo Araujo
7de7df1554 Use macro MIN() from sys/param.h.
MFC after:	2 weeks.
2016-04-27 02:02:44 +00:00
Pedro F. Giffuni
11ec5dd04b fsck_ffs: Revert partially the unsigned changes.
Any value of uint16_t will be internally promoted to int so
changing them to an unsigned value doesn't help.

Missing revert value in suj_read().

X-MFC with:	r298551
2016-04-27 01:36:25 +00:00
Pedro F. Giffuni
4235bafa7e fsck_ffs: Revert partially the unsigned changes.
Any value of uint16_t will be internally promoted to int so
changing them to an unsigned value doesn't help.

Make clear we want to use uint32_t for closedisk()

X-MFC with:	r298551
2016-04-27 01:32:11 +00:00
Conrad Meyer
da95a2ae56 posix4_mib: Don't overrun facility_initialized array
The facility_initialized and facility arrays are the same size and were
intended to be indexed the same.  I believe this mismatch was just a
typo/braino in r208731.

Reported by:	Coverity
CID:		1017430
Sponsored by:	EMC / Isilon Storage Division
2016-04-27 00:10:32 +00:00
Conrad Meyer
a286650b08 subr_mbpool: Don't free bogus pointer in error paths
An mbpool is allocated with a contiguous array of mbpages.  Freeing an
individual mbpage has never been valid.  Don't do it.

This bug has been present since this code was introduced in r117624 (2003).

Reported by:	Coverity
CID:		1009687
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:58:55 +00:00
Conrad Meyer
5a8c498f2e netipsec: Don't leak memory when deep copy fails
Reported by:	Coverity
CID:		1331693
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:23:44 +00:00
Conrad Meyer
2769d06203 in_lltable_alloc and in6 copy: Don't leak LLE in error path
Fix a memory leak in error conditions introduced in r292978.

Reported by:	Coverity
CIDs:		1347009, 1347010
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:13:48 +00:00
Oleksandr Tymoshenko
349ef43de4 Refactor DTS files for Zynq-based SoCs
- Factor out common part to zynq-7000.dtsi
- Fix problem with Zynq interrupts by using interrupt "triples"
    in .dtsi file to differentiate between edge-triggered and
    level-triggered interrupts
- cgem driver now recognizes "status" property

Submitted by:	Thomas Skibo <thomasskibo@yahoo.com>
Differential Revision:	https://reviews.freebsd.org/D6095
2016-04-26 23:09:47 +00:00
Conrad Meyer
bac5bedf44 tcp_usrreq: Free allocated buffer in relock case
The disgusting macro INP_WLOCK_RECHECK may early-return.  In
tcp_default_ctloutput() the TCP_CCALGOOPT case allocates memory before invoking
this macro, which may leak memory.

Add a _CLEANUP variant that takes a code argument to perform variable cleanup
in the early return path.  Use it to free the 'pbuf' allocated in
tcp_default_ctloutput().

I am not especially happy with this macro, but I reckon it's not any worse than
INP_WLOCK_RECHECK already was.

Reported by:	Coverity
CID:		1350286
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 23:02:18 +00:00
Conrad Meyer
4a2776e538 g_part_bsd64: Delete duplicate/dead code
RAW_PART is handled earlier in the loop.

Reported by:	Coverity
CID:		1223201
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 22:32:33 +00:00
Conrad Meyer
5ad33e776f g_part_bsd64: Check for valid on-disk npartitions value
This value is u32 on disk, but assigned to an int in memory.  After we do the
implicit conversion via assignment, check that the result is at least one[1]
(non-negative[2]).

1. The subsequent for-loop iterates from gpt_entries minus one, down, until
   reaching zero.  A negative or zero initial index results in undefined signed
   integer overflow.
2. It is also used to index into arrays later.

In practice, we expected non-malicious disks to contain small positive values.

Reported by:	Coverity
CID:		1223202
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 22:30:54 +00:00
Conrad Meyer
5eae46af9c ciss(4): Fix overrun of array
The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members.
Most of the time it is iterated correctly.  This patch fixes the two instances
where the driver iterated off the end of the array.

Reported by:	Coverity
CID:		1305492
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 22:01:07 +00:00
Conrad Meyer
90b9cca2a8 iscsi_initiator(4): Fix use-after-free, double-free
ism_stop() already destroys and frees 'sp', including a call to ic_destroy().
Don't dereference 'sp' after ism_stop() and don't invoke ic_destroy() on the
freed memory either.

Reported by:	Coverity
CIDs:		1006109, 1304861
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 21:44:08 +00:00
Jamie Gritton
1fb6767d27 Use crcopysafe in jail_attach. 2016-04-26 21:19:12 +00:00
Oleksandr Tymoshenko
b76565c267 Add dtb/zynq to the list of extra modules required by Zedboard 2016-04-26 21:11:52 +00:00
Oleksandr Tymoshenko
cf790dc236 Add dtb/zynq to generate dtb files for Zynq-based boards
It seems that the only way to supply dtb to loader on Zynq-based
SoCs is to manually generate dtb and place it to pre-defined location
on SD card or TFTP server where loader can pick it up.  More modern
approach is to add modules/dtb/%soc% module and let installworld
target generate dtb and copy them to /boot/dtb/ where they can be
loaded by ubldr
2016-04-26 21:11:01 +00:00
Conrad Meyer
0f752e9f7b aacraid(4): Fix some mostly trivial buffer overruns
strcpy(3) emits a trailing nul byte, trampling fields after the intended
destination.  Instead, use strncpy(3), intentionally leaving these fields
not nul-terminated.

Reported by:	Coverity
CIDs:		1031024, 1305463, 1305494, 1305545
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 20:59:21 +00:00
Kristof Provost
66527f742b msdosfs: Prevent buffer overflow when expanding win95 names
In win2unixfn() we expand Windows 95 style long names. In some cases that
requires moving the data in the nbp->nb_buf buffer backwards to make room. That
code failed to check for overflows, leading to a stack overflow in win2unixfn().

We now check for this event, and mark the entire conversion as failed in that
case. This means we present the 8 character, dos style, name instead.

PR: 204643
Differential Revision:	https://reviews.freebsd.org/D6015
2016-04-26 20:36:32 +00:00
Conrad Meyer
dcbee68850 radix_mpath: Don't derefence a NULL pointer in for loop iteration
It seems rn_dupedkey may be NULL, because of the NULL check inside the loop.
(Also, the rt gets assigned from rn_dupedkey and NULL checked at top of loop.)
However, the for-loop update condition happens before the top-of-loop check and
dereferences 'rt' unconditionally.

Instead, NULL-check before dereferencing.

If rn_dupedkey cannot in fact be NULL, or something else protects this, feel
free to revert this and add an ASSERT of some kind instead.

This was introduced in r191080 (2009) and moved around slightly in r293657.

Reported by:	Coverity
CID:		1348482
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 20:27:17 +00:00
Conrad Meyer
517960dc84 PCI Enhanced Allocation: Annotate an intentional switch fallthrough
This is a trivial follow-up to r296308.  Annotate the intentional fallthrough
to make it clear for future readers and linters.

Reported by:	Coverity
CID:		1352716
Discussed with:	jhb
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 20:06:35 +00:00
Conrad Meyer
aa90aec270 osd(9): Change array pointer to array pointer type from void*
This is a minor follow-up to r297422, prompted by a Coverity warning.  (It's
not a real defect, just a code smell.)  OSD slot array reservations are an
array of pointers (void **) but were cast to void* and back unnecessarily.
Keep the correct type from reservation to use.

osd.9 is updated to match, along with a few trivial igor fixes.

Reported by:	Coverity
CID:		1353811
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 19:57:35 +00:00
Enji Cooper
605e9d2105 Fix up r298368
Remove the semicolon accidentally added after the new conditional that tests
that /dev/zero is opened successfully.

MFC after: 1 week
X-MFC with: r298368
Pointhat to: ngie
Reported by: Coverity
CID: 1354980
Sponsored by: EMC / Isilon Storage Division
2016-04-26 19:21:35 +00:00
Conrad Meyer
2cb2bed294 iwm(4): Don't dereference potentially NULL pointer before NULL check
Introduced in r298594.  There is no path before the 'vap == NULL' check where
vap is not already dereferenced.

Reported by:	Coverity
CID:		1354979
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 19:06:28 +00:00
Bjoern Heidotting
7bb0da8d70 Remove redundant word.
Reviewed by:	 bjk, bcr
Differential Revision:	https://reviews.freebsd.org/D6064
2016-04-26 18:54:44 +00:00
Conrad Meyer
7165836188 emu10kx: Don't iterate beyond array bounds
Reported by:	Coverity
CID:		1354978
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 18:20:41 +00:00
Jamie Gritton
5579267b08 Redo the changes to the SYSV IPC sysctl functions from r298585, so they
don't (mis)use sbufs.

PR:		48471
2016-04-26 18:17:44 +00:00
Conrad Meyer
be0edef163 kgssapi: Don't leak memory in error cases
Reported by:	Coverity
CIDs:		1007046, 1007047, 1007048
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 18:11:45 +00:00
Bryan Drewery
561e173f7e WITH_META_MODE: Allow buildkernel to create .meta files with curdir==objdir.
Without this the incremental build was broken since .depend.* are not
generated with .MAKE.MODE=meta and .meta files were not created to
track dependencies.  Typically meta mode does not create .meta files
when building with curdir==objdir but the kernel build is special.

Reported by:	Nikolai Lifanov <lifanov@mail.lifanov.com>
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 18:08:51 +00:00
Adrian Chadd
959f9e0f5d [mips] correctly represent memory region allocations >> 2^^31
Without this, it'd get promoted incorrectly and fail allocation.

Submitted by:	Mori Hiroki <yamori813@yahoo.co.jp>
Reviewed by:	imp
2016-04-26 16:40:04 +00:00
Ruslan Bukin
9ef5c83c17 Fix the parameter type according to method declaration.
This fixes compilation on riscv with GCC 5.2.0
2016-04-26 16:02:13 +00:00
Hans Petter Selasky
cc165fbf19 Build fix. Add howmany() and nitems() macros to bootloader kernel shim. 2016-04-26 15:41:31 +00:00
Pedro F. Giffuni
55e0987aea sys: extend use of the howmany() macro when available.
We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.
2016-04-26 15:38:17 +00:00
Bjoern A. Zeeb
c9087a9303 Mark the unused period argument __unused.
Reviewed by:	andrew
MFC after:	2 weeks
Sponsored by:	DARPA/AFRL
2016-04-26 15:34:00 +00:00