- Use strlcpy to ensure p->name doesn't overflow sa.sun_path [*].
- Use SUN_LEN(..) instead of spelling out calculation longhand (inspired
by comment by jmallett).
Tested with: dgram and stream support with both bsnmpwalk and snmpwalk
MFC after: 1 week
Reported by: Coverity
CID: 1006825
- Ensure `section` doesn't overrun section by using strlcpy instead of
strcpy [*].
- Use strdup instead of malloc + strcpy (this wasn't flagged by Coverity,
but is an opportunistic change).
MFC after: 1 week
Reported by: Coverity
CID: 1006826 [*]
The previous change was flawed in terms of how it calculated the
buffer length for the sockaddr_un object. Use SUN_LEN where
appropriate and mute the Coverity complaint by using memset(.., 0, ..)
to zero out the entire structure instead of setting .sun_len to a bogus
value and strlcpy'ing in the contents of argv[1].
SUN_LEN is now being passed to bind(2) as well. For some odd reason
this wasn't flagged as a bug with Coverity.
Reported by: jilles, jmallett
MFC after: 2 days
X-MFC with: r311233
* rename the ieee80211com field for vht mcsinfo to be ic_, not iv;
* add a vht config field, stealing from the spares I left there.
This doesn't change the ABI.
The HT40 channel population logic was "just" doing pairs of channels starting with
the band entry frequency. Trouble is, a lot of the rules start way off at 5120MHz,
which isn't a valid 5GHz channel. Then, eg for HT40U, it would populate:
* (5120,5140)
* (5160,5180)
* (5200,5220)
* (5240,5260)
.. as the HT40U pairs, with the first being the primary channel. Channel 36
is 5180MHz, and since it's not a primary channel here, it wouldn't populate it.
Then, the next HT40U would be 5200/5220, which is highly wrong.
HT40D had the same problem.
So, this just forces that 5GHz HT40 channels start at channel 36 (5180),
no matter what the band edge says. This includes eg doing 4.9GHz channels.
This erm, meant that the HT40 channels for the low band was always wrong.
Oops!
Tested:
* AR9380, STA mode
* AR9344 SoC, AP mode
MFC after: 1 week
Upon each execve, we allocate a KVA range for use in copying data to the
new image. Pages must be faulted into the range, and when the range is
freed, the backing pages are freed and their mappings are destroyed. This
is a lot of needless overhead, and the exec_map management becomes a
bottleneck when many CPUs are executing execve concurrently. Moreover, the
number of available ranges is fixed at 16, which is insufficient on large
systems and potentially excessive on 32-bit systems.
The new allocator reduces overhead by making exec_map allocations
persistent. When a range is freed, pages backing the range are marked clean
and made easy to reclaim. With this change, the exec_map is sized based on
the number of CPUs.
Reviewed by: kib
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D8921
Previously, the stack unwinder tried to locate the start of the function
in each frame by walking backwards until it found an instruction that
modified the stack pointer and then assumed that was the first instruction
in a function. The unwinder would only print a function name if the
starting instruction's address was an exact match for a symbol name.
However, not all functions generated by modern compilers start off functions
with that instruction. For those functions, the unwinder would fail to
find a matching function name. As a result, most frames in a stack
trace would be printed as raw hex PC's instead of a function name.
Stop depending on this incorrect assumption and just use db_printsym()
like other platforms to display the function name and offset for each
frame. This generates a far more useful stack trace.
While here, don't print out curproc's pid at the end of the trace. The
pid was always from curproc even if tracing some other process.
In addition, remove some rotted comments about hardcoded constants that
are no longer hardcoded.
Sponsored by: DARPA / AFRL
There was a single call to stacktrace() under an #ifdef DEBUG to obtain
a stack trace during a fault that resulted in a function pointer to a
printf function being passed to stacktrace_subr() in db_trace.c. The
kernel now has existing interfaces for obtaining a stack trace outside
of DDB (kdb_backtrace(), or the stack_*() API) that should be used instead.
Rather than fix the one call however, remove it since the kernel will
dump a trace anyway once it panics.
Make stacktrace_subr() static, remove the function pointer and change it
to use db_printf() explicitly.
Discussed with: kan
Sponsored by: DARPA / AFRL
Use the trapframe unwinder recently added for kernel stack overflow
panics for frames crossing MipsKernGenException and MipsKernIntr.
This provides more reliably unwinding across nested interrupts and
exceptions in the kernel.
While here, dump the value of the CAUSE and BADVADDR registers when
crossing a trapframe.
Submitted by: rwatson (original version)
Obtained from: CheriBSD
Sponsored by: DARPA / AFRL
The sim_vid, hba_vid, and dev_name fields of struct ccb_pathinq are
fixed-length strings. AFAICT the only place they're read is in
sbin/camcontrol/camcontrol.c, which assumes they'll be null-terminated.
However, the kernel doesn't null-terminate them. A bunch of copy-pasted code
uses strncpy to write them, and doesn't guarantee null-termination. For at
least 4 drivers (mpr, mps, ciss, and hyperv), the hba_vid field actually
overflows. You can see the result by doing "camcontrol negotiate da0 -v".
This change null-terminates those fields everywhere they're set in the
kernel. It also shortens a few strings to ensure they'll fit within the
16-character field.
PR: 215474
Reported by: Coverity
CID: 1009997 1010000 1010001 1010002 1010003 1010004 1010005
CID: 1331519 1010006 1215097 1010007 1288967 1010008 1306000
CID: 1211924 1010009 1010010 1010011 1010012 1010013 1010014
CID: 1147190 1010017 1010016 1010018 1216435 1010020 1010021
CID: 1010022 1009666 1018185 1010023 1010025 1010026 1010027
CID: 1010028 1010029 1010030 1010031 1010033 1018186 1018187
CID: 1010035 1010036 1010042 1010041 1010040 1010039
Reviewed by: imp, sephe, slm
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D9037
Differential Revision: https://reviews.freebsd.org/D9038
The offending code has been dead ever since the import from OpenBSD in
r195805. OpenBSD later deleted that entire function.
Reported by: Coverity
CID: 500059
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
This is being done to reduce wasted space, simplify complexity in
the code, and to quell a Coverity warning about buffer overruns.
warning about buffer overruns.
MFC after: 1 week
Reported by: Coverity
CID: 1006736
It's been dead ever since it was imported from TI-RPC in 1995. The dead
code is still present in Illumos today, but was removed from NetBSD in 2006.
Reported by: Coverity
CID: 270097
Obtained from: NetBSD
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
It's always been dead, ever since first import in 1994. It's still dead in
OpenBSD's version, too.
Reported by: Coverity
CID: 270586
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
the mapping which might be accessed by other threads.
If a pointer to the /dev/hpet register page mapping was stored into
the hpet_dev_map, other threads might access the page at any time.
Never unmap it, instead, keep track of mappings for all hpet units in
smal array. Store pointer to the newly mapped registers page using
CAS, to detect parallel mappings.
It appeared relatively easy to demonstrate the problem by arranging
two threads which perform gettimeofday(2) concurently, first time in
the process address space, when HPET is used for timecounter.
PR: 215715
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
returns memory which must be freed, regardless of the error. Assign
NULL to *buf in case we are not going to allocate any memory due to
invalid mode.
Reported and tested by: pho
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
MFC after: 3 weeks (together with r310638)
Differential revision: https://reviews.freebsd.org/D9042
a symlink and an autofs mount request. The crash was caused by namei()
calling bcopy() with a negative length, caused by numeric underflow:
in lookup(), in the relookup path, the ni_pathlen was decremented too
many times. The bug was introduced in r296715.
Big thanks to Alex Deiter for his help with debugging this.
Reviewed by: kib@
Tested by: Alex Deiter <alex.deiter at gmail.com>
MFC after: 1 month
observed to fix any actual error, but it's the right thing to do
from the correctness point of view.
Tested by: Eugene M. Zheganin <emz at norma.perm.ru>
MFC after: 1 month
party software, this provides more standarized import workflow and
makes future upgrades easier.
The following files are new with this commit:
zconf.h.in
zlib.map
zlib.pc.in
They are not connected to build, but were kept in tree for reference
for future maintenance.
All our local trivial changes were applied to contrib/zlib, and the
contrib/zlib vendor source code is intended to 100% match lib/libz
before this commit.
MFC after: 2 weeks
This code is unused on FreeBSD, but it mutes a valid Coverity warning
which would be true on NetBSD
MFC after: 3 days
Reported by: Coverity
CID: 978311
Ensure child exits when complete as it's always run in a forked
process.
Add a missing break statement in :pselect_sigmask when calling
child(..) for clarity and to avoid weird domino effects if the
child process somehow does something it's not supposed to do
with the logfiles, file descriptors, etc
MFC after: 1 week
Reported by: Coverity
CID: 1223369, 1223370, 1300301