pool: Check early that we can sleep
Check early that we actually are in a sleepable context in pool_get().
There is an equivalent check in malloc().
from jsg@, ok jca@
rpki-client: add experimental support for P-256 TA keys
This reuses a subset of the checks in cert_check_spki() and passes regress.
It will make sure we revisit this if we add support for other key types and
resolves an XXX (while adding another one).
discussed with job
rpki-client: add more smarts to filemode file type detection
If the file extension doesn't indicate what file type we have, attempt to
parse the file's content as DER for CMS content, a cert or a CRL. For CMS
we can check if we deal with signedData and inspect its eContentType.
h/t jsing
ok job
Fix a regression introduced in rev. 1.152:
Initialize the right variable (max_sz, not this_sz).
Caught by jsg@ with smatch, which correctly complained:
term_strlen() error: uninitialized symbol 'max_sz'.
virtio: Allow DMA mem above 4G
Allow to use memory above 4G on amd64 for virtio rings and
descriptors. This may reduce pressure on dma-able memory a bit.
For the virtio ring address, virtio 0.9 has a 2^44 limit. Use
bus_dmamem_alloc_range there.
With input from kettenis@
ok mlarkin@
Split io_read_str() in two. One version that requires a string (default)
and one that allows optional strings (aka NULL pointers).
Also split io_str_buffer() in two. To enforce that we don't pass a NULL
pointer in a place where we don't expect a NULL pointer.
On top of this just error out in io_read_buf() if the sz passed in is 0.
Adjust all io_read_str() calls to follow this. This way it is obvious
where we accept a NULL as a string pointer.
OK tb@ job@
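The split described above, as an added example that is not rpki-client's own code: a reader over a constructed length-prefixed encoding (a uint32_t size followed by that many bytes, size 0 encoding a NULL pointer). The names (ex_read_buf, ex_read_str, ex_read_str_opt, ex_put_str, struct ex_rd) and the encoding itself are assumptions made for the example. The strict variant is the default and turns a NULL into an error, so only callers of the _opt variant ever have to think about a NULL string pointer; the raw buffer read refuses a zero size.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical input cursor: remaining bytes of a received buffer. */
struct ex_rd {
	const unsigned char *p;
	size_t left;
};

/* Pull exactly sz bytes. A zero size is an error, as is a short buffer. */
static int
ex_read_buf(struct ex_rd *b, void *out, size_t sz)
{
	if (sz == 0 || sz > b->left)
		return -1;
	memcpy(out, b->p, sz);
	b->p += sz;
	b->left -= sz;
	return 0;
}

/* Optional string: size 0 yields *str == NULL and success. */
int
ex_read_str_opt(struct ex_rd *b, char **str)
{
	uint32_t sz;

	if (ex_read_buf(b, &sz, sizeof(sz)) == -1)
		return -1;
	if (sz == 0) {
		*str = NULL;
		return 0;
	}
	if ((*str = malloc((size_t)sz + 1)) == NULL)
		return -1;
	if (ex_read_buf(b, *str, sz) == -1) {
		free(*str);
		*str = NULL;
		return -1;
	}
	(*str)[sz] = '\0';
	return 0;
}

/* Required string (the default): a NULL is an error, never a value. */
int
ex_read_str(struct ex_rd *b, char **str)
{
	if (ex_read_str_opt(b, str) == -1)
		return -1;
	if (*str == NULL)
		return -1;
	return 0;
}

/* Encoder for building test input; s == NULL is written as size 0. */
size_t
ex_put_str(unsigned char *out, const char *s)
{
	uint32_t sz = s == NULL ? 0 : (uint32_t)strlen(s);

	memcpy(out, &sz, sizeof(sz));
	if (sz != 0)
		memcpy(out + sizeof(sz), s, sz);
	return sizeof(sz) + sz;
}
```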
Inherit PS_NOBTCFI at fork(2)
Else the forked children could get killed by our BTCFI safeguards.
PS_NOBTCFI is supposed to be set/unset at exec time.
Spotted by tb@ and landry@ with recent firefox.
ok claudio@ sthen@ deraadt@ tb@
Better fix for power-button event handling during resume
Reset resume_time once we have passed the sleep_state() function.
With this we can keep using the 10 seconds power button timeout
we had before I bumped it to 15 seconds.
Suggested by deraadt@
Instead of resetting p_cpticks in schedcpu() for all procs make
p_cpticks a constantly increasing counter. schedcpu() then uses
p_cpticks2 to store the last value. So the tick count then
becomes p_cpticks - p_cpticks2, with both values only
updated by a single point. This makes the calculation of p_cpu
fully MP safe.
OK mpi@
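The counter scheme above, as an added example that is not OpenBSD's scheduler code. The struct and function names (struct ex_proc, ex_tick_charge, ex_tick_account, ex_delta_after) and the decay formula are assumptions made for the example. The point it shows: when the tick path only ever increments cpticks and the accounting path only ever writes cpticks2, neither side overwrites a variable the other side writes, so no tick can be lost between a read and a reset, and unsigned subtraction keeps the delta correct across wraparound.

```c
#include <limits.h>
#include <stdio.h>

struct ex_proc {
	unsigned int cpticks;   /* written only by the tick path; never reset */
	unsigned int cpticks2;  /* written only by the accounting path */
	unsigned int cpu;       /* decayed usage estimate maintained by accounting */
};

/* Clock tick while the proc is on a CPU. */
void
ex_tick_charge(struct ex_proc *p)
{
	p->cpticks++;
}

/*
 * Periodic accounting (the role schedcpu() plays): returns the ticks
 * consumed since the previous call and folds them into p->cpu.
 */
unsigned int
ex_tick_account(struct ex_proc *p)
{
	unsigned int now = p->cpticks;          /* one read of the tick-side value */
	unsigned int delta = now - p->cpticks2; /* well defined across wrap */

	p->cpticks2 = now;
	p->cpu = (p->cpu * 3) / 4 + delta;      /* hypothetical decay */
	return delta;
}

/* Helper: start from given counter values, charge n ticks, account once. */
unsigned int
ex_delta_after(unsigned int cpticks, unsigned int cpticks2, unsigned int n)
{
	struct ex_proc p = { cpticks, cpticks2, 0 };
	unsigned int i;

	for (i = 0; i < n; i++)
		ex_tick_charge(&p);
	return ex_tick_account(&p);
}

int
main(void)
{
	printf("delta across wrap: %u\n", ex_delta_after(UINT_MAX, UINT_MAX - 2, 2));
	return 0;
}
```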
Avoid decoding instructions when elr isn't pointing into the kernel part
of the virtual address space. Use fault() instead of panic() to report
an attempt to access or execute user space address from the kernel such
that we preserve more state.
ok miod@, deraadt@, jca@
revert 'fix wrong ifmedia macro used to check for IFM_AUTO'; change was wrong
While IFM_AUTO is indeed in the IFM_SUBTYPE range of the ifmedia word,
what this check is really trying to find out is whether any bits in
the IFM_MODE range are set. Those bits indicate whether userland has fixed
the phy mode to 11a/11b/11g etc. And because IFM_AUTO is zero this check
works as intended, even though comparing IFM_MODE range values to a value
declared in the IFM_SUBTYPE range is questionable coding style.
Set the upper boundary of 'kern.seminfo.semopm' variable to
"(MALLOC_MAX / sizeof(struct sembuf))". Otherwise the greater value
could exceed the MALLOC_MAX limit and cause panic.
Reported-by: syzbot+eef7ac9dfe338eeaec7c at syzkaller.appspotmail.com
ok bluhm deraadt millert jca
For IMSG_BINDANY, bnd.bnd_proc wasn't range checked to ensure it is positive.
As a result IF the other side of the privsep was successfully exploited, it
could then send such a flawed message and cause an array bounds
violation over the privsep boundary.
Reported by S. Ai, H. Lefeuvre, Systopia team
ok claudio
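The missing check above, as an added example that is not the project's own code: a constructed message type carrying a signed process index, parsed on the trusting side of a privsep boundary, with the before and after versions of the range check side by side. EX_NPROCS, struct ex_bindany and the function names are assumptions made for the example. Checking only the upper bound leaves a negative index free to address memory before the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EX_NPROCS 8   /* size of the per-process table (constructed value) */

struct ex_bindany {
	int32_t bnd_proc;   /* table index chosen by the sending process */
	uint16_t bnd_port;
};

/* Before: only the upper bound is checked, so a negative index passes. */
int
ex_bindany_index_before(const unsigned char *buf, size_t len, int *idx)
{
	struct ex_bindany m;

	if (len != sizeof(m))
		return -1;
	memcpy(&m, buf, sizeof(m));
	if (m.bnd_proc >= EX_NPROCS)
		return -1;
	*idx = m.bnd_proc;
	return 0;
}

/* After: reject anything outside [0, EX_NPROCS) before it is used. */
int
ex_bindany_index(const unsigned char *buf, size_t len, int *idx)
{
	struct ex_bindany m;

	if (len != sizeof(m))
		return -1;
	memcpy(&m, buf, sizeof(m));
	if (m.bnd_proc < 0 || m.bnd_proc >= EX_NPROCS)
		return -1;
	*idx = m.bnd_proc;
	return 0;
}

/* Build a message as the other side of the boundary would send it. */
size_t
ex_bindany_encode(int32_t proc, uint16_t port, unsigned char *out)
{
	struct ex_bindany m = { proc, port };

	memcpy(out, &m, sizeof(m));
	return sizeof(m);
}
```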