327588 |
05-Jan-2018 |
emaste |
MFC r327497, r327498: fix memory disclosure in hpt* ioctls
r327497: hpt27xx: plug info leak in hpt_ioctl
The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls hpt_do_ioctl(), which might not overwrite the entire buffer.
Also zero bytesReturned in case it is not written by hpt_do_ioctl().
The hpt27xx device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN.
Reported by: Ilja van Sprundel <ivansprundel@ioactive.com> Submitted by: Domagoj Stolfa <domagoj.stolfa@gmail.com> (M_ZERO)
r327498: hpt{nr,rr}: plug info leak in hpt_ioctl
The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls hpt_do_ioctl(), which might not overwrite the entire buffer.
Also zero bytesReturned in case it is not written by hpt_do_ioctl().
The hpt27{nr,rr} device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN.
The same issue was reported in the hpt27xx driver by Ilja Van Sprundel.
Security: memory disclosure in root-only ioctls Sponsored by: The FreeBSD Foundation |
296135 |
27-Feb-2016 |
jhibbits |
Replace several bus_alloc_resource() calls with bus_alloc_resource_any()
Most of these are BARs, and we allocate them in their entirety. The one outlier in this is amdsbwd, which calls bus_set_resource() prior.
Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D5370 (partial)
|
274819 |
21-Nov-2014 |
smh |
Prevent overflow issues in timeout processing
Previously, any timeout value for which (timeout * hz) will overflow the signed integer, will give weird results, since callout(9) routines will convert negative values of ticks to '1'. For unsigned integer overflow we will get sufficiently smaller timeout values than expected.
Switch from callout_reset, which requires conversion to int based ticks to callout_reset_sbt to avoid this.
Also correct isci to correctly resolve ccb timeout.
This was based on the original work done by Eygene Ryabinkin <rea@freebsd.org> back in 5 Aug 2011 which used a macro to help avoid the overlow.
Differential Revision: https://reviews.freebsd.org/D1157 Reviewed by: mav, davide MFC after: 1 month Sponsored by: Multiplay
|
255871 |
25-Sep-2013 |
scottl |
Re-do r255853. Along with adding back the API/ABI changes from the original, this hides the contents of cam_compat.h from ktrace/kdump/truss, avoiding problems there. There are no user-servicable parts in there, so no need for those tools to be groping around in there.
Approved by: re
|
255853 |
24-Sep-2013 |
scottl |
Update the CAM API for FreeBSD 10:
- Remove the timeout_ch field. It's been deprecated since FreeBSD 7.0; MPSAFE drivers should be managing their own timeout storage. The remaining non-MPSAFE drivers have been modified to also manage their own storage, and should be considered for updating to MPSAFE (or removal) during the FreeBSD 10.x lifecycle.
- Add fields related to soft timeouts and quality of service, to be used in upcoming work.
- Add room for more flags in the CCB header and path_inq structures.
- Begin support for extended 64-bit LUNs.
- Bump the CAM version number to 0x18, but add compat shims. Tested with camcontrol and smartctl.
Reviewed by: nathanw, ken, kib Approved by: re Obtained from: Netflix
|
249468 |
14-Apr-2013 |
mav |
MFprojects/camlock r248982: Stop abusing xpt_periph in random plases that really have no periph related to CCB, for example, bus scanning. NULL value is fine in such cases and it is correctly logged in debug messages as "noperiph". If at some point we need some real XPT periphs (alike to pmpX now), quite likely they will be per-bus, and not a single global instance as xpt_periph now.
|
246713 |
12-Feb-2013 |
kib |
Reform the busdma API so that new types may be added without modifying every architecture's busdma_machdep.c. It is done by unifying the bus_dmamap_load_buffer() routines so that they may be called from MI code. The MD busdma is then given a chance to do any final processing in the complete() callback.
The cam changes unify the bus_dmamap_load* handling in cam drivers.
The arm and mips implementations are updated to track virtual addresses for sync(). Previously this was done in a type specific way. Now it is done in a generic way by recording the list of virtuals in the map.
Submitted by: jeff (sponsored by EMC/Isilon) Reviewed by: kan (previous version), scottl, mjacob (isp(4), no objections for target mode changes) Discussed with: ian (arm changes) Tested by: marius (sparc64), mips (jmallet), isci(4) on x86 (jharris), amd64 (Fabian Keil <freebsd-listen@fabiankeil.de>)
|