6 hours agotcp/syncache: Set flowid and hash type properly for SYN|ACK master github/master
sephe [Fri, 29 Apr 2016 07:23:08 +0000 (07:23 +0000)]
tcp/syncache: Set flowid and hash type properly for SYN|ACK

So the underlying drivers can use it to select the sending queue
properly for SYN|ACK instead of rolling their own hash.

Sponsored by: Microsoft OSTC
Differential Revision:

8 hours agoFix including Kyuafile in packaged base system.
gjb [Fri, 29 Apr 2016 05:28:40 +0000 (05:28 +0000)]
Fix including Kyuafile in packaged base system.

Fix a related typo while here.

Note, this change results in the Kyuafile inclusion in the runtime
package, which needs to be fixed, however addresses the PR as far
as I can tell in my tests.

PR: 209114
Submitted by: ngie
Sponsored by: The FreeBSD Foundation

12 hours ago[ath] Add LDPC transmit support.
adrian [Fri, 29 Apr 2016 01:53:45 +0000 (01:53 +0000)]
[ath] Add LDPC transmit support.

LDPC adds better transmit reliability if both ends support it.

You in theory can do both STBC and LDPC at the same time.
If I see issues I'll disable it.

* Only enable it if both ends of a connection negotiate it.
* Disable it if any rate is non-11n.
* Count both LDPC TX and STBC TX.


* AR9380, STA mode

12 hours ago[ath] turn the BA hardware bug back into a printf().
adrian [Fri, 29 Apr 2016 01:52:06 +0000 (01:52 +0000)]
[ath] turn the BA hardware bug back into a printf().

I saw this happen a couple of times and all I saw was a dump of the
transmit descriptors.  Log the message for now so I can see whta happened.

12 hours ago[ath] Add counters for STBC TX and LDPC TX.
adrian [Fri, 29 Apr 2016 01:51:27 +0000 (01:51 +0000)]
[ath] Add counters for STBC TX and LDPC TX.

This is a big no-op until the TX path changes to enable LDPC TX are

15 hours agoClarify build(7) instructions for alternate object directory.
wblock [Thu, 28 Apr 2016 22:14:09 +0000 (22:14 +0000)]
Clarify build(7) instructions for alternate object directory.

PR: 209062
Submitted by: Shawn Debnath <>
MFC after: 1 week
Differential Revision:

16 hours agoRemove logically impossible test in scsidoinquiry(..)
ngie [Thu, 28 Apr 2016 21:17:23 +0000 (21:17 +0000)]
Remove logically impossible test in scsidoinquiry(..)

It was already done 4 lines prior and the value of error didn't change

MFC after: 3 days
Reported by: Coverity
CID: 1011236
Sponsored by: EMC / Isilon Storage Division

17 hours ago[net80211] fix indenting.
adrian [Thu, 28 Apr 2016 20:30:49 +0000 (20:30 +0000)]
[net80211] fix indenting.

Sponsored by: Eva Automation, Inc.

17 hours ago[net80211] handle action frames in adhoc mode from the node that created the BSS.
adrian [Thu, 28 Apr 2016 20:29:49 +0000 (20:29 +0000)]
[net80211] handle action frames in adhoc mode from the node that created the BSS.

We don't have a separate bss node; instead we dup the first node we saw
and turn that into the BSS node.  This means that action frames from
that node would be rejected.

So, check that the node is the bss node /and/ the MAC doesn't match ni_macaddr.
That's the "right" way for now to verify it's an unknown node.

This fixes handling action frames in adhoc mode, which includes negotiating
11n aggregation via ADDBA/DELBA.

This by itself isn't enough to correctly create 11n adhoc networks; but
it is required for aggregation to be negotiated.


* AR9380, 11n adhoc mode
* broadcom 11ac adhoc (vendor platform)

Sponsored by: Eva Automation, Inc.

18 hours agosys/geom: spelling fixes.
pfg [Thu, 28 Apr 2016 19:26:46 +0000 (19:26 +0000)]
sys/geom: spelling fixes.

These affect debugging messages.

MFC after: 2 weeks

19 hours agoOnly count CPU devices that are using the ACPI CPU driver.
jhb [Thu, 28 Apr 2016 18:53:14 +0000 (18:53 +0000)]
Only count CPU devices that are using the ACPI CPU driver.

Arguably we should only be doing the probe/attach to children of
these devices as well.

Tested by: Michal Stanek <> (arm64)
Differential Revision:

19 hours agoFix va_list handling
ngie [Thu, 28 Apr 2016 18:41:55 +0000 (18:41 +0000)]
Fix va_list handling

- Add missing va_end's after corresponding va_start's to cleanup state
- Eliminate questionable bzero'ing of va_list passed in to
  do_buff_decode(..) and do_encode(..) from buff_{de,en}code_visit(..)
  and csio_{de,en}code_visit(..). Make va_list a pointer instead and
  pass NULL into the underlying functions to handler this in a portable
- Do some minor style(9) clean up in affected functions.

Differential Revision:
MFC after: 3 days
Reported by: cppcheck, Coverity
CID: 1018500-1018503
Reviewed by: cem
Sponsored by: EMC / Isilon Storage Division

19 hours agoAdd some notes about the implicit resource mapping for activated resources.
jhb [Thu, 28 Apr 2016 18:23:18 +0000 (18:23 +0000)]
Add some notes about the implicit resource mapping for activated resources.

Specifically, mention that rman_get_bustag/handle/virtual are valid after
a resource is activated.  Also, mention the wrapper API that accepts a
struct resource instead of a bus tag and handle.

20 hours agoDocument RF_PREFETCHABLE.
jhb [Thu, 28 Apr 2016 18:01:25 +0000 (18:01 +0000)]

20 hours agoUse a better idiom for finding UTC prefixed timezones
ngie [Thu, 28 Apr 2016 17:57:17 +0000 (17:57 +0000)]
Use a better idiom for finding UTC prefixed timezones

Instead of copy-pasting the string literal for "UTC" 3 times and using
strlen, use a static char[3] buffer and sizeof(..).

MFC after: 3 days
X-MFC with: r298507
Submitted by: kib
Sponsored by: EMC / Isilon Storage Division

20 hours agoDocument PCI_RES_BUS as a possible resource type.
jhb [Thu, 28 Apr 2016 17:50:16 +0000 (17:50 +0000)]
Document PCI_RES_BUS as a possible resource type.

20 hours agoRemove a stale reference to the removed RF_TIMESHARE flag.
jhb [Thu, 28 Apr 2016 17:48:52 +0000 (17:48 +0000)]
Remove a stale reference to the removed RF_TIMESHARE flag.

22 hours agoComplete the UDP tunneling of ICMP msgs to those protocols
rrs [Thu, 28 Apr 2016 15:53:10 +0000 (15:53 +0000)]
Complete the UDP tunneling of ICMP msgs to those protocols
interested in having tunneled UDP and finding out about the
ICMP (tested by Michael Tuexen with SCTP.. soon to be using
this feature).

Differential Revision:

22 hours agoSmall typo.
pfg [Thu, 28 Apr 2016 15:20:08 +0000 (15:20 +0000)]
Small typo.

22 hours agoSmall typos.
pfg [Thu, 28 Apr 2016 15:18:28 +0000 (15:18 +0000)]
Small typos.

22 hours agoAdd PACKAGE fields to usr.sbin/extattr/tests/Makefile
asomers [Thu, 28 Apr 2016 15:13:50 +0000 (15:13 +0000)]
Add PACKAGE fields to usr.sbin/extattr/tests/Makefile

Add boiler plate required by 298107 but omitted by 298483.  These
two changes passed through CR in parallel.  I think this should get
the full test suite running in Jenkins again.

MFC after: 22 days
X-MFC-with: 298483
Sponsored by: Spectra Logic Corp

24 hours agoThis cleans up the timers code in TCP to start using the new
rrs [Thu, 28 Apr 2016 13:27:12 +0000 (13:27 +0000)]
This cleans up the timers code in TCP to start using the new
async_drain functionality. This as been tested in NF as well as
by Verisign. Still to do in here is to remove all the old flags. They
are currently left being maintained but probably are no longer needed.

Sponsored by: Netflix Inc.
Differential Revision:

25 hours agoTEGRA: Add interrupt support for Tegra GPIO controller.
mmel [Thu, 28 Apr 2016 13:00:40 +0000 (13:00 +0000)]
TEGRA: Add interrupt support for Tegra GPIO controller.

25 hours agoStop using sbrk(2) with malloc. This helps reduce the number of places
andrew [Thu, 28 Apr 2016 12:24:58 +0000 (12:24 +0000)]
Stop using sbrk(2) with malloc. This helps reduce the number of places
within the tree where we call this legacy interface.

Reviewed by: jasone
Obtained from: brooks
Sponsored by: ABT Systems Ltd

25 hours agoARM: Use kernel pmap as intermediate mapping in context switch.
mmel [Thu, 28 Apr 2016 12:05:07 +0000 (12:05 +0000)]
ARM: Use kernel pmap as intermediate mapping in context switch.
On ARM, we can directly switch between translation tables only when
the size of the mapping for any given virtual address is the same in
the old and new translation tables. The load of new TTB and subsequent
TLB flush is not atomic operation. So speculative page table walk can
load TLB entry from new mapping while rest of TLB entries are still the
old ones. In worst case, this can lead to situation when TLB cache can
contain multiple matching TLB entries. One (from old mapping) L2 entry
for VA + 4k and one (from new mapping) L1 entry for VA.

Thus, we must switch to kernel pmap translation table as intermediate
mapping because all sizes of these (old pmap and kernel pmap) mappings
are same (or unmapped). The same is true for switch from kernel pmap
translation table to new pmap one.

25 hours agoINTRNG: Define 'INTR_IRQ_INVALID' constant and use it consistently
mmel [Thu, 28 Apr 2016 12:04:12 +0000 (12:04 +0000)]
INTRNG: Define 'INTR_IRQ_INVALID' constant and use it consistently
as error indicator.

26 hours agoGPIO: Add support for gpio pin interrupts.
mmel [Thu, 28 Apr 2016 12:03:22 +0000 (12:03 +0000)]
GPIO: Add support for gpio pin interrupts.
Add new function gpio_alloc_intr_resource(), which allows an allocation
of interrupt resource associated to given gpio pin. It also allows to
specify interrupt configuration.

Note: This functionality is dependent on INTRNG, and must be
implemented in each GPIO controller.

28 hours agofix missing variable in r298736
avg [Thu, 28 Apr 2016 09:40:24 +0000 (09:40 +0000)]
fix missing variable in r298736

Pointyhat to: avg
Reported by: Ivan Klymenko <>
MFC after: 2 weeks
X-MFC with: r298736

29 hours agoensure that initial local apic id is sane on AMD 10h systems
avg [Thu, 28 Apr 2016 08:29:57 +0000 (08:29 +0000)]
ensure that initial local apic id is sane on AMD 10h systems

The Initial Local APIC ID is returned by CPUID function 1 (in EBX).
On AMD Family 10h systems the way that ID is built is controlled by
an MSR bit (InitApicIdCpuIdLo).  BKDG instructs BIOS to set it in a
certain way, but a BIOS can be buggy.  In that case the ID can confuse
tools that use it, e.g. hwloc.
For example, on a system that I own real Local APIC IDs are configured
as 0, 1, 2, 3, but IDs reported via CPUID.1 are 0, 0x40, 0x80, 0xc0.

Reviewed by: kib
MFC after: 2 weeks
Differential Revision:

31 hours agosfxge(4): do not use RxQ index as label
arybchik [Thu, 28 Apr 2016 06:20:43 +0000 (06:20 +0000)]
sfxge(4): do not use RxQ index as label

Labels are limitted by 32 on EF10. It is not sufficient on powerful hosts.
Since only one RxQ is running over each EvQ, zero label may be used.

Reviewed by:    gnn
Sponsored by:   Solarflare Communications, Inc.
MFC after:      2 days
PR:             208267
Differential Revision:

34 hours agondis(4): it's rather unrealistic to expect a size_t here.
pfg [Thu, 28 Apr 2016 03:19:53 +0000 (03:19 +0000)]
ndis(4): it's rather unrealistic to expect a size_t here.

int was actually OK, and u_int is more than enough.

35 hours agoipdivert: Remove unnecessary and incorrectly typed variable.
pfg [Thu, 28 Apr 2016 02:46:08 +0000 (02:46 +0000)]
ipdivert: Remove unnecessary and incorrectly typed variable.

In principle n is only used to carry a copy of ipi_count, which is
unsigned, in the non-VIMAGE case, however ipi_count can be used
directly so it is not needed at all. Removing it makes things look

35 hours agosys/devfs: unsign an index to prevent signed integer overflow.
pfg [Thu, 28 Apr 2016 02:39:43 +0000 (02:39 +0000)]
sys/devfs: unsign an index to prevent signed integer overflow.

cdp_maxdirent in struct:cdev_priv is of type u_int.  Use the same
type for the corresponding index in devfs_revoke().

MFC after: 1 week

36 hours agondis(4): unsign some indexes to prevent overflows.
pfg [Thu, 28 Apr 2016 01:58:56 +0000 (01:58 +0000)]
ndis(4): unsign some indexes to prevent overflows.

The "len" parameter is uint32_t, indexing it with an int may
end up in a signed integer overflow.

strlen(3) returns an integer of size_t so the corresponding index should
have that size.

MFC after: 1 week

36 hours agotcp/lro: Fix more typo
sephe [Thu, 28 Apr 2016 01:43:18 +0000 (01:43 +0000)]
tcp/lro: Fix more typo

Noticed by: hiren
MFC after: 1 week
Sponsored by: Microsoft OSTC

40 hours agoTrim redundant message.
jhb [Wed, 27 Apr 2016 21:51:24 +0000 (21:51 +0000)]
Trim redundant message.

WITNESS_WARN() appends "with non-sleepable lock" to the caller's message.

Sponsored by: Chelsio Communications

40 hours agoAdjust prototypes for NUMA-related functions to match the style of the
jhb [Wed, 27 Apr 2016 21:12:05 +0000 (21:12 +0000)]
Adjust prototypes for NUMA-related functions to match the style of the
rest of this file.

41 hours agoAdd support for the Non-maskable interrupt driver found in the Allwinner A20 and...
manu [Wed, 27 Apr 2016 20:49:57 +0000 (20:49 +0000)]
Add support for the Non-maskable interrupt driver found in the Allwinner A20 and A31 SoCs.
This is normally used for the PMU.

Reviewed by: andrew
Approved by: andrew (mentor)
Differential Revision:

41 hours agoFix build without ACPI_DEBUG.
jkim [Wed, 27 Apr 2016 20:24:48 +0000 (20:24 +0000)]
Fix build without ACPI_DEBUG.

42 hours agoFix build for systems without PCI_RES_BUS.
jhb [Wed, 27 Apr 2016 19:54:56 +0000 (19:54 +0000)]
Fix build for systems without PCI_RES_BUS.

Submitted by: vangyzen

42 hours agoSort SUBDIR.
jkim [Wed, 27 Apr 2016 19:38:24 +0000 (19:38 +0000)]

42 hours agoMerge ACPICA 20160422.
jkim [Wed, 27 Apr 2016 19:09:21 +0000 (19:09 +0000)]
Merge ACPICA 20160422.

43 hours agoDon't use the control argument after calling sctp_add_to_readq().
tuexen [Wed, 27 Apr 2016 18:58:47 +0000 (18:58 +0000)]
Don't use the control argument after calling sctp_add_to_readq().
This breaks the userland stack. There should be no functional change
for the FreeBSD kernel stack.
While there, use consistent variable nameing.

44 hours agoAdd a bus_null_rescan() method that always fails with an error.
jhb [Wed, 27 Apr 2016 17:49:42 +0000 (17:49 +0000)]
Add a bus_null_rescan() method that always fails with an error.

Use this in place of kobj_error_method to disable BUS_RESCAN() on
PCI drivers that do not use the "standard" scanning algorithm.

45 hours agoAdd a pcib_attach_child() method to manage adding the child "pci" device.
jhb [Wed, 27 Apr 2016 16:39:05 +0000 (16:39 +0000)]
Add a pcib_attach_child() method to manage adding the child "pci" device.

This allows the PCI-PCI bridge driver to save a reference to the child
device in its softc.

Note that this required moving the "pci" device creation out of
acpi_pcib_attach().  Instead, acpi_pcib_attach() is renamed to
acpi_pcib_fetch_prt() as it's sole action now is to fetch the PCI
interrupt routing table.

Differential Revision:

45 hours agoFix PCI bus detach to delete child devices.
jhb [Wed, 27 Apr 2016 16:34:29 +0000 (16:34 +0000)]
Fix PCI bus detach to delete child devices.

Differential Revision:

45 hours agoAdd 'devctl delete' that calls device_delete_child().
jhb [Wed, 27 Apr 2016 16:33:17 +0000 (16:33 +0000)]
Add 'devctl delete' that calls device_delete_child().

'devctl delete' can be used to delete a device that is no longer present.
As an anti-foot-shooting measure, 'delete' will not delete a device
unless it's parent bus says it is no longer present.  This can be
overridden by passing the force ('-f') flag.

Note that this command should be used with care.  If a device is deleted
that is actually present it can't be resurrected unless the parent bus
device's driver supports rescans.

Differential Revision:

45 hours agoImplement a PCI bus rescan method.
jhb [Wed, 27 Apr 2016 16:31:12 +0000 (16:31 +0000)]
Implement a PCI bus rescan method.

Rescanning a PCI bus uses the following steps:
- Fetch the current set of child devices and save it in the 'devlist'
- Allocate a parallel array 'unchanged' initalized with NULL pointers.
- Scan the bus checking each slot (and each function on slots with a
  multifunction device).
- If a valid function is found, look for a matching device in the 'devlist'
  array.  If a device is found, save the pointer in the 'unchanged' array.
  If a device is not found, add a new device.
- After the scan has finished, walk the 'devlist' array deleting any
  devices that do not have a matching pointer in the 'unchanged' array.
- Finally, fetch an updated set of child devices and explicitly attach any
  devices that are not present in the 'unchanged' array.

This builds on the previous changes to move subclass data management into
pci_alloc_devinfo(), pci_child_added(), and bus_child_deleted().

Subclasses of the PCI bus use custom rescan logic explicitly override the
rescan method to disable rescans.

Differential Revision:

45 hours agoAdd a new rescan method to the bus interface.
jhb [Wed, 27 Apr 2016 16:29:03 +0000 (16:29 +0000)]
Add a new rescan method to the bus interface.

The BUS_RESCAN() method rescans a single bus device checking for devices
that have been added or removed from the bus.  A new 'rescan' command is
added to devctl(8) to trigger a rescan.

Differential Revision:

46 hours agocam: unsign some types to match their definitions and avoid overflows.
pfg [Wed, 27 Apr 2016 15:35:05 +0000 (15:35 +0000)]
cam: unsign some types to match their definitions and avoid overflows.

numpatterns is u_int.

CTL_NUM_MODE_PAGES comes from sizeof().
In struct:ctl_scsiio, kern_sg_entries is uint32_t.

MFC after: 2 weeks

46 hours agoMake create_object callback optional and return EOPNOTSUPP when it isn't
ae [Wed, 27 Apr 2016 15:28:25 +0000 (15:28 +0000)]
Make create_object callback optional and return EOPNOTSUPP when it isn't
defined. Remove eaction_create_compat() and use designated initializers to
initialize eaction_opcodes structure.

Obtained from: Yandex LLC

46 hours agogeom: unsign some types to match their definitions and avoid overflows.
pfg [Wed, 27 Apr 2016 15:10:40 +0000 (15:10 +0000)]
geom: unsign some types to match their definitions and avoid overflows.

In struct:gctl_req, nargs is unsigned.

In mirror:
g_mirror_syncreqs is unsigned.

In raid:
in struct:g_raid_volume, v_disks_count is unsigned.

In virstor:
in struct:g_virstor_softc, n_components is unsigned.

MFC after: 2 weeks

2 days agotcp/lro: Fix typo.
sephe [Wed, 27 Apr 2016 09:40:55 +0000 (09:40 +0000)]
tcp/lro: Fix typo.

MFC after: 1 week
Sponsored by: Microsoft OSTC

2 days agoMFV r298691:
delphij [Wed, 27 Apr 2016 07:46:38 +0000 (07:46 +0000)]
MFV r298691:

ntp 4.2.8p7.

Security: CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security: CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security: CVE-2016-2519
Security: FreeBSD-SA-16:16.ntp
With hat: so

2 days agohyperv/hn: Add stat for # of chimney sending tries
sephe [Wed, 27 Apr 2016 06:49:16 +0000 (06:49 +0000)]
hyperv/hn: Add stat for # of chimney sending tries

MFC after: 1 week
Sponsored by: Microsoft OSTC

2 days agohyperv/vmbus: Mark sysctls MPSAFE
sephe [Wed, 27 Apr 2016 05:45:14 +0000 (05:45 +0000)]
hyperv/vmbus: Mark sysctls MPSAFE

MFC after: 1 week
Sponsored by: Microsoft OSTC

2 days agoVendor import of ntp-4.2.8p7.
delphij [Wed, 27 Apr 2016 05:37:54 +0000 (05:37 +0000)]
Vendor import of ntp-4.2.8p7.

2 days agohyperv/hn: Mark sysctls MPSAFE
sephe [Wed, 27 Apr 2016 05:18:04 +0000 (05:18 +0000)]
hyperv/hn: Mark sysctls MPSAFE

MFC after: 1 week
Sponsored by: Microsoft OSTC

2 days agohyperv/hn: Remove unapplied comment.
sephe [Wed, 27 Apr 2016 05:05:54 +0000 (05:05 +0000)]
hyperv/hn: Remove unapplied comment.

Chimney sending buffers are shared across channels.

MFC after: 1 week
Sponsored by: Microsoft OSTC

2 days agohyperv/hn: Restart sending earlier once we gathered some free TX descs
sephe [Wed, 27 Apr 2016 04:51:28 +0000 (04:51 +0000)]
hyperv/hn: Restart sending earlier once we gathered some free TX descs

This greatly reduces the oqdrops under heavy workload.

For TCP send/recv test (10K concurrent connections):
oqdrops is reduced by 17% on sending side, and 57% on receiving side.

For nginx-1.8/wrk-4 1KB object test (10K concurrent connections,
4 requests/connection):
oqdrops is reduced by 44% on nginx side, and 10% on wrk side.

MFC after: 1 week
Sponsored by: Microsoft OSTC

2 days agoFor pointers use NULL instead of 0.
araujo [Wed, 27 Apr 2016 03:06:53 +0000 (03:06 +0000)]
For pointers use NULL instead of 0.

Reviewed by: rpaulo
MFC after: 2 weeks.
Differential Revision:

2 days agoUse MIN() macro from sys/param.h.
araujo [Wed, 27 Apr 2016 02:44:10 +0000 (02:44 +0000)]
Use MIN() macro from sys/param.h.

MFC after: 2 weeks.

2 days agoUse MIN() macro from sys/param.h.
araujo [Wed, 27 Apr 2016 02:34:25 +0000 (02:34 +0000)]
Use MIN() macro from sys/param.h.

MFC after: 2 weeks.

2 days agoUse macro MIN() from sys/param.h.
araujo [Wed, 27 Apr 2016 02:26:31 +0000 (02:26 +0000)]
Use macro MIN() from sys/param.h.

MFC after: 2 weeks.

2 days agoDelay revmoing the last jail reference in prison_proc_free, and instead
jamie [Wed, 27 Apr 2016 02:25:21 +0000 (02:25 +0000)]
Delay revmoing the last jail reference in prison_proc_free, and instead
put it off into the pr_task.  This is similar to prison_free, and in fact
uses the same task even though they do something slightly different.

This resolves a LOR between the process lock and allprison_lock, which
came about in r298565.

PR: 48471

2 days agoUse MIN() macro from sys/param.h.
araujo [Wed, 27 Apr 2016 02:13:57 +0000 (02:13 +0000)]
Use MIN() macro from sys/param.h.

MFC after: 2 weeks.

2 days agoUse macro MIN() from sys/param.h.
araujo [Wed, 27 Apr 2016 02:02:44 +0000 (02:02 +0000)]
Use macro MIN() from sys/param.h.

MFC after: 2 weeks.

2 days agofsck_ffs: Revert partially the unsigned changes.
pfg [Wed, 27 Apr 2016 01:36:25 +0000 (01:36 +0000)]
fsck_ffs: Revert partially the unsigned changes.

Any value of uint16_t will be internally promoted to int so
changing them to an unsigned value doesn't help.

Missing revert value in suj_read().

X-MFC with: r298551

2 days agofsck_ffs: Revert partially the unsigned changes.
pfg [Wed, 27 Apr 2016 01:32:11 +0000 (01:32 +0000)]
fsck_ffs: Revert partially the unsigned changes.

Any value of uint16_t will be internally promoted to int so
changing them to an unsigned value doesn't help.

Make clear we want to use uint32_t for closedisk()

X-MFC with: r298551

2 days agoposix4_mib: Don't overrun facility_initialized array
cem [Wed, 27 Apr 2016 00:10:32 +0000 (00:10 +0000)]
posix4_mib: Don't overrun facility_initialized array

The facility_initialized and facility arrays are the same size and were
intended to be indexed the same.  I believe this mismatch was just a
typo/braino in r208731.

Reported by: Coverity
CID: 1017430
Sponsored by: EMC / Isilon Storage Division

2 days agosubr_mbpool: Don't free bogus pointer in error paths
cem [Tue, 26 Apr 2016 23:58:55 +0000 (23:58 +0000)]
subr_mbpool: Don't free bogus pointer in error paths

An mbpool is allocated with a contiguous array of mbpages.  Freeing an
individual mbpage has never been valid.  Don't do it.

This bug has been present since this code was introduced in r117624 (2003).

Reported by: Coverity
CID: 1009687
Sponsored by: EMC / Isilon Storage Division

2 days agonetipsec: Don't leak memory when deep copy fails
cem [Tue, 26 Apr 2016 23:23:44 +0000 (23:23 +0000)]
netipsec: Don't leak memory when deep copy fails

Reported by: Coverity
CID: 1331693
Sponsored by: EMC / Isilon Storage Division

2 days agoin_lltable_alloc and in6 copy: Don't leak LLE in error path
cem [Tue, 26 Apr 2016 23:13:48 +0000 (23:13 +0000)]
in_lltable_alloc and in6 copy: Don't leak LLE in error path

Fix a memory leak in error conditions introduced in r292978.

Reported by: Coverity
CIDs: 1347009, 1347010
Sponsored by: EMC / Isilon Storage Division

2 days agoRefactor DTS files for Zynq-based SoCs
gonzo [Tue, 26 Apr 2016 23:09:47 +0000 (23:09 +0000)]
Refactor DTS files for Zynq-based SoCs

- Factor out common part to zynq-7000.dtsi
- Fix problem with Zynq interrupts by using interrupt "triples"
    in .dtsi file to differentiate between edge-triggered and
    level-triggered interrupts
- cgem driver now recognizes "status" property

Submitted by: Thomas Skibo <>
Differential Revision:

2 days agotcp_usrreq: Free allocated buffer in relock case
cem [Tue, 26 Apr 2016 23:02:18 +0000 (23:02 +0000)]
tcp_usrreq: Free allocated buffer in relock case

The disgusting macro INP_WLOCK_RECHECK may early-return.  In
tcp_default_ctloutput() the TCP_CCALGOOPT case allocates memory before invoking
this macro, which may leak memory.

Add a _CLEANUP variant that takes a code argument to perform variable cleanup
in the early return path.  Use it to free the 'pbuf' allocated in

I am not especially happy with this macro, but I reckon it's not any worse than
INP_WLOCK_RECHECK already was.

Reported by: Coverity
CID: 1350286
Sponsored by: EMC / Isilon Storage Division

2 days agog_part_bsd64: Delete duplicate/dead code
cem [Tue, 26 Apr 2016 22:32:33 +0000 (22:32 +0000)]
g_part_bsd64: Delete duplicate/dead code

RAW_PART is handled earlier in the loop.

Reported by: Coverity
CID: 1223201
Sponsored by: EMC / Isilon Storage Division

2 days agog_part_bsd64: Check for valid on-disk npartitions value
cem [Tue, 26 Apr 2016 22:30:54 +0000 (22:30 +0000)]
g_part_bsd64: Check for valid on-disk npartitions value

This value is u32 on disk, but assigned to an int in memory.  After we do the
implicit conversion via assignment, check that the result is at least one[1]

1. The subsequent for-loop iterates from gpt_entries minus one, down, until
   reaching zero.  A negative or zero initial index results in undefined signed
   integer overflow.
2. It is also used to index into arrays later.

In practice, we expected non-malicious disks to contain small positive values.

Reported by: Coverity
CID: 1223202
Sponsored by: EMC / Isilon Storage Division

2 days agociss(4): Fix overrun of array
cem [Tue, 26 Apr 2016 22:01:07 +0000 (22:01 +0000)]
ciss(4): Fix overrun of array

The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members.
Most of the time it is iterated correctly.  This patch fixes the two instances
where the driver iterated off the end of the array.

Reported by: Coverity
CID: 1305492
Sponsored by: EMC / Isilon Storage Division

2 days agoiscsi_initiator(4): Fix use-after-free, double-free
cem [Tue, 26 Apr 2016 21:44:08 +0000 (21:44 +0000)]
iscsi_initiator(4): Fix use-after-free, double-free

ism_stop() already destroys and frees 'sp', including a call to ic_destroy().
Don't dereference 'sp' after ism_stop() and don't invoke ic_destroy() on the
freed memory either.

Reported by: Coverity
CIDs: 1006109, 1304861
Sponsored by: EMC / Isilon Storage Division

2 days agoUse crcopysafe in jail_attach.
jamie [Tue, 26 Apr 2016 21:19:12 +0000 (21:19 +0000)]
Use crcopysafe in jail_attach.

2 days agoAdd dtb/zynq to the list of extra modules required by Zedboard
gonzo [Tue, 26 Apr 2016 21:11:52 +0000 (21:11 +0000)]
Add dtb/zynq to the list of extra modules required by Zedboard

2 days agoAdd dtb/zynq to generate dtb files for Zynq-based boards
gonzo [Tue, 26 Apr 2016 21:11:01 +0000 (21:11 +0000)]
Add dtb/zynq to generate dtb files for Zynq-based boards

It seems that the only way to supply dtb to loader on Zynq-based
SoCs is to manually generate dtb and place it to pre-defined location
on SD card or TFTP server where loader can pick it up.  More modern
approach is to add modules/dtb/%soc% module and let installworld
target generate dtb and copy them to /boot/dtb/ where they can be
loaded by ubldr

2 days agoaacraid(4): Fix some mostly trivial buffer overruns
cem [Tue, 26 Apr 2016 20:59:21 +0000 (20:59 +0000)]
aacraid(4): Fix some mostly trivial buffer overruns

strcpy(3) emits a trailing nul byte, trampling fields after the intended
destination.  Instead, use strncpy(3), intentionally leaving these fields
not nul-terminated.

Reported by: Coverity
CIDs: 1031024, 1305463, 1305494, 1305545
Sponsored by: EMC / Isilon Storage Division

2 days agomsdosfs: Prevent buffer overflow when expanding win95 names
kp [Tue, 26 Apr 2016 20:36:32 +0000 (20:36 +0000)]
msdosfs: Prevent buffer overflow when expanding win95 names

In win2unixfn() we expand Windows 95 style long names. In some cases that
requires moving the data in the nbp->nb_buf buffer backwards to make room. That
code failed to check for overflows, leading to a stack overflow in win2unixfn().

We now check for this event, and mark the entire conversion as failed in that
case. This means we present the 8 character, dos style, name instead.

PR: 204643
Differential Revision:

2 days agoradix_mpath: Don't derefence a NULL pointer in for loop iteration
cem [Tue, 26 Apr 2016 20:27:17 +0000 (20:27 +0000)]
radix_mpath: Don't derefence a NULL pointer in for loop iteration

It seems rn_dupedkey may be NULL, because of the NULL check inside the loop.
(Also, the rt gets assigned from rn_dupedkey and NULL checked at top of loop.)
However, the for-loop update condition happens before the top-of-loop check and
dereferences 'rt' unconditionally.

Instead, NULL-check before dereferencing.

If rn_dupedkey cannot in fact be NULL, or something else protects this, feel
free to revert this and add an ASSERT of some kind instead.

This was introduced in r191080 (2009) and moved around slightly in r293657.

Reported by: Coverity
CID: 1348482
Sponsored by: EMC / Isilon Storage Division

2 days agoPCI Enhanced Allocation: Annotate an intentional switch fallthrough
cem [Tue, 26 Apr 2016 20:06:35 +0000 (20:06 +0000)]
PCI Enhanced Allocation: Annotate an intentional switch fallthrough

This is a trivial follow-up to r296308.  Annotate the intentional fallthrough
to make it clear for future readers and linters.

Reported by: Coverity
CID: 1352716
Discussed with: jhb
Sponsored by: EMC / Isilon Storage Division

2 days agoosd(9): Change array pointer to array pointer type from void*
cem [Tue, 26 Apr 2016 19:57:35 +0000 (19:57 +0000)]
osd(9): Change array pointer to array pointer type from void*

This is a minor follow-up to r297422, prompted by a Coverity warning.  (It's
not a real defect, just a code smell.)  OSD slot array reservations are an
array of pointers (void **) but were cast to void* and back unnecessarily.
Keep the correct type from reservation to use.

osd.9 is updated to match, along with a few trivial igor fixes.

Reported by: Coverity
CID: 1353811
Sponsored by: EMC / Isilon Storage Division

2 days agoFix up r298368
ngie [Tue, 26 Apr 2016 19:21:35 +0000 (19:21 +0000)]
Fix up r298368

Remove the semicolon accidentally added after the new conditional that tests
that /dev/zero is opened successfully.

MFC after: 1 week
X-MFC with: r298368
Pointhat to: ngie
Reported by: Coverity
CID: 1354980
Sponsored by: EMC / Isilon Storage Division

2 days agoiwm(4): Don't dereference potentially NULL pointer before NULL check
cem [Tue, 26 Apr 2016 19:06:28 +0000 (19:06 +0000)]
iwm(4): Don't dereference potentially NULL pointer before NULL check

Introduced in r298594.  There is no path before the 'vap == NULL' check where
vap is not already dereferenced.

Reported by: Coverity
CID: 1354979
Sponsored by: EMC / Isilon Storage Division

2 days agoRemove redundant word.
bhd [Tue, 26 Apr 2016 18:54:44 +0000 (18:54 +0000)]
Remove redundant word.

Reviewed by:  bjk, bcr
Differential Revision:

2 days agoemu10kx: Don't iterate beyond array bounds
cem [Tue, 26 Apr 2016 18:20:41 +0000 (18:20 +0000)]
emu10kx: Don't iterate beyond array bounds

Reported by: Coverity
CID: 1354978
Sponsored by: EMC / Isilon Storage Division

2 days agoRedo the changes to the SYSV IPC sysctl functions from r298585, so they
jamie [Tue, 26 Apr 2016 18:17:44 +0000 (18:17 +0000)]
Redo the changes to the SYSV IPC sysctl functions from r298585, so they
don't (mis)use sbufs.

PR: 48471

2 days agokgssapi: Don't leak memory in error cases
cem [Tue, 26 Apr 2016 18:11:45 +0000 (18:11 +0000)]
kgssapi: Don't leak memory in error cases

Reported by: Coverity
CIDs: 1007046, 1007047, 1007048
Sponsored by: EMC / Isilon Storage Division

2 days agoWITH_META_MODE: Allow buildkernel to create .meta files with curdir==objdir.
bdrewery [Tue, 26 Apr 2016 18:08:51 +0000 (18:08 +0000)]
WITH_META_MODE: Allow buildkernel to create .meta files with curdir==objdir.

Without this the incremental build was broken since .depend.* are not
generated with .MAKE.MODE=meta and .meta files were not created to
track dependencies.  Typically meta mode does not create .meta files
when building with curdir==objdir but the kernel build is special.

Reported by: Nikolai Lifanov <>
Sponsored by: EMC / Isilon Storage Division

2 days ago[mips] correctly represent memory region allocations >> 2^^31
adrian [Tue, 26 Apr 2016 16:40:04 +0000 (16:40 +0000)]
[mips] correctly represent memory region allocations >> 2^^31

Without this, it'd get promoted incorrectly and fail allocation.

Submitted by: Mori Hiroki <>
Reviewed by: imp

2 days agoFix the parameter type according to method declaration.
br [Tue, 26 Apr 2016 16:02:13 +0000 (16:02 +0000)]
Fix the parameter type according to method declaration.
This fixes compilation on riscv with GCC 5.2.0

2 days agoBuild fix. Add howmany() and nitems() macros to bootloader kernel shim.
hselasky [Tue, 26 Apr 2016 15:41:31 +0000 (15:41 +0000)]
Build fix. Add howmany() and nitems() macros to bootloader kernel shim.

2 days agosys: extend use of the howmany() macro when available.
pfg [Tue, 26 Apr 2016 15:38:17 +0000 (15:38 +0000)]
sys: extend use of the howmany() macro when available.

We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.

2 days agoMark the unused period argument __unused.
bz [Tue, 26 Apr 2016 15:34:00 +0000 (15:34 +0000)]
Mark the unused period argument __unused.

Reviewed by: andrew
MFC after: 2 weeks
Sponsored by: DARPA/AFRL

2 days agoAdd function needed for linking USB test application.
hselasky [Tue, 26 Apr 2016 15:33:53 +0000 (15:33 +0000)]
Add function needed for linking USB test application.