Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
* freebsd/12-stable/master:
  MFC r341402: Fix off-by-one (page) errors in checks in d_mmap methods of several drivers.
  MFC r341400: Add a comment noting that the additional range checks are not needed.
  MFC r341399: Fix off by one in hpet_mmap() csw method.
  MFC r341398: Change the vm_ooffset_t type to unsigned.
  MFC r341746: Fix PAE boot.
  MFC r341768,r341795: ping(8): remove needless comparison with LONG_MAX after unsigned long ultmp changed to long ltmp in r340245.
opntr-auto committed Dec 16, 2018
2 parents 4994bcd + d63ba97 commit c03f7dc
Showing 14 changed files with 40 additions and 26 deletions.
2 changes: 1 addition & 1 deletion sbin/ping/ping.c
@@ -313,7 +313,7 @@ main(int argc, char *const *argv)
break;
case 'c':
ltmp = strtol(optarg, &ep, 0);
if (*ep || ep == optarg || ltmp > LONG_MAX || ltmp <=0)
if (*ep || ep == optarg || ltmp <= 0)
errx(EX_USAGE,
"invalid count of packets to transmit: `%s'",
optarg);
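Review bot: The `-c` check in main() still ignores errno, so a count too large for a long makes strtol() return LONG_MAX with ERANGE and is accepted as valid instead of being rejected. Dropping the always-false `ltmp > LONG_MAX` term is correct, but the overflow case it appears to have been aimed at needs `errno = 0;` before the call and a condition of `if (*ep || ep == optarg || errno == ERANGE || ltmp <= 0)`, assuming <errno.h> is already included. The rest of the option switch is outside the hunk, so other numeric options may need the same treatment.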
2 changes: 1 addition & 1 deletion sys/arm/ti/ti_pruss.c
@@ -704,7 +704,7 @@ ti_pruss_mmap(struct cdev *cdev, vm_ooffset_t offset, vm_paddr_t *paddr,
device_t dev = cdev->si_drv1;
struct ti_pruss_softc *sc = device_get_softc(dev);

if (offset > rman_get_size(sc->sc_mem_res))
if (offset >= rman_get_size(sc->sc_mem_res))
return (ENOSPC);
*paddr = rman_get_start(sc->sc_mem_res) + offset;
*memattr = VM_MEMATTR_UNCACHEABLE;
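Review bot: The corrected bound in ti_pruss_mmap() only proves that the first byte at `offset` lies inside the resource, whereas the address written to `*paddr` is presumably mapped as a whole page. If the resource size is not a multiple of PAGE_SIZE, the last accepted offset would expose memory past its end; altera_avgen_mmap() and the terasic_mtl mmap methods in this commit test the full page with `rman_get_size(...) >= offset + PAGE_SIZE`. Either use that form here or add a comment such as `/* sc_mem_res is a whole number of pages, so a start-only check suffices. */` if that is guaranteed. hpet_mmap() in sys/dev/acpica/acpi_hpet.c uses the same start-only check; if mapping a page around a smaller register window is intended there, a comment should say so.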
2 changes: 1 addition & 1 deletion sys/dev/acpica/acpi_hpet.c
@@ -396,7 +396,7 @@ hpet_mmap(struct cdev *cdev, vm_ooffset_t offset, vm_paddr_t *paddr,
struct hpet_softc *sc;

sc = cdev->si_drv1;
if (offset > rman_get_size(sc->mem_res))
if (offset >= rman_get_size(sc->mem_res))
return (EINVAL);
if (!sc->mmap_allow_write && (nprot & PROT_WRITE))
return (EPERM);
1 change: 1 addition & 0 deletions sys/dev/altera/avgen/altera_avgen.c
@@ -229,6 +229,7 @@ altera_avgen_mmap(struct cdev *dev, vm_ooffset_t offset, vm_paddr_t *paddr,
return (EACCES);
}
if (trunc_page(offset) == offset &&
offset + PAGE_SIZE > offset &&
rman_get_size(sc->avg_res) >= offset + PAGE_SIZE) {
*paddr = rman_get_start(sc->avg_res) + offset;
*memattr = VM_MEMATTR_UNCACHEABLE;
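Review bot: The `offset + PAGE_SIZE > offset` term in altera_avgen_mmap() is a wrap check that is only well defined because vm_ooffset_t is unsigned, as sys/sys/types.h in this same commit declares it; with a signed type the overflow would be undefined and the test could be optimised away. A one-line comment above the condition would keep that dependency visible, for example `/* vm_ooffset_t is unsigned: reject offsets where offset + PAGE_SIZE wraps. */`. The same uncommented term appears in terasic_mtl_reg_mmap() and terasic_mtl_text_mmap().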
5 changes: 4 additions & 1 deletion sys/dev/sound/pcm/dsp.c
@@ -2200,7 +2200,10 @@ dsp_mmap(struct cdev *i_dev, vm_ooffset_t offset, vm_paddr_t *paddr,
int nprot, vm_memattr_t *memattr)
{

/* XXX memattr is not honored */
/*
* offset is in range due to checks in dsp_mmap_single().
* XXX memattr is not honored.
*/
*paddr = vtophys(offset);
return (0);
}
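Review bot: The comment in dsp_mmap() asserts that offset is in range, yet the function passes it straight to `vtophys(offset)` with nothing local enforcing that, so its safety rests entirely on dsp_mmap_single(), which is outside this hunk. The comment would be more useful if it named the invariant, e.g. `* offset is used as an address here and must already have been validated by dsp_mmap_single();`, so that a future caller reaching this method by another path is recognised as a bug. If the buffer bounds are reachable from i_dev, an assertion on them in dsp_mmap() would turn the comment into a checked property.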
1 change: 1 addition & 0 deletions sys/dev/terasic/mtl/terasic_mtl_reg.c
@@ -132,6 +132,7 @@ terasic_mtl_reg_mmap(struct cdev *dev, vm_ooffset_t offset, vm_paddr_t *paddr,
sc = dev->si_drv1;
error = 0;
if (trunc_page(offset) == offset &&
offset + PAGE_SIZE > offset &&
rman_get_size(sc->mtl_reg_res) >= offset + PAGE_SIZE) {
*paddr = rman_get_start(sc->mtl_reg_res) + offset;
*memattr = VM_MEMATTR_UNCACHEABLE;
1 change: 1 addition & 0 deletions sys/dev/terasic/mtl/terasic_mtl_text.c
@@ -131,6 +131,7 @@ terasic_mtl_text_mmap(struct cdev *dev, vm_ooffset_t offset,
sc = dev->si_drv1;
error = 0;
if (trunc_page(offset) == offset &&
offset + PAGE_SIZE > offset &&
rman_get_size(sc->mtl_text_res) >= offset + PAGE_SIZE) {
*paddr = rman_get_start(sc->mtl_text_res) + offset;
*memattr = VM_MEMATTR_UNCACHEABLE;
8 changes: 4 additions & 4 deletions sys/dev/xen/gntdev/gntdev.c
@@ -814,8 +814,8 @@ gntdev_gmap_pg_fault(vm_object_t object, vm_ooffset_t offset, int prot,

relative_offset = offset - gmap->file_index;

pidx = UOFF_TO_IDX(offset);
ridx = UOFF_TO_IDX(relative_offset);
pidx = OFF_TO_IDX(offset);
ridx = OFF_TO_IDX(relative_offset);
if (ridx >= gmap->count ||
gmap->grant_map_ops[ridx].status != GNTST_okay)
return (VM_PAGER_FAIL);
@@ -1085,7 +1085,7 @@ mmap_gref(struct per_user_data *priv_user, struct gntdev_gref *gref_start,
break;

vm_page_insert(gref->page, mem_obj,
UOFF_TO_IDX(gref->file_index));
OFF_TO_IDX(gref->file_index));

count--;
}
@@ -1225,7 +1225,7 @@ gntdev_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size,
if (error != 0)
return (EINVAL);

count = UOFF_TO_IDX(size);
count = OFF_TO_IDX(size);

gref_start = gntdev_find_grefs(priv_user, *offset, count);
if (gref_start) {
14 changes: 14 additions & 0 deletions sys/i386/i386/mpboot.s
@@ -99,6 +99,20 @@ NON_GPROF_ENTRY(MPentry)
movl %cr4, %eax
orl $CR4_PAE, %eax
movl %eax, %cr4
movl $0x80000000, %eax
cpuid
movl $0x80000001, %ebx
cmpl %ebx, %eax
jb 1f
movl %ebx, %eax
cpuid
testl $AMDID_NX, %edx
je 1f
movl $MSR_EFER, %ecx
rdmsr
orl $EFER_NXE,%eax
wrmsr
1:
#else
movl IdlePTD, %eax
movl %eax,%cr3
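Review bot: The instructions added to MPentry after CR4_PAE is set carry no comment, although they establish security-relevant per-CPU state: they probe CPUID leaf 0x80000001 for AMDID_NX and, if it is present, set EFER_NXE through MSR_EFER. A short block comment above `movl $0x80000000, %eax` would help, e.g. `/* Enable no-execute (EFER.NXE) on this CPU when CPUID reports it; otherwise skip to 1:. */`. It should also say why this has to happen at this point in the PAE path, which the hunk alone does not show since the rest of MPentry is outside it.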
2 changes: 1 addition & 1 deletion sys/sys/types.h
@@ -261,7 +261,7 @@ typedef __uint64_t kvaddr_t;
typedef __uint64_t ksize_t;

typedef __vm_offset_t vm_offset_t;
typedef __int64_t vm_ooffset_t;
typedef __uint64_t vm_ooffset_t;
typedef __vm_paddr_t vm_paddr_t;
typedef __uint64_t vm_pindex_t;
typedef __vm_size_t vm_size_t;
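Review bot: Declaring vm_ooffset_t as `__uint64_t` silently changes every existing comparison on it: tests such as `offset < 0` become always false and mixed signed/unsigned comparisons convert the signed operand, none of which shows up in this one-line hunk. The typedef deserves a comment recording the contract, for example `/* Unsigned: object offsets are never negative; callers must check for wrap explicitly. */`. Because this arrives through a merge, it is also worth confirming that branch-local code using vm_ooffset_t was audited for sign assumptions; that cannot be judged from this page.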
6 changes: 3 additions & 3 deletions sys/vm/device_pager.c
@@ -150,9 +150,9 @@ cdev_pager_allocate(void *handle, enum obj_type tp, struct cdev_pager_ops *ops,
* of the page size. Do a check to avoid wrap.
*/
size = round_page(size);
pindex = UOFF_TO_IDX(foff) + UOFF_TO_IDX(size);
if (pindex > OBJ_MAX_SIZE || pindex < UOFF_TO_IDX(foff) ||
pindex < UOFF_TO_IDX(size))
pindex = OFF_TO_IDX(foff) + OFF_TO_IDX(size);
if (pindex > OBJ_MAX_SIZE || pindex < OFF_TO_IDX(foff) ||
pindex < OFF_TO_IDX(size))
return (NULL);

if (ops->cdev_pg_ctor(handle, size, prot, foff, cred, &color) != 0)
6 changes: 3 additions & 3 deletions sys/vm/sg_pager.c
@@ -100,9 +100,9 @@ sg_pager_alloc(void *handle, vm_ooffset_t size, vm_prot_t prot,
* to map beyond that.
*/
size = round_page(size);
pindex = UOFF_TO_IDX(foff) + UOFF_TO_IDX(size);
if (pindex > npages || pindex < UOFF_TO_IDX(foff) ||
pindex < UOFF_TO_IDX(size))
pindex = OFF_TO_IDX(foff) + OFF_TO_IDX(size);
if (pindex > npages || pindex < OFF_TO_IDX(foff) ||
pindex < OFF_TO_IDX(size))
return (NULL);

/*
4 changes: 2 additions & 2 deletions sys/vm/vm_map.c
@@ -4286,7 +4286,7 @@ vm_map_lookup(vm_map_t *var_map, /* IN/OUT */
* Return the object/offset from this entry. If the entry was
* copy-on-write or empty, it has been fixed up.
*/
*pindex = UOFF_TO_IDX((vaddr - entry->start) + entry->offset);
*pindex = OFF_TO_IDX((vaddr - entry->start) + entry->offset);
*object = entry->object.vm_object;

*out_prot = prot;
@@ -4367,7 +4367,7 @@ vm_map_lookup_locked(vm_map_t *var_map, /* IN/OUT */
* Return the object/offset from this entry. If the entry was
* copy-on-write or empty, it has been fixed up.
*/
*pindex = UOFF_TO_IDX((vaddr - entry->start) + entry->offset);
*pindex = OFF_TO_IDX((vaddr - entry->start) + entry->offset);
*object = entry->object.vm_object;

*out_prot = prot;
12 changes: 3 additions & 9 deletions sys/vm/vm_object.h
@@ -196,20 +196,14 @@ struct vm_object {
/*
* Helpers to perform conversion between vm_object page indexes and offsets.
* IDX_TO_OFF() converts an index into an offset.
* OFF_TO_IDX() converts an offset into an index. Since offsets are signed
* by default, the sign propagation in OFF_TO_IDX(), when applied to
* negative offsets, is intentional and returns a vm_object page index
* that cannot be created by a userspace mapping.
* UOFF_TO_IDX() treats the offset as an unsigned value and converts it
* into an index accordingly. Use it only when the full range of offset
* values are allowed. Currently, this only applies to device mappings.
* OFF_TO_IDX() converts an offset into an index.
* OBJ_MAX_SIZE specifies the maximum page index corresponding to the
* maximum unsigned offset.
*/
#define IDX_TO_OFF(idx) (((vm_ooffset_t)(idx)) << PAGE_SHIFT)
#define OFF_TO_IDX(off) ((vm_pindex_t)(((vm_ooffset_t)(off)) >> PAGE_SHIFT))
#define UOFF_TO_IDX(off) (((vm_pindex_t)(off)) >> PAGE_SHIFT)
#define OBJ_MAX_SIZE (UOFF_TO_IDX(UINT64_MAX) + 1)
#define UOFF_TO_IDX(off) OFF_TO_IDX(off)
#define OBJ_MAX_SIZE (OFF_TO_IDX(UINT64_MAX) + 1)

#ifdef _KERNEL

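Review bot: The shortened helper comment no longer mentions UOFF_TO_IDX() even though the macro survives as `#define UOFF_TO_IDX(off) OFF_TO_IDX(off)`, and nothing records that OFF_TO_IDX() now relies on vm_ooffset_t being unsigned to avoid sign propagation in the shift. I would add one line to the comment, e.g. `* UOFF_TO_IDX() is a compatibility alias for OFF_TO_IDX(); offsets are unsigned.`. That keeps readers from assuming the two macros still differ and ties the macro's correctness to the typedef it depends on.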
