On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and
copyinstr() which ensures the userland source does

On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and
copyinstr() which ensures the userland source doesn't overlap the main program
text, ld.so text, signal tramp text (it's mapping is hard to distinguish
so it comes along for the ride), or libc.so text. ld.so tells the kernel
libc.so text range with msyscall(2). The range checking for 2-4 elements is
done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been
discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:
userland kernel
ld.so readable unreadable
mmap xz unreadable unreadable
mmap x readable readable
mmap nrx readable readable
mmap nwx readable readable
mmap xnwx readable readable
main readable unreadable
libc unmapped? readable unreadable
libc mapped readable unreadable

ok kettenis, additional help from miod

show more ...

remove unneeded includes in sys/kern
ok mpi@ miod@

In hash{free,init}(), there's no need to calculate the size of the hash table if
the given number of elements already is a power of 2.

ok visa@, "seems like a good plan" deraadt@

Convert most of the manual checks for CPU hogging to sched_pause().

The distinction between preempt() and yield() stays as it is usueful
to know if a thread decided to yield by itself or if the kern

Convert most of the manual checks for CPU hogging to sched_pause().

The distinction between preempt() and yield() stays as it is usueful
to know if a thread decided to yield by itself or if the kernel told
him to go away.

ok tedu@, guenther@

show more ...

introduce hashfree() function to free hash tables, with sizes.
ok guenther

Remove now unused legacy uiomovei() function.

All its callers got reviewed and converted to
use uiomove() properly.

ok deraadt@

Make sure uiomove does not copy more than uio_resid bytes, as the manual
says. Move code belonging to diagnostics in the #ifdef DIAGNOSTIC part
and add a KASSERT that makes sure that we do not run be

Make sure uiomove does not copy more than uio_resid bytes, as the manual
says. Move code belonging to diagnostics in the #ifdef DIAGNOSTIC part
and add a KASSERT that makes sure that we do not run beyond uio_iov.
Diff from Martin Natano.

show more ...

Replace mountroothook_establish(9) by config_mountroot(9) a narrower API
similar to config_defer(9).

ok mikeb@, deraadt@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

First step towards making uiomove() take a size_t size argument:
- rename uiomove() to uiomovei() and update all its users.
- introduce uiomove(), which is similar to uiomovei() but with a size_t.
-

First step towards making uiomove() take a size_t size argument:
- rename uiomove() to uiomovei() and update all its users.
- introduce uiomove(), which is similar to uiomovei() but with a size_t.
- rewrite uiomovei() as an uiomove() wrapper.
ok kettenis@

show more ...

retire shutdown hooks; ok deraadt, krw

add a few sizes to free

trim some casts

use mallocarray where arguments are multipled. ok deraadt

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

When hooks are called, allow them to disestablish themselves by using
the safe version to traverse the TAILQ list.

ok deraadt@

Correct the handling of I/O of >=2^32 bytes and the ktracing there of
by using size_t/ssize_t instead of int/u_int to handle I/O lengths in
uiomove(), vn_fsizechk(), and ktrgenio(). Eliminate the al

Correct the handling of I/O of >=2^32 bytes and the ktracing there of
by using size_t/ssize_t instead of int/u_int to handle I/O lengths in
uiomove(), vn_fsizechk(), and ktrgenio(). Eliminate the always-zero
'error' argument to ktrgenio() at the same time.

show more ...

Switch time_t, ino_t, clock_t, and struct kevent's ident and data
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything

Switch time_t, ino_t, clock_t, and struct kevent's ident and data
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything
with time_t, timeval, itimerval, timespec, rusage, dirent, stat,
or kevent arguments. Add a d_off member to struct dirent and replace
getdirentries() with getdents(), thus immensely simplifying and
accelerating telldir/seekdir. Build perl with -DBIG_TIME.

Bump the major on every single base library: the compat bits included
here are only good enough to make the transition; the T32 compat
option will be burned as soon as we've reached the new world are
are happy with the snapshots for all architectures.

DANGER: ABI incompatibility. Updating to this kernel requires extra
work or you won't be able to login: install a snapshot instead.

Much assistance in fixing userland issues from deraadt@ and tedu@
and build assistance from todd@ and otto@

show more ...

remove the powerhook code. All architectures now use the ca_activate tree
traversal code to suspend/resume
ok oga kettenis blambert

All PWR_{SUSPEND,RESUME} can now be replaced by DVACT_{SUSPEND,RESUME}

Remove silly panic when disestablish cookie doesnt exist

ok art

The world of __HAVEs and __HAVE_NOTs is reducing. All architectures
have cpu_info now, so kill the option.

eyeballed by jsg@ and grange@

ansi/deregister.
'go for it' deraadt@

mountroothooks are called after the root filesystem is mounted.

debranch SMP, have fun