use sysmon_envsys sleep waiting at "rndsrc" when "drvctl -d".
Don't call rnd_detach_source() in sme_remove_event() which is called
from sme_event_unregister_all(). Instead, call rnd_detach_source() in
sysmon_envsys_sensor_detach() and call sysmon_envsys_sensor_detach()
before sme_event_unregister_sensor(). Each sensor (envsys_data) has its own
rnd_src, but some sme_events point to the same rnd_src in a sensor.
Calling rnd_detach_source() twice with the same rnd_src breaks a reference
count in rnd_src. OK'd by pgoyette@.
- use i2c addresses with the direction bit shifted out in iic_exec and when
attaching drivers so things attaching to iic* have a chance of working
- add an empty i2c-devices prop_array_t to keep drivers we don't want from
attaching to iic*
- printf -> DPRINTF / aprint_*
- use mapiodev() for now to make this work on G5
all of sub entries in HEST correctly.
- Print a SpaceID number for unknown ID in acpi_print_gas().
- Use PRINTFLAG() in acpi_print_hest_notify().
- Use %u instead of %d for unsigned values in acpi_print_hest_generic().
Enable XON/XOFF flowcontrol in SLIP layer depending on config response.
Send an acknowledgment packet on timeout/retry.
Compute tx{ack,seq} and rx{ack,seq} according to the specification.
For hwvc, audio_calc_blksize() appears soon again.
For user vc, the userland format and HW format are separated, so
audio_calc_blksize() here is no longer necessary. In addition,
vc->sc_mpr.blksize is already initialized in audio_open().
mitigation against similar bugs.
The operations on segment registers can generate a page fault if there is
an issue when touching the in-memory gdt. Theoretically, it is never
supposed to happen, since the gdt is mapped correctly. However, in the
kernel we allow the gdt to be resized, and to do that, we allocate the
maximum amount of va needed by it, but only kenter a few pages until we
need more. Moreover, to avoid reloading the gdt each time we grow it, the
'size' field of gdtr is set to the maximum value. All of this means that
if a mov or iretq is done with a segment register whose index hits a page
that has not been kentered, a page fault is sent.
Such a page fault, if received in kernel mode, does not trigger a swapgs
on amd64; in other words, the kernel would be re-entered with the userland
tls.
And there just happens to be a place in compat_linux32 where the index of
%cs is controlled by userland, making it easy to trigger the page fault
and get kernel privileges.
The mitigation simply consists in abandoning the gdt_grow mechanism and
allocating/kentering the maximum size right away, in such a way that no
page fault can be triggered because of segment registers.
- But does not revert to the trigger method. The trigger method is not suitable for
the x68k ADPCM+DMA mechanism.
- Don't (re)start ADPCM when DMA is running. This solves the noise.
From Y.Sugahara.
- Cache dmac xfer.
as appropriate.
PR/52102 shark: ffs_newvnode panic when unpacking sets installing -current
Thanks to Felix Deichmann for bisecting the problem and testing the fix.