Enable XON/XOFF flowcontrol in SLIP layer depending on config response.
Send an acknowlegment packet on timeout/retry.
Compute tx{ack,seq} and rx{ack,seq} according to the specification.
For hwvc, audio_calc_blksize() appears soon again.
For user vc, the userland format and HW format are separeted, so
audio_calc_blksize() here is no longer necessary. In addition,
vc->sc_mpr.blksize is already initialized in audio_open().
mitigation against similar bugs.
The operations on segment registers can generate a page fault if there is
an issue when touching the in-memory gdt. Theoretically, it is never
supposed to happen, since the gdt is mapped correctly. However, in the
kernel we allow the gdt to be resized, and to do that, we allocate the
maximum amount of va needed by it, but only kenter a few pages until we
need more. Moreover, to avoid reloading the gdt each time we grow it, the
'size' field of gdtr is set to the maximum value. All of this means that
if a mov or iretq is done with a segment register whose index hits a page
that has not been kentered, a page fault is sent.
Such a page fault, if received in kernel mode, does not trigger a swapgs
on amd64; in other words, the kernel would be re-entered with the userland
tls.
And there just happens to be a place in compat_linux32 where the index of
%cs is controlled by userland, making it easy to trigger the page fault
and get kernel privileges.
The mitigation simply consists in abandoning the gdt_grow mechanism and
allocating/kentering the maximum size right away, in such a way that no
page fault can be triggered because of segment registers.
- But does not revert to trigger method. trigger method is not suitable for
x68k ADPCM+DMA mechanism.
- Don't (re)start ADPCM when DMA is running. This solves the noise.
From Y.Sugahara.
- Cache dmac xfer.
as appropriate.
PR/52102 shark: ffs_newvnode panic when unpacking sets installing -current
Thanks to Felix Deichmann for bisecting the problem and testing the fix.
PROT_MPROTECT(), or if the test is built without _NETBSD_SOURCE defined,
by providing a dummy #define if the real one does not exist. The test
might then fail, if the PROT_MPROTECT() is really needed, but that's
better than not building.
PROT_MAXPROTECT or PROT_ALLOWPROTECT or something) on the mmap() call
which specifies PROT_NONE, and which we later want to change to PROT_READ,
otherwise when PAX is enabled, the mprotect() will fail.
PR/51518: Jay West: prompt is interleaved with client output
Both these issues are caused by rl_restore_handler not DTRT; fix
it so that it kills the internal libedit state completely. This is
inefficient, but it works.
Also fix:
1. add append_history()/H_NSAVE_FP
2. call the rl_startup_hook before printing the first prompt as documented.
callint it from rl_initialize breaks python, because the callback ends
up being invoked before the readline module is installed, and we end up
dereferencing a NULL pointer.
3. add el_resize_terminal.
With those changes, s/lreadline/ledit/g in python works.
which garbles the display.
The scroll region is set for a terminfo scroll operation and then
reset to the current window size. While xterm lets you clear a
scroll region, there is no way to do this in terminfo except by
resetting the terminal which has a visual side effect.
Xterm actually clears the scroll region as part of the resize but
that happens before a program gets the SIGWINCH signal. When nvi sees
the SIGWINCH signal, it exits the vi mode using a scroll operation to
tidy up the display before it reenters vi mode with the new window size.
This patch does two things:
- make nvi also invoke a previous SIGWINCH handler (not sufficient,
but that's how curses wants it).
- skip the tidy up in case of a restart (avoids the scroll region)
- Don't print FADT_RESET_REG if FADT version is 1.
- Print FADT ArmBootFlags, MinorRevision, SleepControl, SleepStatus and
HypervisorId.
- Print "{}" even if any flags aren't set.
sysretq faults. Right now we try to make sure that %rip is canonical by
performing sanity checks in several places, but I've already found missing
checks two times already, and there may be others.
By performing an additional swapgs here, we are turning ring0 exploits to
simple DoSes - which are still security bugs, but of a lower impact.
all the same values (except for the filename) just ignore it. Otherwise
report the duplicate-entry error.
This allows the user to create a signature file with veriexegen(8) and
not worry about duplicate entries (due to hard-linked files) which will
otherwise cause /etc/rc.d/veriexec to report an error.
Fixes PR kern/52512
XXX Pull-up for -8
