AH must be considered as the payload, otherwise a
block all
pass in proto ah from any
pass out proto ah from any
configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.
In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.
Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.
faults occuring when reloading %es/%ds/%fs/%gs, but it did not fix faults
occuring when executing 'iretq', because before iretq we needed to do +16
in %rsp, and the resulting stack layout was not the one kernuser_reenter()
expected (tf_trapno and tf_err were not there).
So now: pop tf_trapno and tf_err right away in intrfastexit(), and update
the layout in kernuser_reenter() accordingly. The resulting code is
actually simpler.
Tested by "hardcoding" an iretq fault; the process correctly receives a
SIGSEGV.
(Note that segment register faults do not happen in the wild, you really
need to try hard to trigger one.)
needed anyway. Initially I had added it so that if such a fault was
received the kernel would panic "cleanly" instead of crashing in a
potentially undefined way.
I'll re-add this handler later.
AcpiOsInstallInterruptHandler(), part of ACPICA API, doesn't allow passing
the xname. I extend the API with AcpiOsInstallInterruptHandler_xname()
for this purpose, and change acpi_md_OsInstallInterruptHandler() to
accept and use the xname (ia64 doens't use it).
The xname was hardcoded to "acpi SCI" in the
x86 acpi_md_OsInstallInterruptHandler(), so I make
AcpiOsInstallInterruptHandler() call
AcpiOsInstallInterruptHandler_xname with xname = "acpi SCI".
Now 'vmstat -i' shows the device's name instead of "acpi SCI" for for i2c HID
interrupts.
Proposed on tech-kern@ on Dec 29.
adapter->link_active is updated by ixv_update_link_status() only.
The function is called from the following two functions.
- ixv_media_status()
- ixv_handle_link()
ixv_media_status() calls ixv_update_link_status() with holding
IXGBE_CORE_LOCK, however ixv_handle_link() calls it without
holding IXGBE_CORE_LOCK, the same as ixg(4).
ok by msaitoh@n.o.
adapter->link_active is updated by ixgbe_update_link_status() only.
The function is called from the following four functions.
- ixgbe_media_status()
- ixgbe_local_timer1()
- ixgbe_stop()
- ixgbe_handle_link()
The functions other than ixgbe_handle_link() call ixgbe_update_link_status()
with holding IXGBE_CORE_LOCK, however ixgbe_handle_link() calls it without
holding IXGBE_CORE_LOCK. That can cause race. So, add IXGBE_CORE_LOCK to
ixgbe_handle_link().
Tested by msaitoh@n.o and me.
Add soroverflow() which increments the overflow counter, sets so_error
to ENOBUFS and wakes the receive socket up.
Replace all code that manually increments this counter with soroverflow().
Add soroverflow() to raw_input().
This allows userland to detect route(4) overflows so it can re-sync
with the current state.
unable to find physically continous pages for their uarea, just allocate
them via uvm_km_alloc(), that is: make cpu_uarea_alloc() fail instead
of panic. cpu_uarea_free() already deals with this.
Should fix PR port-alpha/53077.
Discussed with maxv and mrg.
