From 4ec1c9bfacb13ccd42e36c47eff2211d28a36ab2 Mon Sep 17 00:00:00 2001
From: Jung-uk Kim <jkim@FreeBSD.org>
Date: Wed, 13 Jan 2016 19:19:50 +0000
Subject: Remove dead code when the target processor has POPCNT instruction.

---
 sys/amd64/amd64/pmap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'sys/amd64')

diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c
index 8b04eab99006..d2d0248c6984 100644
--- a/sys/amd64/amd64/pmap.c
+++ b/sys/amd64/amd64/pmap.c
@@ -3018,11 +3018,14 @@ reserve_pv_entries(pmap_t pmap, int needed, struct rwlock **lockp)
 retry:
 	avail = 0;
 	TAILQ_FOREACH(pc, &pmap->pm_pvchunk, pc_list) {
+#ifndef __POPCNT__
 		if ((cpu_feature2 & CPUID2_POPCNT) == 0) {
 			free = bitcount64(pc->pc_map[0]);
 			free += bitcount64(pc->pc_map[1]);
 			free += bitcount64(pc->pc_map[2]);
-		} else {
+		} else
+#endif
+		{
 			free = popcnt_pc_map_elem_pq(pc->pc_map[0]);
 			free += popcnt_pc_map_elem_pq(pc->pc_map[1]);
 			free += popcnt_pc_map_elem_pq(pc->pc_map[2]);
-- 
cgit v1.2.3


From 037f750877f04f57a316f597f2e0176fa1e19aab Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Thu, 14 Jan 2016 10:13:58 +0000
Subject: Change linux get_robust_list system call to match actual linux one.

The set_robust_list system call request the kernel to record the head
of the list of robust futexes owned by the calling thread. The head
argument is the list head to record.
The get_robust_list system call should return the head of the robust
list of the thread whose thread id is specified in pid argument.
The list head should be stored in the location pointed to by head
argument.

In contrast, our implemenattion of get_robust_list system call copies
the known portion of memory pointed by recorded in set_robust_list
system call pointer to the head of the robust list to the location
pointed by head argument.

So, it is possible for a local attacker to read portions of kernel
memory, which may result in a privilege escalation.

Submitted by:	mjg
Security:	SA-16:03.linux
---
 sys/amd64/linux/syscalls.master   | 4 ++--
 sys/amd64/linux32/syscalls.master | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'sys/amd64')

diff --git a/sys/amd64/linux/syscalls.master b/sys/amd64/linux/syscalls.master
index 87c800079b14..eb36d5f2ec90 100644
--- a/sys/amd64/linux/syscalls.master
+++ b/sys/amd64/linux/syscalls.master
@@ -461,8 +461,8 @@
 272	AUE_NULL	STD	{ int linux_unshare(void); }
 273	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
 				    l_size_t len); }
-274	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \
-				    l_size_t *len); }
+274	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
+				    struct linux_robust_list_head **head, l_size_t *len); }
 275	AUE_NULL	STD	{ int linux_splice(void); }
 276	AUE_NULL	STD	{ int linux_tee(void); }
 277	AUE_NULL	STD	{ int linux_sync_file_range(void); }
diff --git a/sys/amd64/linux32/syscalls.master b/sys/amd64/linux32/syscalls.master
index 8d9f90c21043..0396b30db9c8 100644
--- a/sys/amd64/linux32/syscalls.master
+++ b/sys/amd64/linux32/syscalls.master
@@ -520,8 +520,8 @@
 ; linux 2.6.17:
 311	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
 					l_size_t len); }
-312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \
-					l_size_t *len); }
+312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
+				    struct linux_robust_list_head **head, l_size_t *len); }
 313	AUE_NULL	STD	{ int linux_splice(void); }
 314	AUE_NULL	STD	{ int linux_sync_file_range(void); }
 315	AUE_NULL	STD	{ int linux_tee(void); }
-- 
cgit v1.2.3


From de44d808ef9e0a4cdccaf37cb009737ba57f3d14 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Thu, 14 Jan 2016 10:15:21 +0000
Subject: Regen after r293907.

---
 sys/amd64/linux/linux_proto.h             | 4 ++--
 sys/amd64/linux/linux_syscall.h           | 2 +-
 sys/amd64/linux/linux_syscalls.c          | 2 +-
 sys/amd64/linux/linux_sysent.c            | 2 +-
 sys/amd64/linux/linux_systrace_args.c     | 4 ++--
 sys/amd64/linux32/linux32_proto.h         | 4 ++--
 sys/amd64/linux32/linux32_syscall.h       | 2 +-
 sys/amd64/linux32/linux32_syscalls.c      | 2 +-
 sys/amd64/linux32/linux32_sysent.c        | 2 +-
 sys/amd64/linux32/linux32_systrace_args.c | 4 ++--
 10 files changed, 14 insertions(+), 14 deletions(-)

(limited to 'sys/amd64')

diff --git a/sys/amd64/linux/linux_proto.h b/sys/amd64/linux/linux_proto.h
index 8aecd7c0f976..54e11fe8bdfc 100644
--- a/sys/amd64/linux/linux_proto.h
+++ b/sys/amd64/linux/linux_proto.h
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 #ifndef _LINUX_SYSPROTO_H_
@@ -966,7 +966,7 @@ struct linux_set_robust_list_args {
 };
 struct linux_get_robust_list_args {
 	char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)];
-	char head_l_[PADL_(struct linux_robust_list_head *)]; struct linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head *)];
+	char head_l_[PADL_(struct linux_robust_list_head **)]; struct linux_robust_list_head ** head; char head_r_[PADR_(struct linux_robust_list_head **)];
 	char len_l_[PADL_(l_size_t *)]; l_size_t * len; char len_r_[PADR_(l_size_t *)];
 };
 struct linux_splice_args {
diff --git a/sys/amd64/linux/linux_syscall.h b/sys/amd64/linux/linux_syscall.h
index 671eb0b344d7..cee28556b237 100644
--- a/sys/amd64/linux/linux_syscall.h
+++ b/sys/amd64/linux/linux_syscall.h
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 #define	LINUX_SYS_read	0
diff --git a/sys/amd64/linux/linux_syscalls.c b/sys/amd64/linux/linux_syscalls.c
index a414ea0cebaf..ea001ba68467 100644
--- a/sys/amd64/linux/linux_syscalls.c
+++ b/sys/amd64/linux/linux_syscalls.c
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 const char *linux_syscallnames[] = {
diff --git a/sys/amd64/linux/linux_sysent.c b/sys/amd64/linux/linux_sysent.c
index 31f2eeb02e4d..053f8d1e415d 100644
--- a/sys/amd64/linux/linux_sysent.c
+++ b/sys/amd64/linux/linux_sysent.c
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 #include <sys/param.h>
diff --git a/sys/amd64/linux/linux_systrace_args.c b/sys/amd64/linux/linux_systrace_args.c
index d649eed3d4de..bc279c947ec1 100644
--- a/sys/amd64/linux/linux_systrace_args.c
+++ b/sys/amd64/linux/linux_systrace_args.c
@@ -2020,7 +2020,7 @@ systrace_args(int sysnum, void *params, uint64_t *uarg, int *n_args)
 	case 274: {
 		struct linux_get_robust_list_args *p = params;
 		iarg[0] = p->pid; /* l_int */
-		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head * */
+		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head ** */
 		uarg[2] = (intptr_t) p->len; /* l_size_t * */
 		*n_args = 3;
 		break;
@@ -5347,7 +5347,7 @@ systrace_entry_setargdesc(int sysnum, int ndx, char *desc, size_t descsz)
 			p = "l_int";
 			break;
 		case 1:
-			p = "struct linux_robust_list_head *";
+			p = "struct linux_robust_list_head **";
 			break;
 		case 2:
 			p = "l_size_t *";
diff --git a/sys/amd64/linux32/linux32_proto.h b/sys/amd64/linux32/linux32_proto.h
index 84c78152a7ab..e76384fb445b 100644
--- a/sys/amd64/linux32/linux32_proto.h
+++ b/sys/amd64/linux32/linux32_proto.h
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 #ifndef _LINUX32_SYSPROTO_H_
@@ -1023,7 +1023,7 @@ struct linux_set_robust_list_args {
 };
 struct linux_get_robust_list_args {
 	char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)];
-	char head_l_[PADL_(struct linux_robust_list_head *)]; struct linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head *)];
+	char head_l_[PADL_(struct linux_robust_list_head **)]; struct linux_robust_list_head ** head; char head_r_[PADR_(struct linux_robust_list_head **)];
 	char len_l_[PADL_(l_size_t *)]; l_size_t * len; char len_r_[PADR_(l_size_t *)];
 };
 struct linux_splice_args {
diff --git a/sys/amd64/linux32/linux32_syscall.h b/sys/amd64/linux32/linux32_syscall.h
index a3fbb26bb41c..990adf3642ed 100644
--- a/sys/amd64/linux32/linux32_syscall.h
+++ b/sys/amd64/linux32/linux32_syscall.h
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 #define	LINUX32_SYS_linux_exit	1
diff --git a/sys/amd64/linux32/linux32_syscalls.c b/sys/amd64/linux32/linux32_syscalls.c
index f3b4510177a0..79b96a71bf2a 100644
--- a/sys/amd64/linux32/linux32_syscalls.c
+++ b/sys/amd64/linux32/linux32_syscalls.c
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 const char *linux32_syscallnames[] = {
diff --git a/sys/amd64/linux32/linux32_sysent.c b/sys/amd64/linux32/linux32_sysent.c
index 6f0420dec634..7d6d22078f83 100644
--- a/sys/amd64/linux32/linux32_sysent.c
+++ b/sys/amd64/linux32/linux32_sysent.c
@@ -3,7 +3,7 @@
  *
  * DO NOT EDIT-- this file is automatically generated.
  * $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 289769 2015-10-22 21:28:20Z jhb 
+ * created from FreeBSD: head/sys/amd64/linux32/syscalls.master 293907 2016-01-14 10:13:58Z glebius 
  */
 
 #include "opt_compat.h"
diff --git a/sys/amd64/linux32/linux32_systrace_args.c b/sys/amd64/linux32/linux32_systrace_args.c
index b6ccd334178f..80889bf83b62 100644
--- a/sys/amd64/linux32/linux32_systrace_args.c
+++ b/sys/amd64/linux32/linux32_systrace_args.c
@@ -2122,7 +2122,7 @@ systrace_args(int sysnum, void *params, uint64_t *uarg, int *n_args)
 	case 312: {
 		struct linux_get_robust_list_args *p = params;
 		iarg[0] = p->pid; /* l_int */
-		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head * */
+		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head ** */
 		uarg[2] = (intptr_t) p->len; /* l_size_t * */
 		*n_args = 3;
 		break;
@@ -5551,7 +5551,7 @@ systrace_entry_setargdesc(int sysnum, int ndx, char *desc, size_t descsz)
 			p = "l_int";
 			break;
 		case 1:
-			p = "struct linux_robust_list_head *";
+			p = "struct linux_robust_list_head **";
 			break;
 		case 2:
 			p = "l_size_t *";
-- 
cgit v1.2.3