From owner-p4-projects@FreeBSD.ORG  Fri Sep 19 21:44:42 2003
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id B44A616A4C0; Fri, 19 Sep 2003 21:44:41 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8D76B16A4B3
	for <perforce@freebsd.org>; Fri, 19 Sep 2003 21:44:41 -0700 (PDT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AC88543FAF
	for <perforce@freebsd.org>; Fri, 19 Sep 2003 21:44:40 -0700 (PDT)
	(envelope-from marcel@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id h8K4ieXJ009253
	for <perforce@freebsd.org>; Fri, 19 Sep 2003 21:44:40 -0700 (PDT)
	(envelope-from marcel@freebsd.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.12.9/8.12.9/Submit) id h8K4ieg2009248
	for perforce@freebsd.org; Fri, 19 Sep 2003 21:44:40 -0700 (PDT)
	(envelope-from marcel@freebsd.org)
Date: Fri, 19 Sep 2003 21:44:40 -0700 (PDT)
Message-Id: <200309200444.h8K4ieg2009248@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	marcel@freebsd.org using -f
From: Marcel Moolenaar <marcel@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 38317 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Sep 2003 04:44:42 -0000

http://perforce.freebsd.org/chv.cgi?CH=38317

Change 38317 by marcel@marcel_nfs on 2003/09/19 21:44:25

	IFC @38316

Affected files ...

.. //depot/projects/ia64/release/doc/en_US.ISO8859-1/errata/article.sgml#27 integrate
.. //depot/projects/ia64/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#127 integrate
.. //depot/projects/ia64/share/man/man4/uart.4#3 integrate
.. //depot/projects/ia64/sys/kern/sched_ule.c#25 integrate
.. //depot/projects/ia64/sys/kern/vfs_subr.c#55 integrate

Differences ...

==== //depot/projects/ia64/release/doc/en_US.ISO8859-1/errata/article.sgml#27 (text+ko) ====

@@ -38,7 +38,7 @@
     The &os; Project
     </corpauthor>
 
-    <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/errata/article.sgml,v 1.49 2003/09/16 23:25:48 bmah Exp $</pubdate>
+    <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/errata/article.sgml,v 1.50 2003/09/20 00:17:52 bmah Exp $</pubdate>
 
     <copyright>
       <year>2000</year>
@@ -157,6 +157,15 @@
       security fix branch.  For more details, refer to security
       advisory
       <ulink url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc">FreeBSD-SA-03:12</ulink>.</para>
+
+    <para><application>sendmail</application> contains a
+      remotely-exploitable buffer overflow.  This bug has been fixed
+      via a new version import on the &release.branch; development
+      branch and via a vendor-supplied patch on the &release.prev;
+      security fix branch.  More details can be found in security
+      advisory
+      <ulink url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:13.sendmail.asc">FreeBSD-SA-03:13</ulink>.</para>
+
 ]]>
 
   </sect1>

==== //depot/projects/ia64/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#127 (text+ko) ====

@@ -3,7 +3,7 @@
 
   <corpauthor>The FreeBSD Project</corpauthor>
 
-  <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.625 2003/09/19 23:23:55 gshapiro Exp $</pubdate>
+  <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.626 2003/09/20 00:01:29 bmah Exp $</pubdate>
 
   <copyright>
     <year>2000</year>
@@ -141,6 +141,11 @@
       security advisory 
       <ulink url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc">FreeBSD-SA-03:12</ulink>. &merged;</para>
 
+    <para>A buffer overflow in <application>sendmail</application> has
+      been fixed.  More information can be found in security advisory
+      <ulink url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:13.sendmail.asc">FreeBSD-SA-03:13</ulink>.
+      &merged;</para>
+
   </sect2>
 
   <sect2 id="kernel">
@@ -569,10 +574,10 @@
       architectures.</para>
 
     <para>The supported release of <application>GNOME</application> has
-      been updated from 2.2.1 to 2.2.2. &merged;</para>
+      been updated from 2.2.1 to 2.4. &merged;</para>
 
     <para>The supported release of <application>KDE</application> has
-      been updated from 3.1.2 to 3.1.3. &merged;</para>
+      been updated from 3.1.2 to 3.1.4. &merged;</para>
 
   </sect2>
 

==== //depot/projects/ia64/share/man/man4/uart.4#3 (text+ko) ====

@@ -23,7 +23,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $FreeBSD: src/share/man/man4/uart.4,v 1.3 2003/09/07 16:34:03 hmp Exp $
+.\" $FreeBSD: src/share/man/man4/uart.4,v 1.4 2003/09/20 04:13:16 marcel Exp $
 .\"
 .Dd August 25, 2003
 .Dt UART 4
@@ -114,4 +114,4 @@
 .Fx 5.2 .
 .Sh AUTHORS
 This manual page was written by
-.An Marcel Molenaar Aq marcel@FreeBSD.ORG .
+.An Marcel Moolenaar Aq marcel@xcllnt.net .

==== //depot/projects/ia64/sys/kern/sched_ule.c#25 (text+ko) ====

@@ -25,7 +25,7 @@
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/sched_ule.c,v 1.55 2003/08/26 11:33:15 davidxu Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/sched_ule.c,v 1.56 2003/09/20 02:05:58 jeff Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -718,15 +718,17 @@
 	/*
 	 * Adjust counters and watermark for pctcpu calc.
 	 */
-
-	/*
-	 * Shift the tick count out so that the divide doesn't round away
-	 * our results.
-	 */
-	ke->ke_ticks <<= 10;
-	ke->ke_ticks = (ke->ke_ticks / (ke->ke_ltick - ke->ke_ftick)) *
-		    SCHED_CPU_TICKS;
-	ke->ke_ticks >>= 10;
+	if (ke->ke_ltick > ticks - SCHED_CPU_TICKS) {
+		/*
+		 * Shift the tick count out so that the divide doesn't
+		 * round away our results.
+		 */
+		ke->ke_ticks <<= 10;
+		ke->ke_ticks = (ke->ke_ticks / (ticks - ke->ke_ftick)) *
+			    SCHED_CPU_TICKS;
+		ke->ke_ticks >>= 10;
+	} else
+		ke->ke_ticks = 0;
 	ke->ke_ltick = ticks;
 	ke->ke_ftick = ke->ke_ltick - SCHED_CPU_TICKS;
 }
@@ -1307,7 +1309,6 @@
 		 */
 		if (ke->ke_ltick < (ticks - (hz / 2)))
 			sched_pctcpu_update(ke);
-
 		/* How many rtick per second ? */
 		rtick = min(ke->ke_ticks / SCHED_CPU_TIME, SCHED_CPU_TICKS);
 		pctcpu = (FSCALE * ((FSCALE * rtick)/realstathz)) >> FSHIFT;

==== //depot/projects/ia64/sys/kern/vfs_subr.c#55 (text+ko) ====

@@ -43,7 +43,7 @@
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/vfs_subr.c,v 1.456 2003/09/19 19:13:54 kan Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/vfs_subr.c,v 1.458 2003/09/20 00:21:48 jeff Exp $");
 
 #include "opt_ddb.h"
 #include "opt_mac.h"
@@ -744,7 +744,6 @@
 vnlru_proc(void)
 {
 	struct mount *mp, *nmp;
-	int s;
 	int done;
 	struct proc *p = vnlruproc;
 	struct thread *td = FIRST_THREAD_IN_PROC(p);	/* XXXKSE */
@@ -754,7 +753,6 @@
 	EVENTHANDLER_REGISTER(shutdown_pre_sync, kproc_shutdown, p,
 	    SHUTDOWN_PRI_FIRST);
 
-	s = splbio();
 	for (;;) {
 		kthread_suspend_check(p);
 		mtx_lock(&vnode_free_list_mtx);
@@ -791,7 +789,6 @@
 			tsleep(vnlruproc, PPAUSE, "vlrup", hz * 3);
 		}
 	}
-	splx(s);
 }
 
 static struct kproc_desc vnlru_kp = {
@@ -1107,7 +1104,7 @@
 	int slpflag, slptimeo;
 {
 	struct buf *blist;
-	int s, error;
+	int error;
 	vm_object_t object;
 
 	GIANT_REQUIRED;
@@ -1116,19 +1113,16 @@
 
 	VI_LOCK(vp);
 	if (flags & V_SAVE) {
-		s = splbio();
 		while (vp->v_numoutput) {
 			vp->v_iflag |= VI_BWAIT;
 			error = msleep(&vp->v_numoutput, VI_MTX(vp),
 			    slpflag | (PRIBIO + 1), "vinvlbuf", slptimeo);
 			if (error) {
 				VI_UNLOCK(vp);
-				splx(s);
 				return (error);
 			}
 		}
 		if (!TAILQ_EMPTY(&vp->v_dirtyblkhd)) {
-			splx(s);
 			VI_UNLOCK(vp);
 			if ((error = VOP_FSYNC(vp, cred, MNT_WAIT, td)) != 0)
 				return (error);
@@ -1137,14 +1131,11 @@
 			 * enabled under INVARIANTS
 			 */
 			VI_LOCK(vp);
-			s = splbio();
 			if (vp->v_numoutput > 0 ||
 			    !TAILQ_EMPTY(&vp->v_dirtyblkhd))
 				panic("vinvalbuf: dirty bufs");
 		}
-		splx(s);
 	}
-	s = splbio();
 	/*
 	 * If you alter this loop please notice that interlock is dropped and
 	 * reacquired in flushbuflist.  Special care is needed to ensure that
@@ -1166,7 +1157,6 @@
 		break;
 	}
 	if (error) {
-		splx(s);
 		VI_UNLOCK(vp);
 		return (error);
 	}
@@ -1191,8 +1181,6 @@
 	} while (vp->v_numoutput > 0);
 	VI_UNLOCK(vp);
 
-	splx(s);
-
 	/*
 	 * Destroy the copy in the VM cache, too.
 	 */
@@ -1298,7 +1286,7 @@
 {
 	register struct buf *bp;
 	struct buf *nbp;
-	int s, anyfreed;
+	int anyfreed;
 	int trunclbn;
 
 	/*
@@ -1306,7 +1294,6 @@
 	 */
 	trunclbn = (length + blksize - 1) / blksize;
 
-	s = splbio();
 	ASSERT_VOP_LOCKED(vp, "vtruncbuf");
 restart:
 	VI_LOCK(vp);
@@ -1390,8 +1377,6 @@
 		msleep(&vp->v_numoutput, VI_MTX(vp), PVM, "vbtrunc", 0);
 	}
 	VI_UNLOCK(vp);
-	splx(s);
-
 	vnode_pager_setsize(vp, length);
 
 	return (0);
@@ -1616,8 +1601,6 @@
 	register struct vnode *vp;
 	register struct buf *bp;
 {
-	int s;
-
 	KASSERT(bp->b_vp == NULL, ("bgetvp: not free"));
 
 	KASSERT((bp->b_xflags & (BX_VNDIRTY|BX_VNCLEAN)) == 0,
@@ -1630,9 +1613,7 @@
 	/*
 	 * Insert onto list for new vnode.
 	 */
-	s = splbio();
 	buf_vlist_add(bp, vp, BX_VNCLEAN);
-	splx(s);
 }
 
 /*
@@ -1643,7 +1624,6 @@
 	register struct buf *bp;
 {
 	struct vnode *vp;
-	int s;
 
 	KASSERT(bp->b_vp != NULL, ("brelvp: NULL"));
 
@@ -1651,7 +1631,6 @@
 	 * Delete from old vnode list, if on one.
 	 */
 	vp = bp->b_vp;
-	s = splbio();
 	VI_LOCK(vp);
 	if (bp->b_xflags & (BX_VNDIRTY | BX_VNCLEAN))
 		buf_vlist_remove(bp);
@@ -1662,11 +1641,10 @@
 		mtx_unlock(&sync_mtx);
 	}
 	vdropl(vp);
-	VI_UNLOCK(vp);
 	bp->b_vp = (struct vnode *) 0;
 	if (bp->b_object)
 		bp->b_object = NULL;
-	splx(s);
+	VI_UNLOCK(vp);
 }
 
 /*
@@ -1675,9 +1653,8 @@
 static void
 vn_syncer_add_to_worklist(struct vnode *vp, int delay)
 {
-	int s, slot;
+	int slot;
 
-	s = splbio();
 	ASSERT_VI_LOCKED(vp, "vn_syncer_add_to_worklist");
 
 	mtx_lock(&sync_mtx);
@@ -1692,8 +1669,6 @@
 
 	LIST_INSERT_HEAD(&syncer_workitem_pending[slot], vp, v_synclist);
 	mtx_unlock(&sync_mtx);
-
-	splx(s);
 }
 
 struct  proc *updateproc;
@@ -1715,7 +1690,6 @@
 	struct vnode *vp;
 	struct mount *mp;
 	long starttime;
-	int s;
 	struct thread *td = FIRST_THREAD_IN_PROC(updateproc);  /* XXXKSE */
 
 	mtx_lock(&Giant);
@@ -1732,13 +1706,11 @@
 		 * Push files whose dirty time has expired.  Be careful
 		 * of interrupt race on slp queue.
 		 */
-		s = splbio();
 		mtx_lock(&sync_mtx);
 		slp = &syncer_workitem_pending[syncer_delayno];
 		syncer_delayno += 1;
 		if (syncer_delayno == syncer_maxdelay)
 			syncer_delayno = 0;
-		splx(s);
 
 		while ((vp = LIST_FIRST(slp)) != NULL) {
 			mtx_unlock(&sync_mtx);
@@ -1749,7 +1721,6 @@
 				VOP_UNLOCK(vp, 0, td);
 				vn_finished_write(mp);
 			}
-			s = splbio();
 			mtx_lock(&sync_mtx);
 			if (LIST_FIRST(slp) == vp) {
 				mtx_unlock(&sync_mtx);
@@ -1775,7 +1746,6 @@
 				VI_UNLOCK(vp);
 				mtx_lock(&sync_mtx);
 			}
-			splx(s);
 		}
 		mtx_unlock(&sync_mtx);
 
@@ -1899,13 +1869,14 @@
 	register struct buf *bp;
 	register struct vnode *newvp;
 {
+	struct vnode *vp;
 	int delay;
-	int s;
 
 	if (newvp == NULL) {
 		printf("reassignbuf: NULL");
 		return;
 	}
+	vp = bp->b_vp;
 	++reassignbufcalls;
 
 	/*
@@ -1915,24 +1886,25 @@
 	if (bp->b_flags & B_PAGING)
 		panic("cannot reassign paging buffer");
 
-	s = splbio();
 	/*
 	 * Delete from old vnode list, if on one.
 	 */
-	VI_LOCK(bp->b_vp);
+	VI_LOCK(vp);
 	if (bp->b_xflags & (BX_VNDIRTY | BX_VNCLEAN)) {
 		buf_vlist_remove(bp);
-		if (bp->b_vp != newvp) {
+		if (vp != newvp) {
 			vdropl(bp->b_vp);
 			bp->b_vp = NULL;	/* for clarification */
 		}
 	}
-	VI_UNLOCK(bp->b_vp);
+	if (vp != newvp) {
+		VI_UNLOCK(vp);
+		VI_LOCK(newvp);
+	}
 	/*
 	 * If dirty, put on list of dirty buffers; otherwise insert onto list
 	 * of clean buffers.
 	 */
-	VI_LOCK(newvp);
 	if (bp->b_flags & B_DELWRI) {
 		if ((newvp->v_iflag & VI_ONWORKLST) == 0) {
 			switch (newvp->v_type) {
@@ -1967,7 +1939,6 @@
 		vholdl(bp->b_vp);
 	}
 	VI_UNLOCK(newvp);
-	splx(s);
 }
 
 /*
@@ -2306,13 +2277,9 @@
 vholdl(vp)
 	register struct vnode *vp;
 {
-	int s;
-
-	s = splbio();
 	vp->v_holdcnt++;
 	if (VSHOULDBUSY(vp))
 		vbusy(vp);
-	splx(s);
 }
 
 /*
@@ -2331,9 +2298,6 @@
 vdropl(vp)
 	register struct vnode *vp;
 {
-	int s;
-
-	s = splbio();
 	if (vp->v_holdcnt <= 0)
 		panic("vdrop: holdcnt");
 	vp->v_holdcnt--;
@@ -2341,7 +2305,6 @@
 		vfree(vp);
 	else
 		vlruvp(vp);
-	splx(s);
 }
 
 /*
@@ -2621,13 +2584,14 @@
 		VI_LOCK(vp);
 		v_incr_usecount(vp, -1);
 		if (vp->v_usecount <= 0) {
-#ifdef DIAGNOSTIC
+#ifdef INVARIANTS
 			if (vp->v_usecount < 0 || vp->v_writecount != 0) {
 				vprint("vclean: bad ref count", vp);
 				panic("vclean: ref cnt");
 			}
 #endif
-			vfree(vp);
+			if (VSHOULDFREE(vp))
+				vfree(vp);
 		}
 		VI_UNLOCK(vp);
 	}
@@ -2741,8 +2705,6 @@
 	struct vnode *vp;
 	struct thread *td;
 {
-	int s;
-
 	/*
 	 * If a vgone (or vclean) is already in progress,
 	 * wait until it is done and return.
@@ -2791,7 +2753,6 @@
 	 */
 	VI_LOCK(vp);
 	if (vp->v_usecount == 0 && !(vp->v_iflag & VI_DOOMED)) {
-		s = splbio();
 		mtx_lock(&vnode_free_list_mtx);
 		if (vp->v_iflag & VI_FREE) {
 			TAILQ_REMOVE(&vnode_free_list, vp, v_freelist);
@@ -2801,7 +2762,6 @@
 		}
 		TAILQ_INSERT_HEAD(&vnode_free_list, vp, v_freelist);
 		mtx_unlock(&vnode_free_list_mtx);
-		splx(s);
 	}
 
 	vp->v_type = VBAD;
@@ -3288,10 +3248,7 @@
 vfree(vp)
 	struct vnode *vp;
 {
-	int s;
-
 	ASSERT_VI_LOCKED(vp, "vfree");
-	s = splbio();
 	mtx_lock(&vnode_free_list_mtx);
 	KASSERT((vp->v_iflag & VI_FREE) == 0, ("vnode already free"));
 	if (vp->v_iflag & VI_AGE) {
@@ -3303,7 +3260,6 @@
 	mtx_unlock(&vnode_free_list_mtx);
 	vp->v_iflag &= ~VI_AGE;
 	vp->v_iflag |= VI_FREE;
-	splx(s);
 }
 
 /*
@@ -3313,9 +3269,6 @@
 vbusy(vp)
 	struct vnode *vp;
 {
-	int s;
-
-	s = splbio();
 	ASSERT_VI_LOCKED(vp, "vbusy");
 	KASSERT((vp->v_iflag & VI_FREE) != 0, ("vnode not free"));
 
@@ -3325,7 +3278,6 @@
 	mtx_unlock(&vnode_free_list_mtx);
 
 	vp->v_iflag &= ~(VI_FREE|VI_AGE);
-	splx(s);
 }
 
 /*
@@ -3559,7 +3511,7 @@
 /*
  * The syncer vnode is no longer needed and is being decommissioned.
  *
- * Modifications to the worklist must be protected at splbio().
+ * Modifications to the worklist must be protected by sync_mtx.
  */
 static int
 sync_reclaim(ap)
@@ -3568,11 +3520,9 @@
 	} */ *ap;
 {
 	struct vnode *vp = ap->a_vp;
-	int s;
 
-	s = splbio();
+	VI_LOCK(vp);
 	vp->v_mount->mnt_syncer = NULL;
-	VI_LOCK(vp);
 	if (vp->v_iflag & VI_ONWORKLST) {
 		mtx_lock(&sync_mtx);
 		LIST_REMOVE(vp, v_synclist);
@@ -3580,7 +3530,6 @@
 		vp->v_iflag &= ~VI_ONWORKLST;
 	}
 	VI_UNLOCK(vp);
-	splx(s);
 
 	return (0);
 }