Merge remote-tracking branch 'origin/stable/10' into devel

14 files changed, 145 insertions, 19 deletions

diff --git a/release/arm/CUBOX-HUMMINGBOARD.conf b/release/arm/CUBOX-HUMMINGBOARD.conf
index 987fe23..7470fbe 100644
--- a/release/arm/CUBOX-HUMMINGBOARD.conf
+++ b/release/arm/CUBOX-HUMMINGBOARD.conf
@@ -3,13 +3,14 @@
 # $FreeBSD$
 #
 
+SRCBRANCH="base/stable/10@rHEAD"
 EMBEDDEDBUILD=1
 EMBEDDED_TARGET="arm"
 EMBEDDED_TARGET_ARCH="armv6"
 EMBEDDEDPORTS="sysutils/u-boot-cubox-hummingboard"
 KERNEL="IMX6"
 WORLD_FLAGS="${WORLD_FLAGS} UBLDR_LOADADDR=0x12000000"
-IMAGE_SIZE="480M"
+IMAGE_SIZE="495M"
 PART_SCHEME="MBR"
 FAT_SIZE="50m -b 16384"
 FAT_TYPE="16"
diff --git a/release/arm/GUMSTIX.conf b/release/arm/GUMSTIX.conf
index 1f3d8da..34500fc 100644
--- a/release/arm/GUMSTIX.conf
+++ b/release/arm/GUMSTIX.conf
@@ -3,6 +3,7 @@
 # $FreeBSD$
 #
 
+SRCBRANCH="base/stable/10@rHEAD"
 EMBEDDEDBUILD=1
 EMBEDDED_TARGET="arm"
 EMBEDDED_TARGET_ARCH="armv6"
diff --git a/release/arm/WANDBOARD.conf b/release/arm/WANDBOARD.conf
index 971aa1c..d5955fd 100644
--- a/release/arm/WANDBOARD.conf
+++ b/release/arm/WANDBOARD.conf
@@ -10,7 +10,7 @@ EMBEDDED_TARGET_ARCH="armv6"
 EMBEDDEDPORTS="sysutils/u-boot-wandboard"
 KERNEL="IMX6"
 WORLD_FLAGS="${WORLD_FLAGS} UBLDR_LOADADDR=0x12000000"
-IMAGE_SIZE="480M"
+IMAGE_SIZE="495M"
 PART_SCHEME="MBR"
 FAT_SIZE="50m -b 16384"
 FAT_TYPE="16"
diff --git a/release/doc/share/xml/errata.xml b/release/doc/share/xml/errata.xml
index 30d5fc3..f5c93bc 100644
--- a/release/doc/share/xml/errata.xml
+++ b/release/doc/share/xml/errata.xml
@@ -19,7 +19,34 @@
 
     <tbody>
       <row>
-	<entry><para></para></entry>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-EN-16:06.libc.asc">FreeBSD-EN-16:06.libc</link></entry>
+	<entry>4&nbsp;May&nbsp;2016</entry>
+	<entry><para>Performance regression in libc
+	    &man.hash.3;</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-EN-16:07.ipi.asc">FreeBSD-EN-16:07.ipi</link></entry>
+	<entry>4&nbsp;May&nbsp;2016</entry>
+	<entry><para>Excessive latency in x86 IPI
+	    delivery</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-EN-16:08.zfs.asc">FreeBSD-EN-16:08.zfs</link></entry>
+	<entry>4&nbsp;May&nbsp;2016</entry>
+	<entry><para>Memory leak in ZFS</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-EN-16:09.freebsd-update.asc">FreeBSD-EN-16:09.freebsd-update</link></entry>
+	<entry>25&nbsp;July&nbsp;2016</entry>
+	<entry><para>Fix &man.freebsd-update.8; support of
+	    &os;&nbsp;11.0-RELEASE</para></entry>
       </row>
     </tbody>
   </tgroup>
diff --git a/release/doc/share/xml/security.xml b/release/doc/share/xml/security.xml
index 6ddefc1..c253b76 100644
--- a/release/doc/share/xml/security.xml
+++ b/release/doc/share/xml/security.xml
@@ -19,7 +19,81 @@
 
     <tbody>
       <row>
-	<entry><para></para></entry>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:09.ntp.asc">FreeBSD-SA-16:09.ntp</link></entry>
+	<entry>29&nbsp;April&nbsp;2016</entry>
+	<entry><para>Multiple <application>ntp</application>
+	    vulnerabilities.</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:17.openssl.asc">FreeBSD-SA-16:17.openssl</link></entry>
+	<entry>29&nbsp;April&nbsp;2016</entry>
+	<entry><para>Multiple <application>OpenSSL</application>
+	    vulnerabilities.</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:18.atkbd.asc">FreeBSD-SA-16:18.atkbd</link></entry>
+	<entry>17&nbsp;May&nbsp;2016</entry>
+	<entry><para>Keyboard driver buffer overflow</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:19.sendmsg.asc">FreeBSD-SA-16:19.sendmsg</link></entry>
+	<entry>17&nbsp;May&nbsp;2016</entry>
+	<entry><para>Incorrect argument handling in
+	    &man.sendmsg.2;</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:20.linux.asc">FreeBSD-SA-16:20.linux</link></entry>
+	<entry>31&nbsp;May&nbsp;2016</entry>
+	<entry><para>Kernel stack disclosure in Linux compatibility
+	  layer</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:21.43bsd.asc">FreeBSD-SA-16:21.43bsd</link></entry>
+	<entry>31&nbsp;May&nbsp;2016</entry>
+	<entry><para>Kernel stack disclosure in 4.3BSD compatibility
+	  layer</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:22.libarchive.asc">FreeBSD-SA-16:22.libarchive</link></entry>
+	<entry>31&nbsp;May&nbsp;2016</entry>
+	<entry><para>Absolute path traversal
+	    vulnerability</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:23.libarchive.asc">FreeBSD-SA-16:23.libarchive</link></entry>
+	<entry>31&nbsp;May&nbsp;2016</entry>
+	<entry><para>Absolute path traversal
+	    vulnerability</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:24.ntp.asc">FreeBSD-SA-16:24.ntp</link></entry>
+	<entry>3&nbsp;June&nbsp;2016</entry>
+	<entry><para>Multiple <application>ntp</application>
+	    vulnerabilties</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-16:25.bspatch.asc">FreeBSD-SA-16:25.bspatch</link></entry>
+	<entry>25&nbsp;July&nbsp;2016</entry>
+	<entry><para>heap overflow vulnerability</para></entry>
       </row>
     </tbody>
   </tgroup>
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index bb28f43..16c7847 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -4649,6 +4649,16 @@ timeout_spec	: STRING NUMBER
 			}
 			free($1);
 		}
+		| INTERVAL NUMBER		{
+			if (check_rulestate(PFCTL_STATE_OPTION))
+				YYERROR;
+			if ($2 < 0 || $2 > UINT_MAX) {
+				yyerror("only positive values permitted");
+				YYERROR;
+			}
+			if (pfctl_set_timeout(pf, "interval", $2, 0) != 0)
+				YYERROR;
+		}
 		;
 
 timeout_list	: timeout_list comma timeout_spec optnl
diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c
index 03a3d9e..b8e3596 100644
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@@ -520,7 +520,7 @@ proc0_init(void *dummy __unused)
 	newcred->cr_ruidinfo = uifind(0);
 	newcred->cr_prison = &prison0;
 	newcred->cr_loginclass = loginclass_find("default");
-	proc_set_cred(p, newcred);
+	proc_set_cred_init(p, newcred);
 #ifdef AUDIT
 	audit_cred_kproc0(newcred);
 #endif
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index a5595c9..a84b619 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -412,9 +412,6 @@ do_fork(struct thread *td, int flags, struct proc *p2, struct thread *td2,
 	p2->p_treeflag = 0;
 	p2->p_filemon = NULL;
 
-	crhold(td->td_ucred);
-	proc_set_cred(p2, td->td_ucred);
-
 	/* Tell the prison that we exist. */
 	prison_proc_hold(p2->p_ucred->cr_prison);
 
@@ -875,7 +872,7 @@ fork1(struct thread *td, int flags, int pages, struct proc **procp,
 		td2 = thread_alloc(pages);
 		if (td2 == NULL) {
 			error = ENOMEM;
-			goto fail1;
+			goto fail2;
 		}
 		proc_linkup(newproc, td2);
 	} else {
@@ -884,7 +881,7 @@ fork1(struct thread *td, int flags, int pages, struct proc **procp,
 				vm_thread_dispose(td2);
 			if (!thread_alloc_stack(td2, pages)) {
 				error = ENOMEM;
-				goto fail1;
+				goto fail2;
 			}
 		}
 	}
@@ -893,7 +890,7 @@ fork1(struct thread *td, int flags, int pages, struct proc **procp,
 		vm2 = vmspace_fork(p1->p_vmspace, &mem_charged);
 		if (vm2 == NULL) {
 			error = ENOMEM;
-			goto fail1;
+			goto fail2;
 		}
 		if (!swap_reserve(mem_charged)) {
 			/*
@@ -904,7 +901,7 @@ fork1(struct thread *td, int flags, int pages, struct proc **procp,
 			 */
 			swap_reserve_force(mem_charged);
 			error = ENOMEM;
-			goto fail1;
+			goto fail2;
 		}
 	} else
 		vm2 = NULL;
@@ -913,7 +910,7 @@ fork1(struct thread *td, int flags, int pages, struct proc **procp,
 	 * XXX: This is ugly; when we copy resource usage, we need to bump
 	 *      per-cred resource counters.
 	 */
-	proc_set_cred(newproc, p1->p_ucred);
+	proc_set_cred_init(newproc, crhold(td->td_ucred));
 
 	/*
 	 * Initialize resource accounting for the child process.
@@ -974,6 +971,9 @@ fork1(struct thread *td, int flags, int pages, struct proc **procp,
 #endif
 	racct_proc_exit(newproc);
 fail1:
+	crfree(newproc->p_ucred);
+	newproc->p_ucred = NULL;
+fail2:
 	if (vm2 != NULL)
 		vmspace_free(vm2);
 	uma_zfree(proc_zone, newproc);
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 8235a1a..6d6a92f 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1957,8 +1957,19 @@ cred_update_thread(struct thread *td)
 }
 
 /*
+ * Set initial process credentials.
+ * Callers are responsible for providing the reference for provided credentials.
+ */
+void
+proc_set_cred_init(struct proc *p, struct ucred *newcred)
+{
+
+	p->p_ucred = newcred;
+}
+
+/*
  * Change process credentials.
- * Callers are responsible for providing the reference for current credentials
+ * Callers are responsible for providing the reference for passed credentials
  * and for freeing old ones.
  *
  * Process has to be locked except when it does not have credentials (as it
@@ -1971,9 +1982,10 @@ proc_set_cred(struct proc *p, struct ucred *newcred)
 {
 	struct ucred *oldcred;
 
+	MPASS(p->p_ucred != NULL);
 	if (newcred == NULL)
 		MPASS(p->p_state == PRS_ZOMBIE);
-	else if (p->p_ucred != NULL)
+	else
 		PROC_LOCK_ASSERT(p, MA_OWNED);
 
 	oldcred = p->p_ucred;
diff --git a/sys/kern/sched_4bsd.c b/sys/kern/sched_4bsd.c
index 676bd35..28ca5e1 100644
--- a/sys/kern/sched_4bsd.c
+++ b/sys/kern/sched_4bsd.c
@@ -1235,7 +1235,7 @@ sched_pickcpu(struct thread *td)
 
 	mtx_assert(&sched_lock, MA_OWNED);
 
-	if (THREAD_CAN_SCHED(td, td->td_lastcpu))
+	if (td->td_lastcpu != NOCPU && THREAD_CAN_SCHED(td, td->td_lastcpu))
 		best = td->td_lastcpu;
 	else
 		best = NOCPU;
diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h
index b3d6f52..cbc87be 100644
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@@ -106,6 +106,7 @@ struct ucred	*crcopysafe(struct proc *p, struct ucred *cr);
 struct ucred	*crdup(struct ucred *cr);
 void	crextend(struct ucred *cr, int n);
 void	cred_update_thread(struct thread *td);
+void	proc_set_cred_init(struct proc *p, struct ucred *cr);
 struct ucred	*proc_set_cred(struct proc *p, struct ucred *cr);
 void	crfree(struct ucred *cr);
 struct ucred	*crget(void);
diff --git a/usr.bin/grep/regex/glue.h b/usr.bin/grep/regex/glue.h
index 2fea4fd..0c54e98 100644
--- a/usr.bin/grep/regex/glue.h
+++ b/usr.bin/grep/regex/glue.h
@@ -50,7 +50,7 @@ typedef enum { STR_WIDE, STR_BYTE, STR_MBS, STR_USER } tre_str_type_t;
       if ((long long)pmatch[0].rm_eo - pmatch[0].rm_so < 0)		\
 	return REG_NOMATCH;						\
       ret = fn;								\
-      for (unsigned i = 0; (!(eflags & REG_NOSUB) && (i < nmatch)); i++)\
+      for (unsigned i = 0; (!preg->nosub && (i < nmatch)); i++)		\
 	{								\
 	  pmatch[i].rm_so += offset;					\
 	  pmatch[i].rm_eo += offset;					\
diff --git a/usr.bin/grep/regex/tre-fastmatch.c b/usr.bin/grep/regex/tre-fastmatch.c
index 0881c55..08e17c7 100644
--- a/usr.bin/grep/regex/tre-fastmatch.c
+++ b/usr.bin/grep/regex/tre-fastmatch.c
@@ -621,7 +621,7 @@ tre_compile_fast(fastmatch_t *fg, const tre_char_t *pat, size_t n,
 	  case TRE_CHAR('+'):
 	  case TRE_CHAR('?'):
 	    if ((cflags & REG_EXTENDED) && (i == 0))
-	      continue;
+	      goto badpat;
 	    else if ((cflags & REG_EXTENDED) ^ !escaped)
 	      STORE_CHAR;
 	    else
diff --git a/usr.bin/grep/util.c b/usr.bin/grep/util.c
index 3ec12fa..f3cf05f 100644
--- a/usr.bin/grep/util.c
+++ b/usr.bin/grep/util.c
@@ -336,7 +336,7 @@ procline(struct str *l, int nottext)
 		}
 
 		/* One pass if we are not recording matches */
-		if (!wflag && ((color == NULL && !oflag) || qflag || lflag))
+		if (!wflag && ((color == NULL && !oflag) || qflag || lflag || Lflag))
 			break;
 
 		if (st == (size_t)pmatch.rm_so)