After reverting my earlier fix (which I don't intend to MFC and by which I was distracted by the "optimization" of reusing the existing buffer), this fixes pfctl for me on CHERI. In effect, it makes Igor's original commit just add the missing 'nw->size = new_size'. I think that probably explains both of the issues Igor noted in the original commit log. The buffer overflows were caused by nw->offset exceeding nw->size and eventually the realloc'd buffer was simply too small as it was only 'nw->size + <size of current object needed>' which could easily be smaller than 'nw->offset' once you've appended a few things larger than the initial buffer size.

Hmmm, I wonder if 0 is the right thing vs something like 0xdeadc0de. We have a few explicit IVAR handlers that intentionally return a default value (e.g. acpi_get_handle()) and those do tend to be zero (and in those cases we don't KASSERT). I have a patch in a branch to add a new one like that for ThunderBolt PCI bridges even. 0 is probably fine as a default, but @imp might also have an opinion.

In D54051#1234938, @olce wrote:

There is an occurrence of "swapper" in sys/vm/vnode_pager.c that seems to also point to the swapper process.

Use ruxreset

Add to OptionalObsoleteFiles.inc

FYI, submitter of the bug report tried this out and it fixed their issue.

More const

Use ?=

Trim #if 0'd code

Use void *

Well, this isn't a generated stub so using void * could be ok, OTOH, it is now always passed something like wcred->cr_label in which case it is typed (though user_setcred intentionally discards that type) and it might be nice to keep what type checking you do get there (so that for internal APIs a compat user pointer is always treated as the native user pointer). Most places where we deal with user pointers though they are just one type and not polymorphic as in this case. Globally changing all user pointers would definitely be a net negative, but using void * here is probably fine.

In CheriBSD we have a second import of ZFS (with various CHERI patches applied) which is why we benefit from having a single definition of this variable, but I think the cleanup of using ZFSTOP more widely is nice regardless as it makes several long lines a bit shorter.

Rebase

Rebase

In D53296#1227854, @imp wrote:

I've thought about this. And maybe we'd be better off always aligning to a page. It's going to be a large allocation and it will be multiple pages and likely the size is a multiple of pages. It would make the most sense to use full pages, no?

This is exactly what I envisioned for an EN-style fix.

Hmmm, I wonder if what might be better is to rework the existing apm.4 manpage to say it is an interface (instead of a driver), but not merge all its content over into acpi.4. It's more that this is a way to describe an API than a device driver. There would be no real SYNOPSIS in this case in the classic sense (we don't really have a model for a SYNOPSIS for something that is an abstract interface as opposed to a foo.ko you can load). That is, you would take the existing apm.4, and make the following changes:

This is the important fix. The two prior changes are cleanups, but are pretty small. If you wanted to do an EN for 15.0, you could fix the size in the existing memcpy() to use __rangeof(), but this particular sort of bug is why we generally don't use memcpy() for this sort of thing.