sound: Fix panic caused by sleeping-channel destruction during asynchronous detach
Currently we are force-destroying all channels unconditionally in
pcm_killchan(). However, since asynchronous audio device detach is
possible as of 44e128fe9d92, if we do not check whether the channel is
sleeping or not and forcefully kill it, we will get a panic from
cv_timedwait_sig() (called from chn_sleep()), because it will try to use
a freed lock/cv.
Modify pcm_killchan() (renamed to pcm_killchans() since that's a more
appropriate name now) to loop through the channel list and destroy only
the channels that are awake, otherwise wake up the sleeping thread and
try again. This loop is repeated until all channels are awakened and
destroyed.
To reduce code duplication, implement chn_shutdown() which wakes up the
channel and sets CHN_F_DEAD, and use it in pcm_unregister() and
pcm_killchans().
Reported by: KASAN
Fixes: 44e128fe9d92 ("sound: Implement asynchronous device detach")
Sponsored by: The FreeBSD Foundation
MFC after: 1 day
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44923
sound: Fix NULL dereference in dsp_clone() and mixer_clone()
If we only have a single soundcard attached and we detach it right
before entering [dsp|mixer]_clone(), there is a chance pcm_unregister()
will have returned already, meaning it will have set snd_unit to -1, and
thus devclass_get_softc() will return NULL here.
While here, 1) move the calls to dsp_destroy_dev() and mixer_uninit()
below the point where we unset SD_F_REGISTERED, and 2) follow what
mixer_clone() does and make sure we don't use a NULL d->dsp_dev in
dsp_clone().
Reported by: KASAN
Sponsored by: The FreeBSD Foundation
MFC after: 1 day
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44924
Chris Moerz [Fri, 26 Apr 2024 18:23:13 +0000 (15:23 -0300)]
bhyve.8: Update and rearrange to improve readability
bhyve's man page is a very long block of text that has grown to
proportions that make it hard to read. In particular, the level of
nesting of various content means man can no longer render the text in a
user-friendly way.
To remedy this:
- move the -s argument documentation into a separate section and
reformat the various arguments so they are consistent
- add documentation on how to use the -o config.dump feature
- make the listing of various arguments more consistent
- consolidated duplicate listings of TPM backends
- add an example for the config.dump feature
- fix various formatting inconsistencies.
Rick Macklem [Sun, 28 Apr 2024 00:10:48 +0000 (17:10 -0700)]
nfscl: Clear out a lot of cruft related to B_DIRECT
There is only one place in the unpatched sources where B_DIRECT is
set in the NFS client and this code is never executed. As such, this patch
removes this code that is never executed, since B_DIRECT should never
be set.
During a IETF testing event this week, I saw a crash in ncl_doio_directwrite(),
but this function is only called if B_DIRECT is set.
I cannot explain how ncl_doio_directwrite() got called, but once this patch
was applied to the sources, the crash did not recur. This is not surprising,
since this patch deleted the function.
At least for HDSPe RayDAT cards, newer firmware comes with RME's own PCI
vendor id instead of the Xilinx one. Other HDSPe cards are probably also
affected. Update snd_hdspe(4) to recognize both the old Xilinx and the
new RME vendor ids.
Differential Revision: https://reviews.freebsd.org/D44978
MFC after: 1 day
Rick Macklem [Sat, 27 Apr 2024 00:55:24 +0000 (17:55 -0700)]
krpc: Ref cnt the client structures for TLS upcalls
A crash occurred during testing, where the client structures had
already been free'd when the upcall thread tried to lock them.
This patch acquires a reference count on both of the structures
and these are released when the upcall is done, so that the
structures cannot be free'd prematurely. This happened because
the testing is done over a very slow vpn.
Found during a IETF bakeathon testing event this week.
This patch introduces support for a conversion specification for
nanoseconds.
The format of %N is meant to be compatible with that of GNU date.
The nanoseconds conversion specification is implemented directly in
date(1) instead of libc (in strftime(3)) to avoid introducing
non-standard functions to libc at this time and modifying struct tm.
Apart from introducing the nanoseconds conversion specification, this
patch brings the following changes:
- The "ns" format for ISO 8061 dates is now unlocked. E.g., date -Ins
prints:
2024-04-22T12:20:28,763742224+02:00
- The -r flag when fed a file is now aware of the nanosecond part of the last
modification time.
- date(1) is now able to set the time with nanosecond precision. It is
not possible as of now to do that by specifying nanoseconds directly
via the command-line arguments. Instead, the -r flag can be used.
- date(1) is now using the clock_gettime(3) family of functions instead
of ctime(3) family of functions where possible.
Rick Macklem [Fri, 26 Apr 2024 03:58:21 +0000 (20:58 -0700)]
nfscl: Do not use nfso_own for delayed nfsrpc_doclose()
When an initial attempt to close an NFSv4 lock returns NFSERR_DELAY,
the open structure is put on a list for delayed closing. When this
is done, the nfso_own field is set to NULL, so it cannot be used by
nfsrpc_doclose().
Without this patch, the NFSv4 client can crash when a NFSv4 server
replies NFSERR_DELAY to a Close operation. Fortunately, most extant
NFSv4 servers do not do this. This patch avoids the crash for any
that do return NFSERR_DELAY for Close.
Found during a IETF bakeathon testing event this week.
Warner Losh [Thu, 25 Apr 2024 23:47:18 +0000 (17:47 -0600)]
nvmecontrol: Flesh out nvmecontrol format information
The format command takes a number of different parameters. Include a
brief summary of what the values mean, though since the driver's support
for metadata is at best weak, 0's are almost always used for values
other than -f format. Add an example that ties it all together.
This isn't actually packaged by the sysutils/rpi-firmware port, so we
cannot include it in the image. Fix the RPI release build until an
interested party adds it to the port and packages are available.
Brooks Davis [Thu, 25 Apr 2024 21:38:15 +0000 (22:38 +0100)]
Revert "config.mk: Add MK_VIMAGE knob"
This commit broke "make makeman" checks in github CI due to a lack of
option description files. The split between VIMAGE and VIMAGE_SUPPORT
is not clearly justified and the code is broken because there is no
opt_vimage.h (it's in opt_global.h).
Commit 196787f79e67 erroneously assumed that the client code for
Open/Claim_deleg_cur_FH was broken, but it was not.
It was actually wireshark that was broken and indicated
that the correct XDR was bogus.
This reverts the part of 196787f79e67 that changed the arguments for
Open/Claim_deleg_cur_FH.
Found during the IETF bakeathon testing event this week.
* In the setup phase, wait for the server to start (or fail to start)
before proceeding with the test. This makes it possible to write test
cases that don't expect a response from the server without ending up
in a race over the server PID file.
* After running each test, wait up to 30 seconds for the server to exit
and check that the exit status matches what the test case says to
expect (usually 0).
* We still kill and collect the server in the cleanup phase, in case the
test ended early.
Merge commit 0f329e0246d1 from llvm-project (by Dimitry Andric):
[sanitizer_symbolizer] Cast arguments for format strings in markup (#89815)
When compiling the common sanitizer libraries, there are many warnings
about format specifiers, similar to:
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup.cpp:31:32: warning: format specifies type 'void *' but the argument has type 'uptr' (aka 'unsigned long') [-Wformat]
31 | buffer->AppendF(kFormatData, DI->start);
| ~~~~~~~~~~~ ^~~~~~~~~
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup_constants.h:33:46: note: format string is defined here
33 | constexpr const char *kFormatData = "{{{data:%p}}}";
| ^~
| %lu
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup.cpp:46:43: warning: format specifies type 'void *' but the argument has type 'uptr' (aka 'unsigned long') [-Wformat]
46 | buffer->AppendF(kFormatFrame, frame_no, address);
| ~~~~~~~~~~~~ ^~~~~~~
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup_constants.h:36:48: note: format string is defined here
36 | constexpr const char *kFormatFrame = "{{{bt:%u:%p}}}";
| ^~
| %lu
...
This is because `uptr` is dependent on the platform, and can be either
`unsigned long long`, `unsigned long`, or `unsigned int`.
To fix the warnings, cast the arguments to the expected type of the
format strings.
It turns out that the old code was correct and it was wireshark
that was broken and indicated that the RPC's XDR was bogus.
Found during IETF bakeathon testing this week.
Skip building libclang_rt when WITHOUT_CLANG is used
As noted in bug 277096, when building a pkgbase repository using
WITHOUT_CROSS_COMPILER and WITHOUT_TOOLCHAIN (which sets WITHOUT_CLANG),
the following residual files are left over:
This is because the lib/libclang_rt directory is still descended into,
even if WITHOUT_CLANG is used. Fix it by not descending into the
libclang_rt directory in that case.
Mark Johnston [Thu, 25 Apr 2024 13:35:38 +0000 (09:35 -0400)]
kthread: Set *tdptr earlier in kproc_kthread_add()
See commit ae77041e0714 ("kthread: Set *newtdp earlier in
kthread_add1()") for details. That commit was incomplete since
g_init()'s first call to kproc_kthread_add() will cause
kproc_kthread_add() to take the `*procptr == NULL` branch, which avoids
kthread_create().
To ensure that the thread pointer is initialized before the thread
starts running, we have to start the kernel process with RFSTOPPED.
We could perhaps go further and use RFSTOPPED only when tdptr != NULL,
but it's probably better to have consistent behaviour.
sync.8: Document that the "sync dance" is not a thing
People still believe that it is essential to run sync(8) a couple of
times before a reboot/halt. Document that this has not been necessary
for a long time now.
Reviewed by: imp, bcr, Pau Amma <pauamma@gundo.com>
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D33233
accept_filter: return different errors for non-listener and a busy socket
The fact that an accept filter needs to be cleared first before setting to
a different one isn't properly documented. The requirement that the
socket needs already be listening, although trivial, isn't documented
either. At least return a more meaningful error than EINVAL for an
existing filter. Cover this with a test case.
Andrew Turner [Mon, 8 Apr 2024 10:44:33 +0000 (10:44 +0000)]
arm64: Check DMAP address is valid in PHYS_IN_DMAP
When checking if a physical address is in the DMAP region we assume
all physical addresses between DMAP_MIN_PHYSADDR and DMAP_MAX_PHYSADDR
are able to be accesses through the DMAP. It may be the case that
there is device memory in this range that shouldn't be accessed through
the DMAP mappings.
Add a check to PHYS_IN_DMAP that the translated virtual address is a
valid kernel address. To support code that already checks the address
is valid add PHYS_IN_DMAP_RANGE.
Andrew Turner [Mon, 15 Apr 2024 14:36:20 +0000 (14:36 +0000)]
arm64/vmm: Ensure the tlbi has completed
Ensure the TLB is invalidated before enabling the EL2 MMU. Without
this the TLB may be in an inconsistant state leading to a possible
exception when enabling the MMU.
Add a new kdc_restart rc variable that manages kdc (or krb5kdc) under
daemon(8). This automatically restarts the kdc should it fail, i.e.
when it's configured to use LDAP as a backend and cannot connect to its
LDAP directory.
Set kdc_restart="YES" to auto restart kdc on abnormal termination.
Set kdc_restart_delay="N" to the number of seconds to delay before
restarting the kdc. The daemon(8) default seconds applies when not set.
This is a smaller version of upstream 1fafd968b48e5cea6c85f126d77071a8de707a55 to address the
issue that less not being able to operate on files
residing in pseudo-filesystems that advertize a zero
size value.
Warner Losh [Wed, 24 Apr 2024 03:18:00 +0000 (21:18 -0600)]
Revert "swapon: Do not overwrite Linux swap header"
This reverts commit cf04a7775a4e8ff6fd28c768be9daa3d83dd382e.This is
broken on armv7, and closer scrutiny of the reviews shows I was in error
when I thought it was ready.
The CAPFAIL tracepoint was recently extended to report ECAPMODE
capability violations for processes that do not enter capability mode.
This allows developers that are interested in Capsicumizing their
programs to determine where violations are being raised.
Previously, CAPFAIL only produced output for processes using Capsicum(4)
capabilties. Thus, most ktrace users never received log output from the
trace point. With the recent changes, this is no longer the case.
Having this trace point enabled by default will produce output for all
processes that use syscalls that are not permitted in capability mode.
This may lead to confusion for users that are not familiar with the
feature. Remove KTRFAC_CAPFAIL from ktrace's default points to avoid
this.
bsdinstall/distfetch.c: check environment variables before downloading and handle memory allocation errors
1. Currently, distfetch checks environment variables existence
when it will use them or in a case (in chdir()) it doesn't check
at all. As they are necessary to set before doing anything with
it, check them, if they set or not, before proceeding any further.
This also avoids extra cleaning when that environment variable
isn't set.
2. Handle memory allocation error in malloc(PATH_MAX) and replace
(sizeof const char *) with (sizeof char *). Both are similar and
const doesn't have a size.
The new sys/conf/std.debug contains the list of debugging options
enabled by default in -CURRENT, so they don't need to be listed
individually in every kernel config.
The enabled options are the set of all debug options which were enabled
for the GENERIC kernel on any platform. This means some architectures
now have debugging options enabled in GENERIC which weren't previously
enabled:
[1] ALT_BREAK_TO_DEBUGGER is now enabled.
[2] BUF_TRACKING, FULL_BUF_TRACKING, and QUEUE_MACRO_DEBUG_TRASH are now
enabled.
[3] DEADLKRES is now enabled.
While here, move the documentation for the (commented out) K*SAN options
for amd64 from GENERIC to NOTES.
HP van Braam [Tue, 23 Apr 2024 20:47:12 +0000 (14:47 -0600)]
ahc(4)/ahd(4): target mode: cancel outstanding AIOs and INOTs
When disabling a lun there can still be outstanding AIOs and INOTs, when
this happens previously the lun would just fail to disable and trying to
re-use the lun would break the card.
isp(4) in target mode does the same thing when disabling a lun, in
testing this allows re-starting of ctld(8) with connected initiators and
allows initiators to gracefully resume afterwards.
Signed-off-by: HP van Braam <hp@tmm.cx>
Reviewed by: imp, mav
Pull Request: https://github.com/freebsd/freebsd-src/pull/1190
Karl Tomlinson [Tue, 23 Apr 2024 18:18:25 +0000 (12:18 -0600)]
pow,powf(3),__ieee754_rem_pio2(f): Avoid negative integer left shift UB
A compiler clever enough to know that z is positive with a non-zero
biased exponent could, for example, optimize away the scalbnf(z,n) in
pow() because behavior for left shift of negative values is undefined.
`n` is negative when y*log2(|x|) < -0.5. i.e. |x^y| < sqrt(0.5)
The intended behavior for operator<< in this code is to shift the two's
complement representation of the first operand.
In the pow() functions, the result is added to the IEEE 754 exponent of
z = 2^y'. n may be negative enough to underflow the biased IEEE 754
exponent below zero, which is manifested in the sign bit of j
(which would correspond to the IEEE 754 sign bit).
The conversion from uint32_t to int32_t for out-of-int32_t-range values
is implementation defined. The assumed behavior of interpreting the
uint32_t value as a two's complement representation of a signed value
is already assumed in many parts of the code, such as uses of
GET_FLOAT_WORD() with signed integers.
This code passes all the current tests, and makes some out of tree
fuzzing tests pass again rather than hit UB (detailed in the commentary
of the pull request).
Signed-off-by: Karl Tomlinson <karlt+@karlt.net>
Reviewed by: imp, steve kargl, dim
Pull Request: https://github.com/freebsd/freebsd-src/pull/1137
__vprintf(): switch from strerror() to strerror_rl()
This eliminates the use of non-thread-safe function in printf*() family,
and make the call locale-aware. Also, it stops obliterating the
strerror() static buffer, which aligns with the POSIX requirement that
implementations must behave as if no standard-mandated functions call
strerror().
PR: 278556
Reported by: Jonathan Gruber <jonathan.gruber.jg@gmail.com>
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D44916
Mark Johnston [Tue, 23 Apr 2024 16:51:03 +0000 (12:51 -0400)]
nfsserver: Default to nfs_reserved_port_only="YES"
This setting causes the NFS server to check that all RPCs are sent from
a privileged (<= 1023) port, rejecting those that are not. This
slightly raises the bar for a user with network access to an
unauthenticated NFS server to access exported NFS filesystems.
Users that use traditional NFS clients (e.g., those provided by FreeBSD
or Linux) should not see any difference, assuming that unprivileged
filesystem mounting is disallowed.
Note that the setting is per-VNET, so may be overridden in VNET jails
without affecting the rest of the system.
Discussed with: freebsd-arch@
Reviewed by: rmacklem, bz, emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D44906
sigqueue(2): add impl-specific flag __SIGQUEUE_TID
The flag allows the pid argument to designate a thread from the calling
process. The flag value is carved from the high bit of the signal
number, which slightly changes the ABI of syscall.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D44867