Bjoern A. Zeeb [Tue, 7 Jan 2020 16:54:43 +0000 (16:54 +0000)]
MFC r354639:
netstat: igmp stats, error on unexpected information, not only warn
The igmp stats tend to print two lines of warning for an unexpected
version and length. Despite an invalid version and struct size it
continues to try to do something with the data. Do not try to parse
the remainder of the struct and error on warning.
Note the underlying issue of the data not being available properly
is still there and needs to be fixed seperately.
Bjoern A. Zeeb [Tue, 7 Jan 2020 16:49:50 +0000 (16:49 +0000)]
MFC r354416:
m_pulldown(): Change an if () panic() into a KASSERT().
If we pass in a NULL mbuf to m_pulldown() we are in a bad situation
already. There is no point in doing that check for production code.
Change the if () panic() into a KASSERT.
Bjoern A. Zeeb [Tue, 7 Jan 2020 16:47:25 +0000 (16:47 +0000)]
MFC r351329:
gprof: disable building of a.out components
On arm64, riscv, and s390x disable building of aout components.
This allows gprof to build on these architectures which never supported
the legacy a.out binary format.
Note: there might be more work needed for arm64 or risv and the MACHINE_
checks are based on what was use elsewhere in the tree at that time. Other
will fix these parts with follow-up work.
Alexander Motin [Mon, 6 Jan 2020 01:12:15 +0000 (01:12 +0000)]
MFC r356042: Make pass(4) handle misaligned buffers of MAXPHYS size.
Since we are already using malloc()+copyin()/copyout() for smaller data
blocks, and since new asynchronous API does it always, I see no reason
to keep this ugly artificial size/alignment limitation in old API.
Tape applications suffer enough from the MAXPHYS limitations by itself,
and additional alignment requirement, often halving effectively usable
block size, does not help.
It would be good to use unmapped I/O here instead, but it require some
HBA drivers polishing first to support non-BIO unmapped buffers.
Kyle Evans [Sun, 5 Jan 2020 21:35:02 +0000 (21:35 +0000)]
MFC further inetd(8) cleanup: r356204, r356215, r356217-r356218,
r356246-r356248, r356254, r356318
r356204:
inetd: don't leak `policy` on return
sep->se_policy gets a strdup'd version of policy, so we don't need it to
stick around afterwards.
While here, remove a couple of NULL checks prior to free(policy).
r356215:
inetd: knock out some clang analyze warnings
chargen_dg: clang-analyze is convinced that endring could be non-NULL at
entry, and thus wants to assume that rs == NULL. Just independently
initialize rs if it's NULL to appease the analyzer.
getconfigent: policy leaks on return
free_connlist: reorganize the loop to make it clear that we're not going to
access `conn` after it's been freed.
cpmip/hashval: left-shifts performed will result in UB as we take
signed 0xABC3D20F and left shift it by 5.
r356217:
inetd: prefer strtonum(3) to strspn(3)+atoi(3), NFC
strtonum(3) does effectively the same validation as we had, but it's more
concise.
r356218:
inetd: prefer strlcpy to strlen(3) check + strcpy(3), NFC
This is again functionally equivalent but more concise.
r356246:
inetd: add some macros for checking child limits, NFC
The main point here is capturing the maxchild > 0 check. A future change to
inetd will start tracking all of the child pids so that it can give proper
and consistent notification of process exit/signalling.
r356247:
inetd: track all child pids, regardless of maxchild spec
Currently, child pids are only tracked if maxchildren is specified. As a
consequence, without a maxchild limit we do not get a notice in syslog on
children aborting abnormally. This turns out to be a great debugging aide at
times.
Children are now tracked in a LIST; the management interface is decidedly
less painful when there's no upper bound on the number of entries we may
have at the cost of one small allocation per connection.
r356248:
inetd: convert remaining bzero(3) to memset(3), NFC
This change is purely in the name of noise reduction from static analyzers
that want to complain that bzero(3) is obsolete in favor of memset(3).
With this, clang-analyze at least is now noise free. WARNS= 6 also appears
to have been OK for some time now, so drop the current setting and opt for
the default.
r356254:
inetd: final round of trivial cleanup, NFC
Highlights:
- Use MAX() for maxsock raising; small readability improvement IMO
- malloc(3) + memset(3) -> calloc(3) where appropriate
- stop casting the return value of malloc(3)
- mallloc(3) -> reallocarray(3) where appropriate
A future change may enter capability mode when forking for some of the
built-in handlers.
r356318:
inetd: fix WITHOUT_TCP_WRAPPERS build after r356248
After increasing WARNS, building WITHOUT_TCP_WRAPPERS failed because of
some unused variables.
Eric Joyner [Thu, 2 Jan 2020 23:16:27 +0000 (23:16 +0000)]
MFC r354977: bitstring: add functions to find contiguous set/unset bit sequences
This MFC also includes extra commits that improve on the original:
r355032: bitstring: Fix error messages in tests for area functions
r355377: Improve bit_ffc_area and bit_ffs_area_at implementation
r355400: bitstring: avoid gcc -Wsign-compare
Ian Lepore [Thu, 2 Jan 2020 19:52:01 +0000 (19:52 +0000)]
MFC r347828 (by cem):
xdma(4): Fix invalid pointer use (breaks arm.SOCFPGA build)
In xdma_handle_mem_node(), vmem_size_t and vmem_addr_t pointers were passed to
an FDT API that emits u_long values to the output parameter pointer. This
broke on systems with both xdma and 32-bit vmem size/addr types (SOCFPGA).
Rick Macklem [Tue, 31 Dec 2019 18:10:34 +0000 (18:10 +0000)]
MFC: r356066
Fix nfsmount() so that it will return NFSERR_MINORVERMISMATCH.
If nfsrpc_getdirpath() returns NFSERR_MINORVERMISMATCH, it would erroneously
get mapped to EIO. This was not particularily harmful, but would make it
hard for sysadmins to diagnose why an NFSv4 mount is failing.
mount_nfs.c still needs to be fixed so that it does not report
NFSERR_MINORVERMISMATCH as an unknown error 10021.
Kyle Evans [Mon, 30 Dec 2019 00:16:58 +0000 (00:16 +0000)]
MFC r356103: cron(8): use proper variable to determine mailer process status
While the mailer is normally opened/set if the mailto is set, this is not
the case if the grandchild actually didn't produce any output. This change
corrects the situation to only attempt to kill/close the mail process if it
was actually opened in the first place.
The reporter initially stumbled on the -n (suppress mail on success) flag
leading to a SIGKILL of the process group, but simultaneously
discovered/reported the behavior with !-n jobs if MAILTO was set and no
output happened.
All of these places that are checking mailto should actually be checking
whether mail is set, so do that for consistency+correctness.
Rick Macklem [Sun, 29 Dec 2019 23:48:48 +0000 (23:48 +0000)]
MFC: r355509
Fix kernel handling of a NFSERR_MINORVERSMISMATCH NFSv4 server reply.
When an NFSv4 server replies NFSERR_MINORVERSMISMATCH, it does not generate
a status result for the first operation in the compound. Without this
patch, this will result in a bogus EBADXDR error return.
Returning EBADXDR is relatively harmless, but a correct reply of
NFSERR_MINORVERSMISMATCH is needed by the pNFS client to select the correct
minor version to use for a File Layout DS now that there can be NFSv4.2
DS servers.
mount_nfs.c still needs to be fixed for this, although how the mount fails
is only useful to help sysadmins isolate why a mount fails.
Found during testing of the NFSv4.2 client and server.
Rick Macklem [Sat, 28 Dec 2019 22:24:16 +0000 (22:24 +0000)]
MFC: r355194
Fix two races while handling nfsuserd daemon start/stop.
A crash was reported where the nr_client field was NULL during an upcall
to the nfsuserd daemon. Since nr_client == NULL only occurs when the
nfsuserd daemon is being shut down, it appeared to be caused by a race
between doing an upcall and the daemon shutting down.
By inspection two races were identified:
1 - The nfsrv_nfsuserd variable is used to indicate whether or not the
daemon is running. However it did not handle the intermediate phase
where the daemon is starting or stopping.
This was fixed by making nfsrv_nfsuserd tri-state and having the
functions that are called during start/stop to obey the intermediate
state.
2 - nfsrv_nfsuserd was checked to see that the daemon was running at
the beginning of an upcall, but nothing prevented the daemon from
being shut down while an upcall was still in progress.
This race probably caused the crash.
The patch fixes this by adding a count of upcalls in progress and
having the shut down function delay until this count goes to zero
before getting rid of nr_client and related data used by an upcall.
Kyle Evans [Fri, 27 Dec 2019 03:00:18 +0000 (03:00 +0000)]
MFC r355936, r356045: remove unused kbd drivers
r355936:
Kill off dummy kbd drivers
As far as I can tell, these are an artifact of times when linker sets
couldn't be empty, otherwise the kernel build would fail due to unresolved
symbols. hselasky fixed this in r268138, and I've audited the kbd portions
to make sure nothing would blow up due to the empty linker set and
successfully compiled+ran a kernel with no keyboard support at all.
Kill them off now since they're no longer required.
r356045:
terasic_mtl: kill off final dummy keyboard driver
The rest were removed in r355936, which speculated that the cause of this
phenomenon was due to an inability to have an empty linker set. The comment
included with this one shows that this was, in fact, not the reason.
Regardless, syscons no longer seems to have an issue with not having any
keyboard drivers and in-fact ignores the keyboard probe anyways.
MFC r355650:
Follow RFC 4443 p2.2 and always use own addresses for reflected ICMPv6
datagrams.
Previously destination address from original datagram was used. That
looked confusing, especially in the traceroute6 output.
Also honor IPSTEALTH kernel option and do TTL/HLIM decrementing only
when stealth mode is disabled.
Reported by: Marco van Tol <marco at tols org>
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D22631
Put sections into expected offset in binary format.
Calculate binary file offset using address field, bacause software know only offset to known data, not where to load segment.
With that patch, kernel .data section can have any alignment/offset - kernel boor fine.
With absolutely no keyboards attached and no kbdmux in kernel, we descend
down this error path. 0 is a valid keyboard index, so leaving
vd->vd_keyboard at 0 when there's no keyboard found is objectively wrong as
later attachment of a keyboard will fail -- it gets index 0, and vt thinks
it's already using that keyboard.
This is decidedly the corniest of corner cases, but it's easy enough to get
correct that we should do so.
Tested in a kernel without atkbdc, atkbd, psm, kbdmux, ukbd, hyperv then
loading ukbd post-boot and attaching a usb keyboard.
Rework tcpopts_parse() to be more strict. Use const pointer. Add length
checks for specific TCP options. The main purpose of the change is
avoiding of possible out of mbuf's data access.
Toomas Soome [Sun, 22 Dec 2019 20:36:57 +0000 (20:36 +0000)]
MFC r355844:
loader.efi: efi_readkey_ex needs to key despite the shift status or toggle status
From UEFI specification 2.8, page 434:
"It should also be noted that certain input devices may not be able to produce
shift or toggle state information, and in those cases the high order bit in
the respective Toggle and Shift state fields should not be active."
But we still need to check for ScanCode and UnicodeChar.
Ian Lepore [Sun, 22 Dec 2019 20:34:15 +0000 (20:34 +0000)]
MFC r355777:
Support --all-repeats in uniq(1) for compatibility with gnu coreutils.
This adds a new -D/--all-repeats option to uniq(1), which outputs each copy
of any repeated lines (as opposed to a single copy of a repeated line). You
can specify a separator option to output a blank line before or after each
group of repeated lines. This adds compatibility with the GNU coreutils
version of uniq(1).
This change also re-groups the -c, -d, -D, -u options in the usage display
and man page to indicate that they are mutally exclusive of each other. This
matches the posix/opengroup definition of uniq(1) command line args. Note
that this change does NOT actually enforce the mutual exclusion in the code,
for now, it simply documents that the arguments should be considered
exclusive with each other.
Ian Lepore [Sun, 22 Dec 2019 20:04:35 +0000 (20:04 +0000)]
MFC r355688:
If device_delete_children() returns an error, bail on the rest of the
detach work and return the error. Especially don't call iicbus_reset()
since the most likely cause of failing to detach children is that one
of them has IO in progress.
Ian Lepore [Sun, 22 Dec 2019 19:30:13 +0000 (19:30 +0000)]
MFC r355598, r355727, r355735, r355858
r355598:
Do not attach children of owc_gpiobus until interrupts are working.
The children of the bus need to do IO on the bus to probe for hardware
presence. Doing IO means timing the bus states using sbinuptime(), and
that requires working timecounters, which are not initialized until after
device attachment has completed.
PR: 242526
r355727 (by imp):
Create new wrapper function: bus_delayed_attach_children()
Delay the attachment of children, when requested, until after interrutps are
running. This is often needed to allow children to run transactions on i2c or
spi busses. It's a common enough idiom that it will be useful to have its own
wrapper.
Reviewed by: ian
Differential Revision: https://reviews.freebsd.org/D21465
r355735 (by imp):
Be consistent about checking return value from bus_delayed_attach_children.
Most places checked, but a couple last minute changes didn't. Make them all use
the return value.
Noticed by: rpokala@
r355858:
Update owc_gpiobus (one-wire over gpio) to the modern gpio_pin interface.
It used to be required that a device be a child of gpiobus(4) to manipulate
gpio pins. That requirement didn't work well for FDT-based systems with many
cross-hierarchy users of gpio, so a more modern framework was created that
removed the old hierarchy requirement.
These changes adapt the owc_gpiobus driver to use the newer gpio_pin_*
functions to acquire, release, and manipulate gpio pins. This allows a
single driver to work for both hinted-attachment and fdt-based systems, and
removes the requirement that any one-wire fdt nodes must appear at the root
of the devicetree.
Kyle Evans [Sun, 22 Dec 2019 19:06:45 +0000 (19:06 +0000)]
MFC r355206, r355212, r355257, r355271: tty nits
r355206: tty_pts: don't rely on tty header pollution for sys/mutex.h
r355212: tty_rel_gone: add locking assertion
r355257: usb: remove some extraneous tty.h includes
r355271: Remove more needless <sys/tty.h> includes
Ian Lepore [Sun, 22 Dec 2019 18:55:09 +0000 (18:55 +0000)]
MFC r355572:
Allow baud rates of 1,228,800 and 1,843,200 on CP2101/2/3 usb-serial adapters.
The datasheets for these chips claim the maximum is 921,600, but testing
shows these two higher rates also work (but no rates above 921,600 other
than these two work; these represent dividing the base buad clock by 3 and 2
respectively).
r355467:
Implement bus_rescan for gpiobus(4). This allows on-the-fly reconfiguration
of gpio devices by using kenv to add hints for a new device and then do
'devctl rescan gpiobus4' to make the new device(s) attach.
It's not particularly easy to detect whether the 'at' hint has been deleted
for a child device that's currently attached, so this doesn't handle that.
But the user can use devctl commands to manually detach an existing device.
r355499:
Add module build stuff for gpioths(4), a driver for DHT11/DHT22 sensors.
r355531:
Several small fixes for the gpioths (temp/humidity sensor) driver.
At the end of a read cycle, set the gpio pin to INPUT rather than OUTPUT.
The state of the single-wire "bus" when idle should be high; setting the
pin to input allows the external pullup to pull the line high. Setting it
to output (and leaving it driving low) was leading a good read cycle followed
by one that would fail, and it just continued like that forever, effectively
reading the sensor once every 10 seconds instead of 5.
In the attach function, do an initial read from the device before registering
the sysctls for accessing the last-read values, to prevent reading spurious
values for the first 5 seconds after the driver attaches.
Do a callout_drain() in the detach function to prevent crashes after
unloading the module.
r355532:
Simplify sysctl stuff in the gpioths driver. There is no need to use local
functions to handle the sysctls, they all just access simple readonly
integer variables. There's no need to track the oids of the ones we add,
since the teardown is done by newbus code, not the driver itself.
Also remove the DDB code, because it just provides access to the same data
that the sysctls already provide.
r355533:
Add support for more chips to the gpioths driver.
Previously the driver supported the DHT11 sensor. Now it supports
DHT11, DHT12, DHT21, DHT22, AM3201, AM3202.
All these chips are similar, differing primarily in supported temperature
and humidity ranges and accuracy (and, presumably, cost). There are two
basic data formats reported by the various chips, and it is possible to
figure out at runtime which format to use for decoding the data based on
the range of values in a single byte of the humidity measurement. (which
is detailed in a comment block, so I won't recapitulate it here).
r355535:
Add a MODULE_DEPEND() for the gpioths driver. Also, note that the prior commit
changed the sysctl format for the temperature from "I" to "IK", and
correspondingly changed the units from integer degrees C to decikelvin.
For access via sysctl(8) the output will be the same except that now
decimal fractions will be shown when available.
r355540:
Add FDT support to the gpioths driver. It now uses the newer gpio_pin_*()
API and can attach based on either hints or fdt data.
r355548:
Add a man page for the gpioths(4) driver.
r355549:
Add myself to the copyright list. Also add an SPDX tag. And finally, fix
a missing word and a spelling error in a comment.
r355550:
Paste things correctly so that I'm added to the *end* of the copyright list.
r355551:
Connect the gpioths(4) manpage to the build.
r355565:
Switch gpioths(4) from using a callout to a taskqueue for periodic polling
of the sensor hardware. Part of the polling process involves signalling
the chip then waiting 20 milliseconds. This was being done with DELAY(),
which is a pretty rude thing to do in a callout. Now a taskqueue_thread
task is scheduled to do the polling, and because sleeping is allowed in
the task context, pause_sbt() replaces DELAY() for the 20ms wait.
Ian Lepore [Sun, 22 Dec 2019 17:57:59 +0000 (17:57 +0000)]
MFC r355100:
Allow opt-out of automatic ntpd leapfile checking/fetching.
When a system has no internet connection, or when it is configured to obtain
ntpd leapfiles from some source other than the internet, or even when the
sysadmin has decided for some reason to customize ntp.conf to eliminate use
of the leapfile, the rc.d/ntpd script emits various error messages related
to the file.
This change allows setting the rc var ntp_db_leapfile to NONE to disable all
automatic processing related to that file in rc.d/ntpd.
Kyle Evans [Sun, 22 Dec 2019 17:15:48 +0000 (17:15 +0000)]
MFC r355796-r355797, r355799: kbd: defaults for get_fkeystr/diag
The genkbd version of these remains exposed for stable branches, but
keyboard drivers that just want to use the defaults can simply not provide
their own. There shouldn't be any unset in the wild.
r355796:
kbd: provide default implementations of get_fkeystr/diag
Most keyboard drivers are using the genkbd implementations as it is;
formally use them for any that aren't set.
This file was missed in r355796, but no harm would have come from this.
r355799:
kbd: patch linker set methods, too
This is needed after r355796. Some double-registration of kbd drivers needs
to be sorted out, then this sysinit will simply add these drivers into the
normal list and kill off any other bits in the driver that are aware of the
linker set, for simplicity.
Kyle Evans [Sun, 22 Dec 2019 17:04:16 +0000 (17:04 +0000)]
Fix kbdd_diag definition
This is a direct commit to stable branches as these have been converted to
inline functions in head, which will likely not get MFC'd due to limited
utility -- follow up locking assertions likely cannot be done in stable
branches.
The use of 'level' in the macro definition was truncated to 'leve', which
makes the macro unusable.
loader: we do not support booting from pool with log device
loader: factor out label and uberblock load from vdev_probe, add MMP checks
loader: populate nvl with data even when label_txg is 0
loader: clean up the noise around log device
loader: memory leak in vdev_label_read_config()
loader: zfsimpl.c cstyle cleanup
loader: rewrite zfs vdev initialization
In some cases the pool discovery will get stuck in infinite loop while setting
up the vdev children.
To fix, we split the vdev setup into two parts, first we create vdevs based on
configuration we do get from pool label, then, we process pool config from MOS
and update the pool config if needed.
This patch bundle is work leading to and including fix for issue when
in some cases the pool configuration build does end up in infinite loop.
Pedro F. Giffuni [Sat, 21 Dec 2019 02:40:40 +0000 (02:40 +0000)]
MFC r355828:
Double the size of ARG_MAX on LP64 platforms.
As modern software keeps growing in size, we get requests to update the
value of ARG_MAX in order to link the resulting object files. Other OSs
have much higher values but increasiong ARG_MAX has a multiplied effect on
KVA, so just bumping this value is dangerous in some archs like ARM32 that
can exhaust KVA rather easily.
While it would be better to have a unique value for all archs, other OSs
(Illumos in particular) can have different ARG_MAX limits depending on the
platform, For now we want to be really conservative so we are avoidng
the change on ILP32 and in the alternative case we only double it since that
seems to work well enough for recent Code Aster.
Rick Macklem [Fri, 20 Dec 2019 22:53:23 +0000 (22:53 +0000)]
MFC: r355157, r355161
Add a cap on credential lifetime for Kerberized NFS.
The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
to the lifetime of the Kerberos ticket, which is typically several hours.
As such, when a user's credentials change such as being added to a new group,
it can take several hours for this change to be recognized by the NFS server.
This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
by a sysadmin to put a cap on the time to expire for the credentials, so that
a sysadmin can reduce the timeout.
It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
is returned for a lifetime. This has no effect in practice, since Kerberos
never does this.
Brooks Davis [Fri, 20 Dec 2019 22:07:05 +0000 (22:07 +0000)]
MFC r355830:
Avoid a tautological bitwise compare.
This looks like a bit of debugging code that sliped into the initial
import of the sos@ ATA framework. This changes the behavior to omit a
line of output that appears to have been intended for omission.
Toomas Soome [Fri, 20 Dec 2019 07:40:28 +0000 (07:40 +0000)]
MFC r355713:
loader: cd9660_open() warn: is 'buf' large enough for 'struct iso_primary_descriptor'?
We do allocate amount of memory (void * or char *), and then assign this
buffer to struct iso_primary_descriptor *vd. Make sure we do
allocate enough bytes.
In fact we do allocate enough, but it is good idea to make sure this really
is so.
Kyle Evans [Thu, 19 Dec 2019 02:29:15 +0000 (02:29 +0000)]
MFC r339955, r355590: sed test fix + \r, \n, \t
r339955:
usr.bin/sed/tests: fix one of the regression test cases by adding its
results file to the build.
r355590:
sed: process \r, \n, and \t
This is both reasonable and a common GNUism that a lot of ported software
expects.
Universally process \r, \n, and \t into carriage return, newline, and tab
respectively. Newline still doesn't function in contexts where it can't
(e.g. BRE), but we process it anyways rather than passing
UB \n (escaped ordinary) through to the underlying regex engine.
Adding a --posix flag to disable these was considered, but sed.1 already
declares this version of sed a super-set of POSIX specification and this
behavior is the most likely expected when one attempts to use one of these
escape sequences in pattern space.
This differs from pre-r197362 behavior in that we now honor the three
arguably most common escape sequences used with sed(1) and we do so outside
of character classes, too.
Other escape sequences, like \s and \S, will come later when GNU extensions
are added to libregex; sed will likely link against libregex by default,
since the GNU extensions tend to be fairly un-intrusive.
Kyle Evans [Thu, 19 Dec 2019 02:09:16 +0000 (02:09 +0000)]
Add sigsetop extensions commonly found in musl libc and glibc
These functions (sigandset, sigisemptyset, sigorset) are commonly available
in at least musl libc and glibc; sigorset, at least, has proven quite useful
in qemu-bsd-user work for tracking the current process signal mask in a more
self-documenting/aesthetically pleasing manner.
Kyle Evans [Thu, 19 Dec 2019 02:05:48 +0000 (02:05 +0000)]
stand: liblua: drop default buffer size to 128
Lua allocates LUAL_BUFFERSIZE buffers on the stack for various string
functions (string.format, string.gsub) -- this works out to be somewhat
significant and not necessary, based on how we use string operations.
Dropping it risks having to allocate per call to format/gsub, but this is
not the case for our usage. This simply stops allocating 8K buffers on the
stack when luaL_Buffer is used.
Kyle Evans [Thu, 19 Dec 2019 02:04:40 +0000 (02:04 +0000)]
usr.sbin/ntp: don't emit versions w/ make -s
<sys.mk> defines ECHO=echo when not using make -s, and ECHO=true when using
make -s.
export ECHO for ntp products and use it in the mkver script to echo the
version. This suppresses the output as appropriate. ECHO is given a default
value to make sure things still work as expected for anyone that isn't
redefining ECHO.
Alexander Motin [Thu, 19 Dec 2019 01:34:34 +0000 (01:34 +0000)]
MFC r355451: Remove some branching from GEOM_DISK hot path.
pp->private just can not be NULL in those places.
In g_disk_start() and g_disk_ioctl() both dp != NULL and !dp->d_destroyed
should always be true if disk_gone() and disk_destroy() are used properly,
since GEOM does not send requests to errored providers. If the protocol is
not followed, then no amount of additional checks here give real safety.
In g_disk_access() though the checks are useful, since GEOM blocks only
new opens for errored providers, but allows closes. It should not happen
if disk_gone() and disk_destroy() are used properly, but may otherwise.
To improve cases when disk_gone() is not used, call it from disk_destroy().
It does not give full guaranties, but it errors the provider and makes
GEOM block unwanted requests at least after some race.
Alexander Motin [Thu, 19 Dec 2019 01:32:15 +0000 (01:32 +0000)]
MFC r355438: Block ioctls for dying GEOM_DEV instances.
For normal I/Os consumer and provider statuses are checked by g_io_check().
But ioctl calls often do not go through it, being dispatched directly. This
change makes their semantics more alike, protecting lower levels.