Ed Maste [Mon, 28 Mar 2022 13:33:54 +0000 (09:33 -0400)]
mpr/mps/mpt: verify cfg page ioctl lengths
*_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
buffer of a caller-specified size, but copied to it a fixed size header.
Add checks that the size is at least the required minimum.
Note that the device nodes are owned by root:operator with 0640
permissions so the ioctls are not available to unprivileged users.
This change includes suggestions from scottl, markj and mav.
Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
Same issue found in mpr and mps after discussion with imp.
Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
Reviewed by: imp, mav
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34692
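
The length check described in the commit above, as an added example rather than the FreeBSD driver code. `cfg_hdr`, `cfg_req` and the function names are hypothetical stand-ins, `memcpy` models `copyin()`, and the sample header is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a driver's config page header and ioctl argument. */
struct cfg_hdr { uint8_t version, length, number, type; };
struct cfg_req { const void *ubuf; uint32_t len; };

/* Constructed sample header that the caller's buffer points at. */
static const struct cfg_hdr sample_hdr = { 1, 4, 2, 0x09 };

/* Unchecked pattern: allocation sized by the caller, copy sized by the header.
 * With len < sizeof(struct cfg_hdr) the first memcpy writes past the buffer. */
int
cfg_page_unchecked(const struct cfg_req *req, struct cfg_hdr *out)
{
    uint8_t *page = malloc(req->len);

    if (page == NULL)
        return (ENOMEM);
    memcpy(page, req->ubuf, sizeof(struct cfg_hdr)); /* models copyin() */
    memcpy(out, page, sizeof(*out));
    free(page);
    return (0);
}

/* Checked pattern: reject requests smaller than the fixed header first. */
int
cfg_page_checked(const struct cfg_req *req, struct cfg_hdr *out)
{
    if (req->len < sizeof(struct cfg_hdr))
        return (EINVAL);
    return (cfg_page_unchecked(req, out));
}

/* Run the checked handler on a request of the given length. */
int
try_len(uint32_t len)
{
    struct cfg_req req = { &sample_hdr, len };
    struct cfg_hdr out;

    return (cfg_page_checked(&req, &out));
}
```
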
Ed Maste [Fri, 1 Apr 2022 13:58:47 +0000 (09:58 -0400)]
installworld: handle ldd including preloaded objects
The installworld target makes a temporary copy of binaries to be used
during the install. Libraries that they depend on are also included,
found by using `ldd`.
After commit 0913953c9ed0 ldd started listing preloaded objects,
including [vdso], under a [preloaded] header. Skip ldd output that is
enclosed in square brackets.
Reviewed by: cy, kib [earlier version]
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34734
Mark Johnston [Wed, 30 Mar 2022 19:41:44 +0000 (15:41 -0400)]
pf: Initialize the table entry zone limit at initialization time
The limit may later be updated by the "set limit" directive in pf.conf.
UMA does not permit a limit to be set on a zone after any items have
been allocated from a zone.
Other UMA zones used by pf do not appear to be susceptible to this
problem: they either set a limit at zone creation time or never set one
at all.
PR: 260406
Reviewed by: kp
Sponsored by: The FreeBSD Foundation
Navdeep Parhar [Fri, 25 Mar 2022 07:34:54 +0000 (00:34 -0700)]
cxgbe(4): Handle FORCE_FEC in pcaps correctly.
The firmware doesn't report FORCE_FEC in pcaps if the transceiver
plugged in at that time does not support a speed that may use FEC. It
is incorrect for the driver to assume that the FORCE_FEC value it read
during attach (in init_link_config) is permanent. Instead, it should
check pcaps just before issuing the L1CFG command.
Warner Losh [Fri, 25 Jun 2021 17:03:17 +0000 (11:03 -0600)]
bsd-family-tree: Add 2.8BSD relationship to Research 7th edition
In the 2BSD line, the 2.8BSD tapes were the first ones to include a
kernel, both source and a bootable tape. This was an AT&T V7 kernel,
with a number of bug fixes; new features in use at Berkeley; performance
enhancements that were circulating to V7 in the licensee community; and
build system changes. Based on the TUHS archives, it contains none of
the V32 changes, however.
In addition to the source code analysis, Mike Karels relates the story
of how his group lost a customized V6 on a PDP-11/40 due to a disk
crash. Since V7 just came out and Bill Jolitz had just brought that up
elsewhere, they replaced their customized V6 with a V7 system, and that
base would eventually become 2.8BSD. (Quarter Century of Unix)
Given both lines of evidence, add a direct line from V7 Unix to 2.8BSD.
Also confirmed that the V6 line to 1BSD and 2BSD was appropriate. 1BSD
and 2BSD included ashell(1) and ex(1). ashell(1) was derived from v6
shell. ex(1) was an enhanced v6 ed. 2.8BSD included process control and
user-land utilities from 4.1BSD.
Ed Maste [Mon, 28 Mar 2022 21:03:10 +0000 (17:03 -0400)]
fstyp: detect Raspberry Pi Pico boot filesystem as FAT
fstyp looks for a 0x55 0xAA signature at offset 510, but this is not
required by specifications and is not provided by the Raspberry Pi Pico
bootloader.
We should really remove the signature check and implement a more
comprehensive BPB validation instead, but it will require more
investigation and testing. For now just add a special case for the
Raspberry Pi Pico bootloader, to avoid introducing regressions or new
false positives.
PR: 262896
Reviewed by: delphij
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34699
Mark Johnston [Sat, 5 Mar 2022 00:34:43 +0000 (19:34 -0500)]
x86: Defer early TSC timecounter calibration to SI_SUB_CPU
If we can't determine the TSC frequency using CPU registers, we need to
give a chance for Hyper-V drivers to register a timecounter (during
SI_SUB_HYPERVISOR) since an emulated 8254 might not be available.
Thus, split probe_tsc_freq() into early and late stages, and wait until
the latter to attempt calibration using a reference clock.
Fixes: 84369dd52369 ("x86: Probe the TSC frequency earlier")
Reported and tested by: khng, Shawn Webb
Sponsored by: The FreeBSD Foundation
Mark Johnston [Tue, 1 Mar 2022 14:39:35 +0000 (09:39 -0500)]
x86: Probe the TSC frequency earlier
This lets us use the TSC to implement early DELAY, limiting the use of
the sometimes-unreliable 8254 PIT.
PR: 262155
Reviewed by: emaste
Tested by: emaste, mike tancsa <mike@sentex.net>, Stefan Hegnauer <stefan.hegnauer@gmx.ch>
Sponsored by: The FreeBSD Foundation
Mark Johnston [Thu, 17 Mar 2022 16:54:37 +0000 (12:54 -0400)]
file: Avoid a read-after-free of fd tables in sysctl handlers
Some loops access the fd table of a different process, and drop the
filedesc lock while iterating, so they check the table's refcount.
However, we access the table before the first iteration, in order to get
the number of table entries, and this access can be a use-after-free.
Fix the problem by checking the refcount before we start iterating.
Reported by: pho
Reviewed by: mjg
Sponsored by: The FreeBSD Foundation
Andrew Turner [Sat, 26 Mar 2022 15:59:34 +0000 (15:59 +0000)]
Treat cache write as a read in arm64 data faults
On arm64 we can ask the hardware to perform cache operations from
userspace. These require read permission; however, when the memory is
unmapped the kernel will receive a write exception. Add a check to
see if the cause of the exception is from the cache and pass a memory
read fault type to the vm subsystem.
PR: 262836
Reported by: dch
Sponsored by: The FreeBSD Foundation
The -r flag is ignored by the FreeBSD implementation of bsdlabel(8)
(also called disklabel(8) in the past). Remove its use from examples
and tests in the tree.
This commit does not touch historical documentation under share/doc/smm
and files under contrib/netbsd-tests.
Ed Maste [Tue, 29 Mar 2022 17:55:21 +0000 (13:55 -0400)]
Clear non-x86 compat stat syscall kernel stack memory disclosure
32-bit architectures other than i386 have 64-bit time_t which results
in a struct timespec with 12 bytes for tv_sec and tv_nsec, and 4 bytes
of padding. Zero the padding holes in struct stat32 and struct
freebsd11_stat32.
i386 has 32-bit time_t; struct timespec is 8 bytes and has no padding.
Found by inspection, prompted by a report by Reno Robert of Trend Micro
Zero Day Initiative. The originally reported issue (ZDI-CAN-14538) is
already fixed in all supported FreeBSD versions (it was addressed
incidentally as part of the 64-bit inode project).
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34709
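
The padding hole described in the commit above, as an added example rather than the FreeBSD compat code. `ts_model` is a hypothetical model of a timespec with 64-bit `tv_sec` and 32-bit `tv_nsec`, the `0xA5` marker is a constructed stand-in for stale stack contents, and zeroing the whole structure first is this example's choice of fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model: 8 bytes tv_sec + 4 bytes tv_nsec, padded to alignment. */
struct ts_model {
    int64_t tv_sec;
    int32_t tv_nsec;
};

#define TS_USED (offsetof(struct ts_model, tv_nsec) + sizeof(int32_t)) /* 12 */
#define TS_PAD  (sizeof(struct ts_model) - TS_USED) /* 4 if int64_t is 8-aligned */
#define STALE   0xA5    /* constructed marker for leftover stack contents */

/* Field-by-field fill, as a stat conversion does; padding is never written. */
void
fill_fields(struct ts_model *out, int64_t sec, int32_t nsec)
{
    out->tv_sec = sec;
    out->tv_nsec = nsec;
}

/* Count marker bytes that would reach the caller through the padding.
 * zero_first selects the hardened path that clears the structure first. */
size_t
stale_padding_bytes(int zero_first, int64_t sec, int32_t nsec)
{
    struct ts_model ts;
    unsigned char wire[sizeof(ts)];
    size_t i, n = 0;

    memset(&ts, STALE, sizeof(ts));     /* simulate a reused stack slot */
    if (zero_first)
        memset(&ts, 0, sizeof(ts));     /* hardened: padding holes cleared */
    fill_fields(&ts, sec, nsec);
    memcpy(wire, &ts, sizeof(ts));      /* models copyout() of the whole struct */
    for (i = TS_USED; i < sizeof(wire); i++)
        n += (wire[i] == STALE);
    return (n);
}
```
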
Ed Maste [Fri, 18 Mar 2022 20:11:32 +0000 (16:11 -0400)]
Remove snd_aureal driver source
This driver was not finished when it was committed in 1999 and was never
connected to the build.
A version of the driver used to be available in ports as
audio/aureal-kmod, but it has been removed. It did not build on FreeBSD
10.x or later and the binary objects it required were not available
after Google Code disappeared.
PR: 124343
Reported by: joel
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Sebastien Bini [Tue, 22 Mar 2022 15:44:09 +0000 (16:44 +0100)]
neta: split fixed and in-band link status configuration
Fixed-link mode requires different handling than the in-band
managed connection. Update interrupt, link-up/down and
autonegotiation settings for the former.
Kornel Duleba [Fri, 28 Jan 2022 09:28:37 +0000 (10:28 +0100)]
Extend device_get_property API
In order to support various types of data stored in device
tree properties or ACPI _DSD packages, create a new enum so
the caller can specify the expected type of a property they
want to read, according to the binding. The bus logic will use
that information to process the underlying data.
For example in DT all integer properties are stored in BE format.
In order to get constant results across different platforms we
need to convert its endianness to match the host.
Another example is ACPI_TYPE_INTEGER properties stored
as uint64_t. Before this patch the ACPI logic would refuse
to read them if the provided buffer was smaller than 8 bytes.
Now this can be handled by using DEVICE_PROP_UINT32 type.
Modify the existing consumers of this API to reflect the changes
and update the man pages accordingly.
Kornel Duleba [Tue, 25 Jan 2022 10:10:55 +0000 (11:10 +0100)]
bus_if: Add a default implementation of get_property
There are multiple buses that pretend to be ofw compatible,
e.g. ofw_pci, mii_fdt. We now need to provide an implementation
of BUS_GET_PROPERTY for every one of them. Instead of modifying
them one by one it's better to just provide a default
implementation that simply traverses up the device tree.
Remove the now unneeded BUS_GET_PROPERTY implementation in mii_fdt.
Kornel Duleba [Mon, 15 Nov 2021 08:55:33 +0000 (09:55 +0100)]
miibus: Add support for mapping OFW nodes to PHY devices
Create a new miibus OFW specific layer leveraging miibus_fdt.c code.
PHY drivers can then read the properties using device_get_property(9) API.
Resource (interrupt) allocation is also supported.
In order to enable this each NIC/switch driver will have to be modified,
because of how miibus is attached to the parent driver.
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential revision: https://reviews.freebsd.org/D32812
Kornel Duleba [Wed, 27 Oct 2021 08:34:17 +0000 (10:34 +0200)]
mii_fdt: Add support for switch PHY node lookup
Previously we would only search for a PHY xref in node of the miibus
parent.
That didn't work very well with switches.
Fix that by searching through "ports" subnode, checking if any of its
children have a valid PHY xref.
Since switches tend to have multiple ports we also have multiple
candidates.
Use the PHY address read from mii_attach_args to find the right one.
sdhci_xenon: split driver file into generic file and fdt parts
This patch splits driver code into two separate files sdhci_xenon.c
and sdhci_xenon_fdt.c. This will allow future implementation of ACPI
discovery of sdhci on Xenon chips.
Add generic mmc_helper which uses newly introduced device_*_property
api. Thanks to this change the sd/mmc drivers will be capable
of parsing both DT and ACPI description.
Ensure backward compatibility for all mmc_fdt_helper users.
mmc: Fix regression in 8a8166e5bcfb breaking Stratix 10 boot
The refactoring in 8a8166e5bcfb introduced a functional change that
breaks booting on the Stratix 10, hanging when it should be attaching
da0. Previously OF_getencprop was called with a pointer to host->f_max,
so if it wasn't present then the existing value was left untouched, but
after that commit it will instead clobber the value with 0. The dwmmc
driver, as used on the Stratix 10, sets a default value before calling
mmc_fdt_parse and so was broken by this functional change. It appears
that aw_mmc also does the same thing, so was presumably also broken on
some boards.
acpi: Fix error code returned in acpi_bus_get_prop
ACPI implementation of device_get_property would return "-1" when
property was found, but its type wasn't supported.
This causes device_has_property to return false in that scenario, which
arguably could be considered as incorrect.
D Scott Phillips [Fri, 25 Mar 2022 16:04:47 +0000 (09:04 -0700)]
arm64: Add explicit barrier after address translation instruction
Following ARMARM sec D5.2.11, which says:
> Where an instruction results in an update to a System register,
> as is the case with the AT * address translation instructions,
> explicit synchronization must be performed before the result is
> guaranteed to be visible to subsequent direct reads of the
> PAR_EL1.
D Scott Phillips [Fri, 25 Mar 2022 16:04:11 +0000 (09:04 -0700)]
arm64: pmap: Mask VA operand in TLBI instructions
Bits 43:0 of the TLBI operand are bits 55:12 of the VA. Leaving
bits 63:55 of the VA in bits 51:44 of the operand might wind up
setting the TTL field (47:44) and accidentally restricting which
translation levels are flushed in the TLB.
Reviewed By: andrew
MFC after: 3 days
Sponsored by: Ampere Computing
Differential Revision: https://reviews.freebsd.org/D34664
Andrew Turner [Thu, 10 Mar 2022 14:39:03 +0000 (14:39 +0000)]
Fix arm64 TLB invalidation with non-4k pages
When using 16k or 64k pages atop will shift the address by more than
the needed amount for a tlbi instruction. Replace this with a new macro
to shift the address by 12 and use PAGE_SIZE in the for loop to let the
code work with any page size.
Reviewed by: alc, markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34516
Martin Matuska [Sat, 26 Mar 2022 10:04:36 +0000 (11:04 +0100)]
libarchive: merge vendor bugfixes
Bugfixes:
IS #1672 and OSS-Fuzz #38766:
(zip reader) fix possible out-of-bounds read in zipx_lzma_alone_init()
PR #1676: (mtree reader) remove the unused variable "detected_bytes"
PR #1674: (doc) fix use of At mdoc(7) macro in cpio.5
Martin Matuska [Tue, 29 Mar 2022 10:41:53 +0000 (12:41 +0200)]
zfs: merge openzfs/zfs@52bad4f23 (zfs-2.1-release) into stable/13
OpenZFS release 2.1.4
Notable upstream pull request merges:
#13219 FreeBSD: add missing replay check to an assert in zfs_xvattr_set
#13220 module: freebsd: avoid a taking a destroyed lock in zfs_zevent bits
#13221 Fix ACL checks for NFS kernel server
Alexander Motin [Thu, 24 Feb 2022 21:17:34 +0000 (16:17 -0500)]
CTL: Add length validation for incoming HA messages.
This should fix uninitialized memory reads when working with broken
HA peer, like one fixed in 1a8d8a3a909. Instead print error message
and kill the HA link.
Jamie Gritton [Sat, 26 Mar 2022 02:16:51 +0000 (19:16 -0700)]
mfc jail: handle jailsys parameters in modification permission test
Avoid a null dereference when a value-less jailsys parameter is passed
to "jail -m". There was already code to handle boolean parameters,
but in reality any parameter could be passed without a value.
nhops: split nh_family into nh_upper_family and nh_neigh_family.
With IPv4 over IPv6 nexthops and IP->MPLS support, there is a need
to distinguish "upper" e.g. traffic family and "neighbor" e.g. LLE/gateway
address family. Store them explicitly in the private part of the nexthop data.
While here, store nhop fibnum in nhop_prip datastructure to make it self-contained.
Introduce a new function, lltable_get(), to retrieve lltable pointer
for the specified interface and family.
Use it to avoid all-iftable list traversal when adding or deleting
ARP/ND records.
VNET teardown waits 2*MSL (60 seconds by default) before expiring
tcp PCBs. These PCBs hold references to nexthops, which, in turn,
reference ifnets. This chain results in VNET interfaces being destroyed
and moved to default VNET only after 60 seconds.
Allow tcp_msl to be set in jail by virtualising net.inet.tcp.msl sysctl,
permitting more predictable VNET test outcomes.
Bjoern A. Zeeb [Thu, 24 Mar 2022 19:09:04 +0000 (19:09 +0000)]
LinuxKPI: 802.11: cleanup debugging
Cleanup some debugging. Rename the global variable to be less
generic. Hide all debugging behind #ifdef for now and turn off.
Rename the debugging sysctl so we can start adding more to the
subtree.
There is a need to change that wildly grown infrastructure into
something more homogenic soon but this should do for 13.1.