John Baldwin [Wed, 7 Dec 2022 20:32:19 +0000 (12:32 -0800)]
aesni: Remove misleading array bounds for aesni_decryt_ecb.
All the other functions used pointers for from/to instead of
fixed-size array parameters. More importantly, this function can
accept pointers to buffers of multiple blocks, not just a single
block.
John Baldwin [Wed, 22 Mar 2023 19:35:09 +0000 (12:35 -0700)]
sys: Stop enabling -Wnested-externs.
clang doesn't implement this warning, so violations are only caught by
GCC. It is also no longer a common practice to use this as it was in
the original BSD code, so the need for the warning is not as important
as when it was used to do cleanups 20 years ago. A recent commit
(c3179891f897d840f578a5139839fcacb587c96d) triggers this warning on
GCC, but that commit uses nested externs purposefully.
John Baldwin [Wed, 21 Dec 2022 18:47:08 +0000 (10:47 -0800)]
Disable -Wzero-length-bounds for the kernel for GCC 12.
The mlx5 driver and some other OFED bits use a somewhat dubious
pattern of:
struct foo {
uint64_t arg[0];
/* Real members of a struct */
};
The code then treats 'arg' as if it were really a kind of union
such that foo.arg[N] functions similarly to (uint64_t *)foo[N].
This uses of foo.arg[N] then trigger this warning.
No real bugs were found by this warning though, so just turn it off
globally.
John Baldwin [Wed, 21 Dec 2022 18:46:26 +0000 (10:46 -0800)]
Disable -Wdangling-pointer for the kernel for GCC 12.
Some of the warnings raised in the kernel seem to be outright bugs in
the compiler (e.g. the cases in ata_xpt.c and scsi_xpt.c). Other
cases are not fatal and it didn't seem to find any legitimate bugs in
the kernel.
John Baldwin [Wed, 21 Dec 2022 18:45:45 +0000 (10:45 -0800)]
iee80211_hwmp: Don't dereference NULL ni in debug printf.
In this call to IEEE80211_NOTE, ni is always NULL due to the assignment
a few lines earlier at the start of the function. If debug traces are
enabled, then this will pass an invalid pointer as the 'mac' pointer to
ieee80211_note_mac. Use IEEE80211_DPRINTF which doesn't take a 'ni'
argument instead.
John Baldwin [Wed, 21 Dec 2022 18:45:26 +0000 (10:45 -0800)]
mrsas: Don't leak a stack pointer value in the softc.
mrsas_issue_blocked_cmd stores a pointer to an on-stack variable
in its softc so that the driver can call wakeup() on the correct
pointer. Once the loop around tsleep() has finished however, the
pointer is no longer needed and any further use would be invalid.
Clear sc->chan to NULL after the loop.
John Baldwin [Wed, 21 Dec 2022 18:46:06 +0000 (10:46 -0800)]
Disable errors for -Wnonnull for the kernel for GCC 12.
The USB code and some other places raise false positives when a NULL
pointer is passed to an inlined function along with a separate length
and the compiler can't determine that the separate length of 0
prevents the use of the NULL pointer.
John Baldwin [Wed, 22 Mar 2023 19:34:34 +0000 (12:34 -0700)]
bhyve: Accept a variable-length string name for qemu_fwcfg_add_file.
It is illegal (UB?) to pass a shorter array to a function argument
that takes a fixed-length array. Do a runtime check for names that
are too long via strlen() instead.
John Baldwin [Mon, 5 Dec 2022 00:27:22 +0000 (16:27 -0800)]
libsa: Disable -Wdangling-pointer for zfs.c.
GCC 12 warns about a dangling pointer to 'objid' in
zfs_bootenv_initial(). However, this appears to be a false positive
as the pointer to 'objid' is only passed to zfs_lookup_dataset() but
not saved anywhere that outlives the lifetime of the
zfs_bootenv_initial() function.
John Baldwin [Wed, 30 Nov 2022 22:56:19 +0000 (14:56 -0800)]
Explicitly set CXXSTD to c++11 for old C++ code using std::auto_ptr<>.
GCC 12 defaults to C++17 which removes (not just deprecates)
std::auto_ptr<>. Trying to use CXXSTD of c++03 doesn't work with
libc++ headers, but c++11 does.
John Baldwin [Mon, 3 Oct 2022 23:10:44 +0000 (16:10 -0700)]
libefivar: Fix a buffer overread.
DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
string to append a null terminator if the original string is not
null terminated. However, by using AllocateCopyPool, it tries to
copy 'Length + 1' words from the existing string containing 'Length'
characters into the target string. Split the copy out to only
copy 'Length' characters instead.
John Baldwin [Wed, 30 Nov 2022 22:50:35 +0000 (14:50 -0800)]
Silence GCC warnings when using libc++ headers.
GCC 12 raises warnings about literal operator suffixes not preceded by
'_' in libc++ headers such as <string_view> as it doesn't recognize
libc++ headers being an implementation of the standard.
GCC 12 also warns about clang-specific pragmas in <locale>.
Disabling these warnings globally for all C++ code is not ideal, but
is a better option than patching libc++ headers to ignore these
warnings.
John Baldwin [Thu, 23 Mar 2023 16:31:29 +0000 (09:31 -0700)]
libpmc: Use LIB_CXX instead of explicit LDADD to link a C++ library.
This uses the C++ compiler as the linker instead of the C compiler
letting the compiler driver pick the right libraries. This is a no-op
on main and stable/13 but matters for stable/12 where the current
logic breaks for external GCC since it tries to use a non-existent
libstdc++.
Before the commit 6cc44223cb6717795afdac4348bbe7e2a968a07d the
field event_mask was fully copied to the EventMasks field.
After this commit the event_mask (uint8_t) is 4 times casted to
EventMask (uint32_t). Because of that 24 bits of each event_mask array
is lost.
This commits brings back simple copying of field, and after words
converting 32 bits field to the requested endian.
I don't think we need more sophisticated method,
as the array is of size 4 (for 32 bits version).
Ed Maste [Mon, 24 Apr 2023 19:41:45 +0000 (15:41 -0400)]
ipv6: disable RFC 4620 nodeinfo by default
RFC 4620 is an experimental RFC that can be used to request information
about a host, including:
- the fully-qualified or single-component name
- some set of the Responder's IPv6 unicast addresses
- some set of the Responder's IPv4 unicast addresses
This is not something that should be made available by default.
PR: 257709
Submitted by: ruben@verweg.com
Reviewed by: melifaro
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D39778
Ed Maste [Mon, 17 Apr 2023 18:56:51 +0000 (14:56 -0400)]
geom: use bool for one-bit wide bit-field
A one-bit wide bit-field can take only the values 0 and -1. Clang 16
introduced a warning that "implicit truncation from 'int' to a one-bit
wide bit-field changes value from 1 to -1". Fix by using c99 bool.
Reported by: Clang, via dim
Reviewed by: dim
Sponsored by: The FreeBSD Foundation
Stefan Eßer [Tue, 25 Apr 2023 07:40:05 +0000 (09:40 +0200)]
sys/fs: do not report blocks allocated for synthetic file systems
The pseudo file systems (devfs, fdescfs, procfs, etc.) report total
and available blocks and inodes despite being synthetic with no
underlying storage device to which those values could be applied.
The current code of these file systems tends to report a fixed number
of total blocks but no free blocks, and in the case of procfs,
libprocfs, linsysfs also no free inodes.
This can be irritating in e.g. the "df" output, since 100% of the
resources seem to be in use, but it can also create warnings in
monitoring tools used for capacity management.
This patch makes these file systems return the same value for the
total and free parameters, leading to 0% in use being displayed by
"df". Since there is no resource that can be exhausted, this appears
to be a sensible result.
fs/msdosfs: add tracking of free root directory entries
This update implements tallying of free directory entries during
create, delete, or rename operations on FAT12 and FAT16 file systems.
Prior to this change, the total number of root directory entries
was reported as number of inodes, but 0 as the number of free
inodes, causing system health monitoring software to warn about
a suspected disk full issue.
The FAT12 and FAT16 file systems provide a limited number of
root directory entries, e.g. 512 on typical hard disk formats.
The valid range of values is 1 to 65535, but the msdosfs code
will effectively round up "odd" values to the next multiple of 16
(e.g. 513 would allow for 528 root directory entries).
This update implements tracking of directory entries during create,
delete, or rename operations, with initial values determined by
scanning the directory when the file system is mounted.
Total and free directory entries are reported in the f_files and
f_ffree elements of struct statfs, despite differences in semantics
of these values:
- There is no limit on the number of files and directories that can
be created on a FAT file system. Only the root directory of FAT12
and FAT16 file systems is limited, any number of files can still be
created in sub-directories, even when 0 free "inodes" are reported.
- A single file can require 1 to 21 directory entries, depending on
the character set, structure, and length of the name. The DOS 8.3
style file name takes up 1 entry, and if the name does not comply
with the syntax of a DOS 8.3 file name, 1 additional entry is used
for each 13 characters of the file name. Since all these entries
have to be contiguous, it is possible that a file or directory with
a long name can not be created, despite a sufficient total number of
free directory entries.
- Renaming a file can require more directory entries than currently
allocated to store its long name, which may prevent an in-place
update of the name if more entries are needed. This may cause a
rename operation to fail if no contiguous range of free entries for
the new name can be found.
- The volume label is stored in a directory entry. An empty FAT file
system with a volume label will therefore show 1 used "inode" in
df.
- The perceentage of free inodes shown in df or monitoring tools does
only represent the state of the root directory of a FAT12 or FAT16
file system. Neither does a reported value of 0% free inodes does
prevent files from being created in sub-directories, nor does a
value of 50% free inodes guarantee that even a single file with
a "long" name can be created in the root directory (if every other
directory entry is occupied and there are no 2 contiguous entries).
The statfs(2) and df(1) man pages have been updated with a notice
regarding the possibly different semantics of values reported as
total and free inodes for non-Unix file systems.
fs/msdosfs: Fix potential panic and size calculations
Some combinations of FAT12 file system parameters could cause a kernel
panic due to an unmapped access if the size of the FAT was larger than
the CPU page size. The reason is that FAT12 uses 3 bytes to store
2 FAT pointers, leading to partial FAT pointers at the end of buffers
of a size that is not a multiple of 3.
With a typical page size of 4 KB, this caused the FAT entry at byte
offsets 4095 and 4096 to cross the page boundary, with only the first
page mapped. This was fixed by adjusting the mapping to always cover
both bytes of each FAT entry.
Testing revealed 2 other inconsistencies that are fixed by this commit:
1) The calculation of the size of the data area did not take into
account the fact that the first two data block numbers are reserved
and that the data area starts with block 2. This could cause a
FAT12 file system created with the maximum supported number of
blocks to be incorrectly identified as FAT16.
2) The root directory does not take up space in the data area of a
FAT12 or FAT16 file system, since it is placed into a reserved
area outside of that data area. This commits makes stat() report
the logical size of the root directory, but with 0 blocks allocated
from the data area.
When sorting, both the C11 standard (ISO/IEC 9899:2011, K.3.6.3.2) and
the ISO/IEC JTC1 SC22 WG14 N1172 standard, does not define objects of
zero size as undefined behaviour. However Microsoft's cpp-docs does.
Add proper checks for this. Found while working on bsort(3).
mlx5en(4): Don't wait for receive queue to fill up with mbufs during open channels.
Failure to get mbufs may be transient.
Don't permanently fail to open the channels due to lack of mbufs.
This also makes modifying channel parameters faster.
Implement an API for sending a zero-length-packet. The purpose of such a
USB packet is to toggle the binary packet counter for USB 1.0/2.0 protocols,
without sending any data, so that the first packet sent after opening
a USB BULK endpoint doesn't get lost. This is for devices not supporting
the USB standard defined clear-stall handling.
Jessica Clarke [Sun, 24 Oct 2021 18:48:46 +0000 (19:48 +0100)]
xhci: Rework 64-byte context support to avoid pointer abuse
Currently, to support 64-byte contexts, xhci_ctx_[gs]et_le(32|64) take a
pointer to the field within a 32-byte context and, if 64-byte contexts
are in use, compute where the 64-byte context field is and use that
instead by deriving a pointer from the 32-byte field pointer. This is
done by exploiting a combination of 64-byte contexts being the same
layout as their 32-byte counterparts, just with 32 bytes of padding at
the end, and that all individual contexts are either in a device
context or an input context which itself is page-aligned. By masking out
the low 4 bits (which is the offset of the field within the 32-byte
contxt) of the offset within the page, the offset of the invididual
context within the containing device/input context can be determined,
which is itself 32 times the number of preceding contexts. Thus, adding
this value to the pointer again gets 64 times the number of preceding
contexts plus the field offset, which gives the offset of the 64-byte
context plus the field offset, which is the address of the field in the
64-byte context.
However, this involves a fair amount of lying to the compiler when
constructing these intermediate pointers, and is rather difficult to
reason about. In particular, this is problematic for CHERI, where we
compile the kernel with subobject bounds enabled; that is, unless
annotated to opt out (e.g. for C struct inheritance reasons where you
need to be able to downcast, or containerof idioms), a pointer to a
member of a struct is a capability whose bounds only cover that field,
and any attempt to dereference outside those bounds will fault,
protecting against intra-object buffer overflows. Thus the pointer given
to xhci_ctx_[gs]et_le(32|64) is a capability whose bounds only cover the
field in the 32-byte context, and computing the pointer to the 64-byte
context field takes the address out of bounds, resulting in a fault when
later dereferenced.
This can be cleaned up by using a different abstraction. Instead of
doing the 32-byte to 64-byte conversion on access to the field, we can
do the conversion when getting a pointer to the context itself, and
define proper 64-byte versions of contexts in order to let the compiler
do all the necessary arithmetic rather than do it manually ourselves.
This provides a cleaner implementation, works for CHERI and may even be
slightly more performant as it avoids the need to mess with masking
pointers (which cannot in the general case be optimised by compilers to
be reused across accesses to different fields within the same context,
since it does not know that the contexts are over-aligned compared with
the C ABI requirements).
Bjoern A. Zeeb [Fri, 1 Oct 2021 13:37:01 +0000 (13:37 +0000)]
USB: adjust the Generic XHCI ACPI probe return value
Change the probe return value from BUS_PROBE_DEFAULT to BUS_PROBE_GENERIC
given this is the "generic" attach method. This allows individual
drivers using XHCI generic but needing their own intialisation to
gain priority for attaching over the generic implementation.
usb(4): Separate the fast path and the slow path to avoid races and use-after-free for the USB FS interface.
Bad behaving user-space USB applicatoins may crash the kernel by issuing
USB FS related ioctl(2)'s out of their expected order. By default
the USB FS ioctl(2) interface is only available to the
administrator, root, and driver applications like webcamd(8) needs
to be hijacked in order for this to happen.
The issue is the fast-path code does not always see updates made
by the slow-path code, and may then work on freed memory.
This is easily fixed by using an EPOCH(9) type of synchronization
mechanism. A SX(9) lock will be used as a substitute for EPOCH(9),
due to the need for sleepability. In addition most calls going into
the fast-path originate from a single user-space process and the
need for multi-thread performance is not present.
usb(4): Code refactoring as a pre-step for adding missing synchronization mechanism.
Move code in switch cases into own functions to make later changes easier to track.
No functional change, except for removing a superfluous break statement when
range checking USB_FS_MAX_FRAMES, in the USB_FS_OPEN case.
It should not have been there at all.
Kyle Evans [Tue, 28 Feb 2023 01:59:43 +0000 (19:59 -0600)]
usb: dwc3: implement hw.usb.xhci.use_polling
Polling is currently only implemented in the xhci pci attachment.
Adding it to dwc3 doesn't make it much uglier, and supporting it can be
useful for confirming that hardware's otherwise functional when
interrupts are apparently not firing.
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D38816
usb: Respect NO_INQUIRY quirk during device enumeration
Both usb_iface_is_cdrom and usb_msc_auto_quirk functions use SCSI INQUIRY
command to probe various properties of usb mass storage devices.
The problem here is that some very broken devices don't like this command.
Check if UQ_MSC_NO_INQUIRY quirk is set and skip cdrom and quirk
autodetection in that case.
John Baldwin [Mon, 18 Apr 2022 19:27:48 +0000 (12:27 -0700)]
uhid_snes: Remove USB_ST_TRANSFERRED handling for the status request.
The result of the request computed in new_status was never returned to
the caller leaving new_status as a set-but-unused variable. Removing
new_status leaves sc->previous_status as a write-only variable.
Removing sc->previous_status leaves current_status as a write-only
variable, so it collapses down to removing the entire
USB_ST_TRANSFERRED case.
Arguably, all of the support for UHID_SNES_STATUS_DT_RD should be
removed as it doesn't return anything to the caller. If the request
should be fixed instead then this commit should be reverted and
new_status should be returned to whoever submitted the request.
Brooks Davis [Fri, 17 Dec 2021 21:28:14 +0000 (21:28 +0000)]
libusb: remove use of COMPAT_32BIT
This codepath used uint64_t's in place of pointers in structs and
arrays to allow 32-bit code to use 64-bit version of ioctls. Now
that we support 32-bit compat natively this is no longer needed.
Brooks Davis [Fri, 17 Dec 2021 21:28:14 +0000 (21:28 +0000)]
usb: remove COMPAT_32BIT ifdefs
Now that we have proper 32-bit compat support, remove COMPAT_32BIT
ifdefs to allow 32-bit code to use the 64-bit layout of USB ioctl
structs and struct usb_fs_endpoint.
This includes the removal of redundant alignment directives that had
no effect in practice.
Brooks Davis [Fri, 17 Dec 2021 21:28:14 +0000 (21:28 +0000)]
usb: add 32-bit compat for FIFOs
Unlike most 32-bit compatability code, this isn't just a simple thunk
in the ioctl code. An ioctl (USB_FS_INIT) is used to install a
pointer to an array of usb_fs_endpoint structs which are then used
by the ugen fifo code. These struct contains an array of pointers
which requires translation. We change the interfaces around
struct usb_fs_endpoint as follows:
- We store the size of struct usb_fs_endpoint in struct usb_fifo
in the USB_FS_INIT handler so we know the ABI of the userspace
array.
- APIs to manipulate userspace struct usb_fs_endpoint objects now
take a struct usb_fifo and an index rather than a pointer to
the object. This allows most code to remain oblivious to the
different struct usb_fs_endpoint sizes.
- Add ugen_fs_copyin() which copies the struct usb_fs_endpoint
from userspace, thunking it to the native size if required.
- Uses of struct usb_fs_endpoint's ppBuffer member are now
via ugen_fs_getbuffer() which produces a native pointer.
- Updates to userspace are now handled by ugen_fs_update().
For clarity, single, fixed-sized members now are accessed with
fueword/suword rather than copyin/copyout.
al_eth: make function definitions consistent with declarations
The declarations for al_eth_lm_retimer_ds25_signal_detect() and
al_eth_lm_retimer_ds25_cdr_lock() say that these functions return
'al_bool', but the definitions actually return 'boolean_t'.
A signed one-bit wide bit-field can take only the values 0 and -1. Clang
16 introduced a warning that "implicit truncation from 'int' to a
one-bit wide bit-field changes value from 1 to -1". Fix the warnings by
using C99 bool.
powerpc: fix a few pmap related functions to return correct types
While experimenting with changing boolean_t to another type, I noticed
that several powerpc pmap related functions returned the wrong type:
boolean_t instead of int.
Fix several declarations and definitions to match the actual pmap
function types: pmap_dev_direct_mapped_t and pmap_ts_referenced_t.
kcsan: add __tsan_mem(cpy|move|set) aliases for clang >= 16
Summary:
After https://github.com/llvm/llvm-project/commit/b4257d3bf58c ("[tsan]
Replace mem intrinsics with calls to interceptors") intrinsic calls to
memcpy, memmove or memset will directly call sanitizer interceptors,
e.g. __tsan_memcpy, __tsan_memmove or __tsan_memset.
Building GENERIC-KCSAN with clang >= 16 would thus result in link errors
similar to:
ld: error: undefined symbol: __tsan_memcpy
>>> referenced by cam_compat.c:150 (/usr/src/sys/cam/cam_compat.c:150)
>>> cam_compat.o:(cam_compat_handle_0x17)
>>> referenced by cam_compat.c:151 (/usr/src/sys/cam/cam_compat.c:151)
>>> cam_compat.o:(cam_compat_handle_0x17)
>>> referenced by cam_compat.c:152 (/usr/src/sys/cam/cam_compat.c:152)
>>> cam_compat.o:(cam_compat_handle_0x17)
>>> referenced 1692 more times
Similar to subr_msan.c, add aliases from the existing kcsan_* versions
of these functions to __tsan_* names.
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D39772
Suppress lld 16 errors about undefined symbols in version maps
lld >= 16 turned on --no-undefined-version by default, which results in
errors whenever symbols are mentioned in version maps, but are not
actually defined in the binary.
Since we have quite a few instances of symbols that are defined or not,
depending on various compile-time settings, suppress this lld check for
the time being.
Suppress lld 16 errors about multiply defined symbols in rescue
lld >= 16 became more strict about multiply defined symbols. Since there
are many of those in crunchgen'd programs, turn off the check when
linking the rescue binary.
bhyve: add hook for PCI header of passthru devices
Most register of the PCI header are either constant values or require
emulation anyway. The command and status register are the only exception which
require hardware access. So, we're adding an emulation handler for all
other register.
As this emulation handler will be reused by some future features like
GPU passthrough, we directly export it.
Corvin Köhne [Fri, 19 Mar 2021 12:48:34 +0000 (13:48 +0100)]
bhyve: define array to protect passthru regs
GPU passthrough requires a special handling of some PCI config register.
Therefore, we need a flexible approach for implementing it. Adding an
array of handler meets this condition.
Start by using the default handler for all accesses to the PCI config
space. In upcoming commits, we can start to split the default handler
into several handler for each register that requires emulation.
bhyve: check for errors when writing device specific DSDT entries
At the moment, this function can't fail. This behaviour will change in
the future. In preparation to that, convert the return type to int in
order to be able to check for errors.