Ed Maste [Tue, 1 Mar 2022 21:42:13 +0000 (16:42 -0500)]
ssh: use standalone config file for security key support
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.
Reviewed by: kevans
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34407
Ed Maste [Tue, 22 Mar 2022 17:48:43 +0000 (13:48 -0400)]
kbd: replace vestigial spl calls with Giant assertions
The keyboard driver was initially protected via spl* interrupt priority
calls but (as part of a comprehensive effort) migrated to use the Giant
lock (mutex).
The spl calls left behind became NOPs but they can be confusing as they
have no bearing on the actual mutual exclusion that is now present.
Remove them from kbd and add assertions that Giant is held. markj notes
that there is conflation between the "bus topo" lock (which is Giant
under the hood) and Giant. The assertions could either be addressed as
a small item along with bus topology locking work or they'll be removed
if kbd is decoupled from Giant.
PR: 206680
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34645
Mark Johnston [Fri, 8 Apr 2022 15:47:25 +0000 (11:47 -0400)]
net: Fix memory leaks in lltable_calc_llheader() error paths
Also convert raw epoch_call() calls to lltable_free_entry() calls, no
functional change intended. There's no need to asynchronously free the
LLEs in that case to begin with, but we might as well use the lltable
interfaces consistently.
Noticed by code inspection; I believe lltable_calc_llheader() failures
do not generally happen in practice.
Reviewed by: bz
Sponsored by: The FreeBSD Foundation
60970a328e280b25b05f1d9a9de1ef91af573c4a did one half of the job
of making rssi relative to nf and numbers for radiotap were fine.
net80211 internally works with .5 dBm units thus we need to apply a
* 2 to the value we pass in to c_rssi; leave a comment explaining.
Note: it is only ifconfig in user space which re-adjusts it for printing,
or contrib/wpa for calculations. Other applications getting values
from the kernel also have to apply the maths.
In collaboration with: J.R. Oldroyd (fbsd opal.com)
Sponsored by: The FreeBSD Foundation
dev_alloc_skb() compared to alloc_skb() reserves some headroom
at the beginning of the skb which is used by drivers.
Split the code for the two cases and reserve NET_SKB_PAD space,
which should at least be 32 octets.
Bjoern A. Zeeb [Wed, 30 Mar 2022 17:38:23 +0000 (17:38 +0000)]
LinuxKPI: PCI: add counter for linux_dma_map_phys_common() errors
LinuxKPI is asking for single-segment mappings. Some (wireless) drivers
are using this to map multi-pages and our busdma framework is not very
friendly to that as single-segments [D31823]. Add a counter so we can
track when this happens to gather more information.
Sponsored by: The FreeBSD Foundation
Reviewed by: hselasky
Differential Revision: https://reviews.freebsd.org/D34715
Robert Wing [Thu, 17 Mar 2022 01:27:34 +0000 (17:27 -0800)]
ffs_mount(): fix snapshotting
Commit 0455cc7104ec broke snapshotting for ffs. In that commit,
ffs_mount() was changed so the namei() lookup for a disk device happens
before ffs_snapshot(). This caused the issue where namei() would lookup
the snapshot file and fail because the file doesn't exist. Even if it did
exist, taking a snapshot would still fail since it's not a disk device.
Fix this by taking a snapshot of the filesystem as-is and returning without
altering ro/rw or any other attributes that are passed in.
Reported by: pho
Reviewed by: mckusick
Fixes: 0455cc7104ec ("ffs_mount(): return early if namei() fails to lookup disk device")
Differential Revision: https://reviews.freebsd.org/D34562
Robert Wing [Mon, 7 Mar 2022 19:18:03 +0000 (10:18 -0900)]
ffs_mount(): return early if namei() fails to lookup disk device
With soft updates enabled, an INVARIANTS panic is hit in ffs_unmount().
The problem occurs in ffs_mount() when upgrading a mount from ro->rw.
During a mount update, the soft update code gets set up but doesn't get
cleaned up if namei() fails when looking up the disk device.
Avoid this scenario by looking up the disk device first and bailing early
if the namei() lookup fails.
Rick Macklem [Thu, 10 Mar 2022 00:52:42 +0000 (16:52 -0800)]
nfsd: Do not exempt NFSv3 Fsinfo from the TLS check
The Fsinfo RPC is exempt from the check for Kerberized NFS being required,
as recommended by RFC2623. However, there is no reason to exempt Fsinfo
from the requirement to use TLS. This patch fixes the code so that the
exemption only applies to Kerberized NFS and not NFS-over-TLS.
This only affects NFS-over-TLS for an NFSv3 mount when it is required,
but the client does not do so.
- There is no need to mention in the synopsis that -f can be a list of
comma-separated type:format pairs. Let's keep it simple instead.
- Mention that -f can be supplied multiple times.
- Add -f to other entries in the synopsis where it can be used.
ifconfig.8: Add capability codes descriptions from handbook
We document capability codes (the CAPS field of "ifconfig wlan0 scan")
in both ifconfig(8) and the handbook. The list is more complete in the
manual page, while the descriptions of individual capabilities are more
detailed in the handbook.
In order to reduce content duplication and bit rot, let's move the
handbook's details to the manual page and reference the manual page
whenever necessary.
Roger Pau Monné [Thu, 13 Jan 2022 13:48:14 +0000 (14:48 +0100)]
x86/xen: fallback when VCPUOP_send_nmi is not available
It has been reported that on some AWS instances VCPUOP_send_nmi
returns -38 (ENOSYS). The hypercall is only available for HVM guests
in Xen 4.7 and newer. Add a fallback to use the native NMI sending
procedure when VCPUOP_send_nmi is not available, so that the NMI is
not lost.
Reported and Tested by: avg
Fixes: b2802351c162 ('xen: fix dispatching of NMIs')
Sponsored by: Citrix Systems R&D
(cherry picked from commit ad15eeeaba30cdf10036b7869d27441cfc9f0674)
Roger Pau Monné [Tue, 11 May 2021 10:19:29 +0000 (12:19 +0200)]
xen/blkback: fix reconnection of backend
The hotplug script will be executed only once for each backend,
regardless of the frontend triggering reconnections. Fix blkback to
deal with the hotplug script being executed only once, so that
reconnections don't stall waiting for a hotplug script execution
that will never happen.
As a result of the fix move the initialization of dev_mode, dev_type
and dev_name to the watch callback, as they should be set only once
the first time the backend connects.
This fix is especially relevant for guests wanting to use UEFI OVMF
firmware, because OVMF will use Xen PV block devices and disconnect
afterwards, thus allowing them to be used by the guest OS. Without
this change the guest OS will stall waiting for the block backend to
attach.
Fixes: de0bad00010c ('blkback: add support for hotplug scripts')
Sponsored by: Citrix Systems R&D
(cherry picked from commit 4772e86beb089ee08a3bff8ad359e83a4c623238)
Roger Pau Monné [Tue, 16 Mar 2021 11:43:49 +0000 (12:43 +0100)]
xen/netback: do not attempt to connect in the Initialised state
Only attempt to fetch the configuration data and connect the shared
ring once the frontend has switched to the 'Connected' state. This
seems to be in line with what Linux netback does, and is required to
make newer versions of NetBSD netfront work, since NetBSD only
publishes the required configuration before switching to the Connected
state.
pfsync: Add CTLFLAG_VNET to carp_demotion_factor sysctl
When trying to avoid a CARP demotion during a pfsync service restart, I
noticed that a non-default value for the net.pfsync.carp_demotion_factor
sysctl was not being applied during the demotion. The CARP was always
demoted by 240.
After investigating, I realized that the sysctl was using VNET_NAME()
without the CTLFLAG_VNET.
Since physical memory management is now handled by subr_physmem.c, the
need to keep this global array has diminished. It is not referenced
outside of early boot-time, and is populated by physmem_avail() in
pmap_bootstrap(). Just allocate the array on the stack for the duration
of its lifetime.
The check against physmap[0] in initriscv() can be dropped altogether,
as there is no consequence for excluding a memory range twice.
Reviewed by: markj
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34778