Gleb Smirnoff [Wed, 27 Dec 2023 16:34:37 +0000 (08:34 -0800)]
inpcb: poison several inpcb pointer in in_pcbfree()
There are few subsystems that reference inpcb and allow it to outlive
in_pcbfree(). There are no known bugs with them to unreference the
options pointers for a freed inpcb. Enforce this so that such bugs
don't appear in the future.
Gleb Smirnoff [Wed, 27 Dec 2023 16:34:37 +0000 (08:34 -0800)]
inpcb: reoder inpcb destruction
First, merge in_pcbdetach() with in_pcbfree(). The comment for
in_pcbdetach() was no longer correct. Then, make sure we remove
the inpcb from the hash before we commit any destructive actions
on it. There are couple functions that rely on the hash lock
skipping SMR + inpcb lock to lookup an inpcb. Although there are
no known functions that similarly rely on the global inpcb list
lock, also do list removal before destructive actions.
Mark Johnston [Wed, 27 Dec 2023 15:13:29 +0000 (10:13 -0500)]
netmap: Ignore errors in CSB_WRITE()
The CSB_WRITE() and _READ() macros respectively write to and read from
userspace memory and so can in principle fault. However, we do not
check for errors and will proceed blindly if they fail. Add assertions
to verify that they do not.
This is in preparation for annotating copyin() and related functions
with __result_use_check.
Ihor Antonov [Wed, 27 Dec 2023 06:07:26 +0000 (00:07 -0600)]
daemon: replace memchr with memrchr
Looping over lines in the buffer is not needed.
Same effect can be achieved by looking for the last new line.
If found the buffer is guaranteed to have one or more complete lines.
All complete lines are flushed at once with no looping.
Ihor Antonov [Wed, 27 Dec 2023 06:07:25 +0000 (00:07 -0600)]
daemon: move buffer into daemon_state
There is no reason for a buffer in listen_child()
to be a static function variable. The buffer and
its position are parts of the daemon state and should
live together with the rest of the state variables.
Ihor Antonov [Wed, 27 Dec 2023 06:07:25 +0000 (00:07 -0600)]
daemon: fix clang-tidy warnings
Fixed narrowing conversions:
- strtol replaced with strtonum with range check
- read returns ssize_t
- kevent.data explicitly cast to int before passing into strerror
While we we're here:
- Defined and documented maximum restart delay.
- Fixed typo in a comment.
- Remove unused includes
Gleb Smirnoff [Wed, 27 Dec 2023 04:22:12 +0000 (20:22 -0800)]
netlink: simplify socket destruction
Destroy the socket at the file descriptor close(2). There is no
reason to linger for any longer, there are no external references.
Remove pr_detach method as nothing left to do after pr_close.
Remove pr_abort method as it shall never be executed for this type
of socket.
Alexander Motin [Wed, 27 Dec 2023 03:30:56 +0000 (22:30 -0500)]
Schedule fast taskqueue callouts on right CPU.
With fast taskqueues using direct callouts we can reduce number of
CPU wakeups by scheduling callout on current CPU if taskqueue calls
taskqueue_enqueue_timeout() on itself. The trick won't work for
regular taskqueues, since the callout thread will occupy the CPU.
It also may not work in case of multiple threads since we do not
know which thread will pick the task, and we do not want excessive
callout migrations. So we optimize only the other cases we can.
In practice this allows iichid(4) taskqueue to stay on CPU where
underlying ig4(4) interrupts are routed and to not kick CPU 0 with
timer interrupts on each sampling period (every 2nd/3rd sleep).
netpfil: Use accessor functions and named constants for all tcphdr flags
Update all remaining references to the struct tcphdr th_x2 field.
This completes the compatibilty of various aspects with AccECN
(TH_AE), after the internal ipfw "re-checksum required" was moved
to use the TH_RES1 flag.
Alexander Motin [Wed, 27 Dec 2023 00:36:34 +0000 (19:36 -0500)]
iichid(4): Switch taskqueue to "fast"
While "fast" taskqueue may be more expensive due to spinlock use,
when used mainly for timeout tasks it allows to avoid extra context
switches to and from callout thread, that is even more expensive.
Alexander Motin [Wed, 27 Dec 2023 00:28:56 +0000 (19:28 -0500)]
iichid(4): Unify two taskqueue tasks
taskqueue_enqueue_timeout(0) is equivalent to taskqueue_enqueue(),
so no need to create a separate periodic_task and event_task to run
exactly the same handler.
For the same reason as the original https://reviews.freebsd.org/D9659:
-flto=<N>, -flto=full, and -flto=thin also produce the GIMPLE/bitcode
which is not supported by genassym, so filter those out as well.
Rick Macklem [Tue, 26 Dec 2023 22:33:39 +0000 (14:33 -0800)]
nfscl: Fix handling of expired Kerberos credentials (NFSv4.1/4.2)
If the NFS server detects that the Kerberos credentials provided
by a NFSv4.1/4.2 mount using sec=krb5[ip] have expired, the NFS
server replies with a krpc layer error of RPC_AUTHERROR.
When this happened, the client erroneously left the NFSv4.1/4.2
session slot busy, so that it could not be used by other RPCs.
If this happened for all session slots, the mount point would
hang.
This patch fixes the problem by releasing the session slot
and resetting its sequence# upon receiving a RPC_AUTHERROR
reply.
This bug only affects NFSv4.1/4.2 mounts using sec=krb5[ip],
but has existed since NFSv4.1 client support was added to
FreeBSD.
So, why has the bug remained undetected for so long?
I cannot be sure, but I suspect that, often, the client detected
the Kerberos credential expiration before attempting the RPC.
For this case, the client would not do the RPC and, as such,
there would be no busy session slot. Also, no hang would
occur until all session slots are busied (64 for a FreeBSD
client/server), so many cases of the bug probably went undetected?
Also, use of sec=krb5[ip] mounts are not that common.
rilysh [Tue, 26 Dec 2023 16:24:04 +0000 (09:24 -0700)]
bhyve/audio.c: avoid re-calculating the length of dev_name
In the function audio_init(), strlen() is being called two times,
first to get the length of dev_name and second to use in memcpy().
Creating a local variable and keeping the length avoids this
re-calculation.
Alexander Motin [Tue, 26 Dec 2023 02:19:28 +0000 (21:19 -0500)]
acpi_cpu: Reduce BUS_MASTER_RLD manipulations
Instead of setting and clearing BUS_MASTER_RLD register on every C3
state enter/exit, set it only once if the system supports C3 state
and we are going to "disable" bus master arbitration while in it.
This is what Linux does for the past 14 years, and for even more time
this register is not implemented in a relevant hardware. Same time
since this is only a single bit in a bigger register, ACPI has to
do take a global lock and do read-modify-write for it, that is too
expensive, saved only by C3 not entered frequently, but enough to be
seen in idle system CPU profiles.
Mark Johnston [Tue, 26 Dec 2023 01:43:21 +0000 (20:43 -0500)]
nmount: Ignore errors when copying out an error string
In general we copy error strings as part of reporting an error from
lower layers, so if the copyout() fails there's nothing to do since we'd
prefer to preserve the original error.
This is in preparation for annotating copyin() and related functions
with __result_use_check.
Mark Johnston [Tue, 26 Dec 2023 01:43:06 +0000 (20:43 -0500)]
geom: Report copyout() errors in g_ctl_ioctl_ctl()
Despite the name, req->serror is used in some cases to copy non-error
messages to userspace. So, report errors when copying out so long as
they don't clobber an earlier error.
Mark Johnston [Tue, 26 Dec 2023 01:42:58 +0000 (20:42 -0500)]
gntdev: Handle errors from suword32() in gntdev_alloc_gref()
Try to copy out output values before handling errors, and check that we
did so successfully. In particular, it doesn't seem sensible to ignore
errors here, otherwise userspace won't have any way to refer to the
allocations.
This is in preparation for annotating copyin() and related functions
with __result_use_check.
Mark Johnston [Tue, 26 Dec 2023 01:42:49 +0000 (20:42 -0500)]
mpr: Handle errors from copyout() in ioctl handlers
In preparation for adding a __result_use_check annotation to copyin()
and related functions, start checking for errors from copyout() in
the mpr(4) user command handler. This should make it easier to catch
bugs.
Mark Johnston [Tue, 26 Dec 2023 01:42:33 +0000 (20:42 -0500)]
mps: Handle errors from copyout() in ioctl handlers
In preparation for adding a __result_use_check annotation to copyin()
and related functions, start checking for errors from copyout() in
the mps(4) user command handler. This should make it easier to catch
bugs.
Mark Johnston [Tue, 26 Dec 2023 01:41:32 +0000 (20:41 -0500)]
sendfile: Explicitly ignore errors from copyout()
There is a documented bug in sendfile.2 which notes that sendfile(2)
does not raise an error if it fails to copy out the number of bytes
written. Explicitly ignore the error from copyout() calls in
preparation for annotating copyout() with __result_use_check.
Mark Johnston [Tue, 26 Dec 2023 01:39:39 +0000 (20:39 -0500)]
thread: Add a return value to cpu_set_upcall()
Some implementations copy data to userspace, an operation which can in
principle fail. In preparation for adding a __result_use_check
annotation to copyin() and related functions, let implementations of
cpu_set_upcall() return an error, and check for errors when copying data
to user memory.
Mark Johnston [Tue, 26 Dec 2023 01:38:57 +0000 (20:38 -0500)]
ocs: Check for copyin errors in the ioctl handler
If copyin() fails, the driver will blindly proceed with whatever had
been in the uninitialized DMA buffer. This is not what we want. Check
for copyin failures.
This is in preparation for annotating copyin() and related functions
with __result_use_check.
Mark Johnston [Tue, 26 Dec 2023 01:38:12 +0000 (20:38 -0500)]
mpi3mr: Check for copyin errors in mpi3mr_map_data_buffer_dma()
A failed copyin will cause the driver to use the contents of
uninitialized buffers instead, which is unlikely to be the behaviour
that we want. Check for errors.
This is in preparation for annotating copyin() and related functions
with __result_use_check.
Mark Johnston [Tue, 26 Dec 2023 01:37:49 +0000 (20:37 -0500)]
hid: Handle errors from copyin() in ioctl handlers
If copyin() fails, the driver will proceed blindly with a zeroed buffer,
which is not what we want. In preparation for annotating copyin() with
__result_use_check, start checking for errors.
Dimitry Andric [Mon, 25 Dec 2023 17:18:31 +0000 (18:18 +0100)]
Minimize libc++ errno-related header diffs with upstream
In commit 88640c0e8b6f5 the new EINTEGRITY errno value was added, and
this caused us to carry a patch for upstream libc++ since that time.
Because it can cause merge conflicts when importing libc++ code from
upstream, I have submitted an upstream pull request to get most of that
patch integrated.
It turns out that we do not need the errno.h part of it at all, since
all supported FreeBSD versions define EOWNERDEAD and ENOTRECOVERABLE,
and therefore the block that juggles with ELAST values is never used in
FreeBSD. At the moment it only applies to older versions of Linux, or
possibly other platforms.
Therefore the only part that needs to stay is the definition of a enum
errc value for EINTEGRITY, and this is made optional upon EINTEGRITY
being defined, to make it suitable for upstreaming.
The scalar implementation is fairly simplistic and only performs
slightly better than the generic C implementation. It could be
improved by using the same algorithm as for memchr, but it would
have been a lot more complicated.
The baseline implementation is similar to timingsafe_memcmp. It's
slightly slower than memchr() due to the more complicated main
loop, but I don't think that can be significantly improved.
lib/libc/string: document restrict qualification of memccpy() arguments
POSIX.1-2004 and the upcoming C23 agree that memccpy()'s arguments
are restrict qualified and must not overlap. In 2002, restrict
qualifiers were added to <string.h>'s declaration of the function.
Make things official and document that the arguments must not
overlap.
Based on the strlcpy code from D42863, this patch adds a SIMD-enhanced
implementation of memccpy for amd64. A scalar implementation calling
into memchr and memcpy to do the job is provided, too.
Please note that this code does not behave exactly the same as the C
implementation of memccpy for overlapping inputs. However, overlapping
inputs are not allowed for this function by ISO/IEC 9899:1999 and neither
has the C implementation any code to deal with the possibility. It just
proceeds byte-by-byte, which may or may not do the expected thing for
some overlaps. We do not document whether overlapping inputs are
supported in memccpy(3).