landonf [Wed, 10 Jan 2018 22:19:11 +0000 (22:19 +0000)]
Fix minor locking issues in the Power Mac Uninorth PCI bridge driver.
- Call resource_int_value() once during attach, rather than within the
pci_(read|write)_config() code path; this avoids taking a blocking mutex
to read kenv variables.
- Use a spin lock to protect non-atomic config space accesses; this matches
the behavior of Darwin's AppleMacRiscPCI driver.
cem [Wed, 10 Jan 2018 21:49:45 +0000 (21:49 +0000)]
mallocarray(9): panic if the requested allocation would overflow
Additionally, move the overflow check logic out to WOULD_OVERFLOW() for
consumers to have a common means of testing for overflowing allocations.
WOULD_OVERFLOW() should be a secondary check -- on 64-bit platforms, just
because an allocation won't overflow size_t does not mean it is a sane size
to request. Callers should be imposing reasonable allocation limits far,
far, below overflow.
markj [Wed, 10 Jan 2018 21:37:11 +0000 (21:37 +0000)]
Fix an off-by-one in dt_opt_setenv().
The bug would cause incorrect behaviour when attempting to override
an already set environment variable with -x setenv, as long as the
variable is not the last one in the array.
Reported by: Samuel Lepetit <slepetit@apple.com>
MFC after: 2 weeks
jhb [Wed, 10 Jan 2018 21:18:46 +0000 (21:18 +0000)]
Don't store shadow copies of per-process AIO limits.
Previously the AIO subsystem would save a snapshot of the currently
configured per-process limits the first time a process used AIO. The
process would continue to use the snapshotted limits ignoring any
changes to the global limits during the rest of its lifetime. This
change removes the snapshotted values and changes the AIO code to
always check the global values which can be toggled at runtime.
This means an administrator can now change the effective limits of
existing processes. This is more consistent with how other limits
configured via sysctl work in FreeBSD.
emaste [Wed, 10 Jan 2018 20:28:01 +0000 (20:28 +0000)]
Enable ld.lld as bootstrap linker by default on amd64
For some time we have been planning to migrate to LLVM's lld linker.
Having a man page was the last blocking issue for using ld.lld to link
the base system kernel + userland, now addressed by r327770. Link the
kernel and userland libraries and binaries with ld.lld by default, for
additional test coverage.
This has been a long time in the making. On 2013-04-13 I submitted an
upstream tracking issue in LLVM PR 23214: [META] Using LLD as FreeBSD's
system linker. Since then 85 individual issues were identified, and
submitted as dependencies. These have been addressed along with two
and a half years of other lld development and improvement.
I'd like to express deep gratitude to upstream lld developers Rui
Ueyama, Rafael Espindola, George Rimar and Davide Italiano. They put in
substantial effort in addressing the issues we found affecting
FreeBSD/amd64.
To revert to using ld.bfd as the bootstrap linker, in /etc/src.conf set
WITHOUT_LLD_BOOTSTRAP=yes
If you need to set this, please follow up with a PR or post to the
freebsd-toolchain mailing list explaining how default WITH_LLD_BOOTSTRAP
failed for your use case.
Note that GNU ld.bfd is still installed as /usr/bin/ld, and will still
be used for linking ports. ld.lld can be installed as /usr/bin/ld by
setting in /etc/src.conf
WITH_LLD_IS_LLD=yes
A followup commit will set WITH_LLD_IS_LD by default, possibly after
Clang/LLVM/lld 6.0 is merged to FreeBSD.
Release notes: Yes
Sponsored by: The FreeBSD Foundation
pfg [Wed, 10 Jan 2018 19:45:38 +0000 (19:45 +0000)]
Use mallocarray(9) in dirhash.
Basic use of mallocarray to prevent overflows. Here allocation is done
with M_NOWAIT so the code is prepared for the possibility of returning
NULL values. Since mallocarray expects unsigned parameters, unsign some
related variables to minimize sign conversions.
markj [Wed, 10 Jan 2018 19:37:21 +0000 (19:37 +0000)]
Fix handling of read errors during mirror synchronization.
We would previously just free the request BIO, which would either cause
the disk to stay stuck in the SYNCHRONIZING state, or result in
synchronization completing without having copied the block which
returned an error.
With this change, if the disk which returned an error is the only active
disk in the mirror, the synchronizing disk is kicked out. Otherwise, the
read is retried.
avg [Wed, 10 Jan 2018 17:35:00 +0000 (17:35 +0000)]
amdsbwd: fix handling of timeout values beyond the supported range
The driver now fully observes watchdog(9) protocol.
Previously a too large timeout was silently clamped while the correct
behavior is to disable the watchdog and leave the error as is
(i.e. to not report success).
Also, previously a too small value caused the timer to stop while the
correct behavior is to use the minimal supported value.
emaste [Wed, 10 Jan 2018 16:01:25 +0000 (16:01 +0000)]
lld: introduce basic man page
Upstream lld has no man page. Introduce a basic one for FreeBSD based on
ld.lld --help, with a brief introduction and additional detail for some
options.
We'll continue refining this in FreeBSD, and then submit it upstream once
the first round of edits are complete.
Submitted by: krion, Arshan Khanifar, emaste, bjk
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D13813
imp [Wed, 10 Jan 2018 14:59:19 +0000 (14:59 +0000)]
Retire pmtimer driver. Move time fixing into apm driver. Move
Iwasaki-san's copyright over. Remove FIXME code that couldn't possibly
work. Call tc_settime() with our estimate of the delta we've been
alseep (the one we print) to adjust the time. Not sure what to do
about callouts, so keep the small #ifdef in place there.
imp [Wed, 10 Jan 2018 14:58:58 +0000 (14:58 +0000)]
Remove vestiges of digi(4) driver, first attempted in r305235 with
more in r317426. There's nothing in the tree that references digiio.h
(apart from digictl(8)), so no driver implements it. Since digictl(8)
was only used to control digi(4) devices, it too should go.
cem [Wed, 10 Jan 2018 06:30:59 +0000 (06:30 +0000)]
Finally, fix Zstd kernel build on MIPS and RISC-V
Add an implementation of the intrinsics invoked by __builtin_ctz{,ll} and
__builtin_clz{,ll}, and include this compilation unit on platforms that lack
assembly intrinsics for those builtins (MIPS and RISC-V).
Future cleanup work might involve bringing these into a mini libcompiler-rt
for the standalone kernel environment. Or cleaning up the approach upstream
takes for builtins in standalone environments (or just FreeBSD). For now,
at least this builds, and doesn't require modifying the vendor code.
markj [Wed, 10 Jan 2018 05:06:21 +0000 (05:06 +0000)]
Avoid referencing a possibly freed consumer after r327496.
g_mirror_regular_request() may free the gmirror consumer for a disk
if that disk is being disconnected, after which we must not dereference
the consumer pointer.
ian [Wed, 10 Jan 2018 02:57:03 +0000 (02:57 +0000)]
Convert a collection of unrelated bitwise flags to a collection of boolean
vars in the softc. It makes the code more compact and readable, and
actually uses less memory too.
ian [Wed, 10 Jan 2018 02:31:59 +0000 (02:31 +0000)]
Bugfix: don't lose the am/pm mode flag when setting the time. Unlike most
RTC chips that have a control register bit for am/pm mode, the DS13xx series
uses one of the high bits in the hour register. Thus, when setting the time
in am/pm mode, the am/pm mode flag has to be ORed into the hour.
ian [Wed, 10 Jan 2018 02:28:10 +0000 (02:28 +0000)]
Bugfix: on RTC chips with a 32-bit binary counter, after reading the time,
return immediately rather than falling through to the logic that reads
BCD-encoded time.
jhb [Wed, 10 Jan 2018 00:18:47 +0000 (00:18 +0000)]
Allow the fast-path for disk AIO requests to fail requests.
- If aio_qphysio() returns a non-zero error code, fail the request rather
than queueing it to the AIO kproc pool to be retried via the slow path.
Currently this means that if vm_fault_quick_hold_pages() reports an
error, EFAULT is returned from the fast-path rather than retrying the
request in the slow path where it will still fail with EFAULT.
- If aio_qphysio() wishes to use the fast path for a device that doesn't
support unmapped I/O but there are already the maximum number of
such requests in flight, fail with EAGAIN as we do for other AIO
resource limits rather than queueing the request to the AIO kproc pool.
- Move the opcode check for aio_qphysio() out of the caller and into
aio_qphysio() to simplify some logic and remove two goto's while here.
It also uses a whitelist (only supported for LIO_READ / LIO_WRITE)
rather than a blacklist (skipped for LIO_SYNC).
pfg [Tue, 9 Jan 2018 22:48:13 +0000 (22:48 +0000)]
Use the __result_use_check attribute also for reallocf(3).
The GCC attribute causes a warning to be emitted if a caller of the
function with this attribute does not use its return value. Unlike the
traditional realloc, with reallocf(3) we don't have to check for NULL
values but we still have to make sure the result is used.
scottl [Tue, 9 Jan 2018 21:23:16 +0000 (21:23 +0000)]
Hold a refcount on the periph while running the allocation
queue. This will allow sub-transports to release their
probe pseudo-device with fewer convoluted restrictions.
cem [Tue, 9 Jan 2018 20:53:30 +0000 (20:53 +0000)]
Fix Zstd x86 kernel build with -march=<specific>
Disable Zstd experimental support for __BMI__ intrinsics, when built with
-march=foo supporting such intrinsics, to avoid attempting to include
immintrin.h. If a later Zstd marks the support non-experimental, we may want
to revisit this approach.
USNO and possibly others have misinterpreted the maining of the
leapseconds last-update field and incorrectly increment it when changing
the file even though the leapsecond data has not changed. For instance,
if a leapsecond file is obtained from USNO, when it expires it will not
be replaced by a newer file from other sources because it has an
incorrect later last-update (version).
nwhitehorn [Tue, 9 Jan 2018 19:41:10 +0000 (19:41 +0000)]
Add XHCI support to powerpc64 GENERIC. This is useful to get input devices
supported on newer POWER hardware and in graphical VMs run on the same,
which are typically XHCI-only. The 32-bit GENERIC kernel, which
does not run on hardware made in the last decade and is unlikely to
encounter XHCI devices, is left unchanged.
pf tests: Fix pft_ping.py to work with scapy 2.3.3
Scapy requires the Raw payload to be a string, which was not the case. This
caused the pft_ping.py script to fail, which in turn caused the test to fail.
imp [Tue, 9 Jan 2018 16:11:33 +0000 (16:11 +0000)]
Remove ccbque.h from i386/isa.
inline ccbque.h into scsi_low.h. The file isn't MD, so shouldn't live
in i386/isa. It's only used by scsi_low, so move it there so no new
clients accidentally grow. scsi_low may not even still work, and the
locking here is still SPL based. CAM should do the right thing, but
I've received no reports of these cards still working. At least it
compiles still and there's one fewer files in sys/i386/isa. While I'm
here, ansify and de-splize. CCB_MWANTED appears to be a clear-only
flag, but I've not changed that.
andrew [Tue, 9 Jan 2018 14:33:05 +0000 (14:33 +0000)]
Add a framework to install CPU errata on arm64. Each erratum can encode
a mask and value to compare with the Main ID Register. If these match then a
function is called to handle the installation of the erratum workaround.
No errata are currently handled, however this will change soon in a future
commit.
avg [Tue, 9 Jan 2018 14:22:18 +0000 (14:22 +0000)]
vmm/svm: contigmalloc of the whole svm_softc is excessive
This is a followup to r307903.
struct svm_softc takes more than 200 kilobytes while what we really need
is 3 contiguous pages for I/O permission map and 2 contiguous pages for
MSR permission map. Other physically mapped structures have a size of
a single page, so a proper alignment is sufficient for their correct
mapping.
Thus, only the permission maps are allocated with contigmalloc now,
the softc is allocated with a regular malloc.
Additionally, this commit adds a check that malloc returns memory with the
expected page alignment and that contigmalloc does not fail.
Unfortunately, at present svm_vminit() is expected to always succeed and
there is no way to report an error.
So, a contigmalloc failure leads to a panic.
We should probably fix this.
kib [Tue, 9 Jan 2018 10:51:44 +0000 (10:51 +0000)]
Generalize the fix from r322757 and apply it to several more places.
The code accesses bp->b_dep without owning the ufs mount softdep lock,
which makes it possible for the derefenced workitem to be freed in
parallel. In particular, the deallocate_dependencies(),
softdep_disk_io_initiation() and softdep_disk_write_complete() are
affected.
Move the code to safely calculate ump from the buffer with
dependencies into the helper softdep_bp_to_mp() and use it for all
found cases.
Tested by: pho (as part of the bigger patch)
Reviewed by: mckusick (as part of the bigger patch)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
kib [Tue, 9 Jan 2018 10:44:17 +0000 (10:44 +0000)]
When handling write completion, take SU lock around calls to
handle_written_XXX() in case of processing the buffer with an error.
Tested by: pho (as part of the bigger patch)
Reviewed by: mckusick (as part of the bigger patch)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
When growing the state, also grow the seed array. Otherwise memory
that was not allocated will be accessed.
This necessitated refactoring state seed allocation from
ipf_state_soft_init() into a new common ipf_state_seed_alloc() function
as it is now also used by ipf_state_rehash() when changing the size of
the state hash table in addition to by ipf_state_soft_init() during
initialization.
According to Christos Zoulas <christos@NetBSD.org>:
The bug was encountered by a NetBSD vendor who's customer machines had
large ipfilter states. The bug was reliably triggered by resizing the
state variables using "ipf -T".
scottl [Tue, 9 Jan 2018 00:10:59 +0000 (00:10 +0000)]
Don't hold the periph lock when calling into cam_periph_runccb()
from the ada and da dump routines. This avoids difficult locking
problems from needing to be handled. While it might seem like this
would leave the periphs unprotected during dump, they were aleady
at risk of unexpected removal due to the dump functions not
keeping refcount state across the many calls that come in during
a dump. This is an exercise for future work.
markj [Mon, 8 Jan 2018 21:27:41 +0000 (21:27 +0000)]
Generalize the gzio API.
We currently use a set of subroutines in kern_gzio.c to perform
compression of user and kernel core dumps. In the interest of adding
support for other compression algorithms (zstd) in this role without
complicating the API consumers, add a simple compressor API which can be
used to select an algorithm.
Also change the (non-default) GZIO kernel option to not enable
compressed user cores by default. It's not clear that such a default
would be desirable with support for multiple algorithms implemented,
and it's inconsistent in that it isn't applied to kernel dumps.
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D13632
jhb [Mon, 8 Jan 2018 18:47:35 +0000 (18:47 +0000)]
Use <stand.h> instead of <inttypes.h> and <stdio.h> in boot code.
In the freestanding boot compile environment, standard headers are not
available. Curiously, only building with clang exposed this as compiles
with external GCC still succeeded.
jhb [Mon, 8 Jan 2018 18:44:36 +0000 (18:44 +0000)]
Define __dmadat after #include'ing ufsread.c.
The __dmadat variable is a statically allocated I/O buffer. The type is
declared in the ufsread.c source file and clang warns if a variable is
defined before it's type is declared.
pfg [Mon, 8 Jan 2018 15:41:48 +0000 (15:41 +0000)]
malloc(9): drop the __result_use_check attribute for the kernel allocator.
The __result_use_check attribute was brought to the kernel malloc in
r281203 for consistency with the userland malloc.
For the case of the M_WAITOK flag, the kernel malloc(), realloc(), and
reallocf() cannot return NULL so in that case the __result_use_check
attribute makes no sense.
We don't have any way of conditionalizing such attributes so just drop it.
asomers [Mon, 8 Jan 2018 00:10:45 +0000 (00:10 +0000)]
geli: optimize tests
Reduce the geli tests' runtime by about a third:
* In integrity_test:copy, use a file-backed md(4) device instead of a
malloc'd one. That way we can corrupt the underlying storage without
needing to detach and reattach the geli device.
* In integrity_test:{copy, hmac, data} and onetime_test:{onetime,
onetime_a}, move reads of /dev/random out of the loop.
pf: Avoid integer overflow issues by using mallocarray() iso. malloc()
pfioctl() handles several ioctl that takes variable length input, these
include:
- DIOCRADDTABLES
- DIOCRDELTABLES
- DIOCRGETTABLES
- DIOCRGETTSTATS
- DIOCRCLRTSTATS
- DIOCRSETTFLAGS
All of them take a pfioc_table struct as input from userland. One of
its elements (pfrio_size) is used in a buffer length calculation.
The calculation contains an integer overflow which if triggered can lead
to out of bound reads and writes later on.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Similar to calloc() the mallocarray() function checks for integer
overflows before allocating memory.
It does not zero memory, unless the M_ZERO flag is set.
kevans [Sun, 7 Jan 2018 04:59:28 +0000 (04:59 +0000)]
aw_sid(4): Add support for Allwinner H3
The sid controller on the H3 is generally identical in location, size, and
efuse offset to the a64 and the a83t. The main difference is that the H3 has
a silicon bug that sometimes causes the rootkey (at least) to be garbled
unless first read by the prctl registers.
This device is currently not in our DTS and, as of now, is not yet present
in mainline Linux DTS.
kevans [Sun, 7 Jan 2018 03:31:55 +0000 (03:31 +0000)]
aw_sid: Add method for reading keys via prctl registers
Technically supported on the later SoCs, this will only really be used to
add support for the H3 sid. The H3 has a silicon bug that manifests itself
by returning garbled rootkeys unless first read via the prctl registers.
asomers [Sun, 7 Jan 2018 02:30:08 +0000 (02:30 +0000)]
geli: fix parallel execution of tests
The trick is not to destroy an md(4) device during a test. That can create
a "double-free" situation, because we also destroy md devices during test
cleanup.
kevans [Sun, 7 Jan 2018 02:19:54 +0000 (02:19 +0000)]
Fix bogus pass for syscon_generic introduced in r327621
ian@ pointed out that BUS_PASS_DEFAULT + $anything is bogus, given that
BUS_PASS_DEFAULT is defined as __INT_MAX. Instead, we take a page out of
imx6_usbphy's book and use BUS_PASS_DEFAULT - 1000 to achieve the desired
effect of syscon_generic attaching before if_awg and other potential
consumers, but late enough that more specialized implementations should have
no problem attaching instead.
asomers [Sun, 7 Jan 2018 00:44:22 +0000 (00:44 +0000)]
geli: convert most tests from TAP to ATF
I'm leaving readonly_test and nokey_test alone for now. In a future commit
they should be broken up into several smaller test cases and distributed
between multiple files.