Mark Johnston [Wed, 9 Jan 2019 16:47:16 +0000 (16:47 +0000)]
Stop setting if_linkmib in vlan(4) ifnets.
There are several reasons:
- The structure being exported via IFDATA_LINKSPECIFIC doesn't appear
to be a standard MIB.
- The structure being exported is private to the kernel and always
has been.
- No other drivers in common use set the if_linkmib field.
- Because IFDATA_LINKSPECIFIC can be used to overwrite the linkmib
structure, a privileged user could use it to corrupt internal
vlan(4) state. [1]
Fix loopback traffic when using non-lo0 link local IPv6 addresses.
The loopback interface can only receive packets with a single scope ID,
namely the scope ID of the loopback interface itself. To mitigate this
packets which use the scope ID are appearing as received by the real
network interface, see "origifp" in the patch. The current code would
drop packets which are designated for loopback which use a link-local
scope ID in the destination address or source address, because they
won't match the lo0's scope ID. To fix this restore the network
interface pointer from the scope ID in the destination address for
the problematic cases. See comments added in patch for a more detailed
description.
This issue was introduced with route caching (ae@).
net80211: fix panic when device is removed during initialization
if_dead() is called during device detach - check if interface is
still exists before trying to refresh vap MAC address
(IF_LLADDR will trigger page fault otherwise).
Make sh(1) recognize the default $HOME. By default /home
is a symlink; without this change, when you log in, sh(1)
won't realize the current directory (eg '/usr/home/test')
is the same as $HOME ('/home/test').
Fix an edge case when parsing large numbers which resulted in inconsistent
results between an expression that refers to a variable by name and the
same expression that includes the same variable by value.
Michael Tuexen [Wed, 9 Jan 2019 06:36:57 +0000 (06:36 +0000)]
Fix getsockopt() for IP_OPTIONS/IP_RETOPTS.
r336616 copies inp->inp_options using the m_dup() function.
However, this function expects an mbuf packet header at the beginning,
which is not true in this case.
Therefore, use m_copym() instead of m_dup().
This issue was found by syzkaller.
Reviewed by: mmacy@
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D18753
Gleb Smirnoff [Wed, 9 Jan 2019 05:53:59 +0000 (05:53 +0000)]
Timer interval is correctly counted in ticks (1/100 s) in
mibif_reset_hc_timer(). Multiplication by 10 is erroneous
and is probably a blind copy and paste from next function.
Colin Percival [Wed, 9 Jan 2019 03:55:25 +0000 (03:55 +0000)]
Turn off ec2_ephemeralswap for now
This script broke around FreeBSD 11.0 as a result of SWAPMETA no longer
being reported by vmstat -z; but it also needs to be reworked due to the
arrival in EC2 of nvme ephemeral disks.
I'll turn this option back on after I've found time to rewrite the
script in question.
Kyle Evans [Wed, 9 Jan 2019 02:47:07 +0000 (02:47 +0000)]
Fix bsdgrep manpage clobbering grep(1) with default build options
The default build should install bsdgrep(1) and grep(1), with the latter
being gnugrep(1). WITH_BSD_GREP flips this situation such that we have
gnugrep(1) and grep(1), with the latter being bsdgrep(1).
Changes to start installing the zgrep script out of usr.bin/grep
inadvertently altered the default build such that grep(1) was being
installed, and it was bsdgrep(1). Correct the typo.
In r316006 the getstrfromtype_locked() function was modified to return
an empty string, instead of NULL, if an entry is missing in the audit_control
file. Because of that change the getachost() function started to return
success even if the host name was not defined in the audit_control.
This in turn led to auditd_hostlen always being set (for an empty host it was
set to 0). If auditd_hostlen was not equal to -1 we were trying to append
the host name to trail file name. All this led to situation where when host
name is not defined in audit_control, auditd will create trail files with
a leading '.', which breaks auditdistd as it doesn't work with longer audit
trail file names.
Fix this by appending host name to the trail file name only if the host name
is not empty.
Gleb Smirnoff [Wed, 9 Jan 2019 01:11:19 +0000 (01:11 +0000)]
Mechanical cleanup of epoch(9) usage in network stack.
- Remove macros that covertly create epoch_tracker on thread stack. Such
macros a quite unsafe, e.g. will produce a buggy code if same macro is
used in embedded scopes. Explicitly declare epoch_tracker always.
- Unmask interface list IFNET_RLOCK_NOSLEEP(), interface address list
IF_ADDR_RLOCK() and interface AF specific data IF_AFDATA_RLOCK() read
locking macros to what they actually are - the net_epoch.
Keeping them as is is very misleading. They all are named FOO_RLOCK(),
while they no longer have lock semantics. Now they allow recursion and
what's more important they now no longer guarantee protection against
their companion WLOCK macros.
Note: INP_HASH_RLOCK() has same problems, but not touched by this commit.
This is non functional mechanical change. The only functionally changed
functions are ni6_addrs() and ni6_store_addrs(), where we no longer enter
epoch recursively.
Chuck Tuffli [Tue, 8 Jan 2019 15:30:56 +0000 (15:30 +0000)]
Add NVMe drive to NOIOB quirk list
Dell-branded Intel P4600 NVMe drives benefit from NVMe 1.3's NOIOB
feature. Unfortunately just like Intel DC P4500s, they don't advertise
themselves as benefiting from this...
This changes adds P4600s to the existing list of old drives which
benefit from striping.
ports.7: Do not mention deprecated WITH_SSP_PORTS and WITH_GHOSTSCRIPT_VER
As mentioned in this special status report[1] from EuroBSDCon 2013,
WITH_SSP_PORTS was relevant in the FreeBSD 9 and FreeBSD 10 days.
Nowadays, -fstack-protector is set by default. Relevant knobs and variables
are documented in ports/Mk/bsd.port.mk.
WITH_GHOSTSCRIPT_VER was part of USE_GHOSTSCRIPT, which is deprecated.
Stephen Hurd [Mon, 7 Jan 2019 23:46:54 +0000 (23:46 +0000)]
Use iflib_if_init_locked() during resume instead of iflib_init_locked().
iflib_init_locked() assumes that iflib_stop() has been called, however,
it is not called for suspend. iflib_if_init_locked() calls stop then init,
so fixes the problem.
This was causing errors after a resume from suspend.
Conrad Meyer [Mon, 7 Jan 2019 19:39:31 +0000 (19:39 +0000)]
powerpc: Fix regression introduced in r342771
In r342771, I introduced a regression in Power by abusing the platform
smp_topo() method as a shortcut for providing the MI information needed for
the stated sysctls. The smp_topo() method was already called later by
sched_ule (under the name cpu_topo()), and initializes a static array of
scheduler topology information. I had skimmed the smp_topo_foo() functions
and assumed they were idempotent; empirically, they are not (or at least,
detect re-initialization and panic).
Do the cleaner thing I should have done in the first place and add a
platform method specifically for core- and thread-count probing.
Kyle Evans [Mon, 7 Jan 2019 16:16:47 +0000 (16:16 +0000)]
libbe(3): Don't allow bootfs to be destroyed
Previously, the following sequence of events was feasible under some
circumstance:
bectl create test
bectl activate test
# the test BE dataset gets promoted and set as bootfs
bectl destroy test
I was unable to reproduce the destroy succeeding, but we should be rejecting
this before it even gets to libzfs because it would leave the system in an
inconsistent state. Forcing the user to be explicit as to which environment
should be activated instead is much better.
Reported by: Graham Perrin <grahamperrin@gmail.com>
MFC after: 3 days
Warner Losh [Mon, 7 Jan 2019 06:19:51 +0000 (06:19 +0000)]
Fix a race between setting up the interrupt handler and it firing by
setting the data prior to setting up the interrupt. Now we only set
the cookie afterwards, and that (a) cannot be helpd and (b) isn't used
in the ISR.
Warner Losh [Mon, 7 Jan 2019 05:59:58 +0000 (05:59 +0000)]
Fix TI PCI1520 PCI Cardbus bridge, but others affected.
On system with Celeron 1.5GHz CPU, sometimes when a PCMCIA to Compact Flash
adapter containing a Compact Flash card is inserted in the cardbus slot the
system hangs. This problem has not been observed in systems with a 2.8GHz
XEON CPU or faster.
Analysis of the cbb driver shows functional interrupts are routed to PCI
BEFORE the interrupt handler for functional interrupts has been registered.
Clamp tuklib_physmem() return value to SIZE_T_MAX.
On 32bit platforms it is possible to have (much) more physical RAM
than is mappable into single address space. In this case liblzma
scales the value into a request to mmap more address space than it is
theoretically possible.
Reported and tested by: pho
Reviewed by: delphij
Discussed with: emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Cy Schubert [Sun, 6 Jan 2019 21:24:44 +0000 (21:24 +0000)]
Remove ipsd (IP Scan Detetor). It is unused and to my knowledge has
never been used on any platform that ipfilter has been on. However
it looks like it could be a useful utility, therefore there are plans
to make it a port one day. It lacks a man page as well.
powerd(8): allow to force a method of battery state query
This change allows to determine power source via sysctl or /dev/apm
when devd(8) is running (used by default).
Based on patch from PR; other changes on top of it:
- '-f' (force) -> '-s' (source) parameter renaming;
- allow 'apm' -> 'devd' transition when '-s devd' is set
(if APM is enabled);
- man page update.
Checked on amd64 with -s devd / sysctl and apm
(an extra build with forced USE_APM define set was done)
Kyle Evans [Sun, 6 Jan 2019 01:39:01 +0000 (01:39 +0000)]
rc.subr: Fix typo
Originally intended as 'in case in needs to be re-invoked', but it was later
decided (by myself) that 're-invoke itself' makes it more clear that the
script is expected to use this in a way.
Reported by: Jose Luis Duran (jlduran @ github)
X-MFC-With: r342792
Kyle Evans [Sat, 5 Jan 2019 21:23:25 +0000 (21:23 +0000)]
rc.subr: Provide rc_service variable for service scripts
Some rc scripts in ports (e.g. uwsgi, apache, openvpn) allow for
'application profiles' that usually require the rc script to be invoked
again for each active profile. Because there's no consistent way to
determine the path because it differs between manual/service(8) invocations
and /etc/rc invocations, this leads to patterns like these:
- www/uwsgi hardcodes the script path
- security/openvpn guesses either $_file or $0 based on $0 = /etc/rc
Instead of forcing rc scripts to guess, provide an rc_service variable to
the scripts that gets set appropriately both for direct execution or when a
script is being executed via run_rc_script (e.g. /etc/rc).
This is our analog of an OpenRC variable with the same name, different case
(RC_SERVICE).
Mark Johnston [Sat, 5 Jan 2019 16:05:39 +0000 (16:05 +0000)]
Capsicumize rtsol(8) and rtsold(8).
These programs parse ND6 Router Advertisement messages; rtsold(8) has
required an SA, SA-14:20.rtsold, for a bug in this code. Thus, they
are good candidates for sandboxing.
The approach taken is to run the main executable in capability mode
and use Casper services to provide functionality that cannot be
implemented within the sandbox. In particular, several custom services
were required.
- A Casper service is used to send Router Solicitation messages on a
raw ICMP6 socket. Initially I took the approach of creating a
socket for each interface upon startup, and connect(2)ing it to
the all-routers multicast group for the interface. This permits
the use of sendmsg(2) in capability mode, but only works if the
interface's link is up when rtsol(d) starts. So, instead, the
rtsold.sendmsg service is used to transmit RS messages on behalf
of the main process. One could alternately define a service
which simply creates and connects a socket for each destination
address, and returns the socket to the sandboxed process. However,
to implement rtsold's -m option we also need to read the ND6 default
router list, and this cannot be done in capability mode.
- rtsold may execute resolvconf(8) in response to RDNSS and DNSSL
options in received RA messages. A Casper service is used to
fork and exec resolvconf(8), and to reap the child process.
- A service is used to determine whether a given interface's
link-local address is useable (i.e., not duplicated or undergoing
DAD). This information is supplied by getifaddrs(3), which reads
a sysctl not available in capability mode. The SIOCGIFCONF socket
ioctl provides equivalent information and can be used in capability
mode, but I decided against it for now because of some limitations
of that interface.
In addition to these new services, cap_syslog(3) is used to send
messages to syslogd.
Reviewed by: oshogbo
Tested by: bz (previous versions)
MFC after: 2 months
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17572
Mark Johnston [Sat, 5 Jan 2019 15:28:20 +0000 (15:28 +0000)]
Add a bounds check to the tws(4) passthrough ioctl handler.
tws_passthru() was doing a copyin of a user-specified request
without validating its length, so a malicious request could overrun
the buffer. By default, the tws(4) device file is only accessible
as root.
admbug: 825
Reported by: Anonymous of the Shellphish Grill Team
Reviewed by: delphij
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18536
Reduce timeout for reading the USB HUB port status to 1000ms and try to filter
out dead USB HUB devices by implementing an error counter, so that the USB
enumeration thread does not spend all its time reading from non-responding
devices, blocking user-space access in the end.
It seems that libkern/mcount.c is the only consumer of vm/pmap.h that
does not include machine/atomic.h. Make it work by bringing
machine/atomic.h when pmap.h is used for kernel non-asm .c file.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Andrew Gallatin [Fri, 4 Jan 2019 18:38:27 +0000 (18:38 +0000)]
Limit git history searches in newvers.sh
newvers.sh takes upwards of 4-5 seconds to complete on trees checked
out from github, due to searching the entire history for non-existent
git-svn metadata. Similarly, if one does not check out notes, we
again search the entire history for notes. That makes newvers.sh very
slow for many github users.
To fix this in a fair way, limit the history search to the last 10K
commits: if you're more than 10K commits out of sync, then you've
forked the project, and our SVN rev is no longer very important to you.
Due to how git implements --grep in conjunction with -n, --grep has been
removed for performance reasons (git does not seem to limit its search
to the -n limit in this case, and takes just as long as it did with no
limit).
Ed Maste [Fri, 4 Jan 2019 18:35:25 +0000 (18:35 +0000)]
Add explicit csu test dependency
lib/csu/tests/dynamiclib requires libh_csu.so be built first. I'm not
sure this is the most correct/best way to address this but it solves
the issue in my testing.
Conrad Meyer [Fri, 4 Jan 2019 18:31:17 +0000 (18:31 +0000)]
Expose threads-per-core and physical core count information
With new sysctls (to the best of our ability do detect them). Restructured
smp.4 slightly for clarity (keep relevant stuff closer to the top) while
documenting.
i386: Use atomic 64bit load to read PDE value from PAE pagetables in
pmap_kextract().
pmap_kextract() can race with promotion/demotion on the kernel page
table, in which case current non-atomic 64bit read would see torn
value, breaking pmap_kextract(). pmap_kextract() would correctly
handle either promoted or demoted PDE, but not a mix where one word
is from a different state.
It requires PAE and > 4G memory to reproduce. We observed this in
real loads, both for intensive use of malloc(9)/free(9) where
vtoslab() returned invalid pointer to the slab, and with the use of
busdma_bounce, where incorrect page was bounced.
In collaboration with: pho
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D18714
Mark Johnston [Fri, 4 Jan 2019 17:31:50 +0000 (17:31 +0000)]
Support MSG_DONTWAIT in send*(2).
As it does for recv*(2), MSG_DONTWAIT indicates that the call should
not block, returning EAGAIN instead. Linux and OpenBSD both implement
this, so the change makes porting easier, especially since we do not
return EINVAL or so when unrecognized flags are specified.
Mark Johnston [Fri, 4 Jan 2019 17:14:50 +0000 (17:14 +0000)]
Don't enable interrupts in init_secondary().
The MI kernel assumes that interrupts will not be enabled on APs until
after the first context switch. In particular, the problem was causing
occasional deadlocks during boot.
Remove an unneeded intr_disable() added in r335005.
Reviewed by: jhb (previous version)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18738
Ed Maste [Fri, 4 Jan 2019 16:47:35 +0000 (16:47 +0000)]
newvers: retire p4 version support
Perforce no longer offers a FreeBSD client and it not a viable VCS for
FreeBSD development. Remove p4 version logic to simplify newvers.sh in
advance of other changes.
Chuck Tuffli [Fri, 4 Jan 2019 15:03:35 +0000 (15:03 +0000)]
Fix bhyve's NVMe Completion Queue entry values
The function which processes Admin commands was not returning the
Command Specific value in Completion Queue Entry, Dword 0 (CDW0). This
effects commands such as Set Features, Number of Queues which returns
the number of queues supported by the device in CDW0. In this case, the
host will only create 1 queue pair (Number of Queues is zero based).
This also masked a bug in the queue counting logic.
Chuck Tuffli [Fri, 4 Jan 2019 15:03:30 +0000 (15:03 +0000)]
Fix bhyve's NVMe queue bookkeeping
Many size / length parameters in NVMe are "0's based", meaning, a value
of 0x0 represents 1, 0x1 represents 2, etc.. While this leads to an
efficient encoding, it can lead to subtle bugs. With respect to queues,
these parameters include:
- Maximum number of queue entries
- Maximum number of queues
- Number of Completion Queues
- Number of Submission Queues
To be consistent, convert all 0's based values from the host to 1's
based value internally. Likewise, covert internal 1's based values to
0's based values when returned to the host. This fixes an off-by-one bug
when creating IO queues and simplifies some of the code. Note that this
bug is masked by another bug.
While in the neighborhood,
- fix an erroneous queue ID check (checking CQ count when deleting SQ)
- check for queue ID of 0x0 in a few places where this is illegal
- clean up the Set Features, Number of Queues command and check for
illegal values
Ed Maste [Fri, 4 Jan 2019 14:42:36 +0000 (14:42 +0000)]
newvers: avoid clearing svn revision information with nested VCS dirs
Consider the case where FreeBSD is checked out via Subversion with a
(perhaps unrelated) .git or .hg directory at a higher level - for
example,
.../.git
.../src/freebsd
Previously newvers obtained the SVN revision information via svnversion,
and then tried to obtain the SVN revision corresponding to the git or hg
commit, overwriting the existing information.
As a short term fix use a different variable for hg-svn or git-svn
information, setting $svn from hg or git info only if not empty.
Reported by: Matthias Apitz
Sponsored by: The FreeBSD Foundation
Kyle Evans [Fri, 4 Jan 2019 03:13:24 +0000 (03:13 +0000)]
getopt_long(3): fix case of malformed long opt
When presented with an arg string like '-l-', getopt_long will successfully
parse out the 'l' short option, then proceed to match '--' against the first
longopts entry as it later does a strncmp with len=0. This latter bit is
arguably another bug in itself, but presumably not a practical issue as all
callers of parse_long_options are already doing the right thing (except this
one pointed out).
An opt string like '-l-' should be considered malformed and throw a bad
argument rather than behaving as if '--' were passed. It cannot possibly do
what the invoker expects, and it's probably the result of a typo (ls -l- a)
rather than any intent.
Matt Macy [Thu, 3 Jan 2019 22:49:11 +0000 (22:49 +0000)]
zfsboot: support newer ZFS versions
declare v3 objset size/layout to fix userboot and possibly other loader issues
- fix for userboot assertion failure in zfs_dev_close in free due to out of bounds write
- fix for zfs_alloc / zfs_free mismatch assertion failure when booting GPT on BIOS
Mark Johnston [Thu, 3 Jan 2019 16:21:44 +0000 (16:21 +0000)]
Fix some issues with the riscv pmap_protect() implementation.
- Handle VM_PROT_EXECUTE.
- Clear PTE_D and mark the page dirty when removing write access
from a mapping.
- Atomically clear PTE_W to avoid clobbering a hardware PTE update.
Reviewed by: jhb, kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18719