jilles [Sun, 25 Oct 2015 21:39:23 +0000 (21:39 +0000)]
MFC r288309: fnmatch(): Remove exponential behaviour as in sh r229201.
The old code was exponential in the number of asterisks in the pattern.
However, once a match has been found upto the next asterisk, the previous
asterisks are no longer relevant.
jilles [Sun, 25 Oct 2015 17:17:50 +0000 (17:17 +0000)]
MFC r288430: wordexp: Rewrite to make WRDE_NOCMD reliable.
Shell syntax is too complicated to detect command substitution and unquoted
operators reliably without implementing much of sh's parser. Therefore, have
sh do this detection.
While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.
The basic concept is:
execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2",
"", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);
The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().
The new we_check() is an optimistic check that all the characters
<newline> | & ; < > ( ) { }
are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.
Although many implementations of WRDE_NOCMD erroneously allow some command
substitutions (and ours even documented this), there appears to be code that
relies on its security (codesearch.debian.net shows quite a few uses).
Passing untrusted data to wordexp() still exposes a denial of service
possibility and a fairly large attack surface.
This is also a MFC of r286830 to reduce conflicts. I changed the code
somewhat to avoid changes from r286941; in particular, WRDE_BADVAL can still
only be returned if WRDE_UNDEF was passed.
Relnotes: yes
Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
mav [Sun, 25 Oct 2015 07:26:12 +0000 (07:26 +0000)]
MFC r289146:
Make delete method set via kern.cam.da.X.delete_method persistent.
This allows to set delete method via tunable, before device capabilities
are known. Also allow ZERO method for devices not reporting LBP, if user
explicitly requests it -- it may be useful if storage supports compression
and WRITE SAME, but does not support UNMAP.
jhb [Fri, 23 Oct 2015 01:27:44 +0000 (01:27 +0000)]
MFC 287386,288949,288993:
Export current system call code and argument count for system call entry
and exit events. To preserve the ABI, the new fields are moved to the
end of struct thread in these branches (unlike HEAD) and explicitly copied
when new threads are created. In addition, the new tests are only added
in 10.
r287386:
Export current system call code and argument count for system call entry
and exit events. procfs stop events for system call tracing report these
values (argument count for system call entry and code for system call exit),
but ptrace() does not provide this information. (Note that while the system
call code can be determined in an ABI-specific manner during system call
entry, it is not generally available during system call exit.)
The values are exported via new fields at the end of struct ptrace_lwpinfo
available via PT_LWPINFO.
r288949:
Fix various edge cases related to system call tracing.
- Always set td_dbg_sc_* when P_TRACED is set on system call entry
even if the debugger is not tracing system call entries. This
ensures the fields are valid when reporting other stops that
occur at system call boundaries such as for PT_FOLLOW_FORKS or
when only tracing system call exits.
- Set TDB_SCX when reporting the stop for a new child process in
fork_return(). This causes the event to be reported as a system
call exit.
- Report a system call exit event in fork_return() for new threads in
a traced process.
- Copy td_dbg_sc_* to new threads instead of zeroing. This ensures
that td_dbg_sc_code in particular will report the system call that
created the new thread or process when it reports a system call
exit event in fork_return().
- Add new ptrace tests to verify that new child processes and threads
report system call exit events with a valid pl_syscall_code via
PT_LWPINFO.
r288993:
Document the recently added pl_syscall_* fields in struct ptrace_lwpinfo.
kp [Wed, 21 Oct 2015 15:32:21 +0000 (15:32 +0000)]
MFC r289316:
pf: Fix TSO issues
In certain configurations (mostly but not exclusively as a VM on Xen) pf
produced packets with an invalid TCP checksum.
The problem was that pf could only handle packets with a full checksum. The
FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
addresses, length and protocol).
Certain network interfaces expect to see the pseudo-header checksum, so they
end up producing packets with invalid checksums.
To fix this stop calculating the full checksum and teach pf to only update TCP
checksums if TSO is disabled or the change affects the pseudo-header checksum.
Fix numerous issues in iic(4) and iicbus(4):
--Allow multiple open iic fds by storing addressing state in cdevpriv
--Fix, as much as possible, the baked-in race conditions in the iic
ioctl interface by requesting bus ownership on I2CSTART, releasing it on
I2CSTOP/I2CRSTCARD, and requiring bus ownership by the current cdevpriv
to use the I/O ioctls
--Reduce internal iic buffer size and remove 1K read/write limit by
iteratively calling iicbus_read/iicbus_write
--Eliminate dynamic allocation in I2CWRITE/I2CREAD
--Move handling of I2CRDWR to separate function and improve error handling
--Add new I2CSADDR ioctl to store address in current cdevpriv so that
I2CSTART is not needed for read(2)/write(2) to work
--Redesign iicbus_request_bus() and iicbus_release_bus():
--iicbus_request_bus() no longer falls through if the bus is already
owned by the requesting device. Multiple threads on the same device may
want exclusive access. Also, iicbus_release_bus() was never
device-recursive anyway.
--Previously, if IICBUS_CALLBACK failed in iicbus_release_bus(), but
the following iicbus_poll() call succeeded, IICBUS_CALLBACK would not be
issued again
--Do not hold iicbus mtx during IICBUS_CALLBACK call. There are
several drivers that may sleep in IICBUS_CALLBACK, if IIC_WAIT is passed.
--Do not loop in iicbus_request_bus if IICBUS_CALLBACK returns
EWOULDBLOCK; instead pass that to the caller so that it can retry if so
desired.
Bugfix: Exit the transfer loop if any read or write operation fails. Also,
perform a stop operation on the bus if there was an error, otherwise the
bus will remain hung forever. Consistantly use 'if (error != 0)' style in
the function.
Mostly rewrite the imx i2c driver. This started out as an attempt to fix
one specific problem: the driver didn't check for ACK/NAK after writing a
slave address byte to the bus, and some slaves signal that they are busy
(such as when completing an internal write to flash memory) by sending a
NAK in response to being addressed.
Use IIC_EBUSBSY and IIC_BUSERR status values consistantly across all drivers.
Make it clearer what each one means in the comments that define them.
Add iic2errno(), a helper function to translate IIC_Exxxxx status values to
errno values that are at least vaguely equivelent. Also add a new status
value, IIC_ERESOURCE, to indicate a failure to acquire memory or other
required resources to complete a transaction.
Return only IIC_Exxxx status values from iicbus-layer functions. Most of
these functions are thin wrappers around calling the hardware-layer driver,
but some of them do sanity checks and return an error.
Add a short name, IIC_INTRWAIT, for the common case (IIC_INTR | IIC_WAIT).
Replace a local sx lock that allowed only one client at a time to access
an eeprom device with iicbus_request/release_bus(), which achieves the
same effect and also keeps other i2c slave drivers from clashing on the bus.
bdrewery [Tue, 20 Oct 2015 18:23:14 +0000 (18:23 +0000)]
MFC r288477:
META_MODE: For some reason meta mode cannot generate the intermediate tab.c
files. Split up all of the targets to be more clear on how they are
generated to fix the problem.
gjb [Mon, 19 Oct 2015 00:36:54 +0000 (00:36 +0000)]
MFC r289337:
Deprecate MD5 checksum generation in favor of SHA512.
This was discussed during the 10.2-RELEASE cycle, however
since we were nearing the end of the cycle, we decided to
defer this change until after 10.2-RELEASE.
trasz [Sun, 18 Oct 2015 14:55:09 +0000 (14:55 +0000)]
MFC r286360:
Tweak mdconfig(8) manual page, in particular revise the EXAMPLES
section. This removes stuff that doesn't really belong there,
and simplifies examples for the basic operations.
trasz [Sun, 18 Oct 2015 14:52:31 +0000 (14:52 +0000)]
MFC r258909:
Tweak mdconfig(8) manual page, in particular revise the EXAMPLES
section. This removes stuff that doesn't really belong there,
and simplifies examples for the basic operations.
trasz [Sun, 18 Oct 2015 14:34:13 +0000 (14:34 +0000)]
MFC r286237:
Fix panic that would happen on forcibly unmounting devfs (note that
as it is now, devfs ignores MNT_FORCE anyway, so it needs to be modified
to trigger the panic) with consumers still opened.
Note that this still results in a leak of r/w/e counters. It seems
to be harmless, though. If anyone knows a better way to approach
this - please tell.
trasz [Sun, 18 Oct 2015 14:25:04 +0000 (14:25 +0000)]
MFC r286226:
Rework the way iSCSI initiator handles system shutdown. This fixes
hangs on shutdown with LUNs with mounted filesystems over a disconnected
iSCSI session.
mav [Sun, 18 Oct 2015 06:53:31 +0000 (06:53 +0000)]
MFC r289136: Remove lock upgrade attempt from ctl_be_block_open_file().
I am not sure what for it was done. Now open routine should automatically
fall back to read-only if open for writing is impossible. In such case
attempt to upgrade to write sounds strange.
markj [Sat, 17 Oct 2015 20:38:40 +0000 (20:38 +0000)]
MFC r272455:
Have dtrace(1) handle SIGPIPE, and handle signals when in list mode (-l).
In particular, make sure to detach from child processes before exiting.
If no compatible cards were found after probing the bus, say so.
Don't deselect the card too soon. To set the block size or switch the
function parameters, the card has to be in transfer state. If it is in
the idle state, the commands are ignored. This caused us not to set
the proper parameters that we later assume to be present, leading to
downstream failures of the card / interface as our state machine
mismatches the card's.
Log mmc and sd command failures. Reporting of routine expected errors,
such as timeouts while probing a bus or testing for a feature, is
squelched. Also, error reporting is limited to 5 events per second,
because when an sdcard goes bad on a low-end embedded board, flooding
the console at high speed isn't helpful.
Always select the card before we do the 4.x specific stuff and
deselect it after setting the block size. This is a similar bug that
was fixed elsewhere, but not here. This makes sure that we leave the
card deselected at the end of the loop, and we don't send any commands
to the card without it selected.
Re-select the SD card before getting the SD status. On a couple Atmel
boards, this prevents some error messages during enumeration and also
gives us the correct erase block size. They appear to be harmless
elsewhere.
Deselect the sd card before re-selecting it when working around a problem
with some cards that causes them to become deselected after probing for
switch capabilities. The old workaround fixes the behavior with some cards,
but causes problems with the cards the behave correctly and don't become
deselected. Forcing a deselect then reselect appears to work correctly
with all cards in initial testing.
bdrewery [Tue, 13 Oct 2015 18:46:11 +0000 (18:46 +0000)]
MFC r288390:
When stopping ugidfw, it is not enough to just try unloading the module. If
the module is built-in to the kernel then the kldunload will fail. Rather
than do this just check if there are rules and then remove them all.
bdrewery [Tue, 13 Oct 2015 18:32:47 +0000 (18:32 +0000)]
MFC r287983,r288075:
r287983:
Replace afterinstall: hack with FILES mechanism.
r288075:
Use SHAREOWN/SHAREMODE/SHAREGRP rather than LIB* as these are plain ASCII
scripts that the linker can load rather than binary library objects.
andrew [Mon, 12 Oct 2015 13:20:17 +0000 (13:20 +0000)]
MFC of r288447. Only the Marvell driver has been updated as there is no
support for Raspbetty Pi 2 in stable/10.
An IPI must be cleared before it is handled otherwise next IPI could be
missed. In other words, if a new request for an IPI is sent while the
previous request is being handled but the IPI is not cleared yet, the
clearing of the previous IPI request also clears the new one and the
handling is missed.
There are only three MP interrupt controllers in ARM now. Two of them are
fixed by this change, the third one is correct, probably only just by
accident. The fix is minimalistic as new interrupt framework is awaited.
It was debugged on RPi2 where missing IPI handling together with SCHED_ULE
led to situation in which tdq_ipipending was not cleared and so IPI_PREEMPT
was stopped to be sent. Various odditys were found related to slow system
response time like various events timed out, and slow console response.
ian [Sun, 11 Oct 2015 17:59:20 +0000 (17:59 +0000)]
MFC 288829
The latest version of lex requires the latest m4 to build, add a dependency
when running the build-tools stage.
The requirement is due to the -P flag used when running m4 from usr.bin/lex
Makefile to generate skel.c. With the old m4 that fails and the failure is
ignored, resulting in an empty(-ish) skel.c, which leads to later build
failures when the misconfigured new lex tool is run.
This enables building -current (and 10-stable after MFC) on a stable-8
system again.
bdrewery [Fri, 9 Oct 2015 19:18:02 +0000 (19:18 +0000)]
The fmake fix in r289049 was wrong. Need to use a real variable for
.if checks rather than the iteration variable. Tested this pattern
more (rather than just looking for error) and found the right behavior.
bdrewery [Thu, 8 Oct 2015 19:10:51 +0000 (19:10 +0000)]
Direct commit to fix usage with fmake.
fmake does not have :tW, so use some clever :Q tricks to achieve the
same result. This won't work if PATH actually contains spaces, but
it's better than not working at all.
hselasky [Thu, 8 Oct 2015 08:30:40 +0000 (08:30 +0000)]
MFC r287775:
Update TSO limits to include all headers.
To make driver programming easier the TSO limits are changed to
reflect the values used in the BUSDMA tag a network adapter driver is
using. The TCP/IP network stack will subtract space for all linklevel
and protocol level headers and ensure that the full mbuf chain passed
to the network adapter fits within the given limits. See r287775
for a more detailed description.