Mark Johnston [Mon, 24 Jul 2023 22:47:42 +0000 (18:47 -0400)]
amd64: Use a larger boot stack
With sanitizers enabled, it becomes possible to overflow the stack when
only a single page is used. Follow arm64's example and use the default
kernel stack size instead. This is a bit wasteful, but without a guard
page, overflow merely corrupts adjacent .bss entries and is thus
difficult to debug.
Note, with a GENERIC kernel we already consume over half of the
available boot stack space, see the review for an example.
Reviewed by: kib
Reported by: Jenkins
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41166
vnode read(2)/write(2): acquire rangelock regardless of do_vn_io_fault()
To ensure atomicity of reads against parallel writes and truncates,
vnode lock was not enough at least since introduction of vn_io_fault().
That code only takes rangelock when it was possible that vn_read() and
vn_write() could drop the vnode lock.
At least since the introduction of VOP_READ_PGCACHE() which generally
does not lock the vnode at all, rangelocks become required even
for filesystems that do not need vn_io_fault() workaround. For
instance, tmpfs.
PR: 272678
Analyzed and reviewed by: Andrew Gierth <andrew@tao11.riddles.org.uk>
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D41158
Marius Strobl [Mon, 24 Jul 2023 17:26:06 +0000 (10:26 -0700)]
bus_dma: Trim CAM includes from subr_bus_dma.c
These are no longer needed after commit c5312bd79e66. This did
require adding an include of <sys/limits.h> instead for SIZE_T_MAX
which previously was dragged in via header pollution.
Andrew Turner [Mon, 24 Jul 2023 16:58:13 +0000 (17:58 +0100)]
arm: Move contents of atomic-v6.h into atomic.h
Previously we had an armv4/v5 and armv6/v7 implementation of the atomic
operations. As we have removed armv4/v5 support we can now merge the
armv6/v7 code into atomic.h
Reviewed by: imp
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D41135
Martin Matuska [Mon, 24 Jul 2023 05:42:43 +0000 (07:42 +0200)]
libarchive: merge from vendor branch
Libarchive 3.7.0
Important changes (relevant to FreeBSD):
#1814 Do not account for NULL terminator when comparing with "TRAILER!!!"
#1818 Add ability to produce multi-frame zstd archives
#1840 year 2038 fix for pax archives on platforms with 64-bit time_t
#1860 Make single bit bitfields unsigned to avoid clang 16 warning
#1869 Fix FreeBSD builds with WARNS=6
#1873 bsdunzip ported to libarchive from FreeBSD
#1894 read support for zstd compression in 7zip archives
#1918 ARM64 filter support in 7zip archives
Whilst ^ and $ are supported with C, those are special cases, and
general regex syntax like groups and alternations are not. Use the
correct modifier so we get a version number out that's not 0 (which is
what happens when it can't be parsed by the later code).
The upcoming Xcode 15 introduces a new linker (called ld-prime or ld-new
in some documentation) to replace the classic ld64, which we need to
handle.
Previously, the linker would identify itself as:
@(#)PROGRAM:ld PROJECT:ld64-<version>
Now, there are two cases. When the classic ld64 is in use, it identifies
itself as:
@(#)PROGRAM:ld-classic PROJECT:ld64-<version>
When the new linker is in use, it identifies itself as:
@(#)PROGRAM:ld PROJECT:dyld-<version>
Thus, tweak the detection to allow a -classic suffix in the PROGRAM
string and to allow a dyld- prefix instead of an ld64- prefix on the
version number in the PROJECT string.
Move LIBADD lines from usr.bin/clang/*/Makefile one level up
Some utilities under usr.bin/clang were only linked to libz, while most
others were linked to libz and libzstd. Make this consistent, and remove
repetition, by moving these LIBADD lines to usr.bin/clang/clang.prog.mk
and usr.bin/clang/clang.prog.mk.
Merge commit 2b0f5df7b4e0 from llvm-project (by Jessica Clarke):
[builtins][Mips] Un-break FreeBSD build of __clear_cache
Commit 674a17e9bbe8 ("MIPS/compiler_rt: use synci to flush icache on
r6") completely removed the OS-specific guards under the guise of "For
pre-r6, we can use cacheflush libc function, which is same on Linux and
FreeBSD." However, the code in question had guards for Linux and
OpenBSD, not Linux and FreeBSD, and FreeBSD does not have a cacheflush
libc function as claimed, so this was neither the statement they
intended to make nor was it sufficient justification for making the code
completely unconditional. Whilst the upcoming FreeBSD 14 release has
dropped support for MIPS, FreeBSD 13 has support for it.
Fix this by only calling cacheflush on the OSes where it was previously
called, and not on other OSes where it either definitely isn't available
(FreeBSD) or is unknown (any other OS than the three mentioned in this
commit).
This is only needed for MFC'ing, as mips has been removed from
14-CURRENT.
Alan Cox [Sat, 22 Jul 2023 17:55:43 +0000 (12:55 -0500)]
arm64 pmap: Retire PMAP_INLINE
Neither of the remaining callers to pmap_kremove() warrant inlining.
Those calls rarely occur. In other words, we were optimizing for the
uncommon case.
Kevin Bowling [Sat, 22 Jul 2023 18:33:27 +0000 (11:33 -0700)]
e1000: lem(4)/em(4) ifcaps, TSO and hwcsum fixes
* em(4) obey administrative ifcaps for using hwcsum offload
* em(4) obey administrative ifcaps for hw vlan receive tagging
* em(4) add additional TSO6 ifcap, but disabled by default as is TSO4
* lem(4) obey administrative ifcaps for using hwcsum offload
* lem(4) add support for hw vlan receive tagging
* lem(4) Add ifcaps for TSO offload experimentation, but disabled by
default due to errata and possibly missing txrx code.
* lem(4) disable HWCSUM ifcaps by default on 82547 due to errata around
full duplex links. It may still be administratively enabled.
Alan Cox [Sun, 16 Jul 2023 20:58:04 +0000 (15:58 -0500)]
arm64/riscv pmap: Initialize the pmap's pm_pvchunk field
I believe that there are two reasons that the missing TAILQ
initialization operations haven't caused a problem. First, the TAILQ
head's first field is being initialized to zeroes elsewhere. Second,
the first access to the TAILQ head's last field is by
TAILQ_INSERT_HEAD(), which assigns to the last field without reading
it when the first field is NULL.
ip output: ensure that mbufs are mapped if ipsec is enabled
Ipsec needs access to packet headers to determine if a policy is
applicable. It seems that typically IP headers are mapped, but the code
arguably needs to check this before blindly accessing them. Then,
operations like m_unshare() and m_makespace() are not yet ready for
unmapped mbufs.
Ensure that the packet is mapped before calling into IPSEC_OUTPUT().
Warner Losh [Fri, 21 Jul 2023 16:11:37 +0000 (10:11 -0600)]
cam_periph: Comment about why we need to reset cbfcnp
Just spent a few minutes puzzling out why we do this. Add a comment to
remind my future self (and other interested folk) why we do the reset
here when we'd set it a few lines above.
Kristof Provost [Thu, 1 Jun 2023 16:03:07 +0000 (18:03 +0200)]
pf tests: test 'rdr' for SCTP
Explicitly test that we cannot change the port number with rdr.
That's not a desirable feature on SCTP, because it could break
multihomed connections.
This function is always available, even if the SCTP or SCTP_SUPPORT options
are not set.
That lets us remove an ifdef, and also means we improve pf's SCTP handling
when the options are not set.
As of pytest 7.4 it no longer walks all the way to the root directory
of the file system to find conftest files. As a result we don't find
/usr/tests/conftest.py, and don't load atf_python. That in turn causes
atf_python tests to fail.
Explicitly set the confcutdir, as advised by the pytest changelog.
See also: https://github.com/pytest-dev/pytest/pull/11043
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D41064
xen: move vcpu_info to common, leave hook for setup
vcpu_info is crucial for the Xen event channel core. Since both the
data and setup steps are identical between architectures, move them to
the common file. Since there is no cross-architecture method to call
a function on every processor during bring-up, simply leave the setup
function.
The number of vcpu_info structures available on the shared information
page varies by architecture. Instead of hard-coding the count use
nitems(). Add a warning message for this being used.
Switch to XEN_VCPUID() and use Xen's typedefs.
panic() on failure since >32 processors is no longer unusual.
royger: Specify 64-byte alignment for vcpu_info to try to defend
against vcpu_info crossing a page boundary. Add detection for this
limit.
Warner Losh [Fri, 21 Jul 2023 04:22:37 +0000 (22:22 -0600)]
cam: Add CAM_NVME_STATUS_ERROR error code
Add CAM_NVME_STATUS_ERROR error code. Flag all NVME commands that
completed with an error status as CAM_NVME_STATUS_ERROR (a new value)
instead of CAM_REQ_CMP_ERR. This indicates to the upper layers of CAM
that the 'cpl' field for nvmeio CCBs is valid and can be examined for
error recovery, if desired.
No functional change. nda will still see these as errors, call
ndaerror() to get the error recovery action, etc. cam_periph_error will
select the same case as before (even w/o the change, though the change
makes it explicit).
Extrapolate from the context what the intention for the rest of the
comment probably was -- that the C/POSIX (and now C.UTF-8) locales may
avoid an allocation and reuse a global table.
Reviewed by: bapt
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D41087
Kevin Bowling [Fri, 21 Jul 2023 03:30:00 +0000 (20:30 -0700)]
e1000: lem(4)/em(4) ifcaps, TSO and hwcsum fixes
* em(4) obey administrative ifcaps for using hwcsum offload
* em(4) obey administrative ifcaps for hw vlan receive tagging
* em(4) add additional TSO6 ifcap, but disabled by default as is TSO4
* lem(4) obey administrative ifcaps for using hwcsum offload
* lem(4) add support for hw vlan receive tagging
* lem(4) Add ifcaps for TSO offload experimentation, but disabled by
default due to errata and possibly missing txrx code.
* lem(4) disable HWCSUM ifcaps by default on 82547 due to errata around
full duplex links. It may still be administratively enabled.
John Baldwin [Thu, 20 Jul 2023 23:36:35 +0000 (16:36 -0700)]
share/mk: Pass -znoexecstack to ld.bfd when linking libraries and programs.
lld assumes -znoexecstack by default whereas ld.bfd still defaults to
-zexecstack in the absence of .note.GNU-stack annotations. Adding the
flags centrally avoids having to patch various libraries in the tree
as one-offs (e.g. OpenSSL 3 is the current thing generating new
warnings with ld.bfd).
In some cases driver may ask FW about link state before FW finishes
configuration of a (Q)SFP+ transceiver. If first attempt of using Get Link
Status AQC after loading driver or handling a reset fails, then re-try
periodically for 5 seconds.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka@intel.com>
Signed-off-by: Eric Joyner <erj@FreeBSD.org>
Tested by: jeffrey.e.pieper@intel.com
Approved by: erj@
MFC after: 2 days
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D40899
Intentionally or not, but the libwrap was written in such manner that
if your /etc/hosts.allow doesn't have any domain names, neither smart
keywords like LOCAL or KNOWN, then it will not try to resolve the
client address during the hosts check. This was achieved with the
NOT_INADDR() check that matched IPv4 addresses/prefixes. Extend this
to also skip resolve if client list token looks like IPv6.
This is a compromise between POLA and practical reasoning. We don't
want to block the main server loop in an attempt to resolve. But we
need to keep the format of the logged message as is, for sake of
sshguard and other scripts. So let's print just the IP address twice,
this is what libwrap's refuse() would do if it failed to resolve.
Reviewed by: philip
PR: 269456
Differential revision: https://reviews.freebsd.org/D40069
sshd: remove unneeded initialization of libwrap logging severities
This part of ca573c9a177 proved to be unnecessary. As the removed
comment says, we set them merely for logging syntax errors, as we log
refusals ourselves. However, inside the libwrap the parser logs any
syntax errors with tcpd_warn() which has hardcoded LOG_WARNING inside.
Historically, tftpd disallowed write requests to existing files
that are not publicly writable. Such requirement is questionable at least.
Let us make it possible to run tftpd in chrooted environment
keeping files non-world writable.
New option -S enables write requests to existing files
for chrooted run according to generic file permissions.
It is ignored unless tftpd runs chrooted.
Perforce has been retired since 2019 (commit feea78990c2f), so there is
no need anymore to keep perforce tools. Plus, there is no need to
mention perforce admin.
ifconfig: Fix the display of capabilities in the netlink based code.
The capabilities in if_capabilities2/if_capenable2 are reported in the
second 32b and were not being displayed correctly. v does not need to
be advanced because v[i / 32] is the correct 32b value already.
mmap(MAP_STACK): on stack grow, use original protection
If mprotect(2) changed protection in the bottom of the currently grown
stack region, currently the changed protection would be used for the
stack grow on next fault. This is arguably unexpected.
Store the original protection for the entry at mmap(2) time in the
offset member of the gap vm_map_entry, and use it for protection of the
grown stack region.
PR: 272585
Reported by: John F. Carr <jfc@mit.edu>
Reviewed by: alc, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D41089
Eric Joyner [Wed, 19 Jul 2023 22:40:46 +0000 (15:40 -0700)]
iflib: Unlock ctx lock around call to ether_ifattach()
Panic occurs during loading driver using kldload. It exists since netlink is
enabled. There is problem with double locking ctx. This fix allows to call
ether_ifattach() without locked ctx.
John Baldwin [Wed, 19 Jul 2023 18:53:33 +0000 (11:53 -0700)]
amd64 crt1: Explicitly use a PLT entry for main in the PIC case.
This ensures GNU as generates a R_X86_64_PLT32 relocation instead of
R_X86_64_32.
Reviewed by: kib
Fixes: c969310c992a csu: Implement _start using as to satisfy unwinders on x86_64
Differential Revision: https://reviews.freebsd.org/D41101
This fixes an assertion ('Assertion failed: ((LHSExpr->containsErrors()
|| RHSExpr->containsErrors()) && "Should only occur in error-recovery
path."), function BuildBinOp') when building parts of dtrace in certain
scenarios.
Ed Maste [Wed, 19 Jul 2023 17:02:33 +0000 (13:02 -0400)]
ssh: Update to OpenSSH 9.3p2
From the release notes:
Changes since OpenSSH 9.3
=========================
This release fixes a security bug.
Security
========
Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
CVE: CVE-2023-38408
Sponsored by: The FreeBSD Foundation
Using per-CPU and per-thread trampolines is expensive and error-prone,
since we're rewriting the same memory blocks constantly. Per-probe
trampolines solve this problem by giving each probe its own block of
executable memory, which more or less remains the same after the initial
write.
What this patch does, is get rid of the initialization code which
allocates a trampoline for each thread, and instead let each port of
kinst allocate a trampoline for each new probe created. It also sets up
the infrastructure needed to support the new trampoline scheme.
This change is not currently supported on amd64, as the amd64 port needs
further changes to work, so this is a temporary/gradual patch to fix the
riscv and arm64 ports.
Reviewed by: markj
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40962