Kyle Evans [Mon, 15 Jan 2018 22:24:11 +0000 (22:24 +0000)]
service(8): Add support for interfacing with services in jails
Provide a -j option that can take a jail name or id. If -j is specified,
check that the jail exists and proxy the service request through to
service(8) in the jail.
This allows for cleaner workflows when updating services in a jail, turning
the following:
pkg -j dns upgrade
jexec dns service named restart
Warner Losh [Mon, 15 Jan 2018 22:17:34 +0000 (22:17 +0000)]
Check the return value from utf8_to_ucs2 instead of whether or not uv
is NULL. That's more correct and doesn't depend on the error behavior
of utf8_to_ucs2. In practice, we'll never see this though since we
pass utf8_to_ucs2 a well formed string.
Warner Losh [Mon, 15 Jan 2018 22:17:15 +0000 (22:17 +0000)]
When returning an error and freeing allocated memory from ucs2_to_utf8
and utf8_to_ucs2, be sure to NULL out the return pointer too, rather
than return a pointer to free memory.
Kyle Evans [Mon, 15 Jan 2018 21:53:33 +0000 (21:53 +0000)]
wsp(4): Update to reflect new sysctl from r314467
r314467 introduced hw.usb.wsp.enable_single_tap_clicks to enable/disable
single-tap left click behavior. Update the man page to reflect the new
sysctl.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:23:16 +0000 (21:23 +0000)]
misc geom and gnu: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:21:51 +0000 (21:21 +0000)]
net*: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:19:21 +0000 (21:19 +0000)]
netgraph: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:18:04 +0000 (21:18 +0000)]
kern: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:15:25 +0000 (21:15 +0000)]
cam: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:14:56 +0000 (21:14 +0000)]
nfsclient: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:13:30 +0000 (21:13 +0000)]
mips: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:11:38 +0000 (21:11 +0000)]
ndis: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:10:40 +0000 (21:10 +0000)]
powerpc: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:09:58 +0000 (21:09 +0000)]
arm: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Pedro F. Giffuni [Mon, 15 Jan 2018 21:08:22 +0000 (21:08 +0000)]
x86: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these ire likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
David Bright [Mon, 15 Jan 2018 19:25:11 +0000 (19:25 +0000)]
Exit fsck_ffs with non-zero status when file system is not repaired.
When the fsck_ffs program cannot fully repair a file system, it will
output the message PLEASE RERUN FSCK. However, it does not exit with a
non-zero status in this case (contradicting the man page claim that it
"exits with 0 on success, and >0 if an error occurs." The fsck
rc-script (when running "fsck -y") tests the status from fsck (which
passes along the exit status from fsck_ffs) and issues a "stop_boot"
if the status fails. However, this is not effective since fsck_ffs can
return zero even on (some) errors. Effectively, it is left to a later
step in the boot process when the file systems are mounted to detect
the still-unclean file system and stop the boot.
This change modifies fsck_ffs so that when it cannot fully repair the
file system and issues the PLEASE RERUN FSCK message it also exits
with a non-zero status.
While here, the fsck_ffs man page has also been updated to document
the failing exit status codes used by fsck_ffs. Previously, only exit
status 7 was documented. Some of these exit statuses are tested for in
the fsck rc-script, so they are clearly depended upon and deserve
documentation.
Provide some mitigation against CVE-2017-5715 by clearing registers
upon returning from the guest which aren't immediately clobbered by
the host. This eradicates any remaining guest contents limiting their
usefulness in an exploit gadget.
Dimitry Andric [Mon, 15 Jan 2018 18:20:15 +0000 (18:20 +0000)]
Pull in r322473 from upstream llvm trunk (by Andrei Elovikov):
[LV] Don't call recordVectorLoopValueForInductionCast for
newly-created IV from a trunc.
Summary:
This method is supposed to be called for IVs that have casts in their
use-def chains that are completely ignored after vectorization under
PSE. However, for truncates of such IVs the same InductionDescriptor
is used during creation/widening of both original IV based on PHINode
and new IV based on TruncInst.
This leads to unintended second call to
recordVectorLoopValueForInductionCast with a VectorLoopVal set to the
newly created IV for a trunc and causes an assert due to attempt to
store new information for already existing entry in the map. This is
wrong and should not be done.
Andrew Turner [Mon, 15 Jan 2018 16:58:07 +0000 (16:58 +0000)]
Fix booting on some arm64 systems after r327879 by fixing the call to
utf8_to_ucs2 in boot1.efi. We need to initialise the ucs2 output string
so it will allocate space, and use the return value to determine if the
call was successful.
Ian Lepore [Mon, 15 Jan 2018 16:40:43 +0000 (16:40 +0000)]
Convert the x86 RTC driver to use new validated BCD<->timespec conversions.
New common routines were added to kern/subr_clock.c for converting between
calendrical time expressed in BCD and struct timespec. The new functions
return EINVAL on error, as expected when the clock hardware does not provide
valid time.
PR: 224813
Differential Revision: https://reviews.freebsd.org/D13731 (no reviewers)
Nathan Whitehorn [Mon, 15 Jan 2018 16:08:34 +0000 (16:08 +0000)]
Install the SLB miss trap-handling code in the SLB-based MMU driver set up,
to which it is specific, rather than in the generic AIM startup code. This
will be required to support the radix-table-based MMU introduced with POWER9.
Andriy Gapon [Mon, 15 Jan 2018 11:20:00 +0000 (11:20 +0000)]
geom_disk / scsi_da: deny opening write-protected disks for writing
Ths change consists of two parts.
geom_disk: deny opening a disk for writing if it's marked as
write-protected. A new disk(9) flag is added to mark write protected
disks. A possible alternative could be to add another parameter to d_open,
so that the open mode could be passed to it and the disk drivers could
make the decision internally, but the flag required less churn.
scsi_da: add a new phase of disk probing to query the all pages mode
sense page. We can determine if the disk is write protected using bit 7
of the device specific field in the mode parameter header returned by
MODE SENSE.
Nathan Whitehorn [Mon, 15 Jan 2018 06:46:33 +0000 (06:46 +0000)]
Move the pmap-specific code in copyinout.c that gets pointers to userland
buffers into a new pmap-module function pmap_map_user_ptr() that can
be implemented by the respective modules. This is required to implement
non-segment-based AIM-ish MMU systems such as the radix-tree page tables
introduced by POWER ISA 3.0 and present on POWER9.
Kyle Evans [Mon, 15 Jan 2018 05:00:26 +0000 (05:00 +0000)]
stand/fdt: don't send clobbered FDT to the kernel
If fdt_overlay_apply fails at some stage to apply the overlay to the base,
both the base and overlay may be in an inconsistent state (some fixups
applied, some phandles adjusted, some symbols merged). These can be bad for
a number of reasons, to include user frustration if some fixups applied and
not others. Fail a little safer by making a clean copy of the base FDT for
every overlay that we can simply discard if things go awry.
This also allows us the luxury of simply discarding overlays if we hit some
kind of memory limit or if they're malformed and extremely large for some
reason. We'll now leave a nice error message indicating that some overlays
could not be applied due to size restrictions and we apply what we can.
I note that our overlay implementation has some flaws that might still leave
your system in an unbootable state even if an overlay applies correctly;
please exercise caution in using overlays until we can swap it out for
libfdt's implementation.
Tested on: BananaPi-M3 (armv7)
Tested on: Pine64 (aarch64)
Differential Revision: https://reviews.freebsd.org/D13709
Emmanuel Vadot [Sun, 14 Jan 2018 22:05:29 +0000 (22:05 +0000)]
allwinner: mmc: Multiple improvement
- Add a per compatible configuration struct
- Not all SoC uses the same size for DMA transfert, add this into the
configuration data
- Use new timing mode for some SoC (A64 mmc)
- Auto calibrate clock for A64 mmc/emmc
- A64 mmc controller need masking of data0
- Add support for vmmc/vqmmc regulator
- Add more capabilities, r/w speed is better for eMMC
- MMC_CAP_SIGNALING_180 gives weird result so do not enable it for now.
- Add new register documented in H3/A64 user manual
Tested-On: Pine64-LTS (A64), eMMC still doesn't work
Tested-On: A64-Olinuxino (A64), sd and eMMC are working
Tested-On: NanoPi Neo Plus2 (H5), sd and eMMC are working
Tested-On: OrangePi PC2 (H5), sd only (no eMMC)
Tested-On: OrangePi One (H3), sd only (no eMMC)
Tested-On: BananaPi M2 (A31s), sd only (no eMMC)
Ian Lepore [Sun, 14 Jan 2018 17:01:37 +0000 (17:01 +0000)]
Add RTC clock conversions for BCD values, with non-panic validation.
RTC clock hardware frequently uses BCD numbers. Currently the low-level
bcd2bin() and bin2bcd() functions will KASSERT if given out-of-range BCD
values. Every RTC driver must implement its own code for validating the
unreliable data coming from the hardware to avoid a potential kernel panic.
This change introduces two new functions, clock_bcd_to_ts() and
clock_ts_to_bcd(). The former validates its inputs and returns EINVAL if any
values are out of range. The latter guarantees the returned data will be
valid BCD in a known format (4-digit years, etc).
A new bcd_clocktime structure is used with the new functions. It is similar
to the original clocktime structure, but defines the fields holding BCD
values as uint8_t (uint16_t for year), and adds a PM flag for handling hours
using AM/PM mode.
PR: 224813
Differential Revision: https://reviews.freebsd.org/D13730 (no reviewers)
Warner Losh [Sun, 14 Jan 2018 16:55:14 +0000 (16:55 +0000)]
Report CG checksum mismatches. These errors are non-fatal. The
previous behavior is preserved (the CG checksum is fixed). We're just
noisy about it now.
Dimitry Andric [Sun, 14 Jan 2018 00:08:34 +0000 (00:08 +0000)]
Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to
6.0.0 (branches/release_60 r321788). Upstream has branched for the
6.0.0 release, which should be in about 6 weeks. Please report bugs and
regressions, so we can get them into the release.
Please note that from 3.5.0 onwards, clang, llvm and lldb require C++11
support to build; see UPDATING for more information.
Nathan Whitehorn [Sat, 13 Jan 2018 23:14:53 +0000 (23:14 +0000)]
Document places we assume that physical memory is direct-mapped at zero by
using a new macro PHYS_TO_DMAP, which deliberately has the same name as the
equivalent macro on amd64. This also sets the stage for moving the direct
map to another base address.
Pedro F. Giffuni [Sat, 13 Jan 2018 22:30:30 +0000 (22:30 +0000)]
dev: make some use of mallocarray(9).
Focus on code where we are doing multiplications within malloc(9). None of
these is likely to overflow, however the change is still useful as some
static checkers can benefit from the allocation attributes we use for
mallocarray.
This initial sweep only covers malloc(9) calls with M_NOWAIT. No good
reason but I started doing the changes before r327796 and at that time it
was convenient to make sure the sorrounding code could handle NULL values.
Bryan Venteicher [Sat, 13 Jan 2018 21:39:46 +0000 (21:39 +0000)]
Fix possible panic when creating VirtIO console dev aliases
Since we have no control over the name, the MAKEDEV_CHECKNAME flag must be
used to return an error on an invalid (to devfs) name instead of panicing.
r305900 that originally added this feature also introduced a few other bugs:
- Proper locking not performed
- Theoretically broke the expectation that the control event buffer would
not span more than one pages, but did not update the CTASSERT that was
in place to prevent this. However, since the struct virtio_console_control
and the bulk buffer together were quite small, this could not have happened.
Also workaround an QEMU VirtIO spec violation in that it includes the NUL
terminator in the buffer length when the spec says it is not included.
Kyle Evans [Sat, 13 Jan 2018 18:46:31 +0000 (18:46 +0000)]
Introduce aw_syscon(4) for earlier attachment
Attaching syscon_generic earlier than BUS_PASS_DEFAULT makes it more
difficult for specific syscon drivers to attach to the syscon node and to
get ordering right. Further discussion yielded the following set of
decisions:
- Move syscon_generic to BUS_PASS_DEFAULT
- If a platform needs a syscon with different attach order or probe
behavior, it should subclass syscon_generic and match on the SoC specific
compat string
- When we come across a need for a syscon that attaches earlier but only
specifies compatible = "syscon", we should create a syscon_exclusive driver
that provides generic access but probes earlier and only matches if "syscon"
is the only compatible. Such fdt nodes do exist in the wild right now, but
we don't really use them at the moment.
Additionally:
- Any syscon provider that has needs any more complex than a spinlock solely
for syscon access and a single memory resource should subclass syscon
directly rather than attempting to subclass syscon_generic or add complexity
to it. syscon_generic's attach/detach methods may be made public should the
need arise to subclass it with additional attach/detach behavior.
We introduce aw_syscon(4) that just subclasses syscon_generic but probes
earlier to meet our requirements for if_awg and implements #2 above for this
specific situation. It currently only matches a64/a83t/h3 since these are
the only platforms that really need it at the time being.
Discussed with: ian
Reviewed by: manu, andrew, bcr (manpages, content unchanged since review)
Differential Revision: https://reviews.freebsd.org/D13793
Pull in r314838 from upstream clang trunk (by Richard Smith):
Suppress -Wmissing-braces warning when aggregate-initializing a
struct with a single field that is itself an aggregate.
In C++, such initialization of std::array<T, N> types is guaranteed
to work by the standard, is completely idiomatic, and the "suggested"
alternative from Clang was technically invalid.
Together, these suppress unneeded "suggest braces around initialization
of subobject" warnings for C++11 initializer lists.
Marius Strobl [Sat, 13 Jan 2018 17:36:11 +0000 (17:36 +0000)]
Use the correct revision specifier (EXT_CSD revision rather than
system specification version) for deciding whether the EXT_CSD
register includes the EXT_CSD_GEN_CMD6_TIME field.
Marius Strobl [Sat, 13 Jan 2018 16:32:09 +0000 (16:32 +0000)]
Fix a bug introduced in r327355; in mmcsd_ioctl_cmd() when ensuring
that userland doesn't switch partitions on its own, compare against
the partition mmcsd_ioctl_cmd() is going to switch to (based on the
device node used) rather than the currently selected partition.
Marius Strobl [Sat, 13 Jan 2018 16:21:13 +0000 (16:21 +0000)]
Fix a bug introduced in r327339; at the point in time re-tuning is
executed, the interrupt aggregation code might have disabled the
SDHCI_INT_DMA_END and/or SDHCI_INT_RESPONSE bits in slot->intmask
and the SDHCI_SIGNAL_ENABLE register respectively. So when restoring
the interrupt masks based on the previous contents of slot->intmask
in sdhci_exec_tuning(), ensure that the SDHCI_INT_ENABLE register
doesn't lose these two bits.
While at it and in the spirit of r327339, let sdhci_tuning_intmask()
set the tuning error and re-tuning interrupt bits based on the
SDHCI_TUNING_ENABLED rather than the SDHCI_TUNING_SUPPORTED flag
being set, i. e. only when (re-)tuning is actually used. Currently,
this changes makes no net difference, though.
Cy Schubert [Sat, 13 Jan 2018 08:16:10 +0000 (08:16 +0000)]
Though this block of code is not used by FreeBSD, correct a call to
sprintf() with a macro call to SNPRINTF similar to other calls to
SNPRINTF within this same block.
Justin Hibbits [Sat, 13 Jan 2018 04:53:04 +0000 (04:53 +0000)]
Replace the PMC class struct copy with an explicit memcpy()
This should be effectively a nop for all archs, but for some reason the codegen
difference on the PowerPC 970 is such that the struct assignment doesn't work
(unless a printf() using one of the elements in the copied struct follows it),
while the memcpy() succeeds. On all archs the memcpy() should be expanded to an
inline copy, since the copy is bounded to ~16 bytes.
Ed Maste [Sat, 13 Jan 2018 04:00:55 +0000 (04:00 +0000)]
Revert r327823, Enable ld.lld as bootstrap linker by default on i386
There's a report of some regression in ports. Revert for now for an
exp run for this change in isolation (previous lld exp run also included
switching the linker used for ports to lld).
Also revert the src.conf.5 regeneration in r327824.
Reported by: antoine
Sponsored by: The FreeBSD Foundation
Justin Hibbits [Sat, 13 Jan 2018 01:36:37 +0000 (01:36 +0000)]
Enable L2 cache on supported PowerQUICC and QorIQ platforms
Some PowerQUICC and QorIQ platforms have a L2 cache managed via the
memory-mapped configuration registers, and appear as a node in the device
tree. This adds basic support to enable the cache.
Jeff Roberson [Fri, 12 Jan 2018 23:34:16 +0000 (23:34 +0000)]
Add support for NUMA domains to bus dma tags. This causes all memory
allocated with a tag to come from the specified domain if it meets the
other constraints provided by the tag. Automatically create a tag at
the root of each bus specifying the domain local to that bus if
available.
Jeff Roberson [Fri, 12 Jan 2018 23:25:05 +0000 (23:25 +0000)]
Implement NUMA support in uma(9) and malloc(9). Allocations from specific
domains can be done by the _domain() API variants. UMA also supports a
first-touch policy via the NUMA zone flag.
The slab layer is now segregated by VM domains and is precise. It handles
iteration for round-robin directly. The per-cpu cache layer remains
a mix of domains according to where memory is allocated and freed. Well
behaved clients can achieve perfect locality with no performance penalty.
The direct domain allocation functions have to visit the slab layer and
so require per-zone locks which come at some expense.
Jeff Roberson [Fri, 12 Jan 2018 23:13:55 +0000 (23:13 +0000)]
Implement NUMA policy for kmem_*(9). This maintains compatibility with
reservations by giving each memory domain its own KVA space in vmem that
is naturally aligned on superpage boundaries.
Pedro F. Giffuni [Fri, 12 Jan 2018 23:12:30 +0000 (23:12 +0000)]
libalias: small memory allocation cleanups.
Make the calloc wrappers behave as expected by using mallocarray.
It is rather weird that the malloc wrappers also zeroes the memory: update
a comment to reflect at least two cases where it is expected.