MFC r319219: add a sanity check before installworld on the running system
FreeBSD does not guarantee kernel forward compatibility (that is,
running a newer userland on an older kernel). The documented upgrade
procedure specifies that installkernel should be performed, followed by
a reboot and then installworld. As a sanity check when installing onto
the running system (DESTDIR is / or unset), attempt to run "sh echo OK"
using rescue from the objdir. If rescue fails (e.g., because the system
has not been rebooted and the "old" kernel lacks a system call required
by the to-be-installed world), abort the installation.
This was added to avoid ino64 foot-shooting in HEAD, but is generally
useful for any upgrade case adding new syscalls.
MFC r320056: arm: set appropriate section flags for .init_pagetable
The arm kernel linker scripts place the .init_pagetable section in .bss,
but .init_pagetable had no section flags set, and so did not match the
expected flags for .bss.
GNU ld silently ignores this case, but lld reports an error:
MFC: r320458
Fix an NFSv3 client case that probably never happens.
If an NFSv3 server were to reply with weak cache consistency attributes,
but not post operation attributes, the client would use garbage attributes
from memory. This was spotted during work on the code for the NFSv4.1 client.
I have never seen evidence that this happens and it wouldn't make sense
for an NFSv3 server to do this, so this patch is basically "theoretical",
but does fix the problem if a server were to do the above.
MFC: r320345
Add support to the NFSv4.1/pNFS client for commits through the DS.
A NFSv4.1/pNFS server using File Layout can specify that Commit operations
are to be done against the DS instead of MDS. Since no extant pNFS
server did this, the code was untested and "#ifdef notyet".
The FreeBSD pNFS server I am developing does specify that Commits be done
through the DS, so the code has been enabled/tested.
This patch should only affect the case of a pNFS server that specifies
Commits through the DS.
In r246085 some bits that are MI moved out into headers in compat/linux,
but I missed that when I committed x86_64 Linuxulator. So remove the duplicates.
MFC: r320322
Add two new compound RPCs to the NFSv4.1/pNFS client.
When the NFSv4.1 client is doing pNFS, it needs to get an Open and
a Layout for every file it will be doing I/O on. The current code
does two separate RPCs to get these. This patch adds two new compounds
that do both the Open and LayoutGet in the same RPC, reducing the
RPC count.
It also factors out the code that sets up and parses the LayoutGet operation
into separate functions, so that the code doesn't get duplicated for
these new RPCs.
This patch is fairly large, but should only affect the NFSv4.1 client
when the "pnfs" option is specified.
MFC r320876:
Make sure the mlx4en RX DMA ring gets stamped with software ownership
in order to prevent the flow of QP to error in the firmware once
UPDATE_QP is called.
MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
marius [Tue, 11 Jul 2017 21:51:43 +0000 (21:51 +0000)]
MFC: r320577, r320620
Retry up to 2 ms to enable bus power as at least with some Intel
SDHCI/eMMC controllers the first attempt after a D3 to D0 transition,
i.e. when the firmware has put the devices into D3 state before,
can fail.
MFC r316541, r316544, and r320688 from HEAD to stable/11.
r316541:
Fix a double free in ixgbe_rxeof()
r316544:
Don't overwrite vf->flags variable at the end of ixgbe(4) ixgbe_add_vf()
r320688:
ixgbe(4): Update HEAD (p3) to 3.2.12-k
Includes:
- Support for X550EM devices.
- Support for Bypass adapters.
- Flow Director code moved to separate files
- SR-IOV code moved to separate files
- Netmap code moved to separate files
- `TEST_METADATA.foo` should be `TEST_METADATA.run_tests`: this will unbreak
trying to run the tests on a system without python installed in $PATH.
- The tests require root because they load aesni(4) and/or cryptodev(4) if
not already loaded.
r319456:
tests/sys/opencrypto/runtests: apply minor polish to test script
- Refactor kld loading/unloading logic:
-- Use a loop instead of an unrolled one.
-- Check for the module being loaded before trying to load it, to reduce
noise when loading modules that are already loaded.
-- Don't mute stderr from kldload -- it could be potentially useful to
the tester.
-- In the event that the test script was terminated early, it would leave
the modules still attached to the system (which is undesirable).
Always unload the modules at test end with EXIT/SIGINT/SIGTERM so the
system is returned to its former operating state as best possible.
Unload the modules in reverse order, in part for consistency and/or
dependency reasons.
MFC r320408:
ext2fs: Support e2di_uid_high and e2di_gid_high.
The fields exist on all versions of the filesystem and using them is a mount
option on linux. For FreeBSD, the corresponding i_uid and i_gid are always
long enough so use them by default.
We have support for reading ext4 "huge" files but we can't write
(anything) on ext4. and some filesystem. Formally enable the feature
so that we can mount such filesystems.
MFC 320675: Add deprecation notices for gdb and kgdb.
Even though gdb and kgdb may not be removed for 12.0 on some architectures,
the notice is unconditional as these tools will likely be removed at some
point in the future when adequate replacements are available (gdb in ports
or lldb in base).
MFC: r320208
Ensure that the credentials field of the NFSv4 client open structure is
initialized.
bdrewery@ has reported panics "newnfs_copycred: negative nfsc_ngroups".
The only way I can see that this occurs is that the credentials field of
the open structure gets used before being filled in.
I am not sure quite how this happens, but for the file create case, the
code is serialized via the vnode lock on the directory. If, somehow, a
link to the same file gets created just after file creation, this might
occur.
This patch ensures that the credentials field is initialized to a reasonable
set of credentials before the structure is linked into any list, so I
this should ensure it is initialized before use.
I am committing the patch now, since bdrewery@ notes that the panics
are intermittent and it may be months before he knows if the patch fixes
his problem.
Fix up r320731:
* Record mergeinfo for merges of r317518, r318647, r319197, r319198,
r319199, r319201, r320625, r320626, r320628, r320629, r320630, r320631,
r320632.
* Merge r319200, which (commit message notwithstanding) seems to have
gotten lost from the r320731 merge.
r317518:
Import Amazon Elastic Network Adapter (ENA) HAL to sys/contrib/
Import from vendor-sys/ena-com/1.1.4.1
SVN rev.: 317516
Version: 1.1.4.1
r318647:
Add support for Amazon Elastic Network Adapter (ENA) NIC
ENA is a networking interface designed to make good use of modern CPU
features and system architectures.
The ENA device exposes a lightweight management interface with a
minimal set of memory mapped registers and extendable command set
through an Admin Queue.
The driver supports a range of ENA devices, is link-speed independent
(i.e., the same driver is used for 10GbE, 25GbE, 40GbE, etc.), and has
a negotiated and extendable feature set.
Some ENA devices support SR-IOV. This driver is used for both the
SR-IOV Physical Function (PF) and Virtual Function (VF) devices.
ENA devices enable high speed and low overhead network traffic
processing by providing multiple Tx/Rx queue pairs (the maximum number
is advertised by the device via the Admin Queue), a dedicated MSI-X
interrupt vector per Tx/Rx queue pair, and CPU cacheline optimized
data placement.
The ENA driver supports industry standard TCP/IP offload features such
as checksum offload and TCP transmit segmentation offload (TSO).
Receive-side scaling (RSS) is supported for multi-core scaling.
The ENA driver and its corresponding devices implement health
monitoring mechanisms such as watchdog, enabling the device and driver
to recover in a manner transparent to the application, as well as
debug logs.
Some of the ENA devices support a working mode called Low-latency
Queue (LLQ), which saves several more microseconds. This feature will
be implemented for driver in future releases.
r319197:
Add mbuf defragmentation to the ENA driver
When mbuf chain is too long and device cannot handle that number
of segments in DMA transaction, mbuf chain will be defragmented.
Initially, driver was dropping all mbuf chains that were exceeding
supported number of segments.
r319198:
Add locks before each ena_up and ena_down
Lock only ena_up and ena_down calls in ioctl handler, instead of whole
ioctl. Locking ioctl with sx lock that is sleepable, is not allowed in
some cases, e.g. when multicast options are being changed.
Additional locking was added in detach function to prevent race condition
with ioctl function.
r319199:
Add error handling to the ENA driver if init of the reset task fails
Also, to simplify cleaning routine, reset task is initialized before
allocating statistics and other resources.
r319200:
Move ENA's hw stats updating routine to separate task
Initially, stats were being updated each time OS was requesting for
the first statistic.
To read statistics from hw, condvar was used. cv_timedwait cannot be
called when unsleepable lock is held, and this happens when FreeBSD
is requesting statistic.
Separate task is reading statistics from NIC each 1 second.
r319201:
Introduce additional locks when releasing TX resources and buffers in ENA
There could be race condition with TX cleaning routine when cleaning mbufs,
when it was called directly from main sending thread (ena_mq_start).
r320625:
Add missing lock upon initialization of the interface
Lack of this lock was causing crash if down was called in
parallel with the initialization routine.
r320626:
Acquire locks before calling drbr_flush()
It is required to hold lock that is associated with buffer ring before
flushing drbr.
r320628:
Unmask all IO irqs after driver state is set as running
If driver left MSI-x handling routine because interface was put down,
it is not unmasking IRQs, so any requesting interrupt will be awaiting
for unmasking.
On ena_up() routine all interrupts are being unmasked and any awaiting
interrupt will be handled right away.
If handler was executed before driver state was set as running, handling
routine is being ended immediately, leaving IO irqs for given queue
masked.
r320629:
Call drbr_advance() before leaving TX routine
If drbr_advance() is not called before doing cleanup and packet is
already enqueued for sending (tx_info is holding pointer to mbuf), then
mbuf is cleaned both in drbr_flush() and in cleanup routine, when all
mbufs held by tx_buffer_info are being released.
This causes panic, because mbuf is released twice.
r320630:
Remove RX mtx from ENA driver
RX lock is no longer required. There can only be one RX cleanup task
running at a time, RX cleanup cannot be executed if interface is not
yet initialized and ena_down() will not free any RX resources if any io
interrupt is being handled - RX cleanup task is only called from an
interrupt handler.
r320631:
Fix creation of dma tags and TSO settings
TSO settings were not reflecting real HW capabilities.
DMA tags were created with wrong window - high address was the same as
low, so excluding window was not working.
Capabilities of TX dma transaction were not set properly - TSO max size
had been increased and size of one segment had been adjusted.
r320632:
Replace mbuf defragmentation with collapse
Collapse should be more effective than defragmentation.
Added missing declaration of ena_check_and_collapse_mbuf().
Submitted by: Michal Krawczyk <mk@semihalf.com>
Jakub Palider <jpa@semihalf.com>
Jan Medala <jan@semihalf.com>
Obtained from: Semihalf, Amazon.com Inc.
Sponsored by: Amazon.com Inc.
The textproc/glimpse port expired over 3 years ago because there weren't any
more publicly available distfiles, and because it lacked a maintainer. Remove
the target as it's no longer executable on FreeBSD.
Verify that echo(1) does not...
- ... print the trailing newline character with option '-n'.
- ... print the trailing newline character when '\c' is appended to
the end of the string.
MFC r320599:
Fix Vagrant image upload after recent API changes.
- Update ATLAS_UPLOAD_URL to avoid various regular expressions
from failing to match due to redirections.
- Use ATLAS_UPLOAD_URL throughout the script.
- Adjust several regular expression patterns.
This update is primarily bug fixes in C++ symbol demangling, including:
- rvalue reference
- builtin type auto and decltype(auto)
- revamped support for function return types
- formatting fixes
- omit void when it's the only param
- ref-qualifiers and others in function types
- type qualifiers in pointer-to-member function types
- incorrect handling regarding CV-qualifiers in function types
- ref-qualifier found in nested-name
- properly handle <name> ::= <substitute><template-args>
- make sure that nested function name is not a substitute candidate
- correctly handle expression in template args
- skip unknown substitution abbreviations
Also r320663 libelftc: bump version, tracking import in r320343
* Verify that when creating a hard link to a symbolic link, '-L' option
creates a hard link to the target of the symbolic link
* Verify that when creating a hard link to a symbolic link, '-P' option
creates a hard link to the symbolic link itself
* Verify that if the target file already exists, '-f' option unlinks it so
that link may occur
* Verify that if the target file or directory is a symbolic link, '-shf'
option prevents following the link
* Verify that if the target file or directory is a symbolic link, '-snf'
option prevents following the link
* Verify that '-s' option creates a symbolic link
* Verify that '-w' option produces a warning if the source of a symbolic
link does not currently exist
If /etc/bootparams contains a line with an excessively long pathname, and a
client asks for that path, then bootparamd will overflow a buffer and crash
while parsing that line. This is not remotely exploitable since it requires
a malformed /etc/bootparams file.
Add MAP_GUARD and use it for stack grow area protection.
Bump __FreeBSD_version.
MFC r320317:
Implement address space guards.
MFC r320338:
Remove stale part of the comment.
MFC r320339:
Correctly handle small MAP_STACK requests.
MFC r320344:
For now, allow mprotect(2) over the guards to succeed regardless of
the requested protection.
MFC r320430:
Treat the addr argument for mmap(2) request without MAP_FIXED flag as
a hint.
MFC r320560 (by alc):
Modify vm_map_growstack() to protect itself from the possibility of the
gap entry in the vm map being smaller than the sysctl-derived stack guard
size.
andrew [Tue, 4 Jul 2017 10:54:08 +0000 (10:54 +0000)]
MFC r320403, r320497
r320403:
Some of the atomic_clear_* functions were incorrectly defined to be an
atomic add. Correct these, fixing a NULL-pointer dereference in netgraph.
PR: 220273
Sponsored by: DARPA, AFRL
r320497:
Remove a blank line accidentally added in r320403.
MFC r319699
When allocating swap blocks, if the available number of free blocks in a
subtree is already zero, then setting the "largest contiguous free block"
hint for that subtree to anything other than zero makes no sense. (To be
clear, assigning a value to the hint that is too large is not a correctness
problem, only a pessimization.)
MFC r319755
blist_fill()'s return type is too narrow. blist_fill() accepts a 64-bit
quantity as the size of the range to fill, but returns a 32-bit quantity
as the number of blocks that were allocated to fill that range. This
revision corrects that mismatch.
MFC r319793
Remove an unnecessary field from struct blist. (The comment describing
what this field represented was also inaccurate.)
In r178792, blist_create() grew a malloc flag, allowing M_NOWAIT to be
specified. However, blist_create() was not modified to handle the
possibility that a malloc() call failed. Address this omission.
Increase the width of the local variable "radix" to 64 bits. This
matches the width of the corresponding field in struct blist.
MFC: r319882, r320062, r320070, r320126
Make MAXBCACHEBUF a tunable called vfs.maxbcachebuf.
By making MAXBCACHEBUF a tunable, it can be increased to allow for
larger read/write data sizes for the NFS client.
The tunable is limited to MAXPHYS, which is currently 128K.
Making MAXPHYS a tunable or increasing its value is being discussed,
since it would be nice to support a read/write data size of 1Mbyte
for the NFS client when mounting the AmazonEFS file service.
Also, define NFS_MAXXDR as the upper bound on XDR overhead in an NFS RPC.
ken [Mon, 3 Jul 2017 15:34:21 +0000 (15:34 +0000)]
MFC r320421:
------------------------------------------------------------------------
r320421 | ken | 2017-06-27 13:26:02 -0600 (Tue, 27 Jun 2017) | 37 lines
Fix a panic in camperiphfree().
If a peripheral driver (e.g. da, sa, cd) is added or removed from the
peripheral driver list while an unrelated peripheral driver instance (e.g.
da0, sa5, cd2) is going away and is inside camperiphfree(), we could
dereference an invalid pointer.
When peripheral drivers are added or removed (see periphdriver_register()
and periphdriver_unregister()), the peripheral driver array is resized
and existing entries are moved.
Although we hold the topology lock while we traverse the peripheral driver
list, we retain a pointer to the location of the peripheral driver pointer
and then drop the topology lock. So we are still vulnerable to the list
getting moved around while the lock is dropped.
To solve the problem, cache a copy of the peripheral driver pointer. If
its storage location in the list changes while we have the lock dropped, it
won't have any effect.
This doesn't solve the issue that peripheral drivers ("da", "cd", as opposed
to individual instances like "da0", "cd0") are not generally part of a
reference counting scheme to guard against deregistering them while there
are instances active. The caller (generally the person unloading a module)
has to be aware of active drivers and not unload something that is in use.
sys/cam/cam_periph.c:
In camperiphfree(), cache a pointer to the peripheral driver
instance to avoid holding a pointer to an invalid memory location
in the event that the peripheral driver list changes while we have
the topology lock dropped.
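The failure mode described in this commit message, as an added illustration that is not part of the commit or of FreeBSD's source. It is a single-threaded toy model (all `toy_*` names are hypothetical) in which a register call during the unlocked window moves the driver array, and the teardown path stays safe because it cached the driver pointer rather than the address of its slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model with hypothetical names; not the code in sys/cam/cam_periph.c. */
struct toy_driver { const char *name; int deinit_calls; };

static struct toy_driver **drv_list; /* NULL-terminated, reallocated on register */
static size_t drv_count;

/* Models periphdriver_register(): new larger array, entries moved, old freed. */
static int toy_register(struct toy_driver *drv)
{
    struct toy_driver **newlist = malloc(sizeof(*newlist) * (drv_count + 2));
    if (newlist == NULL)
        return -1;
    if (drv_count > 0)
        memcpy(newlist, drv_list, sizeof(*newlist) * drv_count);
    newlist[drv_count] = drv;
    newlist[drv_count + 1] = NULL;
    free(drv_list);              /* any saved slot address is now dangling */
    drv_list = newlist;
    drv_count++;
    return 0;
}

/* Returns the list slot for a driver name; only valid while the lock is held. */
static struct toy_driver **toy_find_slot(const char *name)
{
    for (struct toy_driver **p = drv_list; p != NULL && *p != NULL; p++)
        if (strcmp((*p)->name, name) == 0)
            return p;
    return NULL;
}

/*
 * Teardown with the fix applied. 'concurrent' stands in for another thread
 * registering a driver while the lock is dropped.
 * Returns 1 if the slot's storage moved in that window, 0 if not, -1 on error.
 */
static int toy_periphfree(const char *name, struct toy_driver *concurrent)
{
    /* lock held */
    struct toy_driver **slot = toy_find_slot(name);
    if (slot == NULL)
        return -1;
    struct toy_driver *cached = *slot;       /* the fix: copy the value out */
    uintptr_t slot_addr = (uintptr_t)slot;   /* kept only to report movement */
    /* lock dropped: 'slot' must not be dereferenced from here on */
    if (concurrent != NULL && toy_register(concurrent) != 0)
        return -1;
    cached->deinit_calls++;                  /* driver object itself never moved */
    /* lock re-taken: look the slot up again instead of reusing the old address */
    slot = toy_find_slot(name);
    return slot != NULL && (uintptr_t)slot != slot_addr;
}

int main(void)
{
    struct toy_driver da = {"da", 0}, sa = {"sa", 0};
    if (toy_register(&da) != 0)
        return 1;
    int moved = toy_periphfree("da", &sa);
    printf("slot moved: %d, deinit calls: %d\n", moved, da.deinit_calls);
    return 0;
}
```

Dereferencing the saved slot address after the resize would read freed memory, which is why the model only compares addresses and never touches the old slot.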
ken [Mon, 3 Jul 2017 15:10:16 +0000 (15:10 +0000)]
MFC r320420:
------------------------------------------------------------------------
r320420 | ken | 2017-06-27 11:55:25 -0600 (Tue, 27 Jun 2017) | 25 lines
In scsi_zbc_in(), fill in the length in the ZBC IN CDB.
Without the allocation length set, the target will either reject
the command or complete it without transferring any data.
This fixes the REPORT ZONES command for SCSI ZBC protocol devices,
as well as ATA ZAC protocol devices that are behind a SCSI to ATA
translation layer. (LSI/Broadcom's 12Gb SAS adapters translate ZBC
commands to ZAC commands.) Those are Host Aware and Host Managed SMR
drives.
This will fix REPORT ZONE commands sent to the da(4) driver via the
GEOM bio interface and zonectl, and REPORT ZONE commands sent from
camcontrol(8).
Note that in the case of camcontrol(8), we currently only send
SCSI ZBC commands to native SCSI protocol devices, not ATA devices
behind a SAT layer.
sys/cam/scsi/scsi_da.c:
Fill in the length field in scsi_zbc_in().
r319682:
Make the VNC authentication build with LibreSSL on HardenedBSD and TrueOS.
PR: 219790
Submitted by: Shirkdog <mshirk@daemon-security.com>
Reviewed by: grehan and rgrimes
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D11071
r319968:
Initialize variables and use byteorder(9) instead of aliasing char array
buf via uint32_t pointer.
CID: 1375949
Reported by: Coverity, cem
Reviewed by: cem
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D11153
r319995:
Check if pthread_create(3) successfully created the thread prior to calling
pthread_join(3). The variable tid is not yet initialized in case
the authentication fails at an early stage, which would lead to pthread_join
being called with an uninitialized variable.
CID: 1375950
Reported by: Coverity, cem
Reviewed by: cem
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D11150
r318394 seems to break gpart(8) on some embedded systems such as PCEngines,
RPI1-B, Alix and APU2 boards, as well as NanoBSD, with the following message:
The breakage seems to be because acr was not included in the glabel update.
Reported by: Peter Blok <pblok@bsd4all.org>,
madpilot, imp and trasz.
Reviewed by: trasz
Tested by: Peter Blok and madpilot.
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D11365
MFC r320049
Pages that are passed to swap_pager_putpages() should already be fully
dirty. Assert that they are fully dirty rather than redundantly calling
vm_page_dirty() on them.
alc [Wed, 28 Jun 2017 05:28:15 +0000 (05:28 +0000)]
MFC r315518
Avoid unnecessary calls to vm_map_protect() in elf_load_section().
Typically, when elf_load_section() unconditionally passed VM_PROT_ALL to
elf_map_insert(), it was needlessly enabling execute access on the
mapping, and it would later have to call vm_map_protect() to correct the
mapping's access rights. Now, instead, elf_load_section() always passes
its parameter "prot" to elf_map_insert(). So, elf_load_section() must
only call vm_map_protect() if it needs to remove the write access that
was temporarily granted to perform a copyout().