John Baldwin [Fri, 4 Dec 2020 01:09:51 +0000 (01:09 +0000)]
MFC 366844: Mark asymmetric cryptography via OCF deprecated for 14.0.
Only one MIPS-specific driver implements support for one of the
asymmetric operations. There are no in-kernel users besides
/dev/crypto. The only known user of the /dev/crypto interface was the
engine in OpenSSL releases before 1.1.0. 1.1.0 includes a rewritten
engine that does not use the asymmetric operations due to lack of
documentation.
Yuri Pankov [Wed, 2 Dec 2020 22:44:40 +0000 (22:44 +0000)]
MFC r353130:
Mark "private use area" characters as printable.
At least some of the characters in E000-F8FF range are used by Powerline
fonts, and having no attributes for these ranges in UnicodeData.txt
other than "Other, Private Use" it should be safe to mark all of them as
printable. Some actually were before r340491, so this fixes the
regression introduced there as well.
Dimitry Andric [Wed, 2 Dec 2020 21:44:41 +0000 (21:44 +0000)]
MFC r367809:
When elftoolchain's objcopy (or strip) is rewriting a file in-place,
make it create the temporary file in the same directory as the source
file by default, instead of always using $TMPDIR or /tmp. If creating
that file fails because the directory is not writable, also fallback to
$TMPDIR or /tmp.
This has also been submitted upstream as:
https://sourceforge.net/p/elftoolchain/tickets/597/
Dimitry Andric [Wed, 2 Dec 2020 21:39:54 +0000 (21:39 +0000)]
MFC r367304:
Add WITH_LLVM_CXXFILT option to install llvm-cxxfilt as c++filt
Since elftoolchain's cxxfilt is rather far behind on features, and we
ran into several bugs, add an option to use llvm-cxxfilt as an drop-in
replacement.
It supports the same options as elftoolchain cxxfilt, though it doesn't
have support for old ARM (C++ Annotated Reference Manual, not the CPU)
and GNU v2 manglings. But these are irrelevant in 2020.
Note: as we already compile the required libraries as part of libllvm,
this will not add any significant build time either.
Alan Somers [Tue, 1 Dec 2020 15:15:18 +0000 (15:15 +0000)]
Fix error merging r354116 from OpenZFS
When we merged 4c0883fb4af0d5565459099b98fcf90ecbfa1ca1 from OpenZFS (svn
r354116), there were some merge conflicts. One of those was resolved
incorrectly, causing "zfs receive" to fail to delete snapshots that a "zfs
send -R" stream has deleted.
This change corrects that merge conflict, and also reduces some harmless
diffs vis-a-vis OpenZFS that were also introduced by the same revision.
Direct commit to stable/12 because head has moved on to OpenZFS.
MFC r366933 and r366934:
Add support for IP over infiniband, IPoIB, to lagg(4). Currently only
the failover protocol is supported due to limitations in the IPoIB
architecture. Refer to the lagg(4) manual page for how to configure
and use this new feature. A new network interface type,
IFT_INFINIBANDLAG, has been added, similar to the existing
IFT_IEEE8023ADLAG .
ifconfig(8) has been updated to accept a new laggtype argument when
creating lagg(4) network interfaces. This new argument is used to
distinguish between ethernet and infiniband type of lagg(4) network
interface. The laggtype argument is optional and defaults to
ethernet. The lagg(4) command line syntax is backwards compatible.
MFC r366930, r366936, r366993 and r366994:
Factor out generic IP over infiniband, IPoIB, definitions and code
into net/if_infiniband.c and net/infiniband.h . No functional change
intended.
MFC r367719:
Make mlx5_cmd_exec_cb() a safe API in mlx5core.
APIs that have deferred callbacks should have some kind of cleanup
function that callers can use to fence the callbacks. Otherwise things
like module unloading can lead to dangling function pointers, or worse.
The IB MR code is the only place that calls this function and had a
really poor attempt at creating this fence. Provide a good version in
the core code as future patches will add more places that need this
fence.
Make completion event path mostly lockless using EPOCH(9).
Implement a mechanism using EPOCH(9) which allows us to make
the callback path for completion events mostly lockless.
Simplify draining callback events using epoch_wait().
While at it make sure all receive completion callbacks are
covered by the network EPOCH(9), because this is required
when calling if_input() and ether_input() after r357012.
MFC r367716:
Use mlx5core to create/destroy all Dynamically Connected Targets, DCTs.
To prevent a hardware memory leak when a DEVX DCT object is destroyed
without calling drain DCT before, (e.g. under cleanup flow), need to
manage its creation and destruction via mlx5 core.
MFC r367555:
Include GID type when deleting GIDs from HW table under RoCE in mlx4ib.
Refer to the Linux commit mentioned below for a more detailed description.
- Sort options alphabetically
- Add missing arguments (e.g., "list" to -a)
- Adjust the width of Bl
Clean up the synopsis section & fix mandoc warnings
The synopsis section had two very similar entries. The flags documented by
the first one were a strict subset of the second one. Let's just keep only
the second entry for simplicity.
Let's have two entries in the synopsis:
- chpass now lists options which can be used for non-NIS-specific
functionalities.
- ypchpass additionally lists the NIS-specific flags.
Technically, it is an artificial distinction, as chpass and ypchpass behave
identically. Nevertheless, it might help navigating the synopsis section.
Michael Tuexen [Mon, 30 Nov 2020 09:45:44 +0000 (09:45 +0000)]
MFC r367530:
RFC 7323 specifies that:
* TCP segments without timestamps should be dropped when support for
the timestamp option has been negotiated.
* TCP segments with timestamps should be processed normally if support
for the timestamp option has not been negotiated.
This patch enforces the above.
Manually resolved merge conflicts.
MFC 367891:
Fix an issue I introuced in r367530: tcp_twcheck() can be called
with to == NULL for SYN segments. So don't assume tp != NULL.
Thanks to jhb@ for reporting and suggesting a fix.
MFC r367946:
Fix two occurences of a typo in a comment introduced in r367530.
Thanks to lstewart@ for reporting them.
Michael Tuexen [Mon, 30 Nov 2020 09:21:01 +0000 (09:21 +0000)]
MFC r367464:
The ioctl() calls using FIONREAD, FIONWRITE, FIONSPACE, and SIOCATMARK
access the socket send or receive buffer. This is not possible for
listening sockets since r319722.
Because send()/recv() calls fail on listening sockets, fail also ioctl()
indicating EINVAL.
PR: 250366
Reported by: Yong-Hao Zou
Reviewed by: glebius, rscheff
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D26897
Michael Tuexen [Mon, 30 Nov 2020 09:18:13 +0000 (09:18 +0000)]
MFC r366750:
Improve the handling of cookie life times.
The staleness reported in an error cause is in us, not ms.
Enforce limits on the life time via sysct; and socket options
consistently. Update the description of the sysctl variable to
use the right unit. Also do some minor cleanups.
This also fixes an interger overflow issue if the peer can
modify the cookie. This was reported by Felix Weinrank by fuzz testing
the userland stack and in
https://oss-fuzz.com/testcase-detail/4800394024452096
Rick Macklem [Sun, 29 Nov 2020 23:37:18 +0000 (23:37 +0000)]
Fix startup of gssd when /usr is a separately mounted local file system.
meowthink@gmail.com reported that the gssd daemon was not
starting, because /etc/rc.d/gssd was executed before his local
/usr file system was mounted.
He fixed the problem by adding mountcritlocal to the REQUIRED
line.
This fix seems safe and works for a separately mounted /usr file
system on a local disk.
The case of a separately mounted remote /usr file system (such as
NFS) is still broken, but there is no obvious solution for that.
Adding mountcritremote would fix the problem, but it would
cause a POLA violation, because all kerberized NFS mounts
in /etc/fstab would need the "late" option specified to work.
Rick Macklem [Sun, 29 Nov 2020 23:23:08 +0000 (23:23 +0000)]
MFC: r367423
Add support for the new mountd -R option.
r376026 added a new "-R" option to mountd, which tells it to
not support the Mount protocol (not used by NFSv4) and not
register with rpcbind.
Rpcbind is considered a security issue by some sites now.
This patch adds a new yes/no variable called nfsv4_server_only.
When that is set, make vfs.nfsd.server_min_vers=4 and set "=R"
for mountd.
Setting vfs.nfsd.server_min_vers=4 tells nfsd to not register with rpcbind.
While here, add a check for "load_kld nfsd" failing to nfsd.
Rick Macklem [Sun, 29 Nov 2020 01:22:30 +0000 (01:22 +0000)]
MFC: r367026
Add "-R" option to tell mountd to not register with rpcbind.
rpcbind is now considered a security risk for some sites.
Since an NFSv4 only NFS server does not need rpcbind,
it makes sense to have an option that implements this.
This patch adds a "-R" option that disables the Mount
protocol (not used by NFSv4) and does not register
with rpcbind.
Changes are required to /etc/rc.d/mountd and /etc/rc.d/nfsd.
Those will be in a separate commit.
Alan Somers [Thu, 26 Nov 2020 23:35:13 +0000 (23:35 +0000)]
MFC r365956:
fsx: fix build with WARNS=6
* signed/unsigned comparisons
* use standard warn(3)
* Suppress warnings about local vars and funcs not declared static
* const-correctness
* declaration shadows a variable in the global scope
Alan Somers [Thu, 26 Nov 2020 23:34:02 +0000 (23:34 +0000)]
MFC r365910:
fix integer underflow in getgrnam_r and getpwnam_r
Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
return ERANGE instead of 0.
Fix the user's buffer size check, and add a correct check for a too-small
nscd buffer.
Marcin Wojtas [Wed, 25 Nov 2020 03:24:43 +0000 (03:24 +0000)]
MFC: Merge ENA v2.3.0 driver
r367805 Update ENA driver version to v2.3.0
r367803 Rename descriptions of the supported ENA devices
r367802 Add ENI metrics for the ENA driver
r367801 Add SPDX license tag to the ENA driver files
r367800 Add Rx offsets support for the ENA driver
r367799 Adjust ENA driver files to latest ena-com changes
r367795 Fix completion descriptors alignment for the ENA
Alexander Motin [Tue, 24 Nov 2020 13:17:12 +0000 (13:17 +0000)]
MFC r367044: Introduce support of SCSI Command Priority.
SAM-3 specification introduced concept of Task Priority, that was renamed
to Command Priority in SAM-4, and supported by all modern SCSI transports.
It provides 15 levels of relative priorities: 1 - highest, 15 - lowest and
0 - default. SAT specification for SATA devices translates priorities 1-3
into NCQ high priority.
This change adds new "priority" field into empty spots of struct ccb_scsiio
and struct ccb_accept_tio of CAM and struct ctl_scsiio of CTL. Respective
support is added into iscsi(4), isp(4), mpr(4), mps(4) and ocs_fc(4) drivers
for both initiator and where applicable target roles. Minimal support was
added to CTL to receive the priority value from different frontends, pass it
between HA controllers and report in few places.
This patch does not add consumers of this functionality, so nothing should
really change yet, since the field is still set to 0 (default) on initiator
and not actively used on target. Those are to be implemented separately.
I've confirmed priority working on WD Red SATA disks connected via mpr(4)
and properly transferred to CTL target via iscsi(4), isp(4) and ocs_fc(4).
While there, added missing tag_action support to ocs_fc(4) initiator role.
Navdeep Parhar [Tue, 24 Nov 2020 00:17:05 +0000 (00:17 +0000)]
MFC r366929 and r367608.
r366929:
cxgbe(4): fix the size of the iq/eq maps.
The firmware can allocate ingress and egress context ids anywhere from
its configured range. Size the iq/eq maps to match the entire range
instead of assuming that the firmware always allocates the first
available context id.
Reported by: Baptiste Wicht @ Verisign
r367608:
cxgbev(4): Make sure that the iq/eq map sizes are correct for VFs.
Navdeep Parhar [Mon, 23 Nov 2020 23:53:21 +0000 (23:53 +0000)]
MFC r366532 and r366862.
r366532:
cxgbe(4): knobs to drop various kinds of undesirable frames on ingress.
These kind of drops come for free in the sense that they do not use the
filter TCAM or any other resource that wouldn't normally be used during
rx. Frames dropped by the hardware get counted in the MAC's rx stats
but are not delivered to the driver.
hw.cxgbe.attack_filter
Set to 1 to enable the "attack filter". Default is 0. The attack
filter will drop an incoming frame if any of these conditions is true:
src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip
is loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback
(::1/128) or unspecified (::/128); tcp and src/dst ip6 is mcast
(ff00::/8).
hw.cxgbe.drop_ip_fragments
Set to 1 to drop all incoming IP fragments. Default is 0. Note that
this drops valid frames.
hw.cxgbe.drop_pkts_with_l2_errors
Set to 1 to drop incoming frames with Layer 2 length or checksum errors.
Default is 1.
hw.cxgbe.drop_pkts_with_l3_errors
Set to 1 to drop incoming frames with IP version, length, or checksum
errors. Default is 0.
hw.cxgbe.drop_pkts_with_l4_errors
Set to 1 to drop incoming frames with Layer 4 length, checksum, or other
errors. Default is 0.
r366862:
cxgbe(4): Updates to the drop features from r366532.
Navdeep Parhar [Mon, 23 Nov 2020 23:46:07 +0000 (23:46 +0000)]
MFC r365732 and r366589.
r365732:
cxgbe(4): Get the count of FCS errors from the MAC and not MPS for T6 ports.
The MPS register on the T6 counts something other than FCS errors despite its
name.
r366589:
cxgbe(4): More fixes for the T6 FCS error counter.
r365732 was the first attempt to get an accurate count but it was
writing to some read-only registers to clear them and that obviously
didn't work. Instead, note the counter's value when it is supposed to
be cleared and subtract it from future readings.
dev.<port>.stats.rx_fcs_error should not be serviced from the MPS
register for T6.
The stats.* sysctls should all use T5_PORT_REG for T5 and above. This
must have been missed in the initial T5 support years ago. Fix it while
here.