Correct sysent flags for dynamically loaded syscalls.
Using the https://github.com/google/capsicum-test/ suite, the
PosixMqueue.CapModeForked test was failing due to an ECAPMODE after
calling kmq_notify(). On further inspection, the dynamically
loaded syscall entry was initialized with sy_flags zeroed out, since
SYSCALL_INIT_HELPER() left sysent.sy_flags with the default value.
Add a new helper SYSCALL{,32}_INIT_HELPER_F() which takes an
additional argument to specify the sy_flags value.
Submitted by: Siva Mahadevan <smahadevan@freebsdfoundation.org>
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D11576
Ryan Libby [Fri, 14 Jul 2017 00:10:51 +0000 (00:10 +0000)]
ixl: gcc build errors
Fix minor -Werror issues when building with gcc from -Wredundant-decls,
-Wunused, -Wbool-operations. Also ensure the M_IXL malloc type is only
defined once.
Alan Somers [Thu, 13 Jul 2017 22:49:55 +0000 (22:49 +0000)]
Use ATF cleanup routines in aio_test.c
Remove aio_test's legacy timeout handling and cleanup routines. Instead,
use ATF's builtin capabilities. ATF automatically cleans up newly created
files, too, so we don't have to explicitly unlink them. The only tests that
need a cleanup routine are the md(4) tests, which must destroy their md
device.
Eric Joyner [Thu, 13 Jul 2017 22:12:41 +0000 (22:12 +0000)]
ixl(4)/ixlv(4): Stop leaking every busdma entry in receive path
From Brett:
In short, busdma maps for received packets were not being unloaded in the
interrupt handler before the packets were passed up the network stack. The fix
was to add a busdma sync and unload for the two receive maps.
This bug is significant for certain busdma providers, for example IOMMUs,
where not unloading the maps means that 1) the IOMMU mappings that allow the
NIC to DMA the received packets into host memory stay open indefinitely,
potentially violating a desired security policy, and 2) resources such as
device address space addresses and host memory for bookkeeping are never freed.
Without an IOMMU or bounce buffering enabled for the ixl device, I don't think
adding these calls will have any significant performance impact. With the
IOMMU enabled, I have noticed a performance impact on the receive side, which
is expected.
Add an rc.d script to setup a netflow export via ng_netflow
The default is to export netflow data on localhost on the netflow port.
ngtee is used to have the lowest overhead possible.
The ipfw ng hook is the netflow port (it can only be numeric)
Default is netflow version 5.
Add some basic tests for hexdump(1)'s various output flags. Formatting
tests are omitted for this initial run as there are still some bugs to work
out there.
This covers -s flag testing on devices and non-devices that would have
caught breakage found in PR 219173 as well as other subtle breakage caused
locally.
META_MODE: Fix not writing .meta files in the kernel build.
This was a regression in r320220 due to improper porting of the
same logic from share/mk/bsd.dep.mk and having only tested with
-DNO_FILEMON at the time.
Pointyhat to: bdrewery
Reported by: Mark Millard, dhw, O. Hartmann
Sponsored by: Dell EMC Isilon
Ryan Libby [Wed, 12 Jul 2017 07:30:14 +0000 (07:30 +0000)]
kvprintf %b enhancements
Make the %b formatter accept number formatting flags. It will now accept
alternate form, precision, and length modifiers. It also now partially
supports field width (but forces left justification).
Xin LI [Wed, 12 Jul 2017 07:19:06 +0000 (07:19 +0000)]
MFV r320905: Import upstream fix for CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Xin LI [Wed, 12 Jul 2017 07:13:56 +0000 (07:13 +0000)]
Import upstream fix for CVE-2017-11103:
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Ian Lepore [Wed, 12 Jul 2017 02:53:54 +0000 (02:53 +0000)]
Support multiple realtime clocks, and remove locking/sleeping restrictions
on clock drivers.
This tracks multiple concurrent realtime clock drivers in a list sorted by
clock resolution. When system time changes (and periodically) the
clock_settime() methods of all registered clocks are invoked.
To initialize system time, each driver is tried in turn from best to worst
resolution, until one successfully returns a valid time.
The code no longer holds a mutex while calling the clock_settime() and
clock_gettime() methods of the registered clocks. This allows clock drivers
to do whatever kind of locking or sleeping is necessary (this is especially
important for i2c clock chips since i2c drivers often need to sleep).
A new clock_register_flags() function allows the clock driver to pass
flags. The flags currently defined help support drivers that use their own
techniques to avoid roundoff errors (prevents the 4/5 rounding done by the
subr_rtc code). A driver which may need to wait for resources (such as bus
ownership) may pass a flag to indicate that it will obtain system time for
itself after waiting for resources; this is merely an optimization to avoid
the common code retrieving a timespec that will never get used.
Ian Lepore [Wed, 12 Jul 2017 02:42:57 +0000 (02:42 +0000)]
Protect access to the AT realtime clock with its own mutex.
The mutex protecting access to the registered realtime clock should not be
overloaded to protect access to the atrtc hardware, which might not even be
the registered rtc. More importantly, the resettodr mutex needs to be
eliminated to remove locking/sleeping restrictions on clock drivers, and
that can't happen if MD code for amd64 depends on it. This change moves the
protection into what's really being protected: access to the atrtc date and
time registers.
This change also adds protection when the clock is accessed from
xentimer_settime(), which bypasses the resettodr locking.
John Baldwin [Tue, 11 Jul 2017 21:55:20 +0000 (21:55 +0000)]
Consistently use vop_stdpathconf() for default pathconf values.
Update filesystems not currently using vop_stdpathconf() in pathconf
VOPs to use vop_stdpathconf() for any configuration variables that do
not have filesystem-specific values. vop_stdpathconf() is used for
variables that have system-wide settings as well as providing default
values for some values based on system limits. Filesystems can still
explicitly override individual settings.
Mark Johnston [Tue, 11 Jul 2017 17:59:15 +0000 (17:59 +0000)]
Don't dlclose NSS modules from nss_atexit().
As hinted in the commit log message for r259042, this is unnecessary.
Moreover, as a result of that change we may invoke a DSO's atexit handler
after it has been unmapped.
Andrew Turner [Tue, 11 Jul 2017 16:30:16 +0000 (16:30 +0000)]
Add external PLATFORM access on arm, and use it in the pl310 driver.
This allows multiple instances of SoCs that use the pl310 driver to be
built within the same kernel:
* Add access to the platform_t object from outside platform.c
* Use this with the pl310 driver
There is a new platform_pl310 interface to replace the existing code. SoCs
need to implement the init method, and if they have special requirements to
write to the two registers we care about will also need to implement the
write_ctrl and write_debug methods.
Make fsck_y_enable default to passing -R to fsck_ffs(8) in addition
to -y. To me, fsck_y_enable means "try as hard as possible", and without
-R, it... well, doesn't.
Make sure the mlx4en RX DMA ring gets stamped with software ownership
in order to prevent the flow of QP to error in the firmware once
UPDATE_QP is called.
MFC after: 3 days
Sponsored by: Mellanox Technologies
Create libdl.so.1 as a filter for libc.so.7 which exports public dl*
functions. The functions are resolved from the rtld instead, the goal
of creating the library is to avoid errors from the static linker due to
missed libdl. For static binaries, an empty .o is compiled into
libdl.a so that static binaries still get dl stubs from libc.a.
Right now lld cannot create filter objects, disable libdl on arm64
when binutils are not used.
Reviewed by: bdrewery, dim (previous version); emaste
Exp run: PR 220525, done by antoine
Sponsored by: The FreeBSD Foundation
MFC after: 1 month
Differential revision: https://reviews.freebsd.org/D11504
Bruce Evans [Mon, 10 Jul 2017 09:00:35 +0000 (09:00 +0000)]
Fix attribute flipping for cut marking in pixel mode. The text-mode
code was used, so the lightness bit was not flipped, so the flipping
was unnecessarily null in some cases. E.g., the unusual color scheme
of lightwhite on white (white = lightgrey in kernelspeak) is not
completely unusable, except null flipping of it gave no visible marks
for cut marking. Now flipping it works in pixel mode only.
Fix text cursor attribute adjustment over cut marking in text mode for
the usual cursor type (non-blinking full block). Apply the flipping
for cut marking first and adjust that instead of vice versa. This
gives a uniform color scheme for the usual text cursor type in text
mode: a white block background with no change to the character
foreground except for variations to avoid collisions. The old order
gave a white character fg with no change in the bg in non-colliding
cases. Versions before r316636 changed the bg to the non-cut-marked
one about half the time using a saveunder bug; this accidentally gave
something resembling a block cursor half the time.
Enji Cooper [Mon, 10 Jul 2017 05:16:07 +0000 (05:16 +0000)]
Fix whitespace bugs
- Delete trailing whitespace.
- Replace 8 single column spaces with hard tabs.
- Delete lines consisting purely of blank space.
- Add space between `return` and `(`, per style(9).
Special care was taken to not blindly replace 8 single column spaces
with tabs; doing so could break tools that do strict string comparisons
with camcontrol output.
pf_purge_thread() breaks up the work of iterating all states (in
pf_purge_expired_states()) and tracks progress in the idx variable.
If multiple vnets exist this results in pf_purge_thread() only calling
pf_purge_expired_states() for part of the states (the first part of the
first vnet, second part of the second vnet and so on).
Combined with the mark-and-sweep approach to cleaning up old rules (in
V_pf_unlinked_rules) that resulted in pf freeing rules that were still
referenced by states. This in turn caused panics when pf_state_expires()
encounters that state and attempts to access the rule.
We need to track the progress per vnet, not globally, so idx is moved
into a per-vnet V_pf_purge_idx.
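The interaction described in the commit message above, as a small user-space model added here (it is not the pf source): each pass scans a slice of every vnet's state table, and a vnet's unlinked-rule sweep runs when the index wraps to 0. The constants, `scan_slice()` and `min_rows_marked_at_sweep()` are hypothetical names for this illustration, and the table sizes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NVNET 2 /* constructed: number of vnets */
#define ROWS  8 /* constructed: state hash rows per vnet */
#define SLICE 2 /* rows scanned per vnet on each pass */

/* Model of pf_purge_expired_states(): visit SLICE rows from idx, marking the
 * rules of the states found there as referenced; return the next start row. */
static unsigned scan_slice(unsigned char *visited, unsigned idx)
{
    for (int n = 0; n < SLICE; n++) {
        visited[idx] = 1;
        idx = (idx + 1) % ROWS;
    }
    return idx;
}

/* Run the purge loop and return the fewest rows a vnet had visited when its
 * rule sweep ran (idx wrapped to 0), or -1 if none ran. per_vnet = the fix. */
int min_rows_marked_at_sweep(int per_vnet, int passes)
{
    unsigned char visited[NVNET][ROWS];
    unsigned global_idx = 0, vnet_idx[NVNET] = {0};
    int min = -1;
    memset(visited, 0, sizeof(visited));
    for (int p = 0; p < passes; p++) {
        for (int v = 0; v < NVNET; v++) {
            unsigned *idx = per_vnet ? &vnet_idx[v] : &global_idx;
            int marked = 0;
            *idx = scan_slice(visited[v], *idx);
            if (*idx != 0)
                continue;
            /* Sweep: rules not marked since the last sweep get freed. */
            for (int r = 0; r < ROWS; r++)
                marked += visited[v][r];
            if (min < 0 || marked < min)
                min = marked;
            memset(visited[v], 0, sizeof(visited[v]));
        }
    }
    return min;
}
int main(void)
{
    printf("shared idx:   %d/%d rows marked\n", min_rows_marked_at_sweep(0, 16), ROWS);
    printf("per-vnet idx: %d/%d rows marked\n", min_rows_marked_at_sweep(1, 16), ROWS);
    return 0;
}
```

With the shared index the second vnet sweeps after visiting only half of its rows, so rules referenced by states in the unvisited rows look unreferenced, and the first vnet never reaches a sweep at all. With one index per vnet every sweep follows a full scan.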
Warner Losh [Sun, 9 Jul 2017 17:02:47 +0000 (17:02 +0000)]
Added mmcnull, an emulated lightweight MMC controller
This emulated device attaches to the ISA bus and registers itself as
HBA supporting MMC/SD cards. This allows developing and testing MMC XPT
and MMC / SDIO peripheral drivers even in a VM such as bhyve.
Warner Losh [Sun, 9 Jul 2017 16:57:24 +0000 (16:57 +0000)]
An MMC/SD/SDIO stack using CAM
Implement the MMC/SD/SDIO protocol within a CAM framework. CAM's
flexible queueing will make it easier to write non-storage drivers
than the legacy stack. SDIO drivers from both the kernel and as
userland daemons are possible, though much of that functionality will
come later.
Some of the CAM integration isn't complete (there are sleeps in the
device probe state machine, for example), but those minor issues can
be improved in-tree more easily than out of tree and shouldn't gate
progress on other fronts. Apologies to reviewers if specific items
have been overlooked.
Reported by: antoine
Tested by: Stefan Ehmann <shoesoft@gmx.net>,
Jan Kokemueller <jan.kokemueller@gmail.com>
PR: 220493
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Allwinner:
* H3/H5 were merged into a common dtsi file
* include/dt-bindings/sun4i-a10.h is not included anymore
in a lot of dts files
* Add sun8i-h3-nanopi-neo-air board DTS file
Bruce Evans [Sun, 9 Jul 2017 12:13:37 +0000 (12:13 +0000)]
Move open coding of construction of attributes for cut regions and
text cursors to functions so that it is easier to fix and improve.
This commit doesn't fix anything except for removing unnecessary
complications and adding comments.
Switch prison check from PRIV_DRIVER to PRIV_KMEM_WRITE (like /dev/mem).
Access to the dri device gives effectively access to the entire memory of the machine (you can program
the graphic card to do DMA).
For current/stable/release this is a NOP, as access to memory is not allowed in a jail. This puts the dri
device into the same (in)security class as /dev/mem for future use.
Discussed with: anholt(?) several years ago
Sponsored by: Hackathon Essen 2017
- Extend pr_allow flags visually to 32 bits, to make it more obvious at first look how many flags we still
have available to use in the future.
- Add kmem_access flag as a placeholder (reserve it), not used yet.
Bruce Evans [Sat, 8 Jul 2017 17:30:33 +0000 (17:30 +0000)]
Add many bitmaps (now there are 13) for mouse cursors and logic to try
to choose the best one.
The old 9x13 cursor was sort of correct for CGA 640x200 text mode,
but distorted for all other modes. This mode is still available on
all systems with VGA, but stopped being useful in ~1985. It has very
unsquare pixels with an aspect ratio of 240:100 on 4:3 monitors. On
16:9 monitors, the unsquareness in this mode is reduced to only 180:100
iff the monitor stretches the pixels to the full screen.
Newer modes and systems have smaller distortions, but with many more
variations. Square pixels first became common with VGA 640x480 mode
on 4:3 monitors. However, standard VGA text mode also has 9-bit wide
characters and only 25 lines, so it has 720x400 pixels. This has
unsquare pixels with an aspect ratio of 135:100 on 4:3 monitors. On
16:9 monitors, it gives almost-square pixels with an aspect ratio of
101:100 iff the monitor stretches, but in modes that were square on
4:3 monitors square similar monitor stretching breaks the squareness.
Guess the physical aspect ratio using heuristics. The old version of
X that I use is further from doing this using info from PnP monitors
that is unavailable in syscons (X doesn't understand if the monitor
is doing stretching and doesn't even understand how its own mode
changes affect the pixel size). Monitors with aspect ratio control
should be configured to _not_ stretch 4:3 modes to 16:9. Otherwise,
use the machdep.vga_aspect_scale sysctl to compensate. Only 1 of my
4 monitors/laptops requires this. It always stretches to 16:9.
The mouse data has new aspect ratio fields for selecting the best
cursor and a new name field for display in debugging messages.
Selecting the mouse cursor is now a slow operation so it is not done
for every drawing of the cursor. To avoid a new initialization method,
it is done whenever the text cursor is set or changed. Also remove
dead code in settings of text cursors.
Use larger mouse cursors (sometimes the full 10x16 one) for 8x8 fonts
in cases where this works better (mostly in graphics mode).