Zhenlei Huang [Fri, 17 Mar 2023 17:24:46 +0000 (01:24 +0800)]
ehci(4): Correct PCI device ID for Zhaoxin USB 2.0 controller
And minor style fixes.
Tested by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
Fixes: f9237e1937a4 ehci(4): Add new USB IDs
Differential Revision: https://reviews.freebsd.org/D38923
Vitaliy Gusev [Fri, 17 Mar 2023 09:17:22 +0000 (10:17 +0100)]
vmm: fix missing ipi statistic
ipi counters are missing in bhyvectl's output because vm_maxcpu is 0
when initializing them. That's because vmm_stat_register is executed
before vmm_init.
Instead of directly fixing it, there's a better solution in illumos
which is cherry picked:
https://github.com/illumos/illumos-gate/commit/65a3bc83734e5fb0fc2c19df3e5112b87dcdc3f8
It replaces the matrix statistic by two counters per vcpu. One for
counting the ipis to the vcpu and one counting the ipis received by the
vcpu. This has several advantages:
- A matrix statistic becomes huge when using many vcpus.
- A matrix statistic easily reaches the MAX_VMM_STAT_ELEMS limit.
- Two counters are enough in most cases. DTrace can be used for more
advanced debugging purposes.
- A matrix statistic wastes memory. The matrix size is determined by
vm_maxcpu regardless of the number of vcpus assigned to the vm.
Emmanuel Vadot [Wed, 15 Mar 2023 09:29:27 +0000 (10:29 +0100)]
arm: Remove SOCFPGA specific kernel configs
We had GENERIC for a while now so anyone still interested in those boards
should make sure that we can boot on them with it and with upstream DTS files.
Emmanuel Vadot [Thu, 16 Mar 2023 09:48:06 +0000 (10:48 +0100)]
arm: Rename hdmi_if.m to crtc_if.m
There is nothing hdmi related in this interface, it's just a generic interface
for crt controller so rename it.
This also removes the 'hdmi' device used in arm kernel config. 'vt' now controls
if we build this interface (sc(4) isn't supported on arm).
Sponsored by: Beckhoff Automation GmbH & Co. KG
Reviewed by: andrew
Differential Revision: https://reviews.freebsd.org/D39120
Emmanuel Vadot [Wed, 15 Mar 2023 09:39:02 +0000 (10:39 +0100)]
arm: Remove IMX5 specific kernel configs
We had GENERIC for a while now so anyone still interested in those boards
should make sure that we can boot on them with it and with upstream DTS files.
Sponsored by: Beckhoff Automation GmbH & Co. KG
Reviewed by: andrew
Differential Revision: https://reviews.freebsd.org/D39089
Emmanuel Vadot [Wed, 15 Mar 2023 09:26:24 +0000 (10:26 +0100)]
arm: Remove VYBRID specific kernel config
We had GENERIC for a while now so anyone still interested in those boards
should make sure that we can boot on them with it and with upstream DTS files.
Sponsored by: Beckhoff Automation GmbH & Co. KG
Reviewed by: andrew
Differential Revision: https://reviews.freebsd.org/D39087
Emmanuel Vadot [Wed, 15 Mar 2023 09:17:24 +0000 (10:17 +0100)]
arm: Remove kernel config APALIS-IMX6
It references a non-existent dts file, apalis-imx6.dts, so it is unlikely to compile.
Also IMX6 support is in GENERIC so anyone interested in this board should
make it work with GENERIC kernel (if that's not already the case).
Sponsored by: Beckhoff Automation GmbH & Co. KG
Reviewed by: andrew
Differential Revision: https://reviews.freebsd.org/D39086
Corvin Köhne [Wed, 11 Aug 2021 08:04:36 +0000 (10:04 +0200)]
bhyve: add helper for adding fwcfg files
Fwcfg items without a fixed index are reported by the file_dir. They
have an index of 0x20 and above. This helper simplifies the addition of
such fwcfg items. It selects a new free index, assigns it to the fwcfg
items and creates a proper entry in the file_dir.
cpuid detection may have picked up a more specific guest type already,
and a follow-up check of smbios vendor/product may erroneously blow
away the previously detected type.
This reportedly fixes the boot under Hyper-V, which advertises an
smbios.system.product of "Virtual Machine."
PR: 270239
Reviewed by: imp, kib (both earlier version, same concept)
Fixes: 2fee87562948 ("abstract out the vm detection via smbios..")
Differential Revision: https://reviews.freebsd.org/D39140
Rick Macklem [Thu, 16 Mar 2023 22:55:36 +0000 (15:55 -0700)]
nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts
Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
a Kerberos credential for the client at mount time. This credential
is typically referred to as a "machine credential". It can be
created one of two ways:
- The user (usually root) has a valid TGT at the time the mount
  is done and this becomes the machine credential.
  There are two problems with this.
  1 - The user doing the mount must have a valid TGT for a user
      principal at mount time. As such, the mount cannot be put
      in fstab(5) or similar.
  2 - When the TGT expires, the mount breaks.
- The client machine has a service principal in its default keytab
  file and this service principal (typically called a host-based
  initiator credential) is used as the machine credential.
  There are problems with this approach as well:
  1 - There is a certain amount of administrative overhead creating
      the service principal for the NFS client, creating a keytab
      entry for this principal and then copying the keytab entry
      into the client's default keytab file via some secure means.
  2 - The NFS client must have a fixed, well known, DNS name, since
      that FQDN is in the service principal name as the instance.
This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
allows the state maintenance operations to be performed by any
authentication mechanism, to do these operations via AUTH_SYS
instead of RPCSEC_GSS (Kerberos). As such, neither of the above
mechanisms is needed.
It is hoped that this option will encourage adoption of Kerberized
NFS mounts using TLS, to provide a more secure NFS mount.
This new NFSv4.1/4.2 mount option, called "syskrb5" must be used
with "sec=krb5[ip]" to avoid the need for either of the above
Kerberos setups to be done by the client.
Note that all file access/modification operations still require
users on the NFS client to have a valid TGT recognized by the
NFSv4.1/4.2 server. As such, this option allows, at most, a
malicious client to do some sort of DOS attack.
Although not required, use of "tls" with this new option is
encouraged, since it provides on-the-wire encryption plus,
optionally, client identity verification via an X.509
certificate provided to the server during TLS handshake.
Alternately, "sec=krb5p" does provide on-the-wire
encryption of file data.
A mount_nfs(8) man page update will be done in a separate commit.
Discussed on: freebsd-current@
MFC after: 3 months
Andrew Turner [Thu, 16 Mar 2023 15:36:06 +0000 (15:36 +0000)]
Switch the arm64 VM_MEMATTR_DEVICE to nGnRE
Move device memory to a weaker type. The new device memory type allows
the system to acknowledge a write to a device before the write has
completed. This is in line with VM_MEMATTR_DEVICE on armv6/armv7.
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D38945
Andrew Turner [Thu, 16 Mar 2023 15:35:59 +0000 (15:35 +0000)]
Allow forcing non-posted memory on arm64
To allow for debugging after changing the arm64 VM_MEMATTR_DEVICE
memory type add a new set of tunables to tell the kernel to use
non-posted memory.
This adds the following tunables:
- kern.force_nonposted: When set to non-zero the kernel will use
non-posted memory for all device allocations.
- hint.<dev>.<unit>.force_nonposted: As above, however only forces
non-posted memory on the named device.
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D38944
Randall Stewart [Thu, 16 Mar 2023 15:43:16 +0000 (11:43 -0400)]
Move access to tcp's t_logstate into inline functions and provide new tracepoint and bbpoint capabilities.
The TCP stacks have long accessed t_logstate directly, but in order to do tracepoints and the new bbpoints
we need to move to using the new inline functions. This adds them and moves rack to now use
the tcp_tracepoints.
Ed Maste [Thu, 16 Mar 2023 14:29:55 +0000 (10:29 -0400)]
ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
Kristof Provost [Sun, 12 Mar 2023 15:08:31 +0000 (16:08 +0100)]
pf tests: test IPv6 fragmentation with link-local addresses
We've observed a panic after pf_refragment6() with link-local addresses,
because pf_refragment6() calls ip6_forward() even for a simple output
case.
That results in us entering ip6_forward() with an mbuf with a NULL
m->m_pkthdr.rcvif, which can cause a NULL deref (but seemingly not for
GUAs).
Kristof Provost [Mon, 13 Mar 2023 09:27:59 +0000 (10:27 +0100)]
pf: set scope in pf_refragment6()
Link-local traffic needs to have a scope embedded before it's passed on
to ip6_output(). Do so in pf_refragment6(), because when we end up here
in the output path we may have passed through ip6_output() already
(before being reassembled), where the scope would have been removed.
Re-embed the scope so that link-local traffic is sent correctly.
Kristof Provost [Sun, 12 Mar 2023 17:34:42 +0000 (18:34 +0100)]
pf: distinguish forwarding and output cases for pf_refragment6()
Re-introduce PFIL_FWD, because pf's pf_refragment6() needs to know if
we're ip6_forward()-ing or ip6_output()-ing.
ip6_forward() relies on m->m_pkthdr.rcvif, at least for link-local
traffic (for in6_get_unicast_scopeid()). rcvif is not set for locally
generated traffic (e.g. from icmp6_reflect()), so we need to call the
correct output function.
Michael Tuexen [Thu, 16 Mar 2023 09:45:13 +0000 (10:45 +0100)]
sctp: don't do RTT measurements with cookies
When receiving a cookie, the receiver does not know whether the
peer retransmitted the COOKIE-ECHO chunk or not. Therefore, don't
do an RTT measurement. It might be much too long.
To overcome this limitation, one could do at least two things:
1. Bundle the INIT-ACK chunk with a HEARTBEAT chunk for doing the
RTT measurement. But this is not allowed.
2. Add a flag to the COOKIE-ECHO chunk, which indicates that it
is the initial transmission, and not a retransmission. But
this requires an RFC.
Michael Tuexen [Wed, 15 Mar 2023 21:29:52 +0000 (22:29 +0100)]
sctp: improve negotiation of zero checksum feature
Enforce consistency between announcing 0-cksum support and actually
using it in the association. The value from the inp when the
INIT ACK is sent must be used, not the one from the inp when the
cookie is received.
Summary:
* add snl_send_message() as a convenient send wrapper
* add signed integer parsers
* add snl_read_reply_code() to simplify operation result checks
* add snl_read_reply_multi() to simplify reading multipart messages
* add snl_create_genl_msg_request()
* add snl_get_genl_family() to simplify family name->id resolution
* add tests for some of the functionality
Andrew Turner [Wed, 15 Mar 2023 13:33:02 +0000 (13:33 +0000)]
Use the arm physical timer when able
To allow bhyve to manage the virtual timer while in a guest have FreeBSD
use the virtual timer only when bhyve will be unavailable due to not
starting at EL2 where the hypervisor switcher will run.
Mitchell Horne [Wed, 15 Mar 2023 15:26:57 +0000 (12:26 -0300)]
arm64: limit EFI excluded regions to physical memory types
Consolidate add_efi_map_entry() and exclude_efi_map_entry() into a
single function, handle_efi_map_entry(), so that the exact set of entry
types handled is the same in the addition or exclusion cases. Before,
exclude_efi_map_entry() had a 'default' case that would exclude all
entry types that were not listed explicitly in the switch statement.
Logically, we do not need to exclude a range that could not possibly be
added to physmem, and we do not need to exclude bus ranges that are not
physical memory, for example EFI_MD_TYPE_IOMEM.
Since physmem's ram0 device will reserve bus memory resources for its
owned ranges, this was preventing attachment of the watchdog device on
the RPI4B. For some reason its region of memory-mapped I/O appeared in
the EFI memory map (with the aforementioned EFI_MD_TYPE_IOMEM type).
This change fixes the attachment issue, as we prevent the physmem API
from messing with this range of bus space.
John Grafton [Wed, 15 Mar 2023 03:14:14 +0000 (21:14 -0600)]
libbe: Avoid double printing cloning errors.
be_clone calls be_clone_cb and both call set_error on the return
error path. set_error prints the error resulting in a double print.
be_clone_cb should just return the error code and allow be_clone
to print it.
Ed Maste [Wed, 16 Nov 2022 21:24:19 +0000 (16:24 -0500)]
CI: Run pkgbase METALOG lint script
tools/pkgbase/metalog_reader.lua checks for errors in METALOG (for
pkgbase staging), such as hard links with differing modes, duplicate
entries, etc. Run it as part of the Cirrus-CI job to prevent
regressions.
Reviewed by: manu, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37521
Jessica Clarke [Wed, 15 Mar 2023 00:06:53 +0000 (00:06 +0000)]
Add new DISK_IMAGE_TOOLS_BOOTSTRAP option
This will build etdump, makefs and mkimg as bootstrap tools to allow
easily creating disk images. Note that etdump is bootstrapped due to its
use in the release scripts for building ISO images.
Bjoern A. Zeeb [Tue, 14 Mar 2023 21:01:19 +0000 (21:01 +0000)]
net80211: make ieee80211_scan_dump_channels private
ieee80211_scan_dump_channels() is only used locally and only when
IEEE80211_DEBUG is compiled. Stop exporting it, make it file local
and hide under the #ifdef to reduce the footprint for production
kernels a tiny bit.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D38833
Bjoern A. Zeeb [Tue, 14 Mar 2023 21:00:48 +0000 (21:00 +0000)]
net80211: define mask for ss_flags rather than using hardcoded 0xfff
scan state ss_flags in two places cut off the "internal" GOTPICK
options. Replace the hardcoded 0xfff with a defined mask.
Note that "internal" flags is confusing as we also supplement
the 16bit by another 16bit of "internal flags" passed around but
comparing to GOTPICK never stored to my understanding.
No functional change.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D38832
netmap: get rid of save_if_input for emulated adapters
The save_if_input function pointer was meant to save the previous
value of ifp->if_input before replacing it with the emulated
adapter hook.
However, the same pointer value is already stored in the if_input
field of the netmap_adapter struct, to be used for host TX ring processing.
Reuse the netmap_adapter if_input field to simplify the code
and save some space.
Justin Hibbits [Thu, 9 Feb 2023 02:32:47 +0000 (21:32 -0500)]
infiniband: Convert BPF handling for IfAPI
Summary:
All callers of infiniband_bpf_mtap() call it through the wrapper macro,
which checks the if_bpf member explicitly. Since this is getting
hidden, move this check into the internal function and remove the
wrapper macro.
Ed Maste [Wed, 8 Feb 2023 13:16:53 +0000 (08:16 -0500)]
ssh: fix leak and apply style(9) to hostname canonicalization
Fixes: bf2e2524a2ce ("ssh: canonicize the host name before...")
Fixes: 3e74849a1ee2 ("ssh: canonicize the host name before...")
Reviewed by: rew
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38441
Ed Maste [Tue, 14 Mar 2023 17:01:20 +0000 (13:01 -0400)]
compiler-rt: remove eprintf
It was used by ancient GCC assert.h. Prior to 2001 GCC used to provide
its own assert.h. The GCC assert.h required __eprintf to emit the error
message. FreeBSD's own assert.h never used this.
Reviewed by: ed (previously), imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D2597
dl [Tue, 14 Mar 2023 04:26:41 +0000 (22:26 -0600)]
Increase protection provided by veriexec with new unlink/rename hooks.
Functions implemented:
- mac_veriexec_vnode_check_unlink: Unlink on a file has been
requested and requires validation. This function prohibits the
deleting of a protected file (or deleting one of these hard links, if
any).
- mac_veriexec_vnode_check_rename_from: Rename of the file has been
requested and must be validated. This function controls the renaming
of a protected file.
- mac_veriexec_vnode_check_rename_to: File overwrite rename has been
requested and must be validated. This function prevents overwriting of
a protected file (overwriting by mv command).
The 3 functions together aim to control the 'removal' (via unlink) and
the 'mv' on files protected by veriexec. The intention is to reach the
functional level of NetBSD veriexec.
Add sysctl node security.mac.veriexec.unlink to toggle control on
syscall unlink.
Add tunable kernel variable security.mac.veriexec.block_unlink to toggle
unlink protection. Add the corresponding read-only sysctl.
[ tidied up commit message, trailing whitespace, long lines, { placement ]
Allan Jude [Sat, 26 Nov 2022 18:11:13 +0000 (18:11 +0000)]
loader: Add support for booting from a ZFS snapshot
When booting from a snapshot we need to follow a different code path
to turn the objset ID into the name, and for forward lookups we need
to walk the parent's snapnames_zap.
With this, it is possible to set the pool's BOOTFS property to a
snapshot and boot with a read-only filesystem of that snapshot.
Reviewed by: tsoome, rew, imp
Sponsored By: Beckhoff Automation GmbH & Co. KG
Sponsored By: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D38600
Roger Pau Monné [Mon, 13 Mar 2023 14:17:21 +0000 (15:17 +0100)]
xen: take struct size into account for video information
The xenpf_dom0_console_t structure can grow as more data is added, and
hence we need to check that the fields we access have been filled by
Xen. The only extra field FreeBSD currently uses is the top 32 bits
for the frame buffer physical address.
Note that this field is present in all the versions that make the
information available from the platform hypercall interface, so the
check here is mostly cosmetic, and to remind us that newly added
fields require checking the size of the returned data.
Fixes: 6f80738b228c ('xen: fetch dom0 video console information from Xen')
Sponsored by: Citrix Systems R&D
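
The size check described in the commit above, as an added C example that is not FreeBSD's or Xen's code: the struct layout, its field names and every `demo_*` identifier are hypothetical, and the sample buffer is constructed. It shows an appended field being used only when the returned size covers it.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: original fields first, later fields appended. */
struct demo_console_info {
	uint32_t fb_base_lo;	/* present in every version */
	uint32_t fb_size;	/* present in every version */
	uint32_t fb_base_hi;	/* appended later: top 32 bits of the address */
};

/* True when a field lies entirely inside the bytes the producer filled. */
#define	FIELD_FILLED(type, field, filled)				\
	(offsetof(type, field) + sizeof(((type *)0)->field) <= (filled))

/*
 * Build the 64-bit frame buffer address from a reply of 'filled' bytes.
 * Returns 0 on success, -1 if even the mandatory fields are missing.
 * The appended field is ignored unless the producer reported filling it.
 */
static int
demo_fb_phys_addr(const void *reply, size_t filled, uint64_t *addr)
{
	struct demo_console_info info;

	if (!FIELD_FILLED(struct demo_console_info, fb_size, filled))
		return (-1);
	/* Copy only what was filled, so unfilled fields read as zero. */
	memset(&info, 0, sizeof(info));
	memcpy(&info, reply, filled < sizeof(info) ? filled : sizeof(info));

	*addr = info.fb_base_lo;
	if (FIELD_FILLED(struct demo_console_info, fb_base_hi, filled))
		*addr |= (uint64_t)info.fb_base_hi << 32;
	return (0);
}

/* Constructed sample: the buffer holds bytes where fb_base_hi would be. */
static uint64_t
demo_run(size_t filled)
{
	unsigned char buf[sizeof(struct demo_console_info)];
	struct demo_console_info full = { 0xe0000000u, 0x300000u, 0x1u };
	uint64_t addr = 0;

	memcpy(buf, &full, sizeof(buf));
	if (demo_fb_phys_addr(buf, filled, &addr) != 0)
		return (UINT64_MAX);
	return (addr);
}

int
main(void)
{
	printf("old producer (8 bytes):  0x%" PRIx64 "\n", demo_run(8));
	printf("new producer (12 bytes): 0x%" PRIx64 "\n", demo_run(12));
	return (0);
}
```
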
lucy [Mon, 13 Mar 2023 22:01:12 +0000 (16:01 -0600)]
Add GNU glibc compatible secure_getenv
Add mostly glibc and msl compatible secure_getenv. Return NULL if
issetugid() indicates the process is tainted, otherwise getenv(x). The
rationale behind this is the fact that many Linux applications use this
function instead of getenv() as it's widely considered a "best
practice".
Jessica Clarke [Tue, 14 Mar 2023 04:12:31 +0000 (04:12 +0000)]
arm64: Move Azure-specific config from std.hyperv to std.azure
Hyper-V does not provide Mellanox hardware, some of Azure's instances
do, thus the configuration to enable them does not belong in the generic
std.hyperv config.
Fixes: 15e7fa83ef3c ("arm64: Hyper-V: Add vPCI and Mellanox driver modules into build")