Rick Macklem [Sun, 22 May 2022 20:49:08 +0000 (13:49 -0700)]
rpc.tlsclntd: Modify the -C option to use SSL_CTX_set_ciphersuites
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.
The man page will be updated in a separate commit.
Rick Macklem [Sun, 22 May 2022 20:44:31 +0000 (13:44 -0700)]
rpc.tlsservd: Modify the -C option to use SSL_CTX_set_ciphersuites
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.
Yan Ka Chiu [Sun, 22 May 2022 16:33:02 +0000 (12:33 -0400)]
pam_exec: fix segfault when authtok is null
According to pam_exec(8), the `expose_authtok` option should be ignored
when the service function is `pam_sm_setcred`. Currently `pam_exec` only
prevent prompt for anth token when `expose_authtok` is set on
`pam_sm_setcred`. This subsequently led to segfault when there isn't an
existing auth token available.
Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893
After reading https://reviews.freebsd.org/rS349556 I am not sure if the
default behaviour supposed to be simply not prompt for authentication
token, or is it to ignore the option entirely as stated in the man page.
This patch is therefore only adding an additional NULL check on the item
`pam_get_item` provide, and exit with `PAM_SYSTEM_ERR` when such item is
NULL.
Jessica Clarke [Sun, 22 May 2022 08:31:42 +0000 (10:31 +0200)]
pfctl: fix out-of-bounds access
If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
buffer. Check that the buffer is sufficiently long to avoid that.
Maintain the existing (and desired, because it's used as such in
/etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
request for the root anchor (or no anchor specified).
Mark Johnston [Sat, 21 May 2022 18:22:30 +0000 (14:22 -0400)]
boot/zfs: Extend zfsimpl.h and make it easier to use
Some makefs(8) patches make use of zfsimpl.h (not zfsimpl.c though) to
provide definitions for various on-disk structures. Most of this diff
simply adds new definitions that are useful.
Also reduce dependencies of the header:
- remove an unused list_node_t field to drop the sys/list.h dependency
- replace CTASSERT with _Static_assert
And fix the declaration of decode_embedded_bp_compressed().
No functional change intended.
Reviewed by: tsoome
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35278
bsdinstall(8) has an option to enable moused support.
However, if it is not selected, moused is still started
through the configuration of nondefault devices.
So, automatically add the moused_nondefault_enable="NO"
setting to rc.conf unless moused support is selected.
Andrew Turner [Sat, 21 May 2022 10:45:41 +0000 (11:45 +0100)]
Set mm before passing it to the UEFI firmware
When reading the UEFI memory map we pass in a pointer to the memory to
hold the map. Unfortunately it wasn't initialised before the first use
so clang decided it was undefined behaviour so the entire loop was
removed. This leads to everything in bi_load after this to also be
removed as dead code.
The next function after bi_load in the binary is efi_copy_init. The
above caused us to enter efi_copy_init with a return address of the
start of the function. Because of this it would enter an infinite
loop of calling the function, allocating memory, then returning to
the start of the function.
Mike Karels [Fri, 20 May 2022 14:16:01 +0000 (09:16 -0500)]
ping: if -S srcaddr uses a numeric address, use that protocol
The command "ping -S dotted.quad hostname" fails on dual-stack hosts
with the confusing message "ping: invalid source address: Name does
not resolve" because IPv6 is selected in preference. If the argument
to -S is numeric (likely), select the corresponding address family,
as if -4 or -6 was specified. Add tests that either IPv4 or IPv6 can
be forced via a -S parameter.
Rick Macklem [Fri, 20 May 2022 21:57:42 +0000 (14:57 -0700)]
rpc.tlsclntd: Add an option to force use of TLS version 1.2
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
NFS-over-TLS mounts, this command line option
may be used so that NFS-over-TLS mounts to 13.0, 13.1
servers will still work.
Without the command line option, NFS-over-TLS mounts
will use TLS version 1.3.
Rick Macklem [Fri, 20 May 2022 21:44:50 +0000 (14:44 -0700)]
rpc.tlsservd: Add an option to allow TLS version 1.2
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
NFS-over-TLS mounts, this command line option
may be used so that mounts from 13.0, 13.1 will still work.
Without the command line option, only TLS version 1.3
mounts are permitted.
Working on an update for rtw88 baed on wireless-testing I ran into
a build issue with struct ieee802211_sta. Some fields were factored
out into their own struct apparently preparing for MLO (Multi Link
Operation).
In order to be able to update one driver we have to adjust both
rtw88 and iwlwifi (and the ones still out-of-tree) now.
This is mostly a sed-replace job and no functional changes are
intended.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Mark Johnston [Fri, 20 May 2022 14:18:10 +0000 (10:18 -0400)]
bitstring_test: Add regression tests for bit_ff(c|s)_area_at()
Validate the cases where a match can be found immediately and where no
match can be found. This extends the existing test cases and is enough
to catch the bug fixed in commit 6e7a585348d5 ("bitstring: fix ff_area()
when start!=0").
Reviewed by: dougm
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35259
Mark Johnston [Fri, 20 May 2022 14:17:35 +0000 (10:17 -0400)]
libsa: Make the nvlist implementation more self-contained
Move declarations into a new nvlist.h rather than putting everything in
libzfs.h. This makes this nvlist code easier to reuse elsewhere. In
particular, the nvlist implementation in sys/contrib/libnv does not
provide XDR encoding, but this is needed when reading from or writing to
ZFS pools.
Also:
- Remove references to boolean_t. It has to be a 32-bit int here, so
just reference the underlying type.
- Add includes needed when compiling the nvlist code outside of stand/.
No functional change intended.
Reviewed by: tsoome
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35255
Mark Johnston [Fri, 20 May 2022 14:15:00 +0000 (10:15 -0400)]
libsa: Fix a bug in nvlist creation
When adding an entry to an nvlist, the data buffer might need to be
resized. When this happens, the XDR encoder's notion of the buffer size
also needs to be updated, otherwise the operation may erroneously fail.
Reviewed by: tsoome, imp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35254
Mark Johnston [Fri, 20 May 2022 14:11:31 +0000 (10:11 -0400)]
cpuset: Fix the KASAN and KMSAN builds
Rename the "copyin" and "copyout" fields of struct cpuset_copy_cb to
something less generic, since sanitizers define interceptors for
copyin() and copyout() using #define.
Reported by: syzbot+2db5d644097fc698fb6f@syzkaller.appspotmail.com
Fixes: 47a57144af25 ("cpuset: Byte swap cpuset for compat32 on big endian architectures")
Sponsored by: The FreeBSD Foundation
Kristof Provost [Wed, 18 May 2022 15:29:35 +0000 (17:29 +0200)]
pf tests: extend ethernet dummynet test
Extend the existing ethernet dummynet test to also test dummynet on the
outbound direction.
This used to be a problem as traffic shaping wasn't done in the ethernet
code. It merely tagged the packet and left shaping up to the layer 3 pf
code. This works in the inbound direction, but not for outbound traffic
where we hit the L3 code first and only then the L2 code.
Kristof Provost [Wed, 18 May 2022 15:49:28 +0000 (17:49 +0200)]
pf: call dummynet directly from the ethernet code
Until recently dummynet in ethernet rules did not send packets directly
to dummynet but instead marked them and left the interactions with
dummynet to the layer 3 pf code.
This worked fine for incoming packets (where we process ethernet rules
before layer 3 rules), but not for outbound packets (where the order of
operations is the reverse).
Dummynet does support handling layer 2 traffic, so send the packets
directly to dummynet.
The main limitation now is that pf does not inspect layer 4 (i.e.
TCP/UDP) so we don't have protocol information or port numbers. Dummynet
potentially uses this to separate traffic flows, which will not work for
ethernet dummynet rules. However, pipes (i.e. adding latency or
restricting bandwidth) will work exactly as expected.
Kristof Provost [Thu, 19 May 2022 13:12:54 +0000 (15:12 +0200)]
dummynet: do not store struct ifnet pointers
The dn_pkt_tag tag contained a struct ifnet pointer. If we persist that
across NET_EPOCH boundaries (as we did in dummynet) we risk panics if
the interface is removed between the packet being enqueued and it being
dequeued.
Convert the pointer into an index/generation pair and restore it when
the packet is taken out of the queue.
Bjoern A. Zeeb [Wed, 18 May 2022 22:39:57 +0000 (22:39 +0000)]
LinuxKPI: 802.11 updates
Add more values to the ieee80211_min_mpdu_start_spacing enum with
two missing given we do not know how they are called. Also update
the reference while here.
Add struct ieee80211_hdr_3addr and correct the comment on the
ieee80211_hdr to match the one in net80211 to avoid future confusion.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Bjoern A. Zeeb [Wed, 18 May 2022 22:36:31 +0000 (22:36 +0000)]
LinuxKPI: implement pcie_capability_set_word()
Implement pcie_capability_set_word() using the already available
read/write functions.
Also define the completion timeout disable value to our PCI one.
Both needed by a driver update.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: manu, hselasky
Differential Revision: https://reviews.freebsd.org/D35250
Navdeep Parhar [Thu, 19 May 2022 19:25:30 +0000 (12:25 -0700)]
cxgbe/iw_cxgbe: c4iw_zero_addr should not use IN_ZERONET.
c4iw_zero_addr is supposed to check for all-zero addresses but was using
IN_ZERONET (which does something different) for IPv4 addresses. Fix it
by simply checking for 0 as is done for IPv6 addresses.
Justin Hibbits [Thu, 12 May 2022 20:38:22 +0000 (15:38 -0500)]
cpuset: Byte swap cpuset for compat32 on big endian architectures
Summary:
BITSET uses long as its basic underlying type, which is dependent on the
compile type, meaning on 32-bit builds the basic type is 32 bits, but on
64-bit builds it's 64 bits. On little endian architectures this doesn't
matter, because the LSB is always at the low bit, so the words get
effectively concatenated moving between 32-bit and 64-bit, but on
big-endian architectures it throws a wrench in, as setting bit 0 in
32-bit mode is equivalent to setting bit 32 in 64-bit mode. To
demonstrate:
32-bit mode:
BIT_SET(foo, 0): 0x00000001
64-bit sees: 0x0000000100000000
cpuset is the only system interface that uses bitsets, so solve this
by swapping the integer sub-components at the copyin/copyout points.
Reviewed by: kib
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D35225
Andrew Turner [Mon, 9 May 2022 14:28:56 +0000 (15:28 +0100)]
Handle cas failure when the compare succeeds
When locking a priority inherit mutex we perform a compare and swap
operation to try and acquire the mutex. This may fail even when the
compare succeeds.
Check and handle this case.
PR: 263825
Reviewed by: kib, markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35150
Andrew Turner [Thu, 12 May 2022 12:50:59 +0000 (13:50 +0100)]
Fix the name of Makefile.aarch64
Makefile.arm64 relies on being included via Makefile.${MACHINE}. This
only works when arm64 is the only aarch64 architecture. Switch to
Makefile.aarch64 so downstream CheriBSD can use the file when building
for Morello which uses a differen ${MACHINE} value.
In function mlx4_opreq_action(), pointer "mailbox" is not released,
when mlx4_cmd_box() return and error, causing a memory leak bug.
Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can
free this pointer.
ibcore: Fix possible memory leak in ib_mad_post_receive_mads()
If ib_dma_mapping_error() returns non-zero value,
ib_mad_post_receive_mads() will jump out of loops and return -ENOMEM
without freeing mad_priv. Fix this memory-leak problem by freeing
mad_priv in this case.
Notable upstream pull request merges:
#10662 zvol_wait: Ignore locked zvols
#12789 Improve log spacemap load time
#12812 Improved zpool status output, list all affected datasets
#13277 FreeBSD: Use NDFREE_PNBUF if available
#13302 Make zfs_max_recordsize default to 16M
#13311 Fix error handling in FreeBSD's get/putpages VOPs
#13345 FreeBSD: Fix translation from ABD to physical pages
#13373 zfs: holds: dequadratify
#13375 Corrected edge case in uncompressed ARC->L2ARC handling
#13388 Improve mg_aliquot math
#13405 Reduce dbuf_find() lock contention
#13406 FreeBSD: use zero_region instead of allocating a dedicated page
Ruslan Bukin [Wed, 18 May 2022 13:11:23 +0000 (14:11 +0100)]
Add OFW support to arm64's IOMMU framework.
This is needed to support non-PCI devices like memory-mapped
display controllers.
Split-out some initialization code from iommu_ctx_alloc() into
iommu_ctx_init() method so we could pass controller's MD-data
obtained from DTS to the driver prior to a CTX initialization.
Ruslan Bukin [Wed, 18 May 2022 12:42:37 +0000 (13:42 +0100)]
Fix stream table entry (STE) initialization and removal.
For PCI devices we have entire L1 descriptor for every session ID (SID),
but for non-PCI (e.g. Display Processing Unit DPU), a single L1
descriptor serves multiple SIDs.
So prevent re-initialization of L1 descriptor if already initialized.
Don't free entire L1 descriptor on every STE removal.
Michael Gmelin [Tue, 17 May 2022 09:37:21 +0000 (11:37 +0200)]
hidraw: Return string lengths for certain ioctls
Make HIDIOCGRAWPHYS, HIDIOCGRAWNAME, and HIDIOCGRAWUNIQ return
the length of the copied out string (including the trailing NUL
character), so they behave like their Linux hidraw counterparts.
802.11i-2004 did not specify that RSN can be added to the probereq,
only to the proberesp (and others) yet it was added in what seems was b032f27c365b992e9d8e42214183b39acfb8c6ac (multi-BSS support).
802.11-2020 does not list the IE either for probereq so remove it.
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Okayed by: adrian
Differential Revision: https://reviews.freebsd.org/D34893
Coleman Kane [Tue, 17 May 2022 20:07:39 +0000 (16:07 -0400)]
Fix compiler warnings about zero-length arrays in inline bitops
The compiler appears to be expanding the unused NULL pointer into a
zero-length array via the inline bitops code. When -Werror=array-bounds
is used, this causes a build failure. Recommended solution is allocate
temporary structures, fill with zeros (to avoid uninitialized data use
warnings), and pass the pointer to those to the inline calls.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Coleman Kane <ckane@colemankane.org>
Closes #13463
Closes #13465
Piotr Kubaj [Tue, 17 May 2022 06:39:29 +0000 (08:39 +0200)]
powerpc: enable supported sanitizers on powerpc64*
1. Merge LLVM's 315d792130258a9b7250494be8d002ebb427b08f, adding support
for FreeBSD/powerpc64*.
2. Add sanitizer list to lib/libclang_rt/Makefile, taken from the list of
libraries that llvm-devel port builds.
3. powerpc64le supports the same sanitizers that powerpc64, but powerpc64le
also supports xray* sanitizers.
4. lib/libclang_rt/xray/Makefile hardcodes amd64-specific files, so that needs
to be conditionalized.
5. Sanitizers are not enabled for powerpc, because powerpc supports only
builtins and profile.
Reviewed by: dim
Differential Revision: https://reviews.freebsd.org/D35228
Relnotes: yes
MFC after: 3 days
Kristof Provost [Tue, 17 May 2022 12:41:25 +0000 (14:41 +0200)]
pf: allocate krule->timestamp in pf_krule_alloc()
There are three calls which can allocate a new rule. DIOCADDRULE,
DIOCADDRULENV and DIOCCHANGERULE. The first two call pf_ioctl_addrule(),
but DIOCCHANGERULE does not. As a result rules created through
DIOCCHANGERULE do not have the timestamp per-cpu memory allocated, and
we panic when the rule is exported with pf_krule_to_nvrule().
LinuxKPI: Switch irq_work implementation back to standard taskqueue
from fast one as dmabuf does not run callbacks from critical sections
since drm-kmod 5.7.
Consumers which requires fair irq_work like drm-kmod 5.4 must #define
LKPI_IRQ_WORK_USE_FAST_TQ somewhere in source file before linux/irq_work.h
inclusion to enable old behavior.
LinuxKPI: Implement kthread_worker related functions
Kthread worker is a single thread workqueue which can be used in cases
where specific kthread association is necessary, for example, when it
should have RT priority or be assigned to certain cgroup.
This change implements Linux v4.9 interface which mostly hides kthread
internals from users thus allowing to use ordinary taskqueue(9) KPI.
As kthread worker prohibits enqueueing of already pending or canceling
tasks some minimal changes to taskqueue(9) were done.
taskqueue_enqueue_flags() was added to taskqueue KPI which accepts extra
flags parameter. It contains one or more of the following flags:
TASKQUEUE_FAIL_IF_PENDING - taskqueue_enqueue_flags() fails if the task
is already scheduled to execution. EEXIST is returned and the
ta_pending counter value remains unchanged.
TASKQUEUE_FAIL_IF_CANCELING - taskqueue_enqueue_flags() fails if the
task is in the canceling state and ECANCELED is returned.
Kevin Bowling [Tue, 17 May 2022 03:15:34 +0000 (20:15 -0700)]
igc: Increase rx_buffer_size local variable to 32b
Apply 6987c47569b377f4b6eba9966afdedfb1b39fca8 to igc. This is not
expected to have any benefit on current parts with current observed PBA
sizes but will avoid surprises if they are increased in future chips.
Approved by: grehan
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D35217
Alan Somers [Mon, 16 May 2022 22:32:10 +0000 (16:32 -0600)]
makefs: fix calculation of file sizes
When a new FS image is created we need to calculate how much space each
file is going to consume.
Fix two bugs in that logic:
1) Count the space needed for indirect blocks for large files.
1) Normally the trailing data of a file is written to a block of frag
size, 4 kB by default.
However for files that use indirect blocks a full block is allocated,
32kB by default. Take that into account.
Adjust size calculations to match what is done in ffs_mkfs routine:
* Depending on the UFS version the superblock is stored at a different
offset. Take that into account.
* Add the cylinder group block size.
* All of the above has to be aligned to the block size.
Finally, Remove "ncg" variable. It's always 1 and it was used to
multiply stuff.