Martin Matuska [Tue, 13 Dec 2022 19:21:13 +0000 (20:21 +0100)]
libarchive: merge from vendor branch
Libarchive 3.6.2
Important bug fixes:
rar5 reader: fix possible garbled output with bsdtar -O (#1745)
mtree reader: support reading mtree files with tabs (#1783)
various small fixes for issues found by CodeQL
Warner Losh [Tue, 13 Dec 2022 04:46:05 +0000 (21:46 -0700)]
stand: Make ioctl declaration consistent
It typically had two args with an optional third from the userland
declaration in sys/ioccom.h. However, the funciton definition used a
non-optional char * argument. This mismatch is UB behavior (but worked
due to the calling convetions of all our machines).
Instead, add a declaration for ioctl to stand.h, make the third arg
'void *' which is a better match to the ... declaration before. This
prevents the convert int * -> char * errors as well. Make the ioctl
user-space declaration truly user-space specific (omit it in the
stand-alone build).
Ed Maste [Mon, 12 Dec 2022 22:00:13 +0000 (17:00 -0500)]
ssh: remove note about local change to [Use]PrivilegeSeparation
We documented "[Use]PrivilegeSeparation defaults to sandbox" as one of
our modifications to ssh's server-side defaults, but this is not (any
longer) a difference from upstream.
Alan Cox [Sat, 8 Oct 2022 07:20:25 +0000 (02:20 -0500)]
pmap: standardize promotion conditions between amd64 and arm64
On amd64, don't abort promotion due to a missing accessed bit in a
mapping before possibly write protecting that mapping. Previously,
in some cases, we might not repromote after madvise(MADV_FREE) because
there was no write fault to trigger the repromotion. Conversely, on
arm64, don't pointlessly, yet harmlessly, write protect physical pages
that aren't part of the physical superpage.
Don't count aborted promotions due to explicit promotion prohibition
(arm64) or hardware errata (amd64) as ordinary promotion failures.
Chuck Silvers [Mon, 12 Dec 2022 16:14:17 +0000 (08:14 -0800)]
restore: fix restore of NFS4 ACLs
Changing the mode bits on a file with an NFS4 ACL results in the
NFS4 ACL being replaced by one matching the new mode bits being set,
so when restoring a file with an NFS4 ACL, set the owner/group/mode first
and then set the NFS4 ACL, so that setting the mode does not throw away
the ACL that we just set.
Mark Johnston [Sun, 11 Dec 2022 16:40:12 +0000 (11:40 -0500)]
bridge: Fix a potential memory leak in bridge_enqueue()
A comment at the beginning of the function notes that we may be
transmitting multiple fragments as distinct packets. So, the function
loops over all fragments, transmitting each mbuf chain. If if_transmit
fails, we need to free all of the fragments, but m_freem() only frees an
mbuf chain - it doesn't follow m_nextpkt.
Change the error handler to free each untransmitted packet fragment, and
count each fragment as a separate error since we increment OPACKETS once
per fragment when transmission is successful.
Mark Johnston [Sun, 11 Dec 2022 16:27:22 +0000 (11:27 -0500)]
libdtrace: Change the binding of USDT probe symbols to STB_WEAK
Otherwise, if multiple object files contain references to the same
probe, newish lld will refuse to link them by default, raising a
duplicate global symbol definition error. Previously, duplicate global
symbols with identical absolute st_values were permitted by both lld and
GNU ld.
Since dtrace has no use for probe function symbols after the relocation
performed by dtrace -G, make the symbols weak as well, following a
suggestion from MaskRay.
Reported by: dim
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
When the lower filesystem directory hierarchy is the same as the nullfs
mount point (admittedly not likely to be a useful situation in
practice), nullfs is subject to the exact deadlock between the busy
count drain and the covered vnode lock that VV_CROSSLOCK is intended
to address.
unionfs: allow recursion on covered vnode lock during mount/unmount
When taking the covered vnode lock during mount and unmount operations,
specify LK_CANRECURSE as the existing lock state of the covered vnode
is not guaranteed (AFAIK) either by assertion or documentation for
these code paths.
For the mount path, this is done only for completeness as the covered
vnode lock is not currently held when VFS_MOUNT() is called.
For the unmount path, the covered vnode is currently held across
VFS_UNMOUNT(), and the existing code only happens to work when unionfs
is mounted atop FFS because FFS sets LO_RECURSABLE on its vnode locks.
This of course doesn't cover a hypothetical case in which the covered
vnode may be held shared, but for the mount and unmount paths such a
scenario seems unlikely to materialize.
When VV_CROSSLOCK is present, the lock for the vnode at the current
stage of lookup must be held across the VFS_ROOT() call for the
filesystem mounted at the vnode. Since VV_CROSSLOCK implies that
the root vnode reuses the already-held lock, the possibility for
recursion should be made clear in the flags passed to VFS_ROOT().
For cases in which the lock is held exclusive, this means passing
LK_CANRECURSE. For cases in which the lock is held shared, it
means clearing LK_NODDLKTREAT to allow VFS_ROOT() to potentially
recurse on the shared lock even in the presence of an exclusive
waiter.
That the existing code works for unionfs is due to a coincidence
of the current unionfs implementation.
Mike Karels [Sat, 10 Dec 2022 19:40:55 +0000 (13:40 -0600)]
growfs(7): document addition of swap partition and growfs_fstab script
Add documentation of the growfs script's new ability to add a swap
partition, expanding on the previous functionality as well. Add the
growfs_fstab helper script, which runs separately. Add a description
of how to expand a file system a second time if swap had been added.
While here, fix a typo.
Mike Karels [Sat, 10 Dec 2022 19:39:59 +0000 (13:39 -0600)]
growfs_fstab: add new /etc/rc.d script to add swap to fstab
The growfs_fstab script is a helper for the growfs script to add any
new swap partition to /etc/fstab on first boot. If growfs adds a
swap partition, it sets growfs_swap_pdev in the kenv. In this case,
after the root file system is read/write, if there is no swap partition
in the fstab, growfs_fstab adds growfs_swap as a swap partition to the
fstab. Also, it runs dumpon to add the swap partition (as this
happened earlier in the startup sequence).
Mike Karels [Sat, 10 Dec 2022 19:38:36 +0000 (13:38 -0600)]
growfs script: add swap partition as well as growing root
Add the ability to create a swap partition in the course of growing
the root file system on first boot, enabling by default. The default
rules are: add swap if the disk is at least 15 GB (decimal), and the
existing root is less than 40% of the disk. The default size is 10%
of the disk, but is limited by the memory size. The limit is twice
memory size up to 4 GB, 8 GB up to 8 GB memory, and memory size over
8 GB memory. Swap size is clamped at vm.swap_maxpages/2 as well.
The new swap partition is labeled as "growfs_swap".
The default behavior can be overridden by setting growfs_swap_size in
/etc/rc.conf or in the kernel environment, with kenv taking priority.
A value of 0 inhibits the addition of swap, an empty value specifies
the default, and other values indicate a swap size in bytes.
By default, addition of swap is inhibited if a swap partition is found
in the output of the sysctl kern.geom.conftxt before the current root
partition, usually meaning that there is another disk present.
Swap space is not added if one is already present in /etc/fstab.
The root partition is read-only when growfs runs, so /etc/fstab can
not be modified. That step is handled by a new growfs_fstab script,
added in a separate commit. Set the value "growfs_swap_pdev" in kenv
to indicate that this should be done, as well as for internal use.
There is optional verbose output meant for debugging; it can only be
enabled by modifying the script (in two places, for sh and awk).
This should be removed before release, after testing on -current.
John Baldwin [Fri, 9 Dec 2022 18:26:23 +0000 (10:26 -0800)]
vmm: Don't lock a vCPU for VM_PPTDEV_MSI[X].
These are manipulating state in a ppt(4) device none of which is
vCPU-specific. Mark the vcpu fields in the relevant ioctl structures
as unused, but don't remove them for now.
Martin Matuska [Fri, 9 Dec 2022 16:26:30 +0000 (17:26 +0100)]
Update vendor/libarchive to libarchive/libarchive@ba80276cc
Important Bugfixes:
rar5 reader: fix possible garbled output with bsdtar -O (#1745)
mtree reader: support reading mtree files with tabs (#1783)
various small fixes for issues found by CodeQL
Warner Losh [Fri, 9 Dec 2022 14:55:42 +0000 (07:55 -0700)]
kboot: Use (void) instead of () for functiosn with no args
`int foo();` means 'a function that takes any number of arguments.`
not `a function that takes no arguemnts`, that's spelled `int foo(void);`
Adopt the latter.
Cy Schubert [Fri, 9 Dec 2022 14:06:04 +0000 (06:06 -0800)]
heimdal: kadm5_c_get_principal() should check return code
kadm5_c_get_principal() should check the return code from
kadm5_ret_principal_ent(). As it doesn't it assumes success when
there is none and can lead to potential vulnerability. Fix this.
Cy Schubert [Thu, 8 Dec 2022 23:22:43 +0000 (15:22 -0800)]
heimdal: Properly ix bus fault when zero-length request received
Zero length client requests result in a bus fault when attempting to
free malloc()ed pointers within the requests softc. Return an error
when the request is zero length.
This properly fixes PR/268062 without regressions.
PR: 268062
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
tmpfs: for used pages, account really allocated pages, instead of file sizes
This makes tmpfs size accounting correct for the sparce files. Also
correct report st_blocks/va_bytes. Previously the reported value did not
accounted for the swapped out pages.
PR: 223015
Reviewed by: markj
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D37097
tmpfs: make vm_object point to the tmpfs node instead of vnode
The vnode could be reclaimed and allocated again during the lifecycle of
the node, but the node cannot. Also, referencing the node would allow
to reach it and tmpfs mount data from the object, regardless of the
state of the possibly absent vnode.
Still use swp_tmpfs for back-pointer, instead of using handle. Use of
named swap objects would incur taking the sw_alloc_sx on node allocation
and deallocation.
swp_tmpfs is renamed to swp_priv to remove the last bit of tmpfs in vm/.
Reviewed by: markj
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D37097
netlink: add interface notification on link status / flags change.
* Add link-state change notifications by subscribing to ifnet_link_event.
In the Linux netlink model, link state is reported in 2 places: first is
the IFLA_OPERSTATE, which stores state per RFC2863.
The second is an IFF_LOWER_UP interface flag. As many applications rely
on the latter, reserve 1 bit from if_flags, named as IFF_NETLINK_1.
This flag is mapped to IFF_LOWER_UP in the netlink headers. This is done
to avoid making applications think this flag is actually
supported / presented in non-netlink outputs.
* Add flag change notifications, by hooking into rt_ifmsg().
In the netlink model, notification should include the bitmask for the
change flags. Update rt_ifmsg() to include such bitmask.
Warner Losh [Fri, 9 Dec 2022 05:07:52 +0000 (22:07 -0700)]
kboot: Allow loading fdt from different sources
Linux has /sys/firmware/fdt and /proc/device-tree to publish the dtb for
the system. The former has it all in one file, while the latter breaks
it out. Prefer the former since it's the more modern interface, but
retain both since I don't have a PS3 to test to see if its kernel is new
enough for /sys/firmware or not.
Mark Johnston [Thu, 8 Dec 2022 20:03:51 +0000 (15:03 -0500)]
kinst: Add per-CPU interrupt trampolines
In the common case, kinst emulates a traced instruction by copying it to
a trampoline, where it is followed by a jump back to the original code,
and pointing the interrupted thread's %rip at the trampoline. In
particular, the trampoline is executed with the same CPU context as the
original instruction, so if interrupts are enabled at the point where
the probe fires, they will be enabled when the trampoline is
subsequently executed.
It can happen that an interrupt is raised while a thread is executing a
kinst trampoline. In that case, it is possible that the interrupt
handler will trigger a kinst probe, so we must ensure that the thread
does not recurse and overwrite its trampoline before it is finished
executing the original contents, otherwise an attempt to trace code
called from interrupt handlers can crash the kernel.
To that end, add a per-CPU trampoline, used when the probe fired with
interrupts disabled. Note that this is not quite complete since it does
not handle the possibility of kinst probes firing while executing an NMI
handler.
Also ensure that we do not trace instructions which set IF, since in
that case it is not clear which trampoline (the per-thread trampoline or
the per-CPU trampoline) we should use, and since such instructions are
rare.
Alan Somers [Thu, 1 Dec 2022 16:49:57 +0000 (09:49 -0700)]
[skip ci] improvements to cap_sysctl.3
* Correct some function prototypes which were documented with the wrong
pointer type.
* Clarify return values and requirements for freeing the limit handle.
Emmanuel Vadot [Thu, 8 Dec 2022 10:55:39 +0000 (11:55 +0100)]
pkgbase: Stop adding FreeBSD-runtime as a dep for every package
shlib_required/provided is enough for the dependencies and this also
causes problems for packages like rescue which shouldn't depend on runtime
at all.
PR: 268063
Sponsored by: Beckhoff Automation GmbH & Co. KG
Doug Rabson [Thu, 17 Nov 2022 10:48:20 +0000 (10:48 +0000)]
imgact_binmisc: Optionally pre-open the interpreter vnode
This allows the use of chroot and/or jail environments which depend on
interpreters registed with imgact_binmisc to use emulator binaries from
the host to emulate programs inside the chroot.
Michael Tuexen [Thu, 8 Dec 2022 08:48:29 +0000 (09:48 +0100)]
ppp: improve MSS clamping
ppp supports MSS clamping for TCP/IPv4. This patch
* improves MSS clamping for TCP/IPv4 by using the MSS as specified
in RFC 6691.
* adds support for MSS clamping for TCP/IPv6.
John Baldwin [Wed, 7 Dec 2022 20:32:19 +0000 (12:32 -0800)]
aesni: Remove misleading array bounds for aesni_decryt_ecb.
All the other functions used pointers for from/to instead of
fixed-size array parameters. More importantly, this function can
accept pointers to buffers of multiple blocks, not just a single
block.
Gleb Smirnoff [Wed, 7 Dec 2022 19:51:49 +0000 (11:51 -0800)]
udp: add protocol method declarations to udp_var.h
They are shared between UDP over IPv4 and over IPv6. To prevent all
possible kernel build failures wrap them in #ifdef _SYS_PROTOSW_H_.
Prompted by feedback from jhb@ and jrtc27@ on c93db4abf454.
Warner Losh [Wed, 7 Dec 2022 17:58:44 +0000 (10:58 -0700)]
stand/kboot: Parse the command line args
Do the standard command line parsing... With a small twist to deal with
the quirks of booting via linuxboot to the initrd from the command line
in shell.efi and other observed oddities.
Warner Losh [Wed, 7 Dec 2022 00:36:29 +0000 (17:36 -0700)]
boot: pass in args as const
Copy the arg that sets a variable to maximize the reuse of this
routine. There are places we call it from that are const char * and it
might not be safe to cast that away.
Warner Losh [Wed, 7 Dec 2022 17:50:35 +0000 (10:50 -0700)]
stand/kboot: Initialize all the devices
main() of the boot loader is expected to call devinit() early. We do
this at the same time we do it in the EFI loader (except we don't have a
buffer cache here, we don't need to initialize time and we don't have
special efi partition handles to enumerate). This is just after we probe
for the console.
Warner Losh [Tue, 6 Dec 2022 17:55:58 +0000 (10:55 -0700)]
kboot: Mark the EFI specific parts of bootinfo.c
bootinfo.c is about to be shared with kboot since they create
substantially similar environments / metadata tagging / etc. Tag this
with #ifdef EFI for the moment until the proper abstracting out can
happen.